Merge pull request #223 from DuendeSoftware/mb/720

maartenba · web-flow · commit 96c980462aac · 2025-03-18T17:00:02.000+01:00
Add Strict Audience Validation to Private Key JWT samples
diff --git a/IdentityServer/v7/Basics/IdentityServer/src/HostingExtensions.cs b/IdentityServer/v7/Basics/IdentityServer/src/HostingExtensions.cs
@@ -21,6 +21,8 @@ public static WebApplication ConfigureServices(this WebApplicationBuilder builde
             // see https://docs.duendesoftware.com/identityserver/v6/fundamentals/resources/api_scopes
             options.EmitStaticAudienceClaim = true;
             options.PushedAuthorization.AllowUnregisteredPushedRedirectUris = true;
+
+            options.Preview.StrictClientAssertionAudienceValidation = true;
         })
             .AddTestUsers(TestUsers.Users);
 
@@ -68,4 +70,4 @@ public static WebApplication ConfigurePipeline(this WebApplication app)
 
         return app;
     }
-}
+}
diff --git a/IdentityServer/v7/Basics/IdentityServer/src/IdentityServerHost.csproj b/IdentityServer/v7/Basics/IdentityServer/src/IdentityServerHost.csproj
@@ -6,7 +6,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Duende.IdentityServer" Version="7.1.0" />
+    <PackageReference Include="Duende.IdentityServer" Version="7.2.0" />
     <PackageReference Include="Serilog.AspNetCore" Version="8.0.3" />
   </ItemGroup>
 
diff --git a/IdentityServer/v7/Basics/JwtBasedClientAuthentication/src/Program.cs b/IdentityServer/v7/Basics/JwtBasedClientAuthentication/src/Program.cs
@@ -75,6 +75,8 @@ static string CreateClientToken(SigningCredentials credential, string clientId,
         credential
     );
 
+    token.Header[JwtClaimTypes.TokenType] = "client-authentication+jwt";
+
     var tokenHandler = new JwtSecurityTokenHandler();
     var clientToken = tokenHandler.WriteToken(token);
     "\n\nClient Authentication Token:".ConsoleGreen();
@@ -94,4 +96,4 @@ static async Task CallServiceAsync(string token)
 
     "\n\nService claims:".ConsoleGreen();
     Console.WriteLine(response.PrettyPrintJson());
-}
+}
diff --git a/IdentityServer/v7/Basics/MvcJarJwt/src/AssertionService.cs b/IdentityServer/v7/Basics/MvcJarJwt/src/AssertionService.cs
@@ -40,6 +40,8 @@ public string CreateClientToken()
             new SigningCredentials(new JsonWebKey(key), "RS256")
         );
 
+        token.Header[JwtClaimTypes.TokenType] = "client-authentication+jwt";
+
         var tokenHandler = new JwtSecurityTokenHandler();
         tokenHandler.OutboundClaimTypeMap.Clear();
     
