identitymodel / identitymodel Goto Github PK

In the documentation example http://docs.identityserver.io/en/release/endpoints/introspection.html
IntrospectionClient constructor parameters are shown as for scope( is it the same asAPI?)

var introspectionClient = new IntrospectionClient(
    doc.IntrospectionEndpoint,
    "scope_name",
    "scope_secret");

However intellisense and actual code in
https://github.com/IdentityModel/IdentityModel2/blob/dev/src/IdentityModel/Client/IntrospectionClient.cs uses clientId/clientSecret parameter names.

It causing confusion as scope, API and client are very different actors in OIdC.

Can you make the code/documentation consistent, or add explanation, which parameters can be passed to IntrospectionClient.

If I have a discovery response string, it's quite useful to pass it to DiscoveryResponse class then I get all kinds of information easily.

However, currently DiscoveryResponse class can't be used directly because of DiscoveryPolicy.Authority property, it's an internal property, no way to set its value outside the assembly, I can instantiate DiscoveryResponse class with this constructor public DiscoveryResponse(string raw, DiscoveryPolicy policy = null), pass in my raw response string, but it's IsError property will be true because exception will be thrown in code allowedHosts.Add(new Uri(policy.Authority).Authority); in DiscoveryResponse class.

My suggestion is:

• make DiscoveryPolicy.Authority property public or add a constructor public DiscoveryPolicy(string authority)
• public DiscoveryResponse(string raw, DiscoveryPolicy policy = null) will not validate the raw string if policy is null.
• tweak the ValidateEndpoints method, handle the situation policy.Authority == null

Hey, so here's my issue - I'm just starting out with this library, but I lost about half an hour trying to figure out why I couldn't use anything or even add IdentityModel as a using statement. Then it hit me - I changed the project's target framework to .NET Core 1.0 from .NET Core 1.1 and it started working. So, might be good to note that.

If it matters, I got this when creating a default .NET core Console application from VS 2017's templates.

Is there any specific reason to drop.NET 4.5 support?

I understand .NET 4.5 is kind of ancient and MS has stopped the support but I am working on a project where I need to develop plugin for a .NET 4.5. I would appreciate it if you could keep supporting .NET 4.5 as long as it doesn't make things harder for you.

Hi,
Currently this library supports dotnet framework 4.5.2
Does it support previous versions like 4.5
Otherwise I will have to change all other projects of my solution to 4.5.2
Please let me know.
Thanks

DiscoveryClient allows you to specify a DiscoveryPolicy to aid in validation. However, the first thing it does in DiscoveryClient.GetAsync is overwrite the policy Authority so there's no way to cause validation to obey the specified Authority.

The use case in which I'm hitting this is multitenancy. I have a multitenant OIDC provider much like Azure AD where the tenant ID in the URL is case-sensitive and contains upper-case letters - https://my.identity.server/TenantIdHere/.well-known/openid-configuration

However, Identity Server forces the base URL to lowercase as the issuer like https://my.identity.server/tenantidhere. I wanted to set the authority in the validation policy to be the "normalized lowercase" version of the URL so validation would work, but that gets overwritten. I also can't address it by adding to the AdditionalEndpointBaseAddresses because only the authority is used for issuer validation

My current workaround is to disable issuer validation entirely.

I have a Xamarin PCL (profile 44), and when I'm trying to add the IdentityModel package (2.8.0), I get the following error:

Could not install package 'IdentityModel 2.8.0'. You are trying to install this package into a project that targets '.NETPortable,Version=v4.6,Profile=Profile44', but the package does not contain any assembly references or content files that are compatible with that framework. For more information, contact the package author.

Is IdentityModels supposed to support Xamarin?

Issuer name should (per spec) be equal to the base addresss.

