Tags: asp.net, security, oauth-2.0, owin, owin-security

Why does SerializeTicket() return token with all scopes that resource allows for client


Using AspNet 4.6.2 to generate access tokens, using any Auth flow (have tried Code Flow, Implicit Flow, Client Credentials Flow), using the AuthenticationTokenCreateContext class from Microsoft.Owin.Security.Infrastructure, I have observed some strange behaviour.

We have implemented an Auth server where resources can allow clients to request certain scopes, however, a token is always returned with all scopes that a client is able to request from that resource.

The relevant code is:

// Build the ticket that will become the access token. `identity`, `nowUtc`, `clientId`,
// `resource`, `scope`, `Options` and `Context` come from the surrounding grant handler.
var accessTicket = new AuthenticationTicket(new ClaimsIdentity(identity), new AuthenticationProperties());

// The Set* helpers below are extension methods on AuthenticationProperties defined outside
// Microsoft.Owin.Security (presumably in this Auth server's own code); only IssuedUtc and
// ExpiresUtc are members of the OWIN class itself.
accessTicket.Properties.SetTicketType("access_token");
accessTicket.Properties.IssuedUtc = nowUtc;
accessTicket.Properties.SetNotBeforeUtc(nowUtc);
accessTicket.Properties.ExpiresUtc = nowUtc.Add(Options.AccessTokenLifetime);
accessTicket.Properties.SetClientId(clientId);
accessTicket.Properties.SetResource(resource);
accessTicket.Properties.SetTokenId(Guid.NewGuid().ToString());
accessTicket.Properties.SetScope(scope);   // only the scope granted for this request

// Hand the ticket to the configured token provider, which may mint the token itself.
var accessTokenCreateContext = new AuthenticationTokenCreateContext(Context, Options.AccessTokenFormat, accessTicket);

await Options.AccessTokenProvider.CreateAsync(accessTokenCreateContext);

var accessToken = accessTokenCreateContext.Token;

// If the provider did not set Token, fall back to SerializeTicket(), which protects the
// ticket with Options.AccessTokenFormat (the JWT format in this server).
if (string.IsNullOrEmpty(accessToken))
{
    accessToken = accessTokenCreateContext.SerializeTicket();
}

Once created, accessTokenCreateContext.Ticket.Properties.GetScope() returns the expected scope, but then once the (JWT) accessToken is created via the SerializeTicket() method, the token has all of the scopes that the client is able to request from the resource.

Why does this method serialize the ticket with scopes that are not in the ticket?


Solution

  • This is merely a misunderstanding of my IDE. I didn't realise that Visual Studio was not stepping into certain methods, and I took that for granted since I saw it step into others.

    Lesson for me: need to learn to use my tools better.
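A check that does not depend on the debugger stepping into the right method, added here as an example and not part of the question or answer: decode the payload of the serialized JWT and compare its scope claim against the scope the ticket asked for, so scope over-issuance like the one reported above shows up as a failing assertion. The sample token, the claim names (`scope` / `scp`) and the requested scope are constructed for the demo.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature.

    Diagnostic only: fine for inspecting a token this server just minted,
    never for accepting one from a caller."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def issued_scopes(claims: dict) -> set:
    # Servers emit scope either as a space-delimited "scope" string (OAuth 2.0 style)
    # or as a list under "scp"; normalise both to a set of scope names.
    value = claims.get("scope", claims.get("scp", ""))
    if isinstance(value, str):
        return set(value.split())
    return set(value)


def scope_overissuance(token: str, requested: str) -> set:
    """Scopes present in the serialized token but absent from the ticket's requested scope.

    An empty set means the token matches the ticket; anything else is over-issuance."""
    return issued_scopes(jwt_claims(token)) - set(requested.split())


def _make_unsigned_jwt(claims: dict) -> str:
    # Constructed sample token (alg "none", empty signature) for the demo; not a real credential.
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc(claims)}.'


# Constructed sample: the ticket asked for "read", but the token carries every scope the client may request.
REQUESTED_SCOPE = "read"
SAMPLE_TOKEN = _make_unsigned_jwt(
    {"client_id": "demo-client", "aud": "demo-resource", "scope": "read write admin"})

if __name__ == "__main__":
    print(sorted(scope_overissuance(SAMPLE_TOKEN, REQUESTED_SCOPE)))  # ['admin', 'write']
```

Run the same comparison in a unit test against the real `accessToken` string to catch the mismatch on every build rather than only while stepping through the debugger.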