Token refreshing failure - use error_description property

[PrzemyslawMucha]

IdentityServer version

7.1

.NET version

8

Description

When token refreshing ends with failure, we always got only generic error response as {"error": "invalid_grant"}. OAuth 2.0 standard allows use optional error_description property (https://datatracker.ietf.org/doc/html/rfc6749#section-5.2).

It's possible to overrite DefaultRefreshTokenService (https://github.com/DuendeSoftware/products/blob/main/identity-server/src/IdentityServer/Services/Default/DefaultRefreshTokenService.cs#L79) to add error_description information.

But TokenRequestValidator (https://github.com/DuendeSoftware/products/blob/main/identity-server/src/IdentityServer/Validation/Default/TokenRequestValidator.cs) implementation is internal, hard to ovverride, and whatmore, it does not use error data from IRefreshTokenService (https://github.com/DuendeSoftware/products/blob/main/identity-server/src/IdentityServer/Validation/Default/TokenRequestValidator.cs#L695).

I can see two solutions:

1. TokenRequestValidator copies error and error_description from IRefreshTokenService
2. DefaultRefreshTokenService and TokenRequestValidator fills error_description property in all cases

Reproduction steps

No response

Expected behavior

No response

Logs

No response

Additional context

No response

[RolandGuijt]

We are deliberately vague with error responses. We don't want to volunteer too much information to attackers.
Having said that: are the error details you're looking for visible in the log? If so, is that enough for you or do you need it to be part of the response?
If that's the case can you please elaborate on why you need that?

[PrzemyslawMucha]

Thank you for your quick response.

Of course I can extend logs in DefaultRefreshTokenService, but easier is log both http request and http response in applicatioin which using IdentityServer.

Some of new features, like proof of possession (https://github.com/DuendeSoftware/products/blob/main/identity-server/src/IdentityServer/Validation/Default/TokenRequestValidator.cs#L707C12-L707C31), using error_description property, so I thougth that all error reponses colud contain this property.

[RolandGuijt]

I was not suggesting extending the logs. I meant are the error details in the log? And is that enough for you? And if not: why?

[PrzemyslawMucha]

Logs from default IS implementation does not contain enough information for debugging reason why refreshing token ends with failure.

Examples:

• missing info about token : https://github.com/DuendeSoftware/products/blob/main/identity-server/src/IdentityServer/Services/Default/DefaultRefreshTokenService.cs#L92

• missing info about token, subjectId, expiration time, clientId: https://github.com/DuendeSoftware/products/blob/main/identity-server/src/IdentityServer/Services/Default/DefaultRefreshTokenService.cs#L101

• missing info about token, subjectId : https://github.com/DuendeSoftware/products/blob/main/identity-server/src/IdentityServer/Services/Default/DefaultRefreshTokenService.cs#L110

• missing info about token, subjectId: https://github.com/DuendeSoftware/products/blob/main/identity-server/src/IdentityServer/Services/Default/DefaultRefreshTokenService.cs#L119

• missing info about token, subjectId, clientId, consumption time: https://github.com/DuendeSoftware/products/blob/main/identity-server/src/IdentityServer/Services/Default/DefaultRefreshTokenService.cs#L130

• missing info about token, clientId: https://github.com/DuendeSoftware/products/blob/main/identity-server/src/IdentityServer/Services/Default/DefaultRefreshTokenService.cs#L147

• missing info about token: https://github.com/DuendeSoftware/products/blob/main/identity-server/src/IdentityServer/Validation/Default/TokenRequestValidator.cs#L685

Also log from https://github.com/DuendeSoftware/products/blob/main/identity-server/src/IdentityServer/Validation/Default/TokenRequestValidator.cs#L693 doesn't have any details

So how can I get detailed info why token refreshing ends with failure when I have only that kind of logs, how to bind certain token with certain log? What more http response contains only {"error": "invalid_grant"}.

[RolandGuijt]

Thanks for bringing this to our attention. Our development team will look at your suggestions and possibly improve the log messages. @josephdecock

In the meantime we suggest that you look into OpenTelemetry. Using that you should be able to trace problems easier because messages are correlated to each other. As a consumer you could use Application Insights on Azure or Aspire but there are numerous other options.