diff --git a/src/OpenIddict.Abstractions/Resources/OpenIddictResources.resx b/src/OpenIddict.Abstractions/Resources/OpenIddictResources.resx
index 4fcb9e1c..c2ebc116 100644
--- a/src/OpenIddict.Abstractions/Resources/OpenIddictResources.resx
+++ b/src/OpenIddict.Abstractions/Resources/OpenIddictResources.resx
@@ -1833,7 +1833,7 @@ To register the OpenIddict core services, reference the 'OpenIddict.Core' packag
{Locked}
- The access token '{Identifier}' was successfully created: {Payload}.
+ A new access token was successfully created: {Payload}.
The principal used to create the token contained the following claims: {Claims}.
{Locked}
@@ -1846,7 +1846,7 @@ The principal used to create the token contained the following claims: {Claims}.
{Locked}
- The authorization code '{Identifier}' was successfully created: {Payload}.
+ A new authorization code was successfully created: {Payload}.
The principal used to create the token contained the following claims: {Claims}.
{Locked}
@@ -1859,7 +1859,7 @@ The principal used to create the token contained the following claims: {Claims}.
{Locked}
- The device code '{Identifier}' was successfully created: {Payload}.
+ A new device code was successfully created: {Payload}.
The principal used to create the token contained the following claims: {Claims}.
{Locked}
@@ -1876,7 +1876,7 @@ The principal used to create the token contained the following claims: {Claims}.
{Locked}
- The refresh token '{Identifier}' was successfully created: {Payload}.
+ A new refresh token was successfully created: {Payload}.
The principal used to create the token contained the following claims: {Claims}.
{Locked}
@@ -1889,7 +1889,7 @@ The principal used to create the token contained the following claims: {Claims}.
{Locked}
- The user code '{Identifier}' was successfully created: {Payload}.
+ A new user code was successfully created: {Payload}.
The principal used to create the token contained the following claims: {Claims}.
{Locked}
@@ -1902,7 +1902,7 @@ The principal used to create the token contained the following claims: {Claims}.
{Locked}
- The identity token '{Identifier}' was successfully created: {Payload}.
+ A new identity token was successfully created: {Payload}.
The principal used to create the token contained the following claims: {Claims}.
{Locked}
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Introspection.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Introspection.cs
index 1b1eeec4..4bfff7c7 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Introspection.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Introspection.cs
@@ -894,11 +894,10 @@ namespace OpenIddict.Server
context.IssuedAt = context.NotBefore = context.Principal.GetCreationDate();
context.ExpiresAt = context.Principal.GetExpirationDate();
- // Infer the audiences/client_id claims from the properties stored in the security principal.
- // Note: the client_id claim must be a unique string so multiple presenters cannot be returned.
- // To work around this limitation, only the first one is returned if multiple values are listed.
+ // Infer the audiences/client_id from the claims stored in the security principal.
context.Audiences.UnionWith(context.Principal.GetAudiences());
- context.ClientId = context.Principal.GetPresenters().FirstOrDefault();
+ context.ClientId = context.Principal.GetClaim(Claims.ClientId) ??
+ context.Principal.GetPresenters().FirstOrDefault();
// Note: only set "token_type" when the received token is an access token.
// See https://tools.ietf.org/html/rfc7662#section-2.2
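Review bot: The rewritten comment above the `context.ClientId` assignment no longer explains why the fallback takes only the first presenter, although `GetPresenters().FirstOrDefault()` is still there as the second operand. I would keep that rationale and state the precedence, e.g. `// Prefer the explicit client_id claim; otherwise fall back to the first presenter, since client_id must be a single string.` Resource servers may base authorization decisions on the introspected `client_id`, so the order in which the two sources are consulted is worth documenting where it is decided. Note also that `??` only falls back on null, so an empty claim value would presumably be returned as-is; the enclosing handler starts and ends outside the hunk, so I cannot see whether that is ruled out earlier.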
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.cs
index cddc1f30..2b1fa782 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.cs
@@ -1872,7 +1872,6 @@ namespace OpenIddict.Server
claim.Properties.Remove(OpenIddictConstants.Properties.Destinations);
}
- principal.SetClaim(Claims.JwtId, Guid.NewGuid().ToString());
principal.SetCreationDate(DateTimeOffset.UtcNow);
var lifetime = context.Principal.GetAccessTokenLifetime() ?? context.Options.AccessTokenLifetime;
@@ -1957,7 +1956,6 @@ namespace OpenIddict.Server
return true;
});
- principal.SetClaim(Claims.JwtId, Guid.NewGuid().ToString());
principal.SetCreationDate(DateTimeOffset.UtcNow);
var lifetime = context.Principal.GetAuthorizationCodeLifetime() ?? context.Options.AuthorizationCodeLifetime;
@@ -2050,7 +2048,6 @@ namespace OpenIddict.Server
return true;
});
- principal.SetClaim(Claims.JwtId, Guid.NewGuid().ToString());
principal.SetCreationDate(DateTimeOffset.UtcNow);
var lifetime = context.Principal.GetDeviceCodeLifetime() ?? context.Options.DeviceCodeLifetime;
@@ -2124,7 +2121,6 @@ namespace OpenIddict.Server
return true;
});
- principal.SetClaim(Claims.JwtId, Guid.NewGuid().ToString());
principal.SetCreationDate(DateTimeOffset.UtcNow);
// When sliding expiration is disabled, the expiration date of generated refresh tokens is fixed
@@ -2236,7 +2232,6 @@ namespace OpenIddict.Server
claim.Properties.Remove(OpenIddictConstants.Properties.Destinations);
}
- principal.SetClaim(Claims.JwtId, Guid.NewGuid().ToString());
principal.SetCreationDate(DateTimeOffset.UtcNow);
var lifetime = context.Principal.GetIdentityTokenLifetime() ?? context.Options.IdentityTokenLifetime;
@@ -2323,7 +2318,6 @@ namespace OpenIddict.Server
return true;
});
- principal.SetClaim(Claims.JwtId, Guid.NewGuid().ToString());
principal.SetCreationDate(DateTimeOffset.UtcNow);
var lifetime = context.Principal.GetUserCodeLifetime() ?? context.Options.UserCodeLifetime;
@@ -2583,8 +2577,7 @@ namespace OpenIddict.Server
context.AccessToken = context.Options.JsonWebTokenHandler.CreateToken(descriptor);
- context.Logger.LogTrace(SR.GetResourceString(SR.ID6013), principal.GetClaim(Claims.JwtId),
- context.AccessToken, principal.Claims);
+ context.Logger.LogTrace(SR.GetResourceString(SR.ID6013), context.AccessToken, principal.Claims);
return default;
}
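Review bot: The new `LogTrace` call still writes the serialized token (`context.AccessToken`) and the full claim set to the log, and with the `jti` argument removed the message no longer carries any non-secret value to correlate on. The same applies to the five parallel hunks for the authorization code, device code, refresh token, user code and identity token. Anyone able to read trace output can presumably reuse these values until they expire, so I would add a comment above each call such as `// Note: the payload is a usable credential; this message is Trace-only and must stay disabled in production.`, or log a non-secret identifier instead if one is available at this point. The handler body starts outside the hunk, so whether the value is later replaced by a reference identifier is not visible here.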
@@ -2830,8 +2823,7 @@ namespace OpenIddict.Server
context.AuthorizationCode = context.Options.JsonWebTokenHandler.CreateToken(descriptor);
- context.Logger.LogTrace(SR.GetResourceString(SR.ID6016), principal.GetClaim(Claims.JwtId),
- context.AuthorizationCode, principal.Claims);
+ context.Logger.LogTrace(SR.GetResourceString(SR.ID6016), context.AuthorizationCode, principal.Claims);
return default;
}
@@ -3081,8 +3073,7 @@ namespace OpenIddict.Server
context.DeviceCode = context.Options.JsonWebTokenHandler.CreateToken(descriptor);
- context.Logger.LogTrace(SR.GetResourceString(SR.ID6019), principal.GetClaim(Claims.JwtId),
- context.DeviceCode, principal.Claims);
+ context.Logger.LogTrace(SR.GetResourceString(SR.ID6019), context.DeviceCode, principal.Claims);
return default;
}
@@ -3416,8 +3407,7 @@ namespace OpenIddict.Server
context.RefreshToken = context.Options.JsonWebTokenHandler.CreateToken(descriptor);
- context.Logger.LogTrace(SR.GetResourceString(SR.ID6023), principal.GetClaim(Claims.JwtId),
- context.RefreshToken, principal.Claims);
+ context.Logger.LogTrace(SR.GetResourceString(SR.ID6023), context.RefreshToken, principal.Claims);
return default;
}
@@ -3694,8 +3684,7 @@ namespace OpenIddict.Server
context.UserCode = context.Options.JsonWebTokenHandler.CreateToken(descriptor);
- context.Logger.LogTrace(SR.GetResourceString(SR.ID6026), principal.GetClaim(Claims.JwtId),
- context.UserCode, principal.Claims);
+ context.Logger.LogTrace(SR.GetResourceString(SR.ID6026), context.UserCode, principal.Claims);
return default;
}
@@ -4109,8 +4098,7 @@ namespace OpenIddict.Server
context.IdentityToken = context.Options.JsonWebTokenHandler.CreateToken(descriptor);
- context.Logger.LogTrace(SR.GetResourceString(SR.ID6029), principal.GetClaim(Claims.JwtId),
- context.IdentityToken, principal.Claims);
+ context.Logger.LogTrace(SR.GetResourceString(SR.ID6029), context.IdentityToken, principal.Claims);
return default;
}
diff --git a/src/OpenIddict.Server/OpenIddictServerOptions.cs b/src/OpenIddict.Server/OpenIddictServerOptions.cs
index beb95478..baf96460 100644
--- a/src/OpenIddict.Server/OpenIddictServerOptions.cs
+++ b/src/OpenIddict.Server/OpenIddictServerOptions.cs
@@ -261,7 +261,6 @@ namespace OpenIddict.Server
OpenIddictConstants.Claims.ExpiresAt,
OpenIddictConstants.Claims.IssuedAt,
OpenIddictConstants.Claims.Issuer,
- OpenIddictConstants.Claims.JwtId,
OpenIddictConstants.Claims.Subject
};
diff --git a/test/OpenIddict.Server.IntegrationTests/OpenIddictServerIntegrationTests.Introspection.cs b/test/OpenIddict.Server.IntegrationTests/OpenIddictServerIntegrationTests.Introspection.cs
index 23d93a56..01687e82 100644
--- a/test/OpenIddict.Server.IntegrationTests/OpenIddictServerIntegrationTests.Introspection.cs
+++ b/test/OpenIddict.Server.IntegrationTests/OpenIddictServerIntegrationTests.Introspection.cs
@@ -730,6 +730,7 @@ namespace OpenIddict.Server.IntegrationTests
.SetPresenters("Contoso", "AdventureWorks Cycles")
.SetCreationDate(new DateTimeOffset(2016, 1, 1, 0, 0, 0, TimeSpan.Zero))
.SetExpirationDate(new DateTimeOffset(2017, 1, 1, 0, 0, 0, TimeSpan.Zero))
+ .SetClaim(Claims.ClientId, "AdventureWorks Cycles")
.SetClaim(Claims.Subject, "Bob le Magnifique")
.SetClaim(Claims.JwtId, "66B65AED-4033-4E9C-B975-A8CA7FB6FA79");
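Review bot: With `.SetClaim(Claims.ClientId, "AdventureWorks Cycles")` added to this principal, the test now exercises only the claim branch of the new `??` expression. The fallback to the first presenter, which the old `"Contoso"` assertion (changed in the next hunk) covered, is no longer checked here. I would keep a second test that builds the same principal without a `client_id` claim and asserts that `response[Claims.ClientId]` is `"Contoso"`, unless one already exists outside this diff. The test method starts before and ends after this hunk.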
@@ -763,7 +764,7 @@ namespace OpenIddict.Server.IntegrationTests
Assert.Equal(1451606400, (long) response[Claims.NotBefore]);
Assert.Equal(1483228800, (long) response[Claims.ExpiresAt]);
Assert.Equal("Fabrikam", (string?) response[Claims.Audience]);
- Assert.Equal("Contoso", (string?) response[Claims.ClientId]);
+ Assert.Equal("AdventureWorks Cycles", (string?) response[Claims.ClientId]);
}
[Fact]