This repository has been archived by the owner on Jul 31, 2024. It is now read-only.

Refresh requests should not return identity tokens if no identity scopes were requested #781

Closed
ghost opened this issue Feb 5, 2017 · 3 comments

ghost commented Feb 5, 2017

In IdentityServer 1.1 you added #694, but when I use the pure OAuth 2.0 Resource Owner Credentials flow there is no option to disable id_token generation in the response. My configuration looks like this:

```csharp
using System;
using System.Collections.Generic;
using IdentityServer4.Models;

public static class Constants
{
    public const string ApiV1Scope = "api_v1";
    public const string FrontEndClientId = "front-end";
}

public class SystemClaims
{
    public const string UserIdClaim = "sub";
    public const string NameClaim = "name";
    public const string EmailClaim = "email";

    // User claims that the API resource asks to have included in its access tokens.
    public static string[] AllClaims = {
        UserIdClaim,
        NameClaim,
        EmailClaim
    };
}

public class IdentityServerConfiguration
{
    internal static IEnumerable<ApiResource> GetApiResources(string apiSecret)
    {
        if (string.IsNullOrEmpty(apiSecret))
            throw new ArgumentNullException(nameof(apiSecret));
        var result = new[]
        {
            new ApiResource(Constants.ApiV1Scope, "HTTP API")
            {
                ApiSecrets = {new Secret(apiSecret.Sha256())},
                UserClaims = SystemClaims.AllClaims
            }
        };
        return result;
    }

    internal static IEnumerable<Client> GetClients(string[] frontEndLocations)
    {
        // Reject both a null and an empty array (`frontEndLocations?.Length == 0` is false for null).
        if (frontEndLocations == null || frontEndLocations.Length == 0)
            throw new ArgumentNullException(nameof(frontEndLocations));
        return new[]
        {
            new Client
            {
                ClientId = Constants.FrontEndClientId,
                // Only the API scope is allowed; no identity scope (openid, profile, ...) is configured.
                // offline_access is granted through AllowOfflineAccess below.
                AllowedScopes = {Constants.ApiV1Scope},
                RequireClientSecret = false,
                AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
                AllowOfflineAccess = true,
                AllowAccessTokensViaBrowser = true,
                UpdateAccessTokenClaimsOnRefresh = true,
                AllowedCorsOrigins = frontEndLocations,
                RefreshTokenUsage = TokenUsage.OneTimeOnly,
                AccessTokenType = AccessTokenType.Jwt
            }
        };
    }
}
```

My access_token request looks like this:

```http
POST /connect/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=test&password=test&client_id=front-end
```

It returns a correct answer like this:

```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjM2NDg5RjM1NTUyNDI2MDdEOUYxMUMyOEQ1QUQzMDdDQTc1MTU2MUQiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJOa2lmTlZVa0pnZlo4UndvMWEwd2ZLZFJWaDAifQ.eyJuYmYiOjE0ODYyOTc0MDksImV4cCI6MTQ4NjMwMTAwOSwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzNzIiLCJhdWQiOlsiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzNzIvcmVzb3VyY2VzIiwiYXBpX3YxIl0sImNsaWVudF9pZCI6ImZyb250LWVuZCIsInN1YiI6IjkwIiwiYXV0aF90aW1lIjoxNDg2Mjk3NDA5LCJpZHAiOiJsb2NhbCIsIm5hbWUiOiLQotC10YHRgtC-0LLRi9C5INC60LvQuNC10L3RgiIsImVtYWlsIjoidGVzdEBtYWlsLnJ1Iiwic2NvcGUiOlsiYXBpX3YxIiwib2ZmbGluZV9hY2Nlc3MiXSwiYW1yIjpbInB3ZCJdfQ.dh-4wWwGuOjBHNlxLTRX2HFZy-pkbekTkikBE6LGv3WFGppOVGpAPeZQ_OtEWz16SY2aJHqfu1J4alWWoX3ySjBlBeJ0ifRCrs1nzTT7bSe7P8T9mORRMaqgYEnTkQ3WROPY2KywZny1W4LZ4sFUfIIBUZHhUCUb5gAX7MlHxVJaplg1h4u5_9G0GLOgvsLdkNm68lKrPnF5TtianycAjoJqaEQiACRqyLGEJ-AmqihXI8Nv_WI_1YjGh9tVsNSx6qWvaC3HCxVj4juu30ccHfKFobwuqhPje34c0FxK_5cXWjm78g2Xv0KV9KMREUtmR9oGjyq3a4w0cd19DN-lFg",
  "expires_in": 3600,
  "token_type": "Bearer",
  "refresh_token": "596d9e5e6841b75262ed2d632d70a1d14164ef80f741867cb0c93d9876f0d8da"
}
```

But when I refresh my token with

```http
POST /connect/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=596d9e5e6841b75262ed2d632d70a1d14164ef80f741867cb0c93d9876f0d8da&client_id=front-end
```

it returns something like this:

```json
{
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjM2NDg5RjM1NTUyNDI2MDdEOUYxMUMyOEQ1QUQzMDdDQTc1MTU2MUQiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJOa2lmTlZVa0pnZlo4UndvMWEwd2ZLZFJWaDAifQ.eyJuYmYiOjE0ODYyOTc0MzgsImV4cCI6MTQ4NjI5NzczOCwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzNzIiLCJhdWQiOiJmcm9udC1lbmQiLCJpYXQiOjE0ODYyOTc0MzgsImF0X2hhc2giOiJVMkZTNmJBY1Fia3NPNVF3WVAyT0VRIiwic3ViIjoiOTAiLCJhdXRoX3RpbWUiOjE0ODYyOTc0MDksImlkcCI6ImxvY2FsIiwiYW1yIjpbInB3ZCJdfQ.JkhQmMb00O4GEeHWPKCY1JsRFTAM-e2Xx8ilT8FPwydP1K6UnvpMPAhcirD8qR6ImXfis1tcLdrCCDx1Rox6j8hSofI6o-rtkpVJc5bMxI3RSWwr-5fIABhzrYRDMXUBKkWuuywRNxOIq9NCpqRKWjN124iy2s8o0rDrA9tC6Ix_ETF-UxGJGHvx_CJARCz_8GVhyCdMcFaZhShXCOko7fEvww2tkud2tcqndcY7ggLO4UhYvEfecU_sPqd4cPX3Gn7E2FgLC316LjXy0C73FiViHRokuG01csxToqhoLyGVScUegrTEX8ij3cc4TkqXzcNBSl2508J2xEepeUgAEA",
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjM2NDg5RjM1NTUyNDI2MDdEOUYxMUMyOEQ1QUQzMDdDQTc1MTU2MUQiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJOa2lmTlZVa0pnZlo4UndvMWEwd2ZLZFJWaDAifQ.eyJuYmYiOjE0ODYyOTc0MzgsImV4cCI6MTQ4NjMwMTAzOCwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzNzIiLCJhdWQiOlsiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzNzIvcmVzb3VyY2VzIiwiYXBpX3YxIl0sImNsaWVudF9pZCI6ImZyb250LWVuZCIsInN1YiI6IjkwIiwiYXV0aF90aW1lIjoxNDg2Mjk3NDA5LCJpZHAiOiJsb2NhbCIsIm5hbWUiOiLQotC10YHRgtC-0LLRi9C5INC60LvQuNC10L3RgiIsImVtYWlsIjoidGVzdEBtYWlsLnJ1Iiwic2NvcGUiOlsiYXBpX3YxIiwib2ZmbGluZV9hY2Nlc3MiXSwiYW1yIjpbInB3ZCJdfQ.P3emTNUg7kheLN-W3cmsygHdMiG26GWZX9LhryF2PIqeh9TZoj9gS4-UmEgXeISqyZgepSh0VuRI5KNhiMRnfKxwBApnkZ5MqNhHXifpnRHgI4RQ2acZkeEEGMEsJ-ilo5EX7PWzcJu6YGPmGX68cer3TT2dqSaqca6-XpP5Y4AyOEY4dEVs4M2JSHzAj92wBN_kHDfG44sU7CAzpoqo9znISO9TgnzNKvjHHu1NeipHcvvmXpOlBBoMU-1yIflmVsQijwIXyCi97654xEo3T1yk1pIKGCFqbeXFJM95K85F137qkK3JTau6jQP-Rzp3icbIRlSw5RCNXi4UCEPXYA",
  "expires_in": 3600,
  "token_type": "Bearer",
  "refresh_token": "d9b86b7b92c42da801c383f58dcd2d9bb89d406d28363015fb1770f54959da9b"
}
```

But I don't ask Idsrv4 for an id_token in my config! I think Idsrv4 should check the scopes for openid and return an id_token only if it was requested with an identity scope.

P.S. - sorry for my English.
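As an added example (not code from this issue or from the IdentityServer4 project), the following Python script models the check the issue asks the server to make and applies it from the consuming side: it reads the granted scopes from the access token's `scope` claim and flags a response that carries an `id_token` although `openid` was never granted, which is exactly the shape of the refresh response above. The responses and tokens are constructed stand-ins for the two responses in the issue; `make_unsigned_jwt` with its placeholder signature is an assumption for the demo, and `jwt_payload` only decodes claims for inspection and does not verify signatures.

```python
"""Audit a token-endpoint response for an id_token that was never requested.

Constructed example modelling the issue's two responses (password grant,
then refresh_token grant). Claims and token values are made up for the demo.
"""
import base64
import json
from typing import Any, Dict, List

IDENTITY_SCOPE = "openid"


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_payload(token: str) -> Dict[str, Any]:
    """Read the claims of a compact JWS for inspection only; the signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def make_unsigned_jwt(claims: Dict[str, Any]) -> str:
    """Constructed test token (assumption for the demo): real header/payload layout,
    placeholder signature segment."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


def audit_token_response(response: Dict[str, Any]) -> List[str]:
    """Return findings; an empty list means the response matches its granted scopes.

    Granted scopes are read from the access_token's "scope" claim, which is where
    IdentityServer4 records them (the issue's token carries ["api_v1", "offline_access"]).
    """
    findings: List[str] = []
    at_claims = jwt_payload(response["access_token"])
    scopes = at_claims.get("scope", [])
    if isinstance(scopes, str):  # some servers emit a space-delimited string instead of a list
        scopes = scopes.split()
    has_openid = IDENTITY_SCOPE in scopes

    if "id_token" in response:
        if not has_openid:
            findings.append("id_token issued although 'openid' was not among the granted scopes")
        idt = jwt_payload(response["id_token"])
        # An id_token is addressed to the client, not to the API; a mismatch is a second red flag.
        if idt.get("aud") != at_claims.get("client_id"):
            findings.append("id_token audience does not match the requesting client_id")
        if idt.get("sub") != at_claims.get("sub"):
            findings.append("id_token subject differs from access_token subject")
    if "refresh_token" in response and "offline_access" not in scopes:
        findings.append("refresh_token issued although 'offline_access' was not granted")
    return findings


# Constructed stand-ins for the two responses shown in the issue.
ACCESS_CLAIMS = {
    "iss": "https://localhost:44372",
    "aud": ["https://localhost:44372/resources", "api_v1"],
    "client_id": "front-end",
    "sub": "90",
    "scope": ["api_v1", "offline_access"],
}
ID_CLAIMS = {"iss": "https://localhost:44372", "aud": "front-end", "sub": "90"}

PASSWORD_GRANT_RESPONSE = {
    "access_token": make_unsigned_jwt(ACCESS_CLAIMS),
    "expires_in": 3600,
    "token_type": "Bearer",
    "refresh_token": "constructed-refresh-token-1",
}
REFRESH_GRANT_RESPONSE = {
    "id_token": make_unsigned_jwt(ID_CLAIMS),  # the token the issue did not ask for
    **PASSWORD_GRANT_RESPONSE,
    "refresh_token": "constructed-refresh-token-2",
}
OPENID_RESPONSE = {  # what a request that did include "openid" may legitimately return
    "id_token": make_unsigned_jwt(ID_CLAIMS),
    "access_token": make_unsigned_jwt({**ACCESS_CLAIMS, "scope": ["openid", "api_v1", "offline_access"]}),
    "expires_in": 3600,
    "token_type": "Bearer",
}

if __name__ == "__main__":
    for name, resp in [("password grant", PASSWORD_GRANT_RESPONSE),
                       ("refresh grant", REFRESH_GRANT_RESPONSE),
                       ("openid refresh", OPENID_RESPONSE)]:
        print(f"{name}: {audit_token_response(resp) or 'OK'}")
```

A check like this belongs in the client's integration tests or in whatever code consumes the token response, so that a server regression of this kind is caught rather than silently handing the front end an identity token it never asked for. The audience and subject comparisons use the OpenID Connect rule that an id_token's `aud` is the client_id and its `sub` is the same end user as the access token.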

@leastprivilege (Member)

I agree that this is odd behavior. We'll look into it. Thanks!

@leastprivilege leastprivilege self-assigned this Feb 5, 2017
@leastprivilege leastprivilege added this to the 1.1.1 milestone Feb 5, 2017
@leastprivilege leastprivilege changed the title How to disable id_token generation on response when refresh token. Refresh requests should not return identity tokens if no identity scopes were requested Feb 15, 2017
@leastprivilege (Member)

done

github-actions bot commented Jun 1, 2021

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 1, 2021