How to correctly use the introspection endpoint with identity server 4?

I'm using Identity Server 4 and I'm trying to use the introspection endpoint, but just by the docs I'm not getting it.

The docs just give this example:

```http
POST /connect/introspect
Authorization: Basic xxxyyy

token=<token>
```

Now, why is there this basic authentication and what should be xxxyyy? I mean, there's no basic auth set in my app. I've just set up Identity Server 4 using ASP.NET Core as follows in the ConfigureServices:

```csharp
services.AddIdentityServer()
    .AddTemporarySigningCredential()
    .AddInMemoryApiResources(ApiResourceProvider.GetAllResources())
    .AddAspNetIdentity<Usuario>();
```

and in Configure:

```csharp
app.UseIdentity();
app.UseIdentityServer();
```

Now I've tried just a POST to /connect/introspect with the body just token=<token>, but it returned a 404.

I believe I really didn't get it.

How do we use the introspection endpoint with Identity Server 4 in ASP.NET Core?

user1620696 asked Feb 09 '17 01:02



2 Answers

The implementation of IdSvr4 is fantastic, but the docs leave a lot to be desired - I spent a good hour searching on the internet to be able to come up with a working solution. Being told to 'read the spec' just isn't always helpful if you are new to a concept - which is something that happens a lot on their forums.

So - what you have to pass to the POST /connect/introspect is a scope secret.

You can configure the quickstarts by changing the config.cs class. You will need to update whatever datastore you use if you have customised it, or are not using the quickstart - but the concept should (hopefully) be clear.

```csharp
public static IEnumerable<ApiResource> GetApiResources()
{
    return new List<ApiResource>
    {
        new ApiResource("MyResource", "My_Resource_DisplayName")
        {
            // The API secret is what the introspection caller presents (hashed at rest)
            ApiSecrets = new List<Secret>
            {
                new Secret("hello".Sha256())
            },
            Scopes =
            {
                new Scope("MY_CUSTOM_SCOPE")
            }
        }
    };
}
```

Now...

  1. Ensure that your client has the scope MY_CUSTOM_SCOPE
  2. Ensure you have requested the scope MY_CUSTOM_SCOPE when getting a bearer token.

Now, make a Base64 encoded string of the api resource name and secret like this:

```csharp
Convert.ToBase64String(Encoding.UTF8.GetBytes(string.Format("{0}:{1}", userName, password)));
```

Where username is MyResource and password is plaintext hello (obv. use your own values!) - should end up with a string which looks like this: TXlSZXNvdXJjZTpoZWxsbw==

Now, you can post to IDSvr4...

```http
POST /connect/introspect
Authorization: Basic TXlSZXNvdXJjZTpoZWxsbw==
Accept: application/json
Content-Type: application/x-www-form-urlencoded

token=<YOUR_TOKEN>
```

So, as long as your bearer token has the scope MY_CUSTOM_SCOPE (or whatever you ended up calling it) - you should now be able to use the introspection endpoint of IdSvr to get info about it.

Jay answered Sep 24 '22 00:09
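The same call made from a C# API with HttpClient, as an added example that is not part of either answer; it assumes Newtonsoft.Json for parsing, and `authority`, `apiName`, `apiSecret` and `requiredScope` are whatever values you configured. It also checks the response body, because an expired or revoked token still comes back as HTTP 200 with `{"active": false}`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public static class IntrospectionClient
{
    // "MyResource" + "hello" gives "TXlSZXNvdXJjZTpoZWxsbw==", the value shown in the answer above
    public static string BasicCredential(string apiName, string apiSecret) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(apiName + ":" + apiSecret));

    // True only if the server reports the token as active AND it carries requiredScope.
    // A 200 status alone proves nothing: inactive tokens are also answered with 200.
    public static async Task<bool> IsActiveForScopeAsync(
        HttpClient http, string authority, string apiName, string apiSecret,
        string token, string requiredScope)
    {
        var request = new HttpRequestMessage(HttpMethod.Post, authority.TrimEnd('/') + "/connect/introspect");
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic", BasicCredential(apiName, apiSecret));
        request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
        request.Content = new FormUrlEncodedContent(new Dictionary<string, string> { ["token"] = token });

        using (var response = await http.SendAsync(request))
        {
            // A 401 here means the API name/secret was rejected, not the token: fail loudly, do not treat as "inactive"
            if (!response.IsSuccessStatusCode)
                throw new InvalidOperationException("Introspection call failed with HTTP " + (int)response.StatusCode);

            var json = JObject.Parse(await response.Content.ReadAsStringAsync());
            if (json.Value<bool?>("active") != true)
                return false;

            return ScopesOf(json).Contains(requiredScope);
        }
    }

    // RFC 7662 defines "scope" as a space-separated string; accept an array as well (assumption: some
    // IdentityServer4 builds emit one), so a format difference cannot silently turn into "no scope".
    public static IEnumerable<string> ScopesOf(JObject json)
    {
        var scope = json["scope"];
        if (scope == null) return Enumerable.Empty<string>();
        if (scope.Type == JTokenType.Array) return scope.Values<string>();
        return ((string)scope).Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
    }
}
```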


Introspection is typically used by APIs to validate an incoming token. Also the introspection endpoint requires authentication per spec.

You need to set up an API secret:

https://identityserver4.readthedocs.io/en/latest/reference/api_resource.html

And then use the api name/secret to authenticate against the introspection endpoint. Either using Basic authentication or posting the values in the form.

leastprivilege answered Sep 25 '22 00:09