Refresh Token Expiry after Package update #1439

Open
ali-bajwa1 opened this issue Oct 10, 2024 · 2 comments
ali-bajwa1 commented Oct 10, 2024

Which version of Duende.AccessTokenManagement are you using?

7

Which version of .NET are you using?

8

Describe the bug

We are using three authentication mechanisms to log our members into the app using Duende IdentityServer: user/password, PIN and biometrics. We recently upgraded Duende IdentityServer after the vulnerability fix package was released. After the update, all our refresh tokens in the DB expired (the "Expiration" column of the "PersistedGrants" table). This issue is now forcing all our members to use the username/password flow.

During the upgrade we didn't notice any change in the new DB migrations or in the posts/documents related to refresh-token expiry behaviour. So my question is: is this expected behaviour after the vulnerability fix package update, or might there be some other cause?

On another note, we also changed the way we use and store the certificate for the private key that signs tokens, because our API is hosted on Azure App Service and it was throwing a "Keyset not found" error. We changed it from:

var cert = new X509Certificate2(pfxBytes, (string)null, X509KeyStorageFlags.MachineKeySet);

to:

X509Certificate2 cert = new X509Certificate2(file, (string)null,
    X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.Exportable
);

Is the above a possible cause of the tokens expiring?

The third change we made was upgrading the Duende license, which does not seem to be the cause but is worth mentioning here.

To Reproduce

1) Upgrade the Identity project from .NET 6 to .NET 8
2) Upgrade the Duende IdentityServer packages from version 6 to 7
3) Try the refresh-token flow: all the refresh tokens expire once the version is updated

Expected behavior

Refresh tokens should not expire upon upgrade.

Log output/exception with stacktrace

Duende.IdentityServer.Stores.DefaultRefreshTokenStore
Failed to deserialize JSON from grant store.
System.Security.Cryptography.CryptographicException: The payload was invalid. For more information go to
https://aka.ms/aspnet/dataprotectionwarning
at Microsoft.AspNetCore.DataProtection.Cng.CbcAuthenticatedEncryptor.DecryptImpl(Byte* pbCiphertext, UInt32 cbCiphertext, Byte* pbAdditionalAuthenticatedData, UInt32 cbAdditionalAuthenticatedData)
at Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase.Decrypt(ArraySegment`1 ciphertext, ArraySegment`1 additionalAuthenticatedData)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
at Microsoft.AspNetCore.DataProtection.DataProtectionCommonExtensions.Unprotect(IDataProtector protector, String protectedData)
at Duende.IdentityServer.Stores.Serialization.PersistentGrantSerializer.Deserialize[T](String json) in /_/src/Storage/Stores/Serialization/PersistentGrantSerializer.cs:line 103
at Duende.IdentityServer.Stores.DefaultGrantStore`1.GetItemByHashedKeyAsync(String hashedKey)

Additional context

@RolandGuijt

There is no known reason why the expiration column would suddenly get a value when upgrading IdentityServer or changing the key material.
However, changing the keys would render the existing tokens invalid.
As a side note: we recommend using IdentityServer's automatic key management feature when you have a business license or higher. This makes sure the keys are rotated automatically.

The exception you show at the end of the issue has to do with ASP.NET Core's data protection. When the application didn't have an application name assigned and you changed the hosting/location of the application, the items in the persisted grant store can't be read anymore, since they are protected with data protection.
Please read our data protection guide that explains what I mean.
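As an added illustration of the failure mode described above (this is example code, not from the issue or from Duende's code base): two Data Protection providers share one key ring but differ in application name, which is what a changed content root does to the default discriminator, so the second one cannot unprotect a grant the first one protected and throws the same "The payload was invalid" CryptographicException; pinning the application name restores the round trip. The key directory, the application names, the purpose string and the grant payload are all assumptions constructed for the demo.

```csharp
// Added example: demonstrates why protected persisted grants become unreadable when the
// Data Protection application name changes, and how SetApplicationName avoids it.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

class Program
{
    // Key ring shared by both simulated deployments (path is an assumption for the demo).
    static readonly DirectoryInfo KeyDir =
        new(Path.Combine(Path.GetTempPath(), "dp-demo-keys"));

    // Purpose string is an assumption; IdentityServer uses its own internal purpose.
    static IDataProtector MakeProtector(string appName) =>
        DataProtectionProvider.Create(KeyDir, b => b.SetApplicationName(appName))
                              .CreateProtector("persisted-grant-demo");

    static void Main()
    {
        // Constructed sample grant payload, standing in for the serialized refresh token.
        const string grant = "{\"ClientId\":\"mobile\",\"Lifetime\":2592000}";

        // Before the move: without SetApplicationName, ASP.NET Core derives the
        // discriminator from the content root path. Modelled here as an explicit name.
        string protectedGrant = MakeProtector(@"D:\home\site\wwwroot").Protect(grant);

        // After a move to a new host/location the derived discriminator changes, so the
        // same key ring yields a different derived key and authentication of the payload fails.
        try
        {
            MakeProtector(@"C:\app\identityserver").Unprotect(protectedGrant);
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine($"Mismatched application name: {ex.Message}");
        }

        // Fix: pin the application name in every deployment so the purpose chain is stable
        // across hosts; combine this with a persisted, shared key ring.
        IDataProtector before = MakeProtector("identityserver-prod");
        IDataProtector after = MakeProtector("identityserver-prod");
        bool ok = after.Unprotect(before.Protect(grant)) == grant;
        Console.WriteLine(ok ? "round-trip ok" : "mismatch");
    }
}
```

The two `DataProtectionProvider.Create` calls here model two deployments of one application; in a real app the equivalent is `services.AddDataProtection().PersistKeysToFileSystem(...).SetApplicationName(...)` configured identically on every host.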

@RolandGuijt

@ali-bajwa1 Would you like to follow up on this issue? If not I'd like to close it.
