DuendeSoftware/Support

Include error description into `invalid_grant` validation result in `TokenRequestValidator`

Closed this issue · 4 comments

Which version of Duende IdentityServer are you using?
7.0.6

Which version of .NET are you using?
.NET 8

Describe the bug
There is no error description in the validation result model when the returned error is invalid_grant.

To Reproduce
During refresh, put in a refresh token that is longer than InputLengthRestrictions.RefreshToken; this applies to every invalid_grant result, though.

Expected behavior
Besides having logs, it would be better to have errorDescription in the validation result.
That way clients won't need to reach out to us for an explanation of what has happened during the action since errorDescription will be supplied.
Also, it will help applications with a zero-log policy.

Log output/exception with stacktrace
n/a

Additional context
n/a

Details in the validation result, although convenient for your clients, would also be very interesting for potential attackers. They tend to try a large number of parameter combinations on endpoints and see what the response is to find potential vulnerabilities. That's the reason we're not including any details in the response.

@kollabara Would you like to add anything to this issue? Feel free to do so. If not, I'll close the issue.

I'll go ahead and close this for now. Please feel free to add if you'd like to add anything.

Hello @RolandGuijt, that makes sense.

On the other hand, would it be possible to lower the severity of these logs from Error -> Warning? On a high-volume load our logs are spammed with IdentityServer Errors.

Same as for this ticket - Issue-1547

Thank you
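The split Roland describes (full reason in the server log, only a bare `invalid_grant` in the response) together with the log-level request from the last comment, as an added Python sketch; it is not IdentityServer code, and `MAX_REFRESH_TOKEN_LENGTH`, the token store and the function names are constructed stand-ins for `InputLengthRestrictions.RefreshToken` and `TokenRequestValidator`. The last helper shows why the maintainers keep `error_description` out: with the leaky variant the two failure causes produce different responses, so the endpoint acts as an oracle; with the hardened variant they are indistinguishable.

```python
import logging
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("token_request_validator")
# Constructed limit standing in for InputLengthRestrictions.RefreshToken.
MAX_REFRESH_TOKEN_LENGTH = 32
# Constructed store of issued refresh tokens -> subject id.
ISSUED_REFRESH_TOKENS = {"rt-abc123": "user-1"}

@dataclass(frozen=True)
class ValidationResult:
    is_error: bool
    error: Optional[str] = None
    error_description: Optional[str] = None
    subject: Optional[str] = None

def _failure_reason(token: str) -> Optional[str]:
    """Detailed reason a refresh_token grant fails, or None if it is acceptable."""
    if len(token) > MAX_REFRESH_TOKEN_LENGTH:
        return "refresh_token exceeds InputLengthRestrictions.RefreshToken"
    if token not in ISSUED_REFRESH_TOKENS:
        return "refresh_token not found in store"
    return None

def validate_leaky(token: str) -> ValidationResult:
    """Anti-pattern: the detailed reason goes back to the caller as error_description."""
    reason = _failure_reason(token)
    if reason:
        return ValidationResult(True, "invalid_grant", reason)
    return ValidationResult(False, subject=ISSUED_REFRESH_TOKENS[token])

def validate(token: str, level: int = logging.WARNING) -> ValidationResult:
    """Hardened form: the reason is logged server-side at the chosen level (Warning
    here, as the reporter asks for) and the client gets only the bare invalid_grant."""
    reason = _failure_reason(token)
    if reason:
        log.log(level, "refresh_token grant rejected: %s", reason)
        return ValidationResult(True, "invalid_grant")
    return ValidationResult(False, subject=ISSUED_REFRESH_TOKENS[token])

def responses_distinguish_causes(validator) -> bool:
    """True if a caller can tell the two failure causes apart from the responses
    alone, i.e. the token endpoint leaks which check failed."""
    too_long = validator("x" * (MAX_REFRESH_TOKEN_LENGTH + 1))
    unknown = validator("rt-not-issued")
    return too_long != unknown
```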