
I implemented the Identity Server using the stores against CosmosDb; the access token is very short compared to the id token, so I guess I'm missing some config or some interface to implement.

Access Token: -TPc90IVKUxMOxLLIZmQcCgGGkdRXf7207sfb_b1-7E

Id Token: eyJhbGciOiJSUzI1NiIsImtpZCI6InNOcnBNMlVrUEF0ajlZYzZFZGNaVWciLCJ0eXAiOiJKV1QifQ.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.N9Xv7Uvgg5GlrB-9HPU3-WJffdP1z_400Rm2f246DPWEM7tDkBOtCUW_1Oo5GXURNgCJXmsQGvKelGUs8ysPzHS_t3faK-_57QHugubUqvDPqJgimHw8iJz-PFNKPS9hPI0Bnw889tNYJ7pnmTQH16PurF2Cgi2xB7p2Uc4SN1HLK5ed3usoMQ4Sxu08ONcy4MFy1b5JDjttSq4EA4xZGunQFNUNxOziroE6VTuvn7aOsEIKIiRuOyKOKQBct_H68Px3FUgwzTZ5ABD52_SzdzqoP1gZEZavSI6Wl5xIlRvaZqEyCUoGZ2TqFKSydRdZbARmSbFl1SfmAzyCwvYjHA

  • If you're using reference tokens, that's completely expected. – sellotape Mar 22 '20 at 19:00
  • How did you use IdentityServer4 for Cosmos DB? Have you followed this document: https://dujushi.github.io/2019/07/10/IdentityServer4-Tutorial-Cosmos-Db.html? – Jay Gong Mar 23 '20 at 08:27
  • access_token contains less information than id_token, so it is OK for it to have a shorter length than access_token. – Mehrdad Mar 24 '20 at 12:03
  • @JayGong, thank you for this article 'https://dujushi.github.io/2019/07/10/IdentityServer4-Tutorial-Cosmos-Db.html'. After I implemented the PersistedGrantStore in this way, the PII error is gone. The only problem is that the access token (short) cannot be used to authorize the API, since it is missing a lot of information. – Sudherson Vetrichelvan Mar 24 '20 at 16:05
  • @sellotape, any ideas on making this access token to be fully loaded like the id token? – Sudherson Vetrichelvan Mar 24 '20 at 16:07
  • @Mehrdad, any ideas on making this access token to be fully loaded like the id token? – Sudherson Vetrichelvan Mar 24 '20 at 16:07
  • As you know, access_token will be sent with all requests' headers, and we have some [limitation](https://stackoverflow.com/questions/686217/maximum-on-http-header-values) on header data. Because of this limitation we can't include all data in access_token and make it very long. – Mehrdad Mar 24 '20 at 16:54
  • You really should favour reference tokens. They contain nothing but a reference to the real token, hence clients like UIs can't derive anything from them (as they shouldn't); they can cut down on network traffic, as they could be quite large if there are many claims in them; they can fairly easily be revoked, which JWT-style tokens can't (easily); and back-ends (APIs) still get access to the real content of the token when they need it. – sellotape Mar 24 '20 at 19:22
  • Thank you guys, @sellotape and Mehrdad, I tweaked my API to use the reference token instead of JWT. I believe Id Server 4 by default is writing grants to storage as reference. Now, I'm all set! – Sudherson Vetrichelvan Mar 24 '20 at 20:01
  • @SudhersonVetrichelvan Well done! Why not just summarize your solution as an answer to log this issue. Thank you for your sharing. – Jay Gong Mar 25 '20 at 01:20
  • @SudhersonVetrichelvan I tried to summarize your solution as an answer to end this case. If you don't mind, you could mark the answer for others' reference. Thank you – Jay Gong Mar 26 '20 at 08:26
  • @JayGong, I have explained how I solved the problem, please check it out. – Sudherson Vetrichelvan Mar 27 '20 at 02:18
  • @SudhersonVetrichelvan Thank you for your sharing, please accept your answer. It's perfect. – Jay Gong Mar 27 '20 at 02:19

2 Answers


Just for summary:

The issue is solved by using a reference token instead of a JWT. Id Server 4 writes grants to storage as reference tokens by default.

For more details on reference tokens in IdentityServer4, please refer to https://identityserver4.readthedocs.io/en/latest/topics/reference_tokens.html

Jay Gong


I started implementing IdentityServer4 against Cosmos DB as persistence, referenceLink, had some error while writing grants to Cosmos DB, then I followed the cosmosGrantStore which helped in fixing this error. However, the Identity Server by default generates reference tokens, which are shorter compared to JWTs. While using ASP.NET Identity Server, JWT tokens were generated, hence the confusion. Later, this useReferenceTokenForApiAuth helped me to use the reference token to authorize the API against the Identity Server.
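The two halves of the fix described in this answer and in sellotape's comment, as an added example (not the asker's code nor the linked tutorial's): the IdentityServer4 client is configured to issue reference tokens, and the API validates them by introspection instead of reading a JWT locally. The client id, API name, secrets and the authority URL are assumed placeholders; the `Scopes` assignment follows the IdentityServer4 v3 model (the version current when this thread was written) and is an assumption about the version in use.

```csharp
// Added example, not code from the original post. All names and secrets are placeholders.
using System;
using IdentityServer4.AccessTokenValidation;   // SupportedTokens
using IdentityServer4.Models;                  // Client, ApiResource, Secret, Sha256()
using Microsoft.Extensions.DependencyInjection; // AddIdentityServerAuthentication

public static class ReferenceTokenSetup
{
    // IdentityServer side: this client receives a reference token (an opaque handle
    // persisted through the PersistedGrantStore, here the Cosmos DB one) instead of a JWT.
    // A reference token carries no claims, so a UI cannot read anything from it,
    // and deleting the grant revokes it before AccessTokenLifetime elapses.
    public static Client CosmosClient() => new Client
    {
        ClientId = "cosmos-client",                              // assumed
        ClientSecrets = { new Secret("client-secret-placeholder".Sha256()) },
        AllowedGrantTypes = GrantTypes.ClientCredentials,
        AllowedScopes = { "cosmos-api" },
        AccessTokenType = AccessTokenType.Reference,             // default is AccessTokenType.Jwt
        AccessTokenLifetime = 3600                               // seconds
    };

    // The API needs its own secret: the introspection endpoint only resolves a
    // reference token to its claims for an authenticated API resource.
    public static ApiResource CosmosApi() => new ApiResource("cosmos-api", "Cosmos API")
    {
        ApiSecrets = { new Secret("api-secret-placeholder".Sha256()) },
        Scopes = { new Scope("cosmos-api") }                     // v3-style scope definition (assumption)
    };

    // API side (IdentityServer4.AccessTokenValidation package): accept only reference
    // tokens and validate each bearer token by calling the authority's introspection endpoint.
    public static void ConfigureApiAuthentication(IServiceCollection services)
    {
        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication("Bearer", options =>
            {
                options.Authority = "https://localhost:5001";    // assumed IdentityServer URL
                options.ApiName = "cosmos-api";                   // must match the ApiResource name
                options.ApiSecret = "api-secret-placeholder";     // plain value of the ApiSecrets entry
                options.SupportedTokens = SupportedTokens.Reference; // reject JWTs; introspect everything
            });
    }
}
```

With `SupportedTokens.Both` the API would accept a JWT or a reference token, which is the setting to use while migrating clients one at a time.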