Optional - but on by default

Hello, I have noticed that there is a ordinal string comparison when the Issuer is validated.
It this intentional? For security reasons may be?

public bool ValidateIssuerName(string issuer, string authority)
{
return string.Equals(issuer, authority, StringComparison.Ordinal);
}

Can we switch that to StringComparison.OrdinalIgnoreCase ?
The same thing I saw when the allowedAuthorities are checked.

CC: @brockallen

Hi, when using IntrospectionEndpoint, I am receiving 401. Here's my code:

var tokenClient = new TokenClient("http://localhost:1000/connect/token", "client_id", "client_secret");

var scopes = "MyApi offline_access openid profile";

var tokenResponse = await tokenClient.RequestResourceOwnerPasswordAsync(request.UserName, request.Password, scopes);

var accessToken = tokenResponse.AccessToken;

var introspectionClient = new IntrospectionClient("http://localhost:1000/connect/introspect",
    "client_id", "client_secret");

var introspectResponse = await introspectionClient.SendAsync(new IntrospectionRequest()
{
    Token = accessToken
});

The introspectResponse's response is the HTML markup of my login page. Debugging on IdentityServer code, it fails on validation of scope. It is searching the secret ID against the scope store and it cannot find it.

Am I doing something wrong? How do I use IntrospectionEndpoint properly? It seems it is using client id to validate against scopes. Thank you.

IdentityModel 1.9.2 had ProtocolHelperExtensions & HashStringExtensions methods. Now IdentityModel2 does not seem to have those? Have these methods been moved to another project?

Just like TokenClient.

I want to use the client side of IdentityServer which is the IdentityModel nuget package. It looks like PCL support is dropped. Do I have to go back to version 1.13.1 to use it with Xamarin applications?

https://www.nuget.org/packages/IdentityModel/1.13.1

AuthorizeResponse with url https://code_client/callback?error=invalid_request&error_description=code%20challenge%20required fails to read error_description as "code challenge required". Instead it keeps the %20 in the returned value.

should we url decode the values in TryGet?

It'd be nice to have something easy to use and similar to the 24h cache from the Config Mgr plumbing.

Could you please document what's the difference compare to another repository "IdentityModel"?
It should be really helpful for some readers like me. thanks!

Hi,

I'm calling RequestAuthorizationCodeAsync like so:

tokenResponse = await client.RequestAuthorizationCodeAsync(
                    tokenExchangeInput.Code, 
                    tokenExchangeInput.RedirectUri);

I don't get any errors or anything. It just seems to hang. Any help is appreciated.

-J

Hey Guys,

The Tokenclient returns with the Constructor TokenClient(string address) and TokenClient(string address, HttpMessageHandler innerHttpMessageHandler); "invalid_client" as response

invalid example
var invalid = new TokenClient(AppConstants.TokenEndpoint, new NativeMessageHandler()) { ClientId = AppConstants.ClientId, ClientSecret = AppConstants.ClientSecret };

using
var tokenClient = new TokenClient(AppConstants.TokenEndpoint, AppConstants.ClientId,AppConstants.ClientSecret);

works fine

My guess is that you use the private fields in the Class methods and not the the Properties.

hope I could help

When executing this

[HttpGet]
public async Task<IHttpActionResult> GetOpenId(string code, string state) {
    var discoveryClient = new DiscoveryClient(issuerUri);
    // rest omitted for brevity, it breaks here
}

I get

Method not found: 'Void IdentityModel.Client.DiscoveryClient..ctor(System.String, System.Net.Http.HttpMessageHandler)'.

