"cnf" claim not present in reference token introspection.

[dreampunchboy]

Issue / Steps to reproduce the problem

Setup a basic mTSL client with AccessTokenType.Reference. Grab a new token and run an introspection on that token:

{ "iss": "https://localhost:5000", "nbf": 1643810842, "exp": 1643814442, "aud": [ "resource1", "resource2" ], "client_id": "mtlsref", "jti": "E70CF07882B9798FB9061388B6572664", "iat": 1643810842, "active": true, "scope": "resource1.scope1" }

Claim "cnf" is missing. Now do the same as above but for a client with AccessTokenType.Jwt and "cnf" is there.

The suggested fix: https://github.com/IdentityServer/IdentityServer4/blob/3ff3b46698f48f164ab1b54d124125d63439f9d0/src/IdentityServer4/src/Extensions/TokenExtensions.cs#L53-L56

The above or something similar needs to be added to the ValidateReferenceAccessTokenAsync() method within TokenValidator.cs as the TokenValidationResult gets passed back to create the response for Introspection.

[leastprivilege]

Important update

This organization is not maintained anymore besides critical security bugfixes (if feasible). This organization will be archived when .NET Core 3.1 end of support is reached (3rd Dec 2022). All new development is happening in the new Duende Software organization.

The new Duende IdentityServer comes with a commercial license but is free for dev/testing/personal projects and companies or individuals making less than 1M USD gross annnual revenue. Please get in touch with us if you have any question.