IS3 added an `aud: Is3BaseAddr/resources` claim to the access token for the requested scopes `openid offline_access`.
But IS4 does not add an `aud` claim at all unless the client requests a particular scope.
The main difference between the IS3 and IS4 configurations is that in IS3 no resource is defined, so I made an experiment and removed the resources, but there is still no audience among the claims.
How do I make IS4 add this value to the access token?
I do not know whether it is the best option, but I did it this way:
```csharp
using IdentityServer4.Configuration;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using System;
using System.Threading.Tasks;

// Wraps the default token creation service: when IS4 produced no audience at all,
// fall back to a configured default (e.g. "{issuer}/resources") before signing.
public sealed class TokenCreationWithDefaultAudienceService : DefaultTokenCreationService
{
    private readonly Settings _settings;

    public TokenCreationWithDefaultAudienceService(
        Settings settings,
        ISystemClock clock, IKeyMaterialService keys, IdentityServerOptions options,
        ILogger<TokenCreationWithDefaultAudienceService> logger)
        : base(clock, keys, options, logger)
    {
        _settings = settings ?? throw new ArgumentNullException(nameof(settings));
    }

    public override Task<string> CreateTokenAsync(Token token)
    {
        // Only add the default audience when none was set; never override an explicit one.
        if (token.Audiences.Count == 0 && !string.IsNullOrEmpty(_settings.DefaultAudience))
        {
            token.Audiences.Add(_settings.DefaultAudience);
        }
        return base.CreateTokenAsync(token);
    }

    public sealed class Settings
    {
        public string DefaultAudience { get; }

        public Settings(string defaultAudience)
        {
            // A blank or whitespace-only value means "no default audience".
            DefaultAudience = string.IsNullOrWhiteSpace(defaultAudience) ? null : defaultAudience;
        }
    }
}
```
why?
@leastprivilege, because IS3 Access Token audience validation requires resources.
We have APIs which use IS3 `UseIdentityServerBearerTokenAuthentication`.
OK - well, your above workaround looks fine to me.
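The exchange above comes down to audience validation on the API side: an IS3-style bearer middleware expects `aud` to equal `{issuer}/resources`, so a token with no `aud` claim is rejected before any scope is checked. The following is an added example (not code from this thread or from IdentityServer) that reproduces that check with `System.IdentityModel.Tokens.Jwt`: it mints three tokens (no audience, as IS4 does by default; a wrong audience; and the `/resources` audience the workaround injects) and runs each through validation parameters that enforce issuer, signature, lifetime and audience. The issuer, audience and the symmetric signing key are constructed sample values; IdentityServer itself signs with asymmetric keys.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class AudienceValidationDemo
{
    const string Issuer = "https://idsrv.example.com";       // hypothetical IS base address
    const string ResourcesAudience = Issuer + "/resources";   // IS3-style expected audience

    // Constructed demo key (HS256). Real deployments validate against the issuer's public RSA key.
    static readonly SymmetricSecurityKey SigningKey =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-key-must-be-at-least-32-bytes-long!"));

    // Mints a short-lived access token; pass null to mimic IS4 omitting "aud" entirely.
    public static string CreateAccessToken(string audience)
    {
        var creds = new SigningCredentials(SigningKey, SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: audience,
            claims: new[] { new Claim("scope", "openid"), new Claim("scope", "offline_access") },
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // API-side check: issuer, signature, lifetime and audience are all enforced.
    // Returns false with the exception type name when the token is rejected.
    public static bool IsAccepted(string jwt, out string reason)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = ResourcesAudience,
            IssuerSigningKey = SigningKey,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromSeconds(30),
        };

        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            reason = "ok";
            return true;
        }
        catch (SecurityTokenException ex)
        {
            // Missing and mismatched "aud" both surface as SecurityTokenInvalidAudienceException.
            reason = ex.GetType().Name;
            return false;
        }
    }

    public static void Main()
    {
        foreach (var aud in new[] { (string)null, "https://other-api.example.com", ResourcesAudience })
        {
            var jwt = CreateAccessToken(aud);
            var accepted = IsAccepted(jwt, out var reason);
            Console.WriteLine($"aud={aud ?? "<missing>"} -> {(accepted ? "accepted" : "rejected")} ({reason})");
        }
    }
}
```

Only the third token is accepted. Leaving `ValidateAudience` enabled on the API is the part that matters: switching it off would let a token minted for any other API (or for no API) be replayed against this one, which is exactly the confusion the `aud` claim exists to prevent.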
Great work voroninp! This one saved my bacon since we are making the jump from IdServer2 to 4, and running non-core.
@deniedOne We hit so many issues migrating from IS3 to IS4 that it took us about 2 months instead of the initially estimated two weeks. But most of them were not caused by the new version of IS per se, rather by other services each validating tokens in their own way. That was a mess.
I added a flag in the latest release to bring the /resources audience back for backwards compat.
One more step for backwards compatibility:
```csharp
using IdentityModel;
using IdentityServer4.Services;
using IdentityServer4.Stores;
using IdentityServer4.Stores.Serialization;
using Microsoft.Extensions.Logging;
using System.Security.Cryptography;
using System.Text;

namespace Luscii.Identity.Core.Services
{
    // Keeps IS3's refresh-token key derivation (SHA-256, Base64Url-encoded) so that
    // refresh tokens persisted under IS3 can still be looked up after migrating to IS4.
    public sealed class RefreshTokenStoreWithIS3KeyHashing : DefaultRefreshTokenStore
    {
        public RefreshTokenStoreWithIS3KeyHashing(
            IPersistedGrantStore store, IPersistentGrantSerializer serializer,
            IHandleGenerationService handleGenerationService,
            ILogger<RefreshTokenStoreWithIS3KeyHashing> logger)
            : base(store, serializer, handleGenerationService, logger)
        {
        }

        protected override string GetHashedKey(string value)
        {
            // HashAlgorithm instances are not thread-safe, so create one per call
            // rather than sharing a static instance across concurrent requests.
            using (var sha256 = SHA256.Create())
            {
                var bytes = Encoding.UTF8.GetBytes(value);
                var hashedBytes = sha256.ComputeHash(bytes);
                return Base64Url.Encode(hashedBytes);
            }
        }
    }
}
```
@leastprivilege Thanks Dom, and not just for this issue, but for the product support. I'm new to all of this so it's a lot to take in, but a lot of resources, examples, etc. will surely get me going.