Response from a Web Api 2 action:

<Error><Message>An error has occurred.</Message><ExceptionMessage>Method not found: 'Void IdentityModel.Client.DiscoveryClient..ctor(System.String, System.Net.Http.HttpMessageHandler)'.</ExceptionMessage><ExceptionType>System.MissingMethodException</ExceptionType><StackTrace>   at Admin.OpenIdController.&lt;GetOpenId&gt;d__0.MoveNext()
   at System.Runtime.CompilerServices.AsyncTaskMethodBuilder`1.Start[TStateMachine](TStateMachine&amp; stateMachine)
   at Admin.OpenIdController.GetOpenId(String code, String state)
   at lambda_method(Closure , Object , Object[] )
   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.&lt;&gt;c__DisplayClass12.&lt;GetExecutor&gt;b__8(Object instance, Object[] methodParameters)
   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(HttpControllerContext controllerContext, IDictionary`2 arguments, CancellationToken cancellationToken)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Controllers.ApiControllerActionInvoker.&lt;InvokeActionAsyncCore&gt;d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Controllers.ActionFilterResult.&lt;ExecuteAsync&gt;d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Web.Http.Dispatcher.HttpControllerDispatcher.&lt;SendAsync&gt;d__1.MoveNext()</StackTrace></Error>

Hello,

I tried to refresh my access token from a xamarin application by using the IdentityModel package (v2.10.0) but I received an exception.

// refresh_token = 58be5f9658374556ee01350d5d4d166d

var _tokenClient = new TokenClient(this.Authenticator.TokenUri, this.ClientKey.ClientId, this.ClientKey.Credential.Secret);
await _tokenClient.RequestRefreshTokenAsync(requestParameters[OAuthParameter.RefreshToken]); 

Stack trace :

at IdentityModel.Client.TokenClientExtensions.Merge (IdentityModel.Client.TokenClient client, System.Collections.Generic.Dictionary`2[TKey,TValue] explicitValues, System.Object extra) [0x00014] in <d2248fbe73ed43a3a46db147f1d67a2c>:0 
 at IdentityModel.Client.TokenClientExtensions.RequestRefreshTokenAsync (IdentityModel.Client.TokenClient client, System.String refreshToken, System.Object extra, System.Threading.CancellationToken cancellationToken) [0x00022] in <d2248fbe73ed43a3a46db147f1d67a2c>:0 
 at AG.MDF.Security.Identity.Handlers.Idsv.AcquireTokenInteractiveFromIdsvHandler+<SendHttpMessageAsync>d__68.MoveNext () [0x00117] in /Users/olivier/Projets/AG/AG.MDF.Security/AG.MDF.Security.Identity/src/AG.MDF.Security.Identity.Common/Handlers/Idsv/AcquireTokenInteractiveFromIdsvHandler.cs:346 
--- End of stack trace from previous location where exception was thrown ---
 at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in /Library/Frameworks/Xamarin.iOS.framework/Versions/10.10.0.36/src/mono/mcs/class/referencesource/mscorlib/system/runtime/exceptionservices/exceptionservicescommon.cs:151 
 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x00037] in /Library/Frameworks/Xamarin.iOS.framework/Versions/10.10.0.36/src/mono/mcs/class/referencesource/mscorlib/system/runtime/compilerservices/TaskAwaiter.cs:187 
 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x00028] in /Library/Frameworks/Xamarin.iOS.framework/Versions/10.10.0.36/src/mono/mcs/class/referencesource/mscorlib/system/runtime/compilerservices/TaskAwaiter.cs:156 
 at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x00008] in /Library/Frameworks/Xamarin.iOS.framework/Versions/10.10.0.36/src/mono/mcs/class/referencesource/mscorlib/system/runtime/compilerservices/TaskAwaiter.cs:128 
 at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[TResult].GetResult () [0x00000] in /Library/Frameworks/Xamarin.iOS.framework/Versions/10.10.0.36/src/mono/mcs/class/referencesource/mscorlib/system/runtime/compilerservices/TaskAwaiter.cs:535 
 at AG.MDF.Security.Identity.Handlers.Idsv.AcquireTokenInteractiveFromIdsvHandler+<SendTokenRequestByRefreshTokenAsync>d__66.MoveNext () [0x0008c] in /Users/olivier/Projets/AG/AG.MDF.Security/AG.MDF.Security.Identity/src/AG.MDF.Security.Identity.Common/Handlers/Idsv/AcquireTokenInteractiveFromIdsvHandler.cs:285 
--- End of stack trace from previous location where exception was thrown ---
 at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in /Library/Frameworks/Xamarin.iOS.framework/Versions/10.10.0.36/src/mono/mcs/class/referencesource/mscorlib/system/runtime/exceptionservices/exceptionservicescommon.cs:151 
 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x00037] in /Library/Frameworks/Xamarin.iOS.framework/Versions/10.10.0.36/src/mono/mcs/class/referencesource/mscorlib/system/runtime/compilerservices/TaskAwaiter.cs:187 
 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x00028] in /Library/Frameworks/Xamarin.iOS.framework/Versions/10.10.0.36/src/mono/mcs/class/referencesource/mscorlib/system/runtime/compilerservices/TaskAwaiter.cs:156 
 at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x00008] in /Library/Frameworks/Xamarin.iOS.framework/Versions/10.10.0.36/src/mono/mcs/class/referencesource/mscorlib/system/runtime/compilerservices/TaskAwaiter.cs:128 
 at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[TResult].GetResult () [0x00000] in /Library/Frameworks/Xamarin.iOS.framework/Versions/10.10.0.36/src/mono/mcs/class/referencesource/mscorlib/system/runtime/compilerservices/TaskAwaiter.cs:535 
 at AG.MDF.Security.Identity.Handlers.Idsv.AcquireTokenInteractiveFromIdsvHandler+<RefreshAccessTokenAsync>d__67.MoveNext () [0x0007b] in /Users/olivier/Projets/AG/AG.MDF.Security/AG.MDF.Security.Identity/src/AG.MDF.Security.Identity.Common/Handlers/Idsv/AcquireTokenInteractiveFromIdsvHandler.cs:306 
--- End of stack trace from previous location where exception was thrown ---
 at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in /Library/Frameworks/Xamarin.iOS.framework/Versions/10.10.0.36/src/mono/mcs/class/referencesource/mscorlib/system/runtime/exceptionservices/exceptionservicescommon.cs:151 
 at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x00037] in /Library/Frameworks/Xamarin.iOS.framework/Versions/10.10.0.36/src/mono/mcs/class/referencesource/mscorlib/system/runtime/compilerservices/TaskAwaiter.cs:187 
 at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x00028] in /Library/Frameworks/Xamarin.iOS.framework/Versions/10.10.0.36/src/mono/mcs/class/referencesource/mscorlib/system/runtime/compilerservices/TaskAwaiter.cs:156 
 at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x00008] in /Library/Frameworks/Xamarin.iOS.framework/Versions/10.10.0.36/src/mono/mcs/class/referencesource/mscorlib/system/runtime/compilerservices/TaskAwaiter.cs:128 
 at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[TResult].GetResult () [0x00000] in /Library/Frameworks/Xamarin.iOS.framework/Versions/10.10.0.36/src/mono/mcs/class/referencesource/mscorlib/system/runtime/compilerservices/TaskAwaiter.cs:535 
 at AG.MDF.Security.Identity.Handlers.Idsv.AcquireTokenInteractiveFromIdsvHandler+<RunAsync>d__58.MoveNext () [0x001cb] in /Users/olivier/Projets/AG/AG.MDF.Security/AG.MDF.Security.Identity/src/AG.MDF.Security.Identity.Common/Handlers/Idsv/AcquireTokenInteractiveFromIdsvHandler.cs:173 

Thx you for your help.

Was there a reason that ScopeAuthorizeAttribute was removed in this implementation of IdentityModel?

I would like this back unless this decision was by design.

This issue is related to this StackOverflow question. https://stackoverflow.com/questions/44211741/how-to-resolve-httpclient-exists-in-multiple-libs/44299428.

We need to refer IdentityModel library which is targeting .netstandared1.4 from our library targeting .netstandared2.0. But we also refer to HttpClient in our library as well. Ideally .netstandared1.4 targeted library is callable from higher version targeted library. But IdentityModel also references System.Net.Http outside of the standard library. So we ended up with 2 HttpClients and failed to build our project. What is the proper way to fix this? Should we wait until newer version targeting .netstandared2.0?

Hi there!

It looks like a ConfigureAwait(false) directive was erroneously removed when the TokenClient code was recently refactored for release 2.1.0 of IdentityModel. The following statement creates a deadlock when I call RequestAsync() (indirectly from RequestClientCredentialsAsync()) from a non-async ASP.NET method, using .Result or .Wait() to block on the resulting task.

response = await _client.SendAsync(request, cancellationToken);

(line 88 from TokenClient.cs, from this commit)

Hello,

It looks like there is an issue related to HttpClientExtensions.cs and precompiled Azure Functions.

I'm receiving System.MissingMethodException : Method not found: 'System.Threading.Tasks.Task'1<!!0> System.Net.Http.HttpContentExtensions.ReadAsAsync(System.Net.Http.HttpContent)' error once IdentityModel package added.

It happens in both cases during debug session and in Azure itself.

Example repository: https://github.com/GreenAirplane/IdentityModelAzureFunctionIssue
Commit which introduces the issue: GreenAirplane/IdentityModelAzureFunctionIssue@f48e530

So I tried to add support for Windows.Web.Http and it requires to create counterparts for:

• BasicAuthenticationHeaderValue
• HttpClientExtensions
• IntrospectionClient
• RefreshTokenHandler
• TokenClient
• TokenClientExtensions
• TokenRevocationClient
• TokenRevocationClientExtensions
• UserInfoClient

Which is not a big deal for me.
However as you expose public HttpStatusCode HttpErrorStatusCode { get; } from TokenResponse and UserInfoResponse they cannot be universal. As HttpStatusCode in WinRT is absolutely different enum.

What do you think? Let us change it to int?

I guess ValidateEndoints method should be ValidateEndpoints, it seems a typo?

The NuGet package for IdentityModel 2.8.0 depends on System.ValueTuple 4.3.0. However, the assembly for .NETStandard1.4 references System.ValueTuple 4.0.1.

This prevents Xamarin on Visual Studio 2017 from building a project that references Identity Model 2.8.0.

Dependency from IdentityModel.2.8.0.nuspec
<dependency id="System.ValueTuple" version="4.3.0" exclude="Build,Analyzers" />

Reference from IdentityModel.dll (.NETStandard1.4)
System.ValueTuple, Version=4.0.1.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51

typeof(Identity).Assembly.GetReferencedAssemblies()
    .First(a => a.Name == "System.ValueTuple")
    .FullName

Excerpt of Xamarin build output

5>    Adding assembly reference for IdentityModel, Version=2.8.0.0, Culture=neutral, PublicKeyToken=null, recursively...
5>      Adding assembly reference for System.Security.Claims, Version=4.0.1.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, recursively...
5>      Adding assembly reference for System.Security.Cryptography.Algorithms, Version=4.2.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, recursively...
5>      Adding assembly reference for System.Security.Cryptography.X509Certificates, Version=4.1.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a, recursively...
5>C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\MSBuild\Xamarin\Android\Xamarin.Android.Common.targets(1399,2): error : Exception while loading assemblies: System.IO.FileNotFoundException: Could not load assembly 'System.ValueTuple, Version=4.0.1.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51'. Perhaps it doesn't exist in the Mono for Android profile?
5>C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\MSBuild\Xamarin\Android\Xamarin.Android.Common.targets(1399,2): error : File name: 'System.ValueTuple.dll'
5>C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\MSBuild\Xamarin\Android\Xamarin.Android.Common.targets(1399,2): error :    at Java.Interop.Tools.Cecil.DirectoryAssemblyResolver.Resolve(AssemblyNameReference reference, ReaderParameters parameters)
5>C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\MSBuild\Xamarin\Android\Xamarin.Android.Common.targets(1399,2): error :    at Xamarin.Android.Tasks.ResolveAssemblies.AddAssemblyReferences(DirectoryAssemblyResolver resolver, ICollection`1 assemblies, AssemblyDefinition assembly, Boolean topLevel)
5>C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\MSBuild\Xamarin\Android\Xamarin.Android.Common.targets(1399,2): error :    at Xamarin.Android.Tasks.ResolveAssemblies.Execute(DirectoryAssemblyResolver resolver)

Endpoints

• token
• introspection
• revocation

Styles

• client_secret_jwt
• private_key_jwt

Client_secret_jwt require an additional signingAlgorithm parameter. The key is the client_secret.
private_key_jwt require the additional parameters signingAlgorithm and an asymmetric key. The key could be a JWK.

Requirement
No dependency to Microsoft JWT package
Integrated within a generic callback when creating the POST body

It should be sufficient to have a dependency on the System.Net.Http nupkg.

The frameworkAssembly reference breaks downstream packages that target net461 but have other dependencies that target netstandardx.x and depend on System.Net.Http via NuGet because the assembly versions in the GAC (for both 4.5.x and 4.6.x) differ from the latest published via NuGet.

I am looking to evaluate IdentityModel2 for use within a Xamarin Forms application but am running into issues installing the corresponding nuget package due to PCL profile issues.

Issue = "Could not install package 'IdentityModel 2.0.0'. You are trying to install this package into a project that targets '.NETPortable,Version=v4.5,Profile=Profile78', but the package does not contain any assembly references or content files that are compatible with that framework. For more information, contact the package author."

Can you provide me with any direction on how this may have been resolved already, or give me some pointers on how I may resolve this on my own?

This response url:

https://code_client/callback?error=invalid_request#=

does not parse properly.

The OAuth2 provider can also return a refresh_expires_in value to indicate when the RefreshToken expires.

see http://www.keycloak.org/docs/javadocs/index.html?org/keycloak/representations/AccessTokenResponse.html

If you use IdentityModel2 from an assembly which is signed with a strong name all referenced assemblies have to have a strong name.
Please "give" the net45 assembly with a strong name.

When using the DiscoveryClient to request metadata from my Identity Server, the resulting DiscoveryResponse is not validated if the Issuer and Authority are not an exact case-sensitive match. This causes us issues when our build process uses capital letters when specifying our environment names in our config, but the discovery document returns all URLs lowercase regardless of the request URL.

e.g. "Authority: https://idsrv-Production" and "Issuer: https://idsrv-production". I realize that I could work around this by forcing all my authority URLs to lowercase, either in config or in the actual code where I use DiscoveryClient but this seems messy and brittle. I'm not sure I even understand what security benefit a case-sensitive validation like this provides.

Is there a specific need for performing case-sensitive validation on the issuer and authority? If not, would it be possible to change the comparison from StringComparison.Ordinal to StringComparison.OrdinalIgnoreCase?

When calling the DiscoveryClient from an .NET Framework 4.6.1 project with System.ValueTuple 4.3.1 referenced, I get an exception:

Exception

=== Pre-bind state information ===
LOG: DisplayName = System.ValueTuple, Version=4.0.1.1, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51
 (Fully-specified)
LOG: Appbase = file:///C:/Users/johann/AppData/Local/Azure.Functions.Cli/1.0.4/
LOG: Initial PrivatePath = NULL
Calling assembly : IdentityModel, Version=2.12.0.0, Culture=neutral, PublicKeyToken=null.
===
LOG: This bind starts in LoadFrom load context.
WRN: Native image will not be probed in LoadFrom context. Native image will only be probed in default load context, like with Assembly.Load().
LOG: Using application configuration file: C:\Users\johann\AppData\Local\Azure.Functions.Cli\1.0.4\func.exe.Config
LOG: Using host configuration file: 
LOG: Using machine configuration file from C:\Windows\Microsoft.NET\Framework\v4.0.30319\config\machine.config.
LOG: The same bind was seen before, and was failed with hr = 0x80070002.

Stack Trace

   at IdentityModel.Client.DiscoveryClient..ctor(String authority, HttpMessageHandler innerHandler)
   at IdentityModel.Client.DiscoveryClient.<GetAsync>d__1.MoveNext()

RefeshTokenHandler uses lock.WaitAsync in RefreshTokensAsync, but SendAsync accesses the lock.Wait()-using AccessToken. This would cause the request originator to be blocked since DelegatingHandlers are not called on a background thread.

Adding a GetAccessTokenAsync would solve the problem. I'm happy to submit a PR if I get the time.

Hi,

I was wondering if there was any chance that the assembly distributed in nuget can be signed with a strong name? I need to install it in the GAC, but in order to do this I am having to decompile and resign it, which is something Id like to avoid if possible.

Thanks

Andy

A client is requesting an access token from my IdentityServer4 based token service using client credentials.
On the IdentityServer side the client is configured to have access to several scopes which all belong to a single api and issue an access token in JWT format.
What I want to do, is to request more than one scope and get all of them included in the access token, for example as an array.
Currently I do this:

var disco = discoveryClient.GetAsync().Result;
var tokenEndpoint = disco.TokenEndpoint;
using (var tokenClient = new TokenClient(tokenEndpoint, _options.Client, _options.Secret))
{
    var tokenResponse = tokenClient.RequestClientCredentialsAsync(_options.Scopes.First()).Result;
    if (tokenResponse.IsError)
        throw new HttpRequestException(tokenResponse.Error);

    tokenExpiration = DateTime.Now.AddSeconds(tokenResponse.ExpiresIn);
    client.SetBearerToken(tokenResponse.AccessToken);
}

At the point where I do tokenClient.RequestClientCredentialsAsync(_options.Scopes.First()) . I'd like to pass an IEnumerable<string> or something.

How can I do this with IdentityModel? Or why is it not possible/"a bad idea"?

Apologies if this has been discussed previously, but according to the spec, the base64 encoded credentials in the Authorize HTTP header should use ISO-8859-1

There's a reasonable amount of detail on alternatives on this stack overflow question: http://stackoverflow.com/questions/7242316/what-encoding-should-i-use-for-http-basic-authentication

What is the purpose of the RefreshTokenHandler? Should I expect something like refreshing the access token when it is expired using the refreshtoken?

To continue our discussion about WinRT support.
What if we split a library into two parts:

1. Common classes that are not relay on System.Net.Http
2. Your logic specific to System.Net.Http

In this case I will be able to provide my own package for WinRT with logic specific to Windows.Net.Http

Only 2 changes required except splitting into 2 projects:

1. Specify sub namespace for classes specific to System.Net.Http
2. Expose HttpCode as a number but not Enum. And an extension method that return enum from number.

Implementations should validate the ID Token and its authenticity (that it is indeed signed by the expected Provider).

I couldn't find any explicit methods that might assist in ID Token validation – do they exist in this lib? If not, do you have suggestions for handling this?

It is possible to provide interfaces for the purpose of mocking for unit testing?

If an exception is thrown in my class which implements IResourceOwnerPasswordValidator, the TokenResponse exception field is NULL. All I get is an "Internal Server Error". I am using IdentityServer4, FYI.

The introspection client only support the client authentication method client_secret_post.
The introspection endpoint may also support other methods:

• client_secret_basic
• client_secret_jwt
• private_key_jwt

The discovery endpoint should be used for retrieving the following metadata:

• introspection_endpoint_auth_methods_supported
• introspection_endpoint_auth_signing_alg_values_supported

Related IdentityModel/IdentityModel.AspNetCore.OAuth2Introspection#21