IdentityServer4: Multiple Instances of a WinForm client with client credentials - Token question

I have a WinForm App and an API which I secure with IdentityServer4. The client setup in IS4 is as follows, since there are no individual credentials, and only this application itself should have general access to the API.

new Client
{
    ClientId = "ClientApp",

    // no interactive user, use the clientid/secret for authentication
    AllowedGrantTypes = GrantTypes.ClientCredentials,

    // secret for authentication
    ClientSecrets =
    {
        new Secret("secret".Sha256())
    },

    // scopes that client has access to
    AllowedScopes = { "APIOne" }
}

This works well so far, but I have a question about multiple instances of the WinForm app. Do all clients receive the same token? Because there are no individual credentials, only a client secret.

If I take a look into the tokens with https://jwt.io/ I see that they are different, but only in the "exp" field; the rest seems to be the same.

This works well so far, but I have a question about multiple instances of the WinForm app. Do all clients receive the same token?

No, in general they do not. But do note: if they did receive the same token, it shouldn't matter.

The exp field is most likely "always" different, because it depends on the time it has been created, and therefore your token is not likely to be the same.

But, again: the token is most likely signed (or even encrypted). This is basically your safeguard that the token is valid. Even if the tokens are equal, it should not matter. This means the server, for example, shouldn't expect the token to be unique.


Having said that; there is a catch.

It seems that you now have a couple of applications which log in with the same API key and secret.

I would suggest to add something, like a client id just to be able to identify the different clients. It would also make your token unique.
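The following is an added example, not part of the original question or answer: it verifies and diffs the claims of two tokens to show what the API can and cannot tell apart when instances share one `ClientId` versus when each has its own. The tokens, the claim set, the HS256 key, the issuer URL and the names `ClientApp-01`/`ClientApp-02` are constructed so the example runs offline; they are not output from IdentityServer4.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_token(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 JWT standing in for an issued access token."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_and_decode(token: str, key: bytes) -> dict:
    """Validate the signature first; only then trust and return the claims."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))

def compare(t1: str, t2: str, key: bytes) -> set:
    """Return the names of claims whose values differ between two valid tokens."""
    a, b = verify_and_decode(t1, key), verify_and_decode(t2, key)
    return {k for k in a.keys() | b.keys() if a.get(k) != b.get(k)}

KEY = b"constructed-demo-key"  # assumption: demo key, not a real signing key

def sample_claims(client_id: str, issued_at: int) -> dict:
    # Constructed claim set modelled on a client-credentials access token.
    return {"iss": "https://idsrv.example", "aud": "APIOne", "scope": ["APIOne"],
            "client_id": client_id, "nbf": issued_at, "exp": issued_at + 3600}

# Two app instances sharing one client registration, 42 seconds apart.
shared_a = make_token(sample_claims("ClientApp", 1700000000), KEY)
shared_b = make_token(sample_claims("ClientApp", 1700000042), KEY)
# Two instances with their own (hypothetical) client registrations.
own_a = make_token(sample_claims("ClientApp-01", 1700000000), KEY)
own_b = make_token(sample_claims("ClientApp-02", 1700000042), KEY)

if __name__ == "__main__":
    print("shared client:", sorted(compare(shared_a, shared_b, KEY)))
    print("per-instance :", sorted(compare(own_a, own_b, KEY)))
```

With a shared registration only the time-based claims differ, so API logs cannot attribute a request to one instance, and rotating the secret affects every instance at once.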
