HttpClient instances created by AddUserAccessTokenHttpClient may send a different user's access token after a token refresh. When a token is refreshed, the new token is captured in the pooled HttpClient (and its handler) that IHttpClientFactory reuses across requests, so a later request made on behalf of a different user may be sent with the first user's token.
As a workaround, instead of using AddUserAccessTokenHttpClient to create an HttpClient that automatically attaches a managed token to outgoing requests, resolve the token per request with the HttpContext.GetUserAccessTokenAsync extension method or the IUserTokenManagementService.GetAccessTokenAsync method, and attach it to the individual HttpRequestMessage rather than to any state held by the pooled client.
This issue is fixed in Duende.AccessTokenManagement.OpenIdConnect 3.0.1; upgrade to that version or later.
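The workaround described above, as an added example that is not code from the advisory or from the Duende project: the token is resolved for the current request's principal and set on the per-request HttpRequestMessage, so nothing user-specific is stored on the pooled HttpClient. The controller, route, named client "api" and its base address are hypothetical; the Duende types (IUserTokenManagementService, UserToken with AccessToken, AccessTokenType, IsError and Error) are assumed to have the shape shown here.

```csharp
// Added example, not the advisory's or Duende's own code.
// Assumes Duende.AccessTokenManagement.OpenIdConnect is installed and that
// IUserTokenManagementService is registered (e.g. via
// services.AddOpenIdConnectAccessTokenManagement() in Program.cs).
using System.Net.Http.Headers;
using Duende.AccessTokenManagement.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

// Program.cs (hypothetical registration):
//
//   // Vulnerable pattern from the advisory: a client that attaches the managed
//   // token itself and can therefore capture another user's refreshed token.
//   // services.AddUserAccessTokenHttpClient("api",
//   //     configureClient: c => c.BaseAddress = new Uri("https://api.example.test/"));
//
//   // Workaround: a plain named client with no token handling of its own.
//   services.AddHttpClient("api",
//       c => c.BaseAddress = new Uri("https://api.example.test/"));

[Authorize]
[ApiController]
[Route("bff/orders")]
public sealed class OrdersController : ControllerBase
{
    private readonly IHttpClientFactory _clientFactory;
    private readonly IUserTokenManagementService _tokenService;

    public OrdersController(IHttpClientFactory clientFactory,
                            IUserTokenManagementService tokenService)
    {
        _clientFactory = clientFactory;
        _tokenService = tokenService;
    }

    [HttpGet]
    public async Task<IActionResult> Get(CancellationToken ct)
    {
        // Resolve the token for THIS request's principal. Any refresh happens here,
        // and the result lives only in this method, not on the pooled client.
        // HttpContext.GetUserAccessTokenAsync(cancellationToken: ct) is the
        // equivalent extension-method form named in the advisory.
        UserToken token = await _tokenService.GetAccessTokenAsync(User, cancellationToken: ct);
        if (token.IsError || string.IsNullOrEmpty(token.AccessToken))
        {
            // No usable token for this user: fail closed rather than sending
            // the request unauthenticated or with a stale header.
            return StatusCode(StatusCodes.Status401Unauthorized, token.Error);
        }

        // The client carries no user state. Set the Authorization header on the
        // per-request message, never on client.DefaultRequestHeaders, which would
        // reintroduce the same cross-user leak through the pooled instance.
        HttpClient client = _clientFactory.CreateClient("api");
        using var request = new HttpRequestMessage(HttpMethod.Get, "orders");
        request.Headers.Authorization =
            new AuthenticationHeaderValue(token.AccessTokenType ?? "Bearer", token.AccessToken);

        using HttpResponseMessage response = await client.SendAsync(request, ct);
        if (!response.IsSuccessStatusCode)
        {
            return StatusCode((int)response.StatusCode);
        }

        string body = await response.Content.ReadAsStringAsync(ct);
        return Content(body, response.Content.Headers.ContentType?.ToString() ?? "application/json");
    }
}
```

When reviewing a codebase for this issue, search for AddUserAccessTokenHttpClient registrations and for any code that writes a bearer token into DefaultRequestHeaders of a factory-created client; both patterns share user state across requests served by the same pooled instance.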
{ "nvd_published_at": "2024-11-08T00:15:15Z", "cwe_ids": [ "CWE-270" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-11-07T21:57:52Z" }