Merge pull request #307 from DuendeSoftware/ev/atm/authority-in-samples

Erwinvandervalk · web-flow · commit f82c261385ce · 2025-12-12T16:53:32.000+01:00
explicitly set audience in samples
diff --git a/access-token-management/samples/WebJarJwt/ClientAssertionService.cs b/access-token-management/samples/WebJarJwt/ClientAssertionService.cs
@@ -46,7 +46,11 @@ public ClientAssertionService(
         var descriptor = new SecurityTokenDescriptor
         {
             Issuer = config.ClientId.ToString(),
-            Audience = config.TokenEndpoint.GetLeftPart(UriPartial.Authority),
+
+            // Don't use the TokenEndpoint here. Use the Authority as the audience. 
+            // You may expose yourself to a vulnerability, as described in the document below:
+            // https://openid.net/wp-content/uploads/2025/01/OIDF-Responsible-Disclosure-Notice-on-Security-Vulnerability-for-private_key_jwt.pdf
+            Audience = "https://demo.duendesoftware.com",
             Expires = DateTime.UtcNow.AddMinutes(1),
             SigningCredentials = Credential,
 
@@ -87,7 +91,11 @@ public async Task<string> SignAuthorizeRequest(OpenIdConnectMessage message,
         var descriptor = new SecurityTokenDescriptor
         {
             Issuer = config.ClientId.ToString(),
-            Audience = config.TokenEndpoint.GetLeftPart(UriPartial.Authority),
+
+            // Don't use the TokenEndpoint here. Use the Authority as the audience. 
+            // You may expose yourself to a vulnerability, as described in the document below:
+            // https://openid.net/wp-content/uploads/2025/01/OIDF-Responsible-Disclosure-Notice-on-Security-Vulnerability-for-private_key_jwt.pdf
+            Audience = "https://demo.duendesoftware.com",
             Expires = DateTime.UtcNow.AddMinutes(1),
             SigningCredentials = Credential,
 
diff --git a/access-token-management/samples/Worker/ClientAssertionService.cs b/access-token-management/samples/Worker/ClientAssertionService.cs
@@ -40,7 +40,7 @@ public class ClientAssertionService(IOptionsMonitor<ClientCredentialsClient> opt
             var descriptor = new SecurityTokenDescriptor
             {
                 Issuer = options1.ClientId?.ToString(),
-                Audience = options1.TokenEndpoint?.ToString(),
+                Audience = "https://demo.duendesoftware.com",
                 Expires = DateTime.UtcNow.AddMinutes(1),
                 SigningCredentials = Credential,
 
diff --git a/access-token-management/samples/WorkerDI/ClientAssertionService.cs b/access-token-management/samples/WorkerDI/ClientAssertionService.cs
@@ -40,7 +40,7 @@ public class ClientAssertionService(IOptionsMonitor<ClientCredentialsClient> opt
             var descriptor = new SecurityTokenDescriptor
             {
                 Issuer = options1.ClientId!.ToString(),
-                Audience = options1.TokenEndpoint!.ToString(),
+                Audience = "https://demo.duendesoftware.com",
                 Expires = DateTime.UtcNow.AddMinutes(1),
                 SigningCredentials = Credential,
 

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ public class ClientAssertionService(IOptionsMonitor<ClientCredentialsClient> opt`
`40`	`40`	`var descriptor = new SecurityTokenDescriptor`
`41`	`41`	`{`
`42`	`42`	`Issuer = options1.ClientId?.ToString(),`
`43`		`- Audience = options1.TokenEndpoint?.ToString(),`
	`43`	`+ Audience = "https://demo.duendesoftware.com",`
`44`	`44`	`Expires = DateTime.UtcNow.AddMinutes(1),`
`45`	`45`	`SigningCredentials = Credential,`
`46`	`46`