Do not auto-include custom ciba request params in response

DuendeSoftware · Jan 14, 2024 · 56b93dc · 56b93dc
1 parent 40a5967
commit 56b93dc
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 5 deletions.
diff --git a/src/IdentityServer/ResponseHandling/Default/BackchannelAuthenticationResponseGenerator.cs b/src/IdentityServer/ResponseHandling/Default/BackchannelAuthenticationResponseGenerator.cs
@@ -99,7 +99,6 @@ public virtual async Task<BackchannelAuthenticationResponse> ProcessAsync(Backch
             AuthenticationRequestId = requestId,
             ExpiresIn = request.Lifetime,
             Interval = interval,
-            Properties = validationResult.ValidatedRequest.Properties
         };
 
         await UserLoginService.SendLoginRequestAsync(new BackchannelUserLoginRequest

diff --git a/test/IdentityServer.IntegrationTests/Endpoints/Ciba/CibaTests.cs b/test/IdentityServer.IntegrationTests/Endpoints/Ciba/CibaTests.cs
@@ -252,7 +252,7 @@ public async Task custom_validators_are_invoked_and_can_process_custom_input()
 
     [Fact]
     [Trait("Category", Category)]
-    public async Task custom_validator_can_add_complex_properties_that_are_passed_to_user_notification_and_client_response()
+    public async Task custom_validator_can_add_complex_properties_that_are_passed_to_user_notification_but_not_client_response()
     {
         _mockCustomBackchannelAuthenticationValidator.Thunk = ctx =>
             {
@@ -281,13 +281,12 @@ public async Task custom_validator_can_add_complex_properties_that_are_passed_to
             IdentityServerPipeline.BackchannelAuthenticationEndpoint,
             new FormUrlEncodedContent(body));
 
-        // Custom properties are flattened into the response to the client
+        // Custom request properties are not included automatically in the response to the client
         response.StatusCode.Should().Be(HttpStatusCode.OK);
         var responseContent = await response.Content.ReadAsStringAsync();
         var json = JsonSerializer.Deserialize<Dictionary<string, JsonElement>>(responseContent);
         json.Should().NotBeNull();
-        var complex = json["complex"];
-        complex.TryGetValue("nested").GetString().Should().Be("value");
+        json.Should().NotContainKey("complex");
 
         // Custom properties are passed to the notification service
         var notificationProperties = _mockCibaUserNotificationService.LoginRequest.Properties;