diff --git a/src/OpenIddict.Abstractions/OpenIddictResources.resx b/src/OpenIddict.Abstractions/OpenIddictResources.resx
index 8f1b2d43..4a8b06ca 100644
--- a/src/OpenIddict.Abstractions/OpenIddictResources.resx
+++ b/src/OpenIddict.Abstractions/OpenIddictResources.resx
@@ -406,6 +406,9 @@ To enable DI support, call 'services.AddQuartz(options => options.UseMicrosof
Reference tokens cannot be used when disabling token storage.
+
+ The device grant must be allowed when enabling the device endpoint.
+
At least one encryption key must be registered in the OpenIddict server options.
Consider registering a certificate using 'services.AddOpenIddict().AddServer().AddEncryptionCertificate()' or 'services.AddOpenIddict().AddServer().AddDevelopmentEncryptionCertificate()' or call 'services.AddOpenIddict().AddServer().AddEphemeralEncryptionKey()' to use an ephemeral key.
@@ -1116,9 +1119,6 @@ To register the OpenIddict core services, reference the 'OpenIddict.Core' packag
The specified principal doesn't contain a valid claims-based identity.
-
- The device grant must be allowed when enabling the device endpoint.
-
The security token is missing.
@@ -1200,6 +1200,9 @@ To register the OpenIddict core services, reference the 'OpenIddict.Core' packag
The specified user code is no longer valid.
+
+ The client application is not allowed to use the device code flow.
+
The '{0}' parameter is not supported.
@@ -1266,6 +1269,9 @@ To register the OpenIddict core services, reference the 'OpenIddict.Core' packag
The client application is not allowed to use the hybrid flow.
+
+ The client type cannot be null or empty.
+
This client application is not allowed to use the specified scope.
@@ -1296,6 +1302,12 @@ To register the OpenIddict core services, reference the 'OpenIddict.Core' packag
A scope with the same name already exists.
+
+ Callback URLs cannot be null or empty.
+
+
+ Callback URLs must be valid absolute URLs.
+
This client application is not allowed to use the token endpoint.
@@ -1461,18 +1473,6 @@ To register the OpenIddict core services, reference the 'OpenIddict.Core' packag
The specified authorization type is not supported by the default token manager.
-
- The client type cannot be null or empty.
-
-
- Callback URLs cannot be null or empty.
-
-
- Callback URLs must be valid absolute URLs.
-
-
- The client application is not allowed to use the device code flow.
-
The '{0}' parameter shouldn't be null or empty at this point.
@@ -1833,9 +1833,15 @@ The principal used to create the token contained the following claims: {Claims}.
The introspection request was rejected because the received token was of an unsupported type.
+
+ Potentially sensitive application claims were excluded from the introspection response as the client '{ClientId}' was not explicitly listed as an audience.
+
The introspection request was rejected because the access token was issued to a different client or for another resource server.
+
+ Potentially sensitive application claims were excluded from the introspection response as the client '{ClientId}' is a public application.
+
The introspection request was rejected because the refresh token was issued to a different client.
@@ -1866,9 +1872,15 @@ The principal used to create the token contained the following claims: {Claims}.
The revocation request was rejected because the received token was of an unsupported type.
+
+ The device request was rejected because the application '{ClientId}' was not allowed to use the device code flow.
+
The revocation request was rejected because the access token was issued to a different client or for another resource server.
+
+ The device request was rejected because the application '{ClientId}' was not allowed to request the '{Scope}' scope.
+
The revocation request was rejected because the refresh token was issued to a different client.
@@ -1987,10 +1999,10 @@ The principal used to create the token contained the following claims: {Claims}.
Client authentication cannot be enforced for public applications.
- Client authentication failed for {Client} because no client secret was associated with the application.
+ Client authentication failed for {ClientId} because no client secret was associated with the application.
- Client authentication failed for {Client}.
+ Client authentication failed for {ClientId}.
Client validation failed because '{RedirectUri}' was not a valid redirect_uri for {Client}.
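Review bot: The placeholder rename in `+ Client authentication failed for {ClientId} because no client secret was associated with the application.` and `+ Client authentication failed for {ClientId}.` leaves the next message in the same hunk, `Client validation failed because '{RedirectUri}' was not a valid redirect_uri for {Client}.`, on the old `{Client}` name, so a structured-log sink now receives two property names for the same client identifier. Argument binding is positional, so the existing callers keep working, but any alerting or search rule keyed on the `Client` property will silently stop matching the two renamed entries and should be updated alongside this change. Renaming the remaining `{Client}` in that line to `{ClientId}` would keep the property name uniform across the three authentication/validation failure messages. The resx entry names are not visible in this view, so whether the same placeholder survives in other entries outside the hunk cannot be checked here.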
@@ -2008,45 +2020,39 @@ This may indicate that the hashed entry is corrupted or malformed.
An exception occurred while trying to revoke the authorization '{Identifier}'.
-
+
+ A signing key of type '{Type}' was ignored because its EC curve couldn't be inferred.
+
+
The token '{Identifier}' was successfully marked as redeemed.
-
+
A concurrency exception occurred while trying to redeem the token '{Identifier}'.
-
+
An exception occurred while trying to redeem the token '{Identifier}'.
-
+
The token '{Identifier}' was successfully marked as rejected.
-
+
A concurrency exception occurred while trying to reject the token '{Identifier}'.
-
+
An exception occurred while trying to reject the token '{Identifier}'.
-
+
The token '{Identifier}' was successfully revoked.
-
+
A concurrency exception occurred while trying to revoke the token '{Identifier}'.
-
+
An exception occurred while trying to revoke the token '{Identifier}'.
-
- A signing key of type '{Type}' was ignored because its EC curve couldn't be inferred.
-
-
+
The authorization request was rejected because the application '{ClientId}' was not allowed to use the '{ResponseType}' response type.
-
- The device request was rejected because the application '{ClientId}' was not allowed to use the device code flow.
-
-
- The device request was rejected because the application '{ClientId}' was not allowed to request the '{Scope}' scope.
-
https://documentation.openiddict.com/errors/{0}
diff --git a/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs b/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
index db0eb6dd..b0475f46 100644
--- a/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
+++ b/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
@@ -1179,7 +1179,7 @@ namespace OpenIddict.Core
var type = await Store.GetClientTypeAsync(application, cancellationToken);
if (string.IsNullOrEmpty(type))
{
- yield return new ValidationResult(SR.GetResourceString(SR.ID2118));
+ yield return new ValidationResult(SR.GetResourceString(SR.ID2050));
}
else
@@ -1214,7 +1214,7 @@ namespace OpenIddict.Core
// Ensure the address is not null or empty.
if (string.IsNullOrEmpty(address))
{
- yield return new ValidationResult(SR.GetResourceString(SR.ID2119));
+ yield return new ValidationResult(SR.GetResourceString(SR.ID2061));
break;
}
@@ -1222,7 +1222,7 @@ namespace OpenIddict.Core
// Ensure the address is a valid absolute URL.
if (!Uri.TryCreate(address, UriKind.Absolute, out Uri? uri) || !uri.IsWellFormedOriginalString())
{
- yield return new ValidationResult(SR.GetResourceString(SR.ID2120));
+ yield return new ValidationResult(SR.GetResourceString(SR.ID2062));
break;
}
diff --git a/src/OpenIddict.Core/Managers/OpenIddictTokenManager.cs b/src/OpenIddict.Core/Managers/OpenIddictTokenManager.cs
index dc5f363a..65caa516 100644
--- a/src/OpenIddict.Core/Managers/OpenIddictTokenManager.cs
+++ b/src/OpenIddict.Core/Managers/OpenIddictTokenManager.cs
@@ -1061,21 +1061,21 @@ namespace OpenIddict.Core
{
await UpdateAsync(token, cancellationToken);
- Logger.LogInformation(SR.GetResourceString(SR.ID6171), await Store.GetIdAsync(token, cancellationToken));
+ Logger.LogInformation(SR.GetResourceString(SR.ID6168), await Store.GetIdAsync(token, cancellationToken));
return true;
}
catch (ConcurrencyException exception)
{
- Logger.LogDebug(exception, SR.GetResourceString(SR.ID6172), await Store.GetIdAsync(token, cancellationToken));
+ Logger.LogDebug(exception, SR.GetResourceString(SR.ID6169), await Store.GetIdAsync(token, cancellationToken));
return false;
}
catch (Exception exception)
{
- Logger.LogWarning(exception, SR.GetResourceString(SR.ID6173), await Store.GetIdAsync(token, cancellationToken));
+ Logger.LogWarning(exception, SR.GetResourceString(SR.ID6170), await Store.GetIdAsync(token, cancellationToken));
return false;
}
@@ -1100,21 +1100,21 @@ namespace OpenIddict.Core
{
await UpdateAsync(token, cancellationToken);
- Logger.LogInformation(SR.GetResourceString(SR.ID6174), await Store.GetIdAsync(token, cancellationToken));
+ Logger.LogInformation(SR.GetResourceString(SR.ID6171), await Store.GetIdAsync(token, cancellationToken));
return true;
}
catch (ConcurrencyException exception)
{
- Logger.LogDebug(exception, SR.GetResourceString(SR.ID6175), await Store.GetIdAsync(token, cancellationToken));
+ Logger.LogDebug(exception, SR.GetResourceString(SR.ID6172), await Store.GetIdAsync(token, cancellationToken));
return false;
}
catch (Exception exception)
{
- Logger.LogWarning(exception, SR.GetResourceString(SR.ID6176), await Store.GetIdAsync(token, cancellationToken));
+ Logger.LogWarning(exception, SR.GetResourceString(SR.ID6173), await Store.GetIdAsync(token, cancellationToken));
return false;
}
@@ -1139,21 +1139,21 @@ namespace OpenIddict.Core
{
await UpdateAsync(token, cancellationToken);
- Logger.LogInformation(SR.GetResourceString(SR.ID6177), await Store.GetIdAsync(token, cancellationToken));
+ Logger.LogInformation(SR.GetResourceString(SR.ID6174), await Store.GetIdAsync(token, cancellationToken));
return true;
}
catch (ConcurrencyException exception)
{
- Logger.LogDebug(exception, SR.GetResourceString(SR.ID6178), await Store.GetIdAsync(token, cancellationToken));
+ Logger.LogDebug(exception, SR.GetResourceString(SR.ID6175), await Store.GetIdAsync(token, cancellationToken));
return false;
}
catch (Exception exception)
{
- Logger.LogWarning(exception, SR.GetResourceString(SR.ID6179), await Store.GetIdAsync(token, cancellationToken));
+ Logger.LogWarning(exception, SR.GetResourceString(SR.ID6176), await Store.GetIdAsync(token, cancellationToken));
return false;
}
diff --git a/src/OpenIddict.Server/OpenIddictServerConfiguration.cs b/src/OpenIddict.Server/OpenIddictServerConfiguration.cs
index ccad6ce8..6879179e 100644
--- a/src/OpenIddict.Server/OpenIddictServerConfiguration.cs
+++ b/src/OpenIddict.Server/OpenIddictServerConfiguration.cs
@@ -113,7 +113,7 @@ namespace OpenIddict.Server
// Ensure the device grant is allowed when the device endpoint is enabled.
if (options.DeviceEndpointUris.Count > 0 && !options.GrantTypes.Contains(GrantTypes.DeviceCode))
{
- throw new InvalidOperationException(SR.GetResourceString(SR.ID0287));
+ throw new InvalidOperationException(SR.GetResourceString(SR.ID0084));
}
// Ensure the grant types/response types configuration is consistent.
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Authentication.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Authentication.cs
index 42ba9361..d5986036 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Authentication.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Authentication.cs
@@ -1448,7 +1448,7 @@ namespace OpenIddict.Server
// Reject requests that specify a response_type for which no permission was granted.
if (!await HasPermissionAsync(context.Request.GetResponseTypes()))
{
- context.Logger.LogError(SR.GetResourceString(SR.ID6181), context.ClientId, context.Request.ResponseType);
+ context.Logger.LogError(SR.GetResourceString(SR.ID6177), context.ClientId, context.Request.ResponseType);
context.Reject(
error: Errors.UnauthorizedClient,
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Device.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Device.cs
index 33fd5865..e8c47ea4 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Device.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Device.cs
@@ -776,12 +776,12 @@ namespace OpenIddict.Server
// Reject the request if the application is not allowed to use the device code grant.
if (!await _applicationManager.HasPermissionAsync(application, Permissions.GrantTypes.DeviceCode))
{
- context.Logger.LogError(SR.GetResourceString(SR.ID6182), context.ClientId);
+ context.Logger.LogError(SR.GetResourceString(SR.ID6118), context.ClientId);
context.Reject(
error: Errors.UnauthorizedClient,
- description: SR.GetResourceString(SR.ID2121),
- uri: SR.FormatID8000(SR.ID2121));
+ description: SR.GetResourceString(SR.ID2027),
+ uri: SR.FormatID8000(SR.ID2027));
return;
}
@@ -791,7 +791,7 @@ namespace OpenIddict.Server
if (context.Request.HasScope(Scopes.OfflineAccess) &&
!await _applicationManager.HasPermissionAsync(application, Permissions.GrantTypes.RefreshToken))
{
- context.Logger.LogError(SR.GetResourceString(SR.ID6183), context.ClientId, Scopes.OfflineAccess);
+ context.Logger.LogError(SR.GetResourceString(SR.ID6120), context.ClientId, Scopes.OfflineAccess);
context.Reject(
error: Errors.InvalidRequest,
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Discovery.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Discovery.cs
index a52a3456..11d84241 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Discovery.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Discovery.cs
@@ -1199,7 +1199,7 @@ namespace OpenIddict.Server
if (string.IsNullOrEmpty(curve))
{
- context.Logger.LogWarning(SR.GetResourceString(SR.ID6180), credentials.Key.GetType().Name);
+ context.Logger.LogWarning(SR.GetResourceString(SR.ID6167), credentials.Key.GetType().Name);
continue;
}
diff --git a/src/OpenIddict.Server/OpenIddictServerHandlers.Introspection.cs b/src/OpenIddict.Server/OpenIddictServerHandlers.Introspection.cs
index 134c6e2b..c583543e 100644
--- a/src/OpenIddict.Server/OpenIddictServerHandlers.Introspection.cs
+++ b/src/OpenIddict.Server/OpenIddictServerHandlers.Introspection.cs
@@ -968,6 +968,8 @@ namespace OpenIddict.Server
// application-specific claims contained in the introspected access/identity token.
if (!context.Principal.HasAudience(context.Request.ClientId))
{
+ context.Logger.LogInformation(SR.GetResourceString(SR.ID6105), context.Request.ClientId);
+
return;
}
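Review bot: The new call `context.Logger.LogInformation(SR.GetResourceString(SR.ID6105), context.Request.ClientId);` logs the raw `client_id` request parameter, whereas the other handlers touched by this commit log `context.ClientId` (the Device and Authentication hunks); if the introspection context exposes the same property, using it here and in the second hunk (`SR.ID6107`) would keep the logged identifier consistent with the rest of the server. Because the value is caller-supplied, passing it as a structured argument rather than interpolating it into the message is the right choice; sinks that render messages to plain text should still expect arbitrary strings in that property. Information seems a reasonable level since this is a deliberate policy outcome rather than an error, but if non-audience introspection turns out to be a common, legitimate path the entry may be noisy and Debug could be reconsidered. The enclosing handler method starts before the hunk.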
@@ -980,6 +982,8 @@ namespace OpenIddict.Server
// Public clients are not allowed to access sensitive claims as authentication cannot be enforced.
if (await _applicationManager.HasClientTypeAsync(application, ClientTypes.Public))
{
+ context.Logger.LogInformation(SR.GetResourceString(SR.ID6107), context.Request.ClientId);
+
return;
}
@@ -992,8 +996,8 @@ namespace OpenIddict.Server
// Make sure to always update this list when adding new built-in claim properties.
var type = group.Key;
if (type is Claims.Audience or Claims.ExpiresAt or Claims.IssuedAt or
- Claims.Issuer or Claims.NotBefore or Claims.Scope or
- Claims.Subject or Claims.TokenType or Claims.TokenUsage)
+ Claims.Issuer or Claims.NotBefore or Claims.Scope or
+ Claims.Subject or Claims.TokenType or Claims.TokenUsage)
{
continue;
}
diff --git a/test/OpenIddict.Server.IntegrationTests/OpenIddictServerIntegrationTests.Device.cs b/test/OpenIddict.Server.IntegrationTests/OpenIddictServerIntegrationTests.Device.cs
index e1fadbdd..7b89a304 100644
--- a/test/OpenIddict.Server.IntegrationTests/OpenIddictServerIntegrationTests.Device.cs
+++ b/test/OpenIddict.Server.IntegrationTests/OpenIddictServerIntegrationTests.Device.cs
@@ -572,8 +572,8 @@ namespace OpenIddict.Server.IntegrationTests
// Assert
Assert.Equal(Errors.UnauthorizedClient, response.Error);
- Assert.Equal(SR.GetResourceString(SR.ID2121), response.ErrorDescription);
- Assert.Equal(SR.FormatID8000(SR.ID2121), response.ErrorUri);
+ Assert.Equal(SR.GetResourceString(SR.ID2027), response.ErrorDescription);
+ Assert.Equal(SR.FormatID8000(SR.ID2027), response.ErrorUri);
Mock.Get(manager).Verify(manager => manager.FindByClientIdAsync("Fabrikam", It.IsAny()), Times.AtLeastOnce());
Mock.Get(manager).Verify(manager => manager.HasPermissionAsync(application,