Rashed

Reputation: 31

Openiddict 4.2.0 upgrade causes missing audience in access_token but works with 3.0.3

We have an application that uses openiddict 3.0.3 with .net 5.0. Now we are upgrading to .net 7.0 and wanted to upgrade openiddict to 4.2.0, but unfortunately it doesn't work. We found that the access_token doesn't contain the audience property. The following decoded token, for example, contains 'aud':

{
  "sub": "admin",
  "oi_prst": "postman",
  "oi_au_id": "172421a9-ac85-4040-8045-2a7505fa447d",
  "aud": "api",
  "client_id": "postman",
  "oi_tkn_id": "02df2c16-9881-46d1-9f69-36fa69192d86",
  "scope": "api openid",
  "exp": 1682342328,
  "iss": "https://localhost:44330/",
  "iat": 1682338728
}

But that is absent in the token generated with openiddict 4.2.0.

Here is my code sample:

using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using OpenIddict.Abstractions;
using OpenIddict.Server.AspNetCore;

// Inside the token endpoint action of the authorization controller.
var request = HttpContext.GetOpenIddictServerRequest()
    ?? throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");

var app = await applicationManager.FindByClientIdAsync(request.ClientId)
    ?? throw new InvalidOperationException("The application cannot be found.");

// The audience for this client is stored in the application's custom properties under "aud".
var properties = await applicationManager.GetPropertiesAsync(app);
string audience = properties[OpenIddictConstants.Claims.Audience].GetString();

// Re-authenticate the incoming grant to get the principal produced by OpenIddict.
ClaimsPrincipal claimsPrincipal =
    (await HttpContext.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme)).Principal;

// Add "aud" directly as a claim destined for the access token (this worked with 3.0.3).
var identity = (ClaimsIdentity)claimsPrincipal.Identity;
identity.AddClaim(OpenIddictConstants.Claims.Audience,
                  audience,
                  OpenIddictConstants.Destinations.AccessToken);

var resp = SignIn(claimsPrincipal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);

I found (by debugging) that 'aud' is there in the resp object but not in the token.

Does it make any sense? Do I need to update the code or any configuration for version 4.2.0?

I have tried to find on Google whether anyone has had a similar issue, but didn't find anything. I have also checked a couple of times whether the openiddict version is causing the issue, and found that yes, it is.

Upvotes: 3

Views: 606

Answers (1)

Kévin Chalet

Reputation: 42020

Use principal.SetResources("api_audience") to set the list of resources that will be used as audiences for the access tokens.

Upvotes: 1
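The answer applied to the question's token endpoint, as an added example that is not the asker's code or OpenIddict's own: the audience is attached with `principal.SetResources(...)` instead of a hand-added "aud" claim, and destinations are set explicitly. It assumes, as in the question, that the client's audience is stored in the application properties under the "aud" key, and that the controller is named `AuthorizationController` (a hypothetical name).

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using OpenIddict.Abstractions;
using OpenIddict.Server.AspNetCore;
using static OpenIddict.Abstractions.OpenIddictConstants;

public class AuthorizationController : Controller
{
    private readonly IOpenIddictApplicationManager _applicationManager;

    public AuthorizationController(IOpenIddictApplicationManager applicationManager)
        => _applicationManager = applicationManager;

    [HttpPost("~/connect/token")]
    public async Task<IActionResult> Exchange()
    {
        var request = HttpContext.GetOpenIddictServerRequest()
            ?? throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");

        // Re-authenticate the incoming grant (authorization code, refresh token, ...)
        // to obtain the principal OpenIddict built for it.
        var result = await HttpContext.AuthenticateAsync(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
        var principal = result.Principal
            ?? throw new InvalidOperationException("The principal could not be retrieved.");

        var application = await _applicationManager.FindByClientIdAsync(request.ClientId!)
            ?? throw new InvalidOperationException("The application cannot be found.");

        // Assumption (from the question): the audience lives in the app's properties under "aud".
        var properties = await _applicationManager.GetPropertiesAsync(application);
        var audience = properties[Claims.Audience].GetString()
            ?? throw new InvalidOperationException("No audience is configured for this client.");

        // Per the accepted answer: in 4.x the access token's "aud" comes from the
        // principal's resources, so register the audience here rather than as a raw claim.
        principal.SetResources(audience);

        // Destinations still decide which claims are copied into which token;
        // only "sub" is allowed into the identity token in this example.
        principal.SetDestinations(claim => claim.Type switch
        {
            Claims.Subject => new[] { Destinations.AccessToken, Destinations.IdentityToken },
            _ => new[] { Destinations.AccessToken }
        });

        return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
    }
}
```

The resource server should enforce the same value (for the OpenIddict validation handler, `options.AddAudiences("api")`), so that a token issued without the expected audience is rejected rather than silently accepted.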
