
Disabled clients can still be used for client secret authentication.

Open acollard opened this issue 9 years ago • 1 comments

From ClientSecretValidator.cs:

// load client
var client = await _clients.FindClientByIdAsync(parsedSecret.Id);
if (client == null)
{
  await RaiseFailureEvent(parsedSecret.Id, "Unknown client");

  Logger.Info("No client with that id found. aborting");
  return fail;
}

This should check if the client is null or disabled.

if (client == null || !client.Enabled)

This issue is also present in TokenValidator.cs. https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Validation/TokenValidator.cs#L114 https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Validation/TokenValidator.cs#L267

AuthorizeRequestValidator.cs handles it correctly.

acollard avatar Jan 16 '17 18:01 acollard

I just noticed your InMemoryClientStore.cs filters out disabled clients internally. In my scenario we use a custom IClientStore which is why I am seeing the issue.

Off the top of my head I can think of two reasons why the disabled flag should probably be handled outside:

  1. Users implementing the interface wouldn't expect disabled clients to be filtered out.
  2. A user may want to use the IClientStore outside of the authentication process, maybe an administrative page that lists the current clients and their state.

acollard avatar Jan 16 '17 18:01 acollard
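The following is an added illustration, not code from IdentityServer3 or from the issue author. It puts the two points of this thread side by side: the hardened `client == null || !client.Enabled` check from the issue body, and a custom `IClientStore` that returns disabled clients unfiltered so an administrative listing still sees them (the second comment's point 2). The `Client`, `IClientStore`, `CustomClientStore` and `ClientSecretValidator` types here are simplified stand-ins with only the members the example needs; they are assumptions, not the real IdentityServer3 types, and secrets are compared as plain strings for brevity.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;

// Simplified stand-in for IdentityServer3's Client (assumption: only the members used here).
public class Client
{
    public string ClientId { get; set; }
    public bool Enabled { get; set; } = true;
    public string Secret { get; set; }   // stand-in for ClientSecrets; plain text for brevity
}

// Stand-in for IdentityServer3's IClientStore; the real interface also exposes FindClientByIdAsync.
public interface IClientStore
{
    Task<Client> FindClientByIdAsync(string clientId);
}

// A custom store that deliberately does NOT filter disabled clients, so an
// administrative page can list every client and its state. Enforcement of the
// Enabled flag belongs in the validator, not here.
public class CustomClientStore : IClientStore
{
    private readonly List<Client> _clients;

    public CustomClientStore(IEnumerable<Client> clients)
    {
        _clients = clients.ToList();
    }

    public Task<Client> FindClientByIdAsync(string clientId) =>
        Task.FromResult(_clients.FirstOrDefault(c => c.ClientId == clientId));

    // Admin listing: returns disabled clients too.
    public IEnumerable<Client> All() => _clients;
}

// Hardened version of the check quoted in the issue: unknown AND disabled
// clients are rejected before the presented secret is ever compared.
public class ClientSecretValidator
{
    private readonly IClientStore _clients;

    public ClientSecretValidator(IClientStore clients)
    {
        _clients = clients;
    }

    public async Task<(bool Success, string Reason)> ValidateAsync(string clientId, string presentedSecret)
    {
        var client = await _clients.FindClientByIdAsync(clientId);
        if (client == null || !client.Enabled)
        {
            // Log the precise cause server-side, but return one generic reason so a
            // caller cannot tell "unknown client" apart from "disabled client".
            Console.Error.WriteLine(client == null
                ? $"No client with id '{clientId}' found. aborting"
                : $"Client '{clientId}' is disabled. aborting");
            return (false, "Unknown or disabled client");
        }

        // A real implementation would use a constant-time comparison and hashed secrets.
        return client.Secret == presentedSecret
            ? (true, "ok")
            : (false, "Invalid client secret");
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Constructed sample clients: one enabled, one disabled.
        var store = new CustomClientStore(new[]
        {
            new Client { ClientId = "app1", Secret = "s1", Enabled = true },
            new Client { ClientId = "app2", Secret = "s2", Enabled = false },
        });
        var validator = new ClientSecretValidator(store);

        Console.WriteLine(await validator.ValidateAsync("app1", "s1"));
        Console.WriteLine(await validator.ValidateAsync("app2", "s2"));
        Console.WriteLine(await validator.ValidateAsync("nope", "x"));

        // The admin view still sees the disabled client because the store does not filter it.
        foreach (var c in store.All())
            Console.WriteLine($"{c.ClientId}: enabled={c.Enabled}");
    }
}
```

With the check in the validator, `app2` is refused even though it presents a correct secret, while `store.All()` still lists it; a store that silently dropped disabled clients (as the in-memory store mentioned above does) would hide that state from the administrative view and leave any other `IClientStore` implementation to reinvent the filter.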