Reference Token Validation throws exception #826
Comments
Client details:

```csharp
new Client
{
    Enabled = true,
    ClientName = "CustomApp",
    ClientId = "customapp",
    ClientSecrets = new List<ClientSecret> { new ClientSecret("customsecret".Sha256()) },
    AccessTokenType = AccessTokenType.Reference,
    AccessTokenLifetime = 300,
    RefreshTokenUsage = TokenUsage.OneTimeOnly,
    RefreshTokenExpiration = TokenExpiration.Absolute,
    AbsoluteRefreshTokenLifetime = 86400, // one day
    SlidingRefreshTokenLifetime = 43200,
    Flow = Flows.ResourceOwner
}
```
have you debugged it?

i just tried to repro it. works for me. Try with the RO flow sample from the Clients solution (sample repo together with the core source code repo) and see if that works for you when you switch the token type to reference.

Yes. I was off by one line earlier; the claims, when it attempts to validate the access token async, are where it loses track, here: https://github.com/IdentityServer/Thinktecture.IdentityServer3/blob/master/source/Core/Validation/TokenValidator.cs#L161. I can't debug any further, as it then jumps to the Logger to log the exception listed in the earlier stacktrace above.

Ok, just caught your comment about the samples repo. I'll give that a try.

As I said - download the source code and the client repo and debug it.

You're correct, I couldn't repro using the IdSvr3 Core host from the source code repo (master). The only difference in our setup is that we're using a custom user service to validate credentials, but that shouldn't cause this problem since a reference token is still being issued. The validation endpoint is able to trap it when the reference token is expired or invalid (with the "invalid_token" response). Plus I can see the claims when debugging on the lines mentioned above. From the earlier stacktrace, I take it somehow a custom claim is being added that it can't process... I'll keep digging, at a loss for the moment.

Well - maybe your IsActiveAsync implementation does not return true...?

Nope, I verified it returns true on debug. However, I just noticed we had a custom
Ok, so our own custom `GetAccessTokenClaimsAsync`:

```csharp
public override async Task<IEnumerable<Claim>> GetAccessTokenClaimsAsync(ClaimsPrincipal subject, Client client, IEnumerable<Scope> scopes, ValidatedRequest request)
{
    var claims = await base.GetAccessTokenClaimsAsync(subject, client, scopes, request);
    var newClaims = claims.ToList();
    newClaims.Add(subject.FindFirst("MyCustomClaim")); // BAD!
    return newClaims;
}
```

So when the token is validated, it balks on that NULL. Not a very informative exception, but it's accurate. Here's a simple dev fix for this scenario:

```csharp
// newClaims.Add(subject.FindFirst("MyCustomClaim")); // BAD!
var newClaim = subject.FindFirst("MyCustomClaim");
if (newClaim != null)
    newClaims.Add(newClaim);
```

This isn't a bug with IdSvr, but just something we now watch out for when messing with custom claims in the provider...
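The root cause above is a `null` entry in the claims list produced by a custom claims provider, which only surfaces later as an opaque `NullReferenceException` inside token validation. The following is an added example, not code from this thread or from IdentityServer3: it uses only `System.Security.Claims`, builds a constructed subject principal that lacks `MyCustomClaim`, shows how the null entry breaks any later consumer of the list, and then demonstrates two hypothetical helpers, `AddOptionalClaims` (copies only the claim types that actually exist and reports the absent ones) and `EnsureNoNullClaims` (fails fast at issuance time with a message that points at the claims provider).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

static class Program
{
    static void Main()
    {
        // Constructed subject: note there is deliberately no "MyCustomClaim",
        // which is exactly the case in which FindFirst returns null.
        var subject = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim("sub", "123"),
            new Claim("name", "alice")
        }, "constructed"));

        // Constructed stand-in for what base.GetAccessTokenClaimsAsync returns.
        var claims = new List<Claim>
        {
            new Claim("sub", "123"),
            new Claim("client_id", "customapp")
        };

        // 1. The pattern from the thread: a null sneaks into the list unnoticed.
        var unsafeClaims = claims.ToList();
        unsafeClaims.Add(subject.FindFirst("MyCustomClaim")); // null
        try
        {
            // Any consumer that touches every claim (here: projecting the types)
            // blows up far away from the real cause.
            var types = unsafeClaims.Select(c => c.Type).ToArray();
        }
        catch (NullReferenceException)
        {
            Console.WriteLine("unsafe list: NullReferenceException while consuming claims");
        }

        // 2. Hardened: only add optional claims that exist, then fail fast if
        //    anything in the final list is still null.
        var safeClaims = claims.ToList();
        var missing = ClaimsListGuard.AddOptionalClaims(safeClaims, subject, "MyCustomClaim", "email");
        ClaimsListGuard.EnsureNoNullClaims(safeClaims);
        Console.WriteLine("safe list: " + safeClaims.Count + " claims, absent optional claims: "
                          + string.Join(", ", missing));
    }
}

// Hypothetical helper class (not part of IdentityServer3).
static class ClaimsListGuard
{
    // Copies each requested claim type from the subject into target if present.
    // Returns the types that were absent so the caller can log them instead of
    // silently issuing a token whose claim list contains null.
    public static IList<string> AddOptionalClaims(List<Claim> target, ClaimsPrincipal subject, params string[] claimTypes)
    {
        var missing = new List<string>();
        foreach (var type in claimTypes)
        {
            var claim = subject.FindFirst(type);
            if (claim == null)
            {
                missing.Add(type);
                continue;
            }
            target.Add(claim);
        }
        return missing;
    }

    // Guard to run right before returning from a custom claims provider: an
    // InvalidOperationException here names the real culprit, whereas the null
    // would otherwise only be hit during reference token validation.
    public static void EnsureNoNullClaims(IEnumerable<Claim> claims)
    {
        if (claims.Any(c => c == null))
            throw new InvalidOperationException(
                "claims provider produced a null Claim; check custom claim lookups such as FindFirst");
    }
}
```

In the override shown in the comment above, the direct `newClaims.Add(subject.FindFirst("MyCustomClaim"))` would be replaced by `ClaimsListGuard.AddOptionalClaims(newClaims, subject, "MyCustomClaim")`, with `ClaimsListGuard.EnsureNoNullClaims(newClaims)` called before `return newClaims;`. The guard turns the uninformative exception seen at the validation endpoint into an error raised at token issuance, where the misbehaving provider is on the stack.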
While we have successfully retrieved and validated self-contained JWT-based Access Tokens, I'm having issues validating a Reference Token type using the token validation endpoint (with the default in-memory `TokenValidationStore`). Request to the validator (using a fake ref token for this post):

```
GET https://myidsvr3/core/connect/accesstokenvalidation?token=2fc954023e5f71286ac5d018e301f8f7
```
It fails with a System.NullReferenceException when adding claims to the ClaimsIdentity, starting here: https://github.com/IdentityServer/Thinktecture.IdentityServer3/blob/master/source/Core/Services/Default/DefaultCustomTokenValidator.cs#L78
Stacktrace snippet:
Note that, for the above example, there are no custom claims or anything special being added or used with the Client. The token was originally retrieved through an RO grant type request. We're using IdSvr3 RTM released yesterday. Any ideas?