diff --git a/src/OpenIddict.Validation/OpenIddictValidationHandlers.Introspection.cs b/src/OpenIddict.Validation/OpenIddictValidationHandlers.Introspection.cs
index 3288aa72..150699cb 100644
--- a/src/OpenIddict.Validation/OpenIddictValidationHandlers.Introspection.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationHandlers.Introspection.cs
@@ -27,7 +27,7 @@ namespace OpenIddict.Validation
* Introspection response handling:
*/
AttachCredentials.Descriptor,
- AttachAccessToken.Descriptor,
+ AttachToken.Descriptor,
/*
* Introspection response handling:
@@ -75,16 +75,16 @@ namespace OpenIddict.Validation
}
///
- /// Contains the logic responsible of attaching the access token to the introspection request.
+ /// Contains the logic responsible of attaching the token to the introspection request.
///
- public class AttachAccessToken : IOpenIddictValidationHandler
+ public class AttachToken : IOpenIddictValidationHandler
{
///
/// Gets the default descriptor definition assigned to this handler.
///
public static OpenIddictValidationHandlerDescriptor Descriptor { get; }
= OpenIddictValidationHandlerDescriptor.CreateBuilder()
- .UseSingletonHandler()
+ .UseSingletonHandler()
.SetOrder(AttachCredentials.Descriptor.Order + 100_000)
.Build();
@@ -372,15 +372,19 @@ namespace OpenIddict.Validation
// OpenIddict-based authorization servers always return the actual token type using
// the special "token_usage" claim, that helps resource servers determine whether the
- // introspected token is an access token and thus prevent token substitution attacks.
- var usage = (string) context.Response[Claims.TokenUsage];
- if (!string.IsNullOrEmpty(usage) && !string.Equals(usage, context.TokenType, StringComparison.OrdinalIgnoreCase))
+ // introspected token is of the expected type and prevent token substitution attacks.
+ if (!string.IsNullOrEmpty(context.TokenType))
{
- context.Reject(
- error: Errors.InvalidToken,
- description: "The introspected token is not an access token.");
+ var usage = (string) context.Response[Claims.TokenUsage];
+ if (!string.IsNullOrEmpty(usage) &&
+ !string.Equals(usage, context.TokenType, StringComparison.OrdinalIgnoreCase))
+ {
+ context.Reject(
+ error: Errors.InvalidToken,
+ description: "The type of the introspection token doesn't match the expected type.");
- return default;
+ return default;
+ }
}
return default;
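Review bot: The type check in this hunk still fails open: when `context.TokenType` is empty, or when the response carries no `token_usage` value, control reaches the final `return default;` without any comparison, so the introspected token is accepted whatever its type. The comment says OpenIddict servers always return the claim but does not mention the skipped cases; I would add `// Note: if no expected type is set or the server omits "token_usage", the type cannot be verified and the token is accepted as-is.` above the outer `if`. The new description says "introspection token" where the removed one said "introspected token", which looks like a typo: `description: "The type of the introspected token doesn't match the expected type.");`. The handler's body starts and ends outside the hunk.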
diff --git a/src/OpenIddict.Validation/OpenIddictValidationService.cs b/src/OpenIddict.Validation/OpenIddictValidationService.cs
index c9756c38..ddf248d5 100644
--- a/src/OpenIddict.Validation/OpenIddictValidationService.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationService.cs
@@ -90,7 +90,9 @@ namespace OpenIddict.Validation
var message = new StringBuilder()
.AppendLine("An error occurred while preparing the configuration request.")
.AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
.AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
.AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
.ToString();
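Review bot: With the added `.AppendLine()` calls the message becomes a three-field, line-oriented record, but `context.Error`, `context.ErrorDescription` and `context.ErrorUri` are inserted without neutralising embedded line breaks. If any of these values can be copied from the remote server's error response (not visible in this diff, so to be confirmed), a CR/LF inside the description could forge an extra "Error URI:" line wherever the exception message is logged. I would either strip line breaks from the three values before formatting or add `// Note: these values may originate from the remote server; treat the message as untrusted when logging.` above the builder. The same applies to the seven other configuration/cryptography hunks and the four new introspection blocks below; the enclosing method starts outside the hunk.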
@@ -115,7 +117,9 @@ namespace OpenIddict.Validation
var message = new StringBuilder()
.AppendLine("An error occurred while sending the configuration request.")
.AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
.AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
.AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
.ToString();
@@ -140,7 +144,9 @@ namespace OpenIddict.Validation
var message = new StringBuilder()
.AppendLine("An error occurred while extracting the configuration response.")
.AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
.AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
.AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
.ToString();
@@ -166,7 +172,9 @@ namespace OpenIddict.Validation
var message = new StringBuilder()
.AppendLine("An error occurred while handling the configuration response.")
.AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
.AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
.AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
.ToString();
@@ -254,7 +262,9 @@ namespace OpenIddict.Validation
var message = new StringBuilder()
.AppendLine("An error occurred while preparing the cryptography request.")
.AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
.AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
.AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
.ToString();
@@ -279,7 +289,9 @@ namespace OpenIddict.Validation
var message = new StringBuilder()
.AppendLine("An error occurred while sending the cryptography request.")
.AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
.AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
.AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
.ToString();
@@ -304,7 +316,9 @@ namespace OpenIddict.Validation
var message = new StringBuilder()
.AppendLine("An error occurred while extracting the cryptography response.")
.AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
.AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
.AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
.ToString();
@@ -330,7 +344,9 @@ namespace OpenIddict.Validation
var message = new StringBuilder()
.AppendLine("An error occurred while handling the cryptography response.")
.AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
.AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
.AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
.ToString();
@@ -433,6 +449,21 @@ namespace OpenIddict.Validation
await provider.DispatchAsync(context);
+ if (context.IsRejected)
+ {
+ var message = new StringBuilder()
+ .AppendLine("An error occurred while preparing the introspection request.")
+ .AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
+ .AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
+ .AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
+ .ToString();
+
+ throw new OpenIddictExceptions.GenericException(message,
+ context.Error, context.ErrorDescription, context.ErrorUri);
+ }
+
return context.Request;
}
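Review bot: The rejection block added here is a copy of the one repeated in the eight configuration/cryptography hunks above and is pasted again in the three introspection hunks that follow, with only the first sentence changing. Twelve copies of the same formatting make it easy for one stage to drift (as the missing line breaks fixed by this same commit show), so I would move the formatting into one private helper and keep only the `throw` at each call site. The enclosing method starts outside the hunk, and the helper name below is only a suggestion.

```csharp
// Builds the multi-line message shared by every rejected stage.
private static string CreateErrorMessage(string summary, string error, string description, string uri)
    => new StringBuilder()
        .AppendLine(summary)
        .AppendFormat("Error: {0}", error ?? "(not available)")
        .AppendLine()
        .AppendFormat("Error description: {0}", description ?? "(not available)")
        .AppendLine()
        .AppendFormat("Error URI: {0}", uri ?? "(not available)")
        .ToString();

// … unchanged: await provider.DispatchAsync(context); …
if (context.IsRejected)
{
    throw new OpenIddictExceptions.GenericException(
        CreateErrorMessage("An error occurred while preparing the introspection request.",
            context.Error, context.ErrorDescription, context.ErrorUri),
        context.Error, context.ErrorDescription, context.ErrorUri);
}
```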
@@ -445,6 +476,21 @@ namespace OpenIddict.Validation
await provider.DispatchAsync(context);
+ if (context.IsRejected)
+ {
+ var message = new StringBuilder()
+ .AppendLine("An error occurred while sending the introspection request.")
+ .AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
+ .AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
+ .AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
+ .ToString();
+
+ throw new OpenIddictExceptions.GenericException(message,
+ context.Error, context.ErrorDescription, context.ErrorUri);
+ }
+
return context.Request;
}
@@ -457,6 +503,21 @@ namespace OpenIddict.Validation
await provider.DispatchAsync(context);
+ if (context.IsRejected)
+ {
+ var message = new StringBuilder()
+ .AppendLine("An error occurred while extracting the introspection response.")
+ .AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
+ .AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
+ .AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
+ .ToString();
+
+ throw new OpenIddictExceptions.GenericException(message,
+ context.Error, context.ErrorDescription, context.ErrorUri);
+ }
+
return context.Response;
}
@@ -472,6 +533,21 @@ namespace OpenIddict.Validation
await provider.DispatchAsync(context);
+ if (context.IsRejected)
+ {
+ var message = new StringBuilder()
+ .AppendLine("An error occurred while handling the introspection response.")
+ .AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
+ .AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
+ .AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
+ .ToString();
+
+ throw new OpenIddictExceptions.GenericException(message,
+ context.Error, context.ErrorDescription, context.ErrorUri);
+ }
+
return context.Principal;
}
}