DuendeSoftware/IdentityServer

Fall back to other token types when passed an invalid token_type_hint

YC opened this issue · 2 comments

YC commented

Which version of Duende IdentityServer are you using?
7.0.5

Which version of .NET are you using?
.NET 8

Describe the bug
Hitting the introspection endpoint with access token and invalid token_type_hint fails.

To Reproduce

  1. Get valid access token.
  2. Send request to token introspection endpoint with valid access token as token, valid client_id, valid client_secret, and invalid token_type_hint such as abc and refresh_token.
  3. Results in 400 with {"error": "invalid_request"} and 200 with {"active":false} respectively.

Expected behavior
Introspection should succeed.
Per RFC 7662:

If the
server is unable to locate the token using the given hint, it MUST
extend its search across all of its supported token types.  

Log output/exception with stacktrace
Note that some lines were omitted or redacted.

IdentityServer 6 (Previously successful)

2024-07-09 23:50:18.971 -07:00 [DBG] Introspection request validation started.
2024-07-09 23:50:18.979 -07:00 [VRB] Start access token validation
2024-07-09 23:50:19.026 -07:00 [DBG] Calling into custom token validator: Duende.IdentityServer.Validation.DefaultCustomTokenValidator
2024-07-09 23:50:19.027 -07:00 [DBG] Token validation success
2024-07-09 23:50:19.028 -07:00 [DBG] Introspection request validation successful.
2024-07-09 23:50:21.593 -07:00 [INF] Success token introspection. Token active: true, for API name: ***
2024-07-09 23:50:21.594 -07:00 [INF] Request finished HTTP/2 POST https://*** - 200 null application/json; charset=UTF-8 129.7857ms

IdentityServer 7 (Failure in IdentityServer 7)

2024-07-10 00:08:38.320 -07:00 [DBG] ApiResource making introspection request: ***
2024-07-10 00:08:38.320 -07:00 [VRB] Calling into introspection request validator: Duende.IdentityServer.Validation.IntrospectionRequestValidator
2024-07-10 00:08:38.320 -07:00 [DBG] Introspection request validation started.
2024-07-10 00:08:38.320 -07:00 [ERR] Invalid token type hint: abc
2024-07-10 00:08:38.320 -07:00 [ERR] Failed token introspection: invalid_request, for caller: ***
2024-07-10 00:08:38.320 -07:00 [VRB] Invoking result: Duende.IdentityServer.Endpoints.Results.BadRequestResult
2024-07-10 00:08:38.320 -07:00 [VRB] The response for the request is:
400: {"error":"invalid_request"}
2024-07-10 00:08:38.320 -07:00 [INF] Request finished HTTP/2 POST https://***/connect/introspect - 400 null application/json; charset=UTF-8 6.2499ms
2024-07-09 23:59:48.669 -07:00 [DBG] ApiResource making introspection request: ***
2024-07-09 23:59:48.669 -07:00 [VRB] Calling into introspection request validator: Duende.IdentityServer.Validation.IntrospectionRequestValidator
2024-07-09 23:59:48.669 -07:00 [DBG] Introspection request validation started.
2024-07-09 23:59:48.669 -07:00 [DBG] Token type hint found in request: refresh_token
2024-07-09 23:59:48.669 -07:00 [DBG] Token is invalid.
2024-07-09 23:59:48.669 -07:00 [VRB] Calling into introspection response generator: Duende.IdentityServer.ResponseHandling.IntrospectionResponseGenerator
2024-07-09 23:59:48.669 -07:00 [VRB] Creating introspection response
2024-07-09 23:59:48.669 -07:00 [DBG] Creating introspection response for inactive token.
2024-07-09 23:59:48.669 -07:00 [INF] Success token introspection. Token active: false, for caller: ***
2024-07-09 23:59:48.669 -07:00 [VRB] Invoking result: Duende.IdentityServer.Endpoints.Results.IntrospectionResult
2024-07-09 23:59:48.669 -07:00 [VRB] The response for the request is:
200: {"active":false}
2024-07-09 23:59:48.669 -07:00 [INF] Request finished HTTP/2 POST https://***/connect/introspect - 200 null application/json; charset=UTF-8 6.136ms

Additional context
#1334, IntrospectionRequestValidator.cs

Thank you for your detailed bug report. We are indeed not doing the right thing according to the spec and will fix this.

Is this anything that is urgent for you to get fixed?

YC commented

Not urgent, thanks.