Session ID is lost during Token Exchange #1312
Comments
And this together with the slow token cleanup query is a bad combination #1304
Have you tried copying the session id into the custom claims? We don't automatically copy the sid forward into an exchanged token because depending on the semantics of the exchange that may or may not be appropriate. But I can't think of anything that would prevent that from working.
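As an added illustration of the workaround suggested in the comment above (this is not code from the issue reporter or from Duende), the following extension-grant validator handles the token-exchange grant, validates the incoming subject token, and copies its sid claim forward into the claims of the exchanged token. It assumes Duende IdentityServer's IExtensionGrantValidator, ExtensionGrantValidationContext, GrantValidationResult and ITokenValidator types and the IdentityModel constants (OidcConstants, JwtClaimTypes); check these against the version you run, since the issue itself does not show them.

```csharp
// Added example, not code from the issue or from Duende IdentityServer.
// Assumed types: IExtensionGrantValidator, ExtensionGrantValidationContext,
// GrantValidationResult, ITokenValidator (Duende.IdentityServer.Validation),
// TokenRequestErrors (Duende.IdentityServer.Models), OidcConstants and
// JwtClaimTypes (IdentityModel). Verify against your installed version.
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Duende.IdentityServer.Models;
using Duende.IdentityServer.Validation;
using IdentityModel;

public class SessionAwareTokenExchangeValidator : IExtensionGrantValidator
{
    private readonly ITokenValidator _tokenValidator;

    public SessionAwareTokenExchangeValidator(ITokenValidator tokenValidator)
    {
        _tokenValidator = tokenValidator;
    }

    // urn:ietf:params:oauth:grant-type:token-exchange
    public string GrantType => OidcConstants.GrantTypes.TokenExchange;

    public async Task ValidateAsync(ExtensionGrantValidationContext context)
    {
        // Start from a failure result and only replace it once every check passes.
        context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest);

        var subjectToken = context.Request.Raw.Get(OidcConstants.TokenRequest.SubjectToken);
        var subjectTokenType = context.Request.Raw.Get(OidcConstants.TokenRequest.SubjectTokenType);

        // Only accept access tokens issued by this server as the subject token.
        if (string.IsNullOrWhiteSpace(subjectToken) ||
            subjectTokenType != OidcConstants.TokenTypeIdentifiers.AccessToken)
        {
            return;
        }

        // Signature, lifetime and issuer are checked here; an expired or
        // tampered subject token must not produce a new token.
        var validation = await _tokenValidator.ValidateAccessTokenAsync(subjectToken);
        if (validation.IsError)
        {
            return;
        }

        var sub = validation.Claims.FirstOrDefault(c => c.Type == JwtClaimTypes.Subject)?.Value;
        if (sub == null)
        {
            return;
        }

        var claims = new List<Claim>();

        // Forward the session id so the exchanged token stays correlated with the
        // user's session (and with logout). Do this only when the exchange acts on
        // behalf of that same session; a delegation that is meant to outlive the
        // session should not carry it, which is why the server does not copy it by default.
        var sid = validation.Claims.FirstOrDefault(c => c.Type == JwtClaimTypes.SessionId);
        if (sid != null)
        {
            claims.Add(new Claim(JwtClaimTypes.SessionId, sid.Value));
        }

        context.Result = new GrantValidationResult(sub, GrantType, claims);
    }
}
```

Register the validator with `builder.AddExtensionGrantValidator<SessionAwareTokenExchangeValidator>()` and allow the grant type on the client. The validator only forwards the claim; whether the exchanged token ends up in a persisted grant entry still depends on the scopes requested and the client configuration, which this example does not change.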
I'm revisiting this. I think that you correctly identified the issue in the original post:
Token exchange swaps one access token for another. It should not involve any refresh token at all. The request does not include any refresh token from the original session, so (if such a refresh token exists) it shouldn't be updated. The result of the token exchange is another access token - it should not create any new refresh token. Do you have custom code that is used to create the token that is the result of the token exchange?
We use custom implementations for IProfileService and ITokenExchangeGrantValidator. My original post has the relevant parts of the latter. Our IProfileService implementation only adds some custom claims. Otherwise, no.
Which version of Duende IdentityServer are you using?
7.0.5
Which version of .NET are you using?
8
Describe the bug
When calling /connect/token with grant_type urn:ietf:params:oauth:grant-type:token-exchange and an existing access token with a sid claim, the resulting access token does not have a sid claim. A resulting refresh token is not correlated with the session, and an entry with SessionId=null is added to the persisted grant store for each exchange. This is causing issues for us because we exchange tokens quite frequently and each one creates a fairly long-lived, orphaned refresh token entry in the persisted grant database that remains after logout because its session id is null.
To Reproduce
sid claim and offline_access in its scopes.
sid claim.
Expected behavior
sid of given access token should be put into exchanged token. No extra refresh token should go into the persisted grant store; rather, the existing one should be renewed or replaced.
Additional context
Our TokenExchangeGrantValidator: