From b39aba8477c5aa6326015dff82817916d9ac4089 Mon Sep 17 00:00:00 2001
From: Maarten Balliauw
Date: Fri, 14 Mar 2025 14:47:46 +0100
Subject: [PATCH 1/2] Add Strict Audience Validation to Private Key JWT samples
---
 .../v7/Basics/IdentityServer/src/HostingExtensions.cs | 4 +++-
 .../v7/Basics/IdentityServer/src/IdentityServerHost.csproj | 7 ++++++-
 .../v7/Basics/JwtBasedClientAuthentication/src/Program.cs | 4 +++-
 IdentityServer/v7/Basics/MvcJarJwt/src/AssertionService.cs | 2 ++
 4 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/IdentityServer/v7/Basics/IdentityServer/src/HostingExtensions.cs b/IdentityServer/v7/Basics/IdentityServer/src/HostingExtensions.cs
index 828833df..c379bfed 100644
--- a/IdentityServer/v7/Basics/IdentityServer/src/HostingExtensions.cs
+++ b/IdentityServer/v7/Basics/IdentityServer/src/HostingExtensions.cs
@@ -21,6 +21,8 @@ public static WebApplication ConfigureServices(this WebApplicationBuilder builde
 // see https://docs.duendesoftware.com/identityserver/v6/fundamentals/resources/api_scopes
 options.EmitStaticAudienceClaim = true;
 options.PushedAuthorization.AllowUnregisteredPushedRedirectUris = true;
+
+ options.Preview.StrictClientAssertionAudienceValidation = true;
 })
 .AddTestUsers(TestUsers.Users);
@@ -68,4 +70,4 @@ public static WebApplication ConfigurePipeline(this WebApplication app)
 return app;
 }
-}
+}
\ No newline at end of file
diff --git a/IdentityServer/v7/Basics/IdentityServer/src/IdentityServerHost.csproj b/IdentityServer/v7/Basics/IdentityServer/src/IdentityServerHost.csproj
index e0397565..cb1ba345 100755
--- a/IdentityServer/v7/Basics/IdentityServer/src/IdentityServerHost.csproj
+++ b/IdentityServer/v7/Basics/IdentityServer/src/IdentityServerHost.csproj
@@ -5,8 +5,13 @@ enable + + + DUENDEPREVIEW002 + + - +
diff --git a/IdentityServer/v7/Basics/JwtBasedClientAuthentication/src/Program.cs b/IdentityServer/v7/Basics/JwtBasedClientAuthentication/src/Program.cs
index 564e3ef4..04692e88 100755
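Review bot: The added `options.Preview.StrictClientAssertionAudienceValidation = true;` has no comment, while the neighbouring options cite the docs, so a reader of this sample cannot tell what the switch tightens or that it is a preview API. I would precede it with `// Preview API (DUENDEPREVIEW002): strict audience validation for private_key_jwt client assertions; the client samples in this commit set typ=client-authentication+jwt to match`, and since the property lives under Preview it is worth noting that it may move once the feature ships. ConfigureServices starts before this hunk. The second hunk of this file and the second hunk in Program.cs only drop the file's trailing newline (`\ No newline at end of file`), which looks like an editor artifact rather than part of the change.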
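Review bot: The project-wide NoWarn for DUENDEPREVIEW002 silences that diagnostic for every future use of a preview API in the host, not only the one line this commit adds in HostingExtensions.cs; the follow-up commit then deletes the suppression altogether, so if the analyzer fires for `options.Preview.StrictClientAssertionAudienceValidation` the sample build will warn again and fail wherever warnings are treated as errors. A scoped `#pragma warning disable DUENDEPREVIEW002` / `#pragma warning restore DUENDEPREVIEW002` around that single line in HostingExtensions.cs keeps the diagnostic for everything else while making the intended exception visible at the point of use. The element names of this hunk did not survive rendering, so this is based on the `DUENDEPREVIEW002` value and the diffstat rather than the exact markup.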
--- a/IdentityServer/v7/Basics/JwtBasedClientAuthentication/src/Program.cs
+++ b/IdentityServer/v7/Basics/JwtBasedClientAuthentication/src/Program.cs
@@ -75,6 +75,8 @@ static string CreateClientToken(SigningCredentials credential, string clientId,
 credential
 );
+ token.Header[JwtClaimTypes.TokenType] = "client-authentication+jwt";
+
 var tokenHandler = new JwtSecurityTokenHandler();
 var clientToken = tokenHandler.WriteToken(token);
 "\n\nClient Authentication Token:".ConsoleGreen();
@@ -94,4 +96,4 @@ static async Task CallServiceAsync(string token)
 "\n\nService claims:".ConsoleGreen();
 Console.WriteLine(response.PrettyPrintJson());
-}
+}
\ No newline at end of file
diff --git a/IdentityServer/v7/Basics/MvcJarJwt/src/AssertionService.cs b/IdentityServer/v7/Basics/MvcJarJwt/src/AssertionService.cs
index 2888f121..90b9355b 100755
--- a/IdentityServer/v7/Basics/MvcJarJwt/src/AssertionService.cs
+++ b/IdentityServer/v7/Basics/MvcJarJwt/src/AssertionService.cs
@@ -40,6 +40,8 @@ public string CreateClientToken()
 new SigningCredentials(new JsonWebKey(key), "RS256")
 );
+ token.Header[JwtClaimTypes.TokenType] = "client-authentication+jwt";
+
 var tokenHandler = new JwtSecurityTokenHandler();
 tokenHandler.OutboundClaimTypeMap.Clear();
From e46593315832537e5a0716bf9264849face9cd77 Mon Sep 17 00:00:00 2001
From: Maarten Balliauw
Date: Mon, 17 Mar 2025 20:48:24 +0100
Subject: [PATCH 2/2] Update IdentityServer/v7/Basics/IdentityServer/src/IdentityServerHost.csproj
---
 .../v7/Basics/IdentityServer/src/IdentityServerHost.csproj | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/IdentityServer/v7/Basics/IdentityServer/src/IdentityServerHost.csproj b/IdentityServer/v7/Basics/IdentityServer/src/IdentityServerHost.csproj
index cb1ba345..6db61746 100755
--- a/IdentityServer/v7/Basics/IdentityServer/src/IdentityServerHost.csproj
+++ b/IdentityServer/v7/Basics/IdentityServer/src/IdentityServerHost.csproj
@@ -5,11 +5,6 @@ enable - - - DUENDEPREVIEW002 - -
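Review bot: `token.Header[JwtClaimTypes.TokenType] = "client-authentication+jwt";` overrides the default typ header through a claim-type constant and a bare string literal, with no comment on why, and the identical line appears in the AssertionService.cs hunk below. Its correctness relies on `JwtClaimTypes.TokenType` resolving to the "typ" header name; `JwtHeaderParameterNames.Typ` (Microsoft.IdentityModel.JsonWebTokens, needs a using) names the header parameter directly and reads as what it is, and the literal deserves a named constant in each file. I would also add `// explicit typ marks this JWT as a client-authentication assertion, so the server can reject it if presented as any other token kind; presumably required by the strict audience validation enabled in this commit — confirm against the IdentityServer docs`. CreateClientToken starts before this hunk in both files.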