Tags: asp.net-core, identityserver4, access-token

IdentityServer4 Introspection multi tenant request


I am trying to use the Introspection sample available here to send a tenant in the request

using System.Net.Http;
using IdentityModel.Client;

// "disco" is the discovery document fetched earlier in the sample
// (client.GetDiscoveryDocumentAsync); only the token request is shown here.
var client = new HttpClient();
var tokenRequest = new PasswordTokenRequest {
    Address = disco.TokenEndpoint,
    ClientId = "roclient.reference",
    ClientSecret = "secret",
    UserName = "user",
    Password = "password",
    Scope = "api1 api2.read_only"
};
// extra form parameter sent alongside the standard password-grant fields
tokenRequest.Parameters.Add("acr_values", "tenant:mytenant");
var response = await client.RequestPasswordTokenAsync(tokenRequest);

However, the tenant parameter is always null server side, as you can see from the following log:

[09:54:02 INF] User authentication failed: ["invalid_username_or_password"], request details:
{
    "ClientId": "roclient.reference",
    "ClientName": "Introspection Client Sample",
    "GrantType": "password",
    "Scopes": "api1 api2.read_only",
    "AuthorizationCode": null,
    "RefreshToken": null,
    "UserName": "user",
    "AuthenticationContextReferenceClasses": null,
    "Tenant": null,
    "IdP": null,
    "Raw": {"acr_values": "tenant:mytenant", "grant_type": "password", "username": "user", "password": "***REDACTED***", "scope": "api1 api2.read_only", "client_id": "roclient.reference", "client_secret": "***REDACTED***"},
    "$type": "TokenRequestValidationLog"
}

What is the correct way to send the tenant parameter in the request?


Solution

You're doing it correctly, but IdentityServer doesn't automatically parse acr_values in the token request. Depending on what you would like to do, you can create and register an implementation of ICustomTokenRequestValidator to perform special actions upon receiving particular acr_values. The docs would lead one to believe otherwise, but I think that's just the result of a copy-paste job that led to a typo (it pretty much says the same thing about acrs on the authorize endpoint page).

To see for yourself that this is the case, you can take a look at the token endpoint, which calls the token request validator before generating a response with the token response generator. If you compare the TokenRequestValidator with the AuthorizeRequestValidator you'll quickly notice that it doesn't have the same treatment of acr_values (just ctrl-f 'acr' on each page).
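Added example of the approach the answer describes (this is not code from the question, the answer, or the IdentityServer4 samples): a custom token request validator that reads acr_values from the raw token request, requires a known tenant, and records it as a client claim. The tenant allow-list, the "tenant" claim name and the decision to reject requests without a tenant are assumptions for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Validation;

// Pulls "tenant:<name>" out of a space-separated acr_values string.
// Returns null when no tenant entry is present.
public static class AcrValues
{
    public static string GetTenant(string acrValues)
    {
        if (string.IsNullOrWhiteSpace(acrValues)) return null;
        return acrValues
            .Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries)
            .Where(v => v.StartsWith("tenant:", StringComparison.Ordinal))
            .Select(v => v.Substring("tenant:".Length))
            .FirstOrDefault(t => t.Length > 0);
    }
}

// Runs after IdentityServer's built-in token request validation (grant type, client,
// scopes, user credentials). Rejects requests whose tenant is missing or unknown,
// otherwise records the tenant as a client claim for downstream token generation.
public class TenantAcrValidator : ICustomTokenRequestValidator
{
    // Constructed allow-list (assumption); a real deployment would consult its tenant store.
    private static readonly string[] KnownTenants = { "mytenant", "othertenant" };

    public Task ValidateAsync(CustomTokenRequestValidationContext context)
    {
        var raw = context.Result.ValidatedRequest.Raw;   // the raw form fields, as in "Raw" in the log
        var tenant = AcrValues.GetTenant(raw["acr_values"]);

        if (tenant == null || !KnownTenants.Contains(tenant, StringComparer.Ordinal))
        {
            context.Result.IsError = true;
            context.Result.Error = OidcConstants.TokenErrors.InvalidRequest;
            context.Result.ErrorDescription = "missing or unknown tenant in acr_values";
            return Task.CompletedTask;
        }

        context.Result.ValidatedRequest.ClientClaims.Add(new Claim("tenant", tenant));
        return Task.CompletedTask;
    }
}

// Registration in Startup.ConfigureServices:
// services.AddIdentityServer() /* ...clients, resources, users... */
//     .AddCustomTokenRequestValidator<TenantAcrValidator>();
```

Because the custom validator runs last, a failing user lookup (as in the question's log) is still reported before this code executes; whether the added claim ends up in the access token also depends on the client's AlwaysSendClientClaims and ClientClaimsPrefix settings.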