-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Request: refresh 'id_token' w/ 'access_token' #53
Comments
The logout is described in the OpenID Connect RP-Initiated Logout 1.0 spec. Section 2 states that:
The interpretation of SHOULD is defined in RFC2119 as
To me, it looks like an OP should not validate the |
@AndersAbel thank you for your feedback and for chiming in on the linked post! |
The Duende.AccessTokenManagement library is, as the name implies, all about access token management. We never really considered the The only use we see for the Our conclusion is that we will not make any changes to the library to automatically save the |
https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
We don't currently implement this, I think we should cc @josephdecock |
As far as I can see, we do implement this correctly on the IdentityServer side. The question in this issue is about Duende.AccessTokenManagement not making the new id_token available. This is an original id_token as issued at login time:
And this is the corresponding id_token returned from token endpoint from the refresh token flow:
My suggestion for this issue is to make the refreshed id_token available from the refresh result, but we should not store it automatically. |
Which version of Duende IdentityServer are you using?
I am using only
Duende.AccessTokenManagement
, version 2.0.3.Which version of .NET are you using?
.NET 8 RC2.
Describe the bug
This is a feature request. I apologize if this is not the right forum. I tried to find the right path from the here.
I saw this mentioned and closed previously here:
IdentityModel/IdentityModel.AspNetCore#291
We are using a 3rd-party IDP (Ping Identity) and, if we try to sign out using the normal
SignOutAsync()
after the id_token has expired, we receive an error that the id token is expired.I can see that the new id_token is returned with the refresh call, but in the current implementation of this library, it is dropped rather than returned with the user token and stored in the cookie.
I've put together a very simple bit of code that unfortunately has to duplicate some of your internal logic to refresh the id_token with the rest of them, e.g. similar to what is seen here:
https://devforum.okta.com/t/get-token-from-asp-net-core-to-pass-to-backend-as-verification/5914/6
And confirmed that this does work.
Given there may be other IDPs with this challenge, is it possible you may revisit refreshing the id_token along with the access_token and refresh_token?
To Reproduce
Output an id_token, access_token, and refresh_token before calling e.g.
HttpContext.GetUserAccessTokenAsync()
. Note that afterward only the access_token and refresh_token were updated / persisted.Expected behavior
I'd like to see, either OOTB or optionally, the id_token returned when using a refresh_token returned in the
UserToken
object and persisted in the store / cookie.Additional context
You can see the report on this to the IDP (Ping) here: pingidentity/pingone-sample-dotnet#8
The text was updated successfully, but these errors were encountered: