Token Cache Key Does Not Consider Updated Scopes, Leading to Stale Tokens

Question

Token Cache Key Does Not Consider Updated Scopes, Leading to Stale Tokens

Closed this issue 23 days ago · 3 comments

PratikPatel-Mtech commented 2 months ago

Which version of Duende.AccessTokenManagement are you using?
Version 2.1.1 - also tried using the latest version 3.0.0.

Which version of .NET are you using?
Version 8.0

Describe the bug
The TokenRequestParameters, such as scopes and resources, are not considered when building a token cache key (Distributed Cache using Redis). The key is only generated based on the TokenClientName. This causes an issue when new scopes are added to the client, as it continues using the old cached token.

To Reproduce

Configure the client using AddClient, setting the scope to user:read and the client name to UserClient. The service will invoke the GET: /v1/users API.
Run the application and invoke the code that calls the GET: /v1/users API. Verify that the token is cached using the cleitn name UserClient key.
Now, add another scope, user:write, to invoke the POST: /v1/users API.
Run the application again and invoke the code that calls the POST: /v1/users API. It will return a 403 error because the cached token is still being used, and it doesn’t include the new user:write scope.

Expected behavior

The token cache key should be generated using both the TokenClientName and the scopes from the TokenRequestParameters. When new scopes or resources are added, the token cache key should be updated to reflect these changes, ensuring that the correct token is used for API calls.

Upon reviewing the method responsible for generating the cache key, it appears that the code to include scopes is present, but the required parameter is not passed from the caller. The missing parameter for scopes should be passed to the cache key generation method to avoid using stale tokens.

Answer 1 · 2024-10-02T12:00:55.000Z

Thanks for your detailed analysis.
Can you tell us a bit more about why you need to request an extra scope? Please give us a bit more insight into your real world scenario so we can determine if the code as it is needs a change.

Answer 2 · 2024-10-16T09:51:41.000Z

@PratikPatel-Mtech Would you like to follow up on this? If so feel free to do so. If not I'll close the issue.

Answer 3 · 2024-10-24T08:47:36.000Z

Closing the issue due to inactivity, but feel free to add a comment if you want to follow up.