RevokeRefreshTokenAsync throws Revocation endpoint not configured

[agerchev]

Which version of Duende.AccessTokenManagement are you using?
3.0.0
Which version of .NET are you using?
8
Describe the bug
When I call RevokeRefreshTokenAsync the method throw exception: "Revocation endpoint not configured"

This is the callstack:

System.InvalidOperationException: Revocation endpoint not configured
at Duende.AccessTokenManagement.OpenIdConnect.UserTokenEndpointService.RevokeRefreshTokenAsync(UserToken userToken, UserTokenRequestParameters parameters, CancellationToken cancellationToken) in /_/src/Duende.AccessTokenManagement.OpenIdConnect/UserTokenEndpointService.cs:line 169
at Duende.AccessTokenManagement.OpenIdConnect.UserAccessAccessTokenManagementService.RevokeRefreshTokenAsync(ClaimsPrincipal user, UserTokenRequestParameters parameters, CancellationToken cancellationToken) in /_/src/Duende.AccessTokenManagement.OpenIdConnect/UserAccessTokenManagementService.cs:line 128
at Microsoft.AspNetCore.Authentication.TokenManagementHttpContextExtensions.RevokeRefreshTokenAsync(HttpContext httpContext, UserTokenRequestParameters parameters, CancellationToken cancellationToken) in /_/src/Duende.AccessTokenManagement.OpenIdConnect/TokenManagementHttpContextExtensions.cs:line

Additional context

The problem occurs only with the new version of Microsoft.IdentityModel.Protocols.OpenIdConnect (8.1.0)

It seems that they created new property for the RevocationEndpoint and it does not appear in AdditionalData.
(AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@d0131d5)

But Duende.AccessTokenManagement.OpenIdConnect.OpenIdConnectConfigurationService try to get it from AdditionalData and it is not there.

        return new OpenIdConnectClientConfiguration
        {
            Scheme = configScheme,
            
            Authority = options.Authority,
            TokenEndpoint = configuration.TokenEndpoint,
            RevocationEndpoint = configuration.AdditionalData.TryGetValue(OidcConstants.Discovery.RevocationEndpoint, out var value) ? value?.ToString() : null,
            
            ClientId = options.ClientId,
            ClientSecret = options.ClientSecret,
            HttpClient = options.Backchannel,
        };

[RolandGuijt]

Can you please follow the pointers in #1373 and let me know if that helped? Thanks.

[agerchev]

Yes, the problem is the same.
When do you expect to fix the implementation of the OpenIdConnectConfigurationService service ?

[AndersAbel]

Asp.NET Core 8 on .NET 8 references Microsoft.IdentityModel.* version 7.x and that is what we are currently supporting.

I do not think that i makes sense to support Microsoft.IdentityModel.* version 8.x on a .NET 8 target. Is that something you need?`

The work to make Duende.AccessTokenManagement compatible with .NET 9 is tracked in an issue in that repo: DuendeSoftware/foss#51

[damianh]

Hi @agerchev , generally our policy is to reference the same version that Microsoft.AspNetCore.Authentication.OpenIdConnect references. As you can see here it's 7.1.2 and we very much want to stay aligned.

What is the motivation for you to use a newer Microsoft.IdentityModel. version?

[damianh]

@agerchev It seems that MS/AspNet core folks are advising explicit package references to 8.x versions of Microsoft.IdentityModel.* dotnet/aspnetcore#57940 (comment)

We're going to do an exception to our policy and have released a preview version of AccessTokenManagement that sets the minimum version of System.IdentityModel.Tokens.Jwt to 8.0.1 (and thus Microsoft.IdentityModel.* to 8.0.0.

Please try out the package and let us know how you get on. Thanks.

[agerchev]

Hi @damianh,
I was short of time, and could not inspect why exactly we ended up with newer versions of this package (newer than the default for the .net 8 as you pointed out)

I tried the preview version and it works. When can we expect to have 3.1 released ?

[damianh]

We have a few more issues we want to address for a 3.1 release. Should be in next 2-3 weeks.

Going to close this issue as it's been addressed.