Fall back to other token types when passed an invalid token_type_hint
YC opened this issue · 2 comments
YC commented
Which version of Duende IdentityServer are you using?
7.0.5
Which version of .NET are you using?
.NET 8
Describe the bug
Hitting the introspection endpoint with an access token and an invalid token_type_hint fails.
To Reproduce
- Get a valid access token.
- Send a request to the token introspection endpoint with the valid access token as `token`, a valid `client_id`, a valid `client_secret`, and an invalid `token_type_hint` such as `abc` and `refresh_token`.
- Results in 400 with `{"error": "invalid_request"}` and 200 with `{"active":false}` respectively.
Expected behavior
Introspection should succeed.
Per RFC 7662:
> If the server is unable to locate the token using the given hint, it MUST extend its search across all of its supported token types.
Log output/exception with stacktrace
Note that some lines were omitted or redacted.
IdentityServer 6 (Previously successful)
2024-07-09 23:50:18.971 -07:00 [DBG] Introspection request validation started.
2024-07-09 23:50:18.979 -07:00 [VRB] Start access token validation
2024-07-09 23:50:19.026 -07:00 [DBG] Calling into custom token validator: Duende.IdentityServer.Validation.DefaultCustomTokenValidator
2024-07-09 23:50:19.027 -07:00 [DBG] Token validation success
2024-07-09 23:50:19.028 -07:00 [DBG] Introspection request validation successful.
2024-07-09 23:50:21.593 -07:00 [INF] Success token introspection. Token active: true, for API name: ***
2024-07-09 23:50:21.594 -07:00 [INF] Request finished HTTP/2 POST https://*** - 200 null application/json; charset=UTF-8 129.7857ms
IdentityServer 7 (Failure in IdentityServer 7)
2024-07-10 00:08:38.320 -07:00 [DBG] ApiResource making introspection request: ***
2024-07-10 00:08:38.320 -07:00 [VRB] Calling into introspection request validator: Duende.IdentityServer.Validation.IntrospectionRequestValidator
2024-07-10 00:08:38.320 -07:00 [DBG] Introspection request validation started.
2024-07-10 00:08:38.320 -07:00 [ERR] Invalid token type hint: abc
2024-07-10 00:08:38.320 -07:00 [ERR] Failed token introspection: invalid_request, for caller: ***
2024-07-10 00:08:38.320 -07:00 [VRB] Invoking result: Duende.IdentityServer.Endpoints.Results.BadRequestResult
2024-07-10 00:08:38.320 -07:00 [VRB] The response for the request is:
400: {"error":"invalid_request"}
2024-07-10 00:08:38.320 -07:00 [INF] Request finished HTTP/2 POST https://***/connect/introspect - 400 null application/json; charset=UTF-8 6.2499ms
2024-07-09 23:59:48.669 -07:00 [DBG] ApiResource making introspection request: ***
2024-07-09 23:59:48.669 -07:00 [VRB] Calling into introspection request validator: Duende.IdentityServer.Validation.IntrospectionRequestValidator
2024-07-09 23:59:48.669 -07:00 [DBG] Introspection request validation started.
2024-07-09 23:59:48.669 -07:00 [DBG] Token type hint found in request: refresh_token
2024-07-09 23:59:48.669 -07:00 [DBG] Token is invalid.
2024-07-09 23:59:48.669 -07:00 [VRB] Calling into introspection response generator: Duende.IdentityServer.ResponseHandling.IntrospectionResponseGenerator
2024-07-09 23:59:48.669 -07:00 [VRB] Creating introspection response
2024-07-09 23:59:48.669 -07:00 [DBG] Creating introspection response for inactive token.
2024-07-09 23:59:48.669 -07:00 [INF] Success token introspection. Token active: false, for caller: ***
2024-07-09 23:59:48.669 -07:00 [VRB] Invoking result: Duende.IdentityServer.Endpoints.Results.IntrospectionResult
2024-07-09 23:59:48.669 -07:00 [VRB] The response for the request is:
200: {"active":false}
2024-07-09 23:59:48.669 -07:00 [INF] Request finished HTTP/2 POST https://***/connect/introspect - 200 null application/json; charset=UTF-8 6.136ms
Additional context
#1334, IntrospectionRequestValidator.cs
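Added illustration of the lookup order RFC 7662 requires (this is not Duende's code; `IntrospectionLookup`, the per-type token stores and the token values are constructed for the example): the hint only decides which token type is searched first, an unrecognised hint such as `abc` is ignored rather than rejected, and the search extends across every supported type before the token is reported inactive.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical lookup that follows RFC 7662 section 2.1: the hint orders the
// search, it never short-circuits it, and an unknown hint is not an error.
public sealed class IntrospectionLookup
{
    // Constructed stores keyed by token type name. A real server would call its
    // access token validator and its grant store instead of checking a set.
    private readonly IReadOnlyDictionary<string, HashSet<string>> _stores;

    public IntrospectionLookup(IReadOnlyDictionary<string, HashSet<string>> stores)
        => _stores = stores;

    // Returns the token type under which the token is active, or null when the
    // token is active under none of the supported types ({"active": false}).
    public string? FindActiveToken(string token, string? tokenTypeHint)
    {
        // Default search order is every supported type.
        var order = _stores.Keys.ToList();

        // Recognised hint: move that type to the front. Missing or unknown
        // hint (e.g. "abc"): keep the default order, do not reject the request.
        if (tokenTypeHint is not null && _stores.ContainsKey(tokenTypeHint))
        {
            order.Remove(tokenTypeHint);
            order.Insert(0, tokenTypeHint);
        }

        // Hint was wrong (e.g. "refresh_token" for an access token): the loop
        // simply continues to the remaining types instead of giving up.
        foreach (var type in order)
        {
            if (_stores[type].Contains(token))
                return type;
        }
        return null;
    }

    public static void Main()
    {
        var lookup = new IntrospectionLookup(new Dictionary<string, HashSet<string>>
        {
            ["access_token"]  = new() { "at-123" },   // constructed sample values
            ["refresh_token"] = new() { "rt-456" },
        });

        // Both cases from the report must resolve to "access_token", not fail.
        Console.WriteLine(lookup.FindActiveToken("at-123", "abc"));
        Console.WriteLine(lookup.FindActiveToken("at-123", "refresh_token"));
        Console.WriteLine(lookup.FindActiveToken("unknown", null) ?? "inactive");
    }
}
```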
AndersAbel commented
Thank you for your detailed bug report. We are indeed not doing the right thing according to the spec and will fix this.
Is this anything that is urgent for you to get fixed?
YC commented
Not urgent, thanks.