Merge pull request #316 from DuendeSoftware/brock/patch_client_assert…

…ion_token_audience Add physical token endpoint to audience list for private key JWTs
DuendeSoftware · Jul 9, 2021 · b28f8dd · b28f8dd
2 parents 429b746 + b2d31b5
commit b28f8dd
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/src/IdentityServer/Validation/Default/PrivateKeyJwtSecretValidator.cs b/src/IdentityServer/Validation/Default/PrivateKeyJwtSecretValidator.cs
@@ -13,6 +13,7 @@
 using Microsoft.Extensions.Logging;
 using Microsoft.IdentityModel.JsonWebTokens;
 using Microsoft.IdentityModel.Tokens;
+using Microsoft.AspNetCore.Http;
 
 namespace Duende.IdentityServer.Validation
 {
@@ -21,6 +22,7 @@ namespace Duende.IdentityServer.Validation
     /// </summary>
     public class PrivateKeyJwtSecretValidator : ISecretValidator
     {
+        private readonly IHttpContextAccessor _contextAccessor; 
         private readonly IIssuerNameService _issuerNameService;
         private readonly IReplayCache _replayCache;
         private readonly IdentityServerOptions _options;
@@ -32,11 +34,13 @@ public class PrivateKeyJwtSecretValidator : ISecretValidator
         /// Instantiates an instance of private_key_jwt secret validator
         /// </summary>
         public PrivateKeyJwtSecretValidator(
+            IHttpContextAccessor contextAccessor,
             IIssuerNameService issuerNameService, 
             IReplayCache replayCache,
             IdentityServerOptions options,
             ILogger<PrivateKeyJwtSecretValidator> logger)
         {
+            _contextAccessor = contextAccessor;
             _issuerNameService = issuerNameService;
             _replayCache = replayCache;
             _options = options;
@@ -88,9 +92,13 @@ public async Task<SecretValidationResult> ValidateAsync(IEnumerable<Secret> secr
             var validAudiences = new[]
             {
                 // token endpoint URL
+                string.Concat(_contextAccessor.HttpContext.GetIdentityServerBaseUrl().EnsureTrailingSlash(),
+                    Constants.ProtocolRoutePaths.Token),
+                // TODO: remove the issuer URL in a future major release?
+                // issuer URL
                 string.Concat((await _issuerNameService.GetCurrentAsync()).EnsureTrailingSlash(),
                     Constants.ProtocolRoutePaths.Token)
-            };
+            }.Distinct();
 
             var tokenValidationParameters = new TokenValidationParameters
             {

diff --git a/test/IdentityServer.UnitTests/Validation/Secrets/PrivateKeyJwtSecretValidation.cs b/test/IdentityServer.UnitTests/Validation/Secrets/PrivateKeyJwtSecretValidation.cs
@@ -21,6 +21,7 @@
 using Microsoft.Extensions.Logging;
 using Microsoft.IdentityModel.Tokens;
 using Xunit;
+using Microsoft.AspNetCore.Http;
 
 namespace UnitTests.Validation.Secrets
 {
@@ -31,7 +32,12 @@ public class PrivateKeyJwtSecretValidation
 
         public PrivateKeyJwtSecretValidation()
         {
+            var ctx = new DefaultHttpContext();
+            ctx.Request.Scheme = "https";
+            ctx.Request.Host = new HostString("idsrv3.com");
+
             _validator = new PrivateKeyJwtSecretValidator(
+                 new HttpContextAccessor { HttpContext = ctx },
                  new TestIssuerNameService("https://idsrv3.com"),
                  new DefaultReplayCache(new TestCache()), 
                  new IdentityServerOptions(),