openiddict-core: Missing claims using Introspection
Confirm you’ve already contributed to this project or that you sponsor it
- I confirm I’m a sponsor or a contributor
Version
3.x
Question
Hello, I have one application which can work in standalone or proxy mode. In standalone mode an instance is responsible for verifying its own tokens. In proxy mode the token is generated on the master instance and the proxy verifies whether the token contains all required claims. We are using Yarp to forward requests to the master instance.
First I configured my OpenIddict to use the local server in the validation method, but because these two applications have different signing keys, I had to change it to use introspection. However, I noticed that the token doesn't contain all the claims which I can see on jwt.io (e.g. oi_tkn_id, scope).
I noticed that the Configure method doesn't work in my case. I tried to tell the server not to validate the signing key, but it doesn't work. I get this error message: The signing key associated to the specified token was not found.
```csharp
services.AddOpenIddict()
    .AddCore(options =>
    {
        options.UseEntityFrameworkCore()
            .UseDbContext<ApplicationDbContext>()
            .ReplaceDefaultEntities<Client, Authorization, Scope, Token, int>();
    })
    .AddServer(options =>
    {
        options
            .SetTokenEndpointUris("/connect/token")
            .SetRevocationEndpointUris("/connect/revocation")
            .SetIntrospectionEndpointUris("/connect/introspect");

        // Echo the granted scopes back in the token response, sorted for stability.
        options.AddEventHandler<OpenIddictServerEvents.ProcessSignInContext>(builder =>
        {
            builder.UseInlineHandler(context =>
            {
                if (context.Transaction.Request != null)
                {
                    context.Response["scope"] = string.Join(" ", context.Transaction.Request.GetScopes().OrderBy(z => z));
                }
                return default;
            });
        });

        // Surface a custom "message" from AuthenticationProperties in challenge responses.
        options.AddEventHandler<OpenIddictServerEvents.ProcessChallengeContext>(builder =>
        {
            builder.UseInlineHandler(context =>
            {
                var authPropertiesKey = typeof(AuthenticationProperties).ToString();
                if (context.Transaction.Properties.ContainsKey(authPropertiesKey))
                {
                    var props = context.Transaction.Properties[authPropertiesKey] as AuthenticationProperties;
                    context.Response["message"] = props.Items["message"];
                }
                return default;
            });
        });

        options.AllowClientCredentialsFlow();
        options.AllowPasswordFlow();
        options.AllowRefreshTokenFlow();
        options.UseReferenceRefreshTokens();

        options.RegisterScopes(
            OpenIddictConstants.Permissions.Scopes.Profile.Replace(OpenIddictConstants.Permissions.Prefixes.Scope, string.Empty),
            OpenIddictConstants.Permissions.Scopes.Roles.Replace(OpenIddictConstants.Permissions.Prefixes.Scope, string.Empty),
            CustomScopes.APPLICATION,
            CustomScopes.IDENTITY_SETUP,
            CustomScopes.SUPPORT_PACKAGE);

        options.SetAccessTokenLifetime(TimeSpan.FromHours(1));
        options.SetRefreshTokenLifetime(TimeSpan.FromDays(7));

        // The same certificate is used for both encryption and signing here;
        // access tokens are left unencrypted so they can be inspected on jwt.io.
        options.AddEncryptionCertificate(signingCertificate)
            .AddSigningCertificate(signingCertificate);
        options.DisableAccessTokenEncryption();

        options.UseAspNetCore()
            .EnableTokenEndpointPassthrough();
    })
    .AddValidation(options =>
    {
        // These parameters only apply to local JWT validation; they have no effect
        // once the token is verified through introspection instead.
        options.Configure(c =>
        {
            c.TokenValidationParameters.ValidateIssuer = false;
            c.TokenValidationParameters.ValidateIssuerSigningKey = false;
        });

        options.SetIssuer("https://localhost:44322/");

        options.UseIntrospection()
            .SetClientId(GeneralConstants.APP_CLIENT_ID)
            .SetClientSecret(GeneralConstants.APP_CLIENT_SECRET);

        options.UseSystemNetHttp();
        //options.UseLocalServer();
        options.UseAspNetCore();
    });
```
About this issue
- State: closed
- Created 2 years ago
- Comments: 25 (12 by maintainers)
Thanks @kevinchalet, we re-discussed our architecture and we will change it as you said. So, we will use introspection and the issuer has to confirm the token.
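Added example (not code from the issue or from the OpenIddict project) of the two pieces the master instance needs for this introspection-based design: the proxy must be registered as a client allowed to call the introspection endpoint the issue configures, and the claims the proxy expects must be written into the access token with an explicit destination, since introspection can only report what the token carries. It reuses the issue's GeneralConstants identifiers; the resource name `proxy` and the `BuildPrincipal` helper are assumptions.

```csharp
// Added example; assumes OpenIddict 3.x and the issue's GeneralConstants.
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;

public static class IntrospectionSetup
{
    // Run once on the master instance: register the proxy as a confidential client
    // whose only permission is calling /connect/introspect.
    public static async Task RegisterProxyClientAsync(IOpenIddictApplicationManager manager)
    {
        if (await manager.FindByClientIdAsync(GeneralConstants.APP_CLIENT_ID) is null)
        {
            await manager.CreateAsync(new OpenIddictApplicationDescriptor
            {
                ClientId = GeneralConstants.APP_CLIENT_ID,
                ClientSecret = GeneralConstants.APP_CLIENT_SECRET,
                Permissions = { Permissions.Endpoints.Introspection }
            });
        }
    }

    // Called from the token endpoint action when the master issues a token.
    // Only claims given the AccessToken destination end up in the access token,
    // and therefore in the introspection response the proxy receives.
    public static ClaimsPrincipal BuildPrincipal(ClaimsIdentity identity, IEnumerable<string> scopes)
    {
        var principal = new ClaimsPrincipal(identity);
        principal.SetScopes(scopes);

        // Assumed resource name: lists the proxy as an audience of the token.
        principal.SetResources("proxy");

        foreach (var claim in principal.Claims)
        {
            claim.SetDestinations(claim.Type switch
            {
                Claims.Subject => new[] { Destinations.AccessToken, Destinations.IdentityToken },
                _ => new[] { Destinations.AccessToken }
            });
        }

        return principal;
    }
}
```

The proxy side then keeps the issue's `UseIntrospection().SetClientId(...).SetClientSecret(...)` configuration and drops the `TokenValidationParameters` overrides, which only govern local JWT validation.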