How to correctly use the introspection endpoint with identity server 4?

asp.net-core .net-core openid-connect identityserver4
user1620696 picture user1620696 · Feb 9, 2017 · Viewed 12.4k times · Source

I'm using Identity Server 4 and I'm trying to use the introspection endpoint, but just by the docs I'm not getting it.

The docs just gives this example

POST /connect/introspect
Authorization: Basic xxxyyy

token=<token>

Now, why there is this basic authentication and what should be xxxyyy? I mean, there's no basic auth set in my app. I've just setup Identity Server 4 using ASP.NET Core as follows in the ConfigureServices:

services.AddIdentityServer()
            .AddTemporarySigningCredential()
            .AddInMemoryApiResources(ApiResourceProvider.GetAllResources())
            .AddAspNetIdentity<Usuario>();

and in Configure

app.UseIdentity();
app.UseIdentityServer();

Now I've tried just a POST to /connect/introspect with the body just token=<token>, but it returned a 404.

I believe I really didn't get it.

How do we use the introspection endpoint with Identity Server 4 in ASP.NET Core?

Answer

Jay picture Jay · Feb 21, 2018

The implementation of IdSvr4 is fantastic, but the docs leave a lot to be desired - I spent a good hour searching on the internet to be able to come up with a working solution. Being told to 'read the spec' just isn't always helpful if you are new to a concept - which is something that happens alot on their forums.

So - what you have to pass to the POST /connect/introspect is a scope secret.

You can configure the quickstarts by changing the config.cs class. You will need to update whatever datastore you use if you have customised it, or are not using the quickstart - but the concept should (hopefully) be clear.

public static IEnumerable<ApiResource> GetApiResources()
{
    return new List<ApiResource>
    {
        new ApiResource("MyResource", "My_Resource_DisplayName")
        {
            ApiSecrets = new List<Secret>
            {
                new Secret("hello".Sha256())
            },
            Scopes=
            {
                new Scope("MY_CUSTOM_SCOPE")
            }
        }
    };
}

Now...

  1. Ensure that your client has the scope MY_CUSTOM_SCOPE
  2. Ensure you have requested the scope MY_CUSTOM_SCOPE when getting a bearer token.

Now, make a Base64 encoded string of the api resource name and secret like this:

Convert.ToBase64String(Encoding.UTF8.GetBytes(string.Format("{0}:{1}", userName, password)));

Where username is MyResource and password is plaintext hello (obv. use your own values!) - should end up with a string which looks like this: TXlSZXNvdXJjZTpoZWxsbw==

Now, you can post to IDSvr4...

POST /connect/introspect
Authorization: Basic TXlSZXNvdXJjZTpoZWxsbw==
Accept: application/json
Content-Type: application/x-www-form-urlencoded

token=<YOUR_TOKEN>

So, as long as your bearer token has the scope MY_CUSTOM_SCOPE (or whatever you ended up calling it) - you should now be able to use to introspection endpoint of IdSvr to get info about it.

Related questions

AddTransient, AddScoped and AddSingleton Services Differences

I want to implement dependency injection (DI) in ASP.NET Core. So after adding this code to ConfigureServices method, both ways work. What is the difference between the services.AddTransient and service.AddScoped methods in ASP.NET Core? public void …

Read More
How to read AppSettings values from a .json file in ASP.NET Core

I have set up my AppSettings data in file appsettings/Config .json like this: { "AppSettings": { "token": "1234" } } I have searched online on how to read AppSettings values from .json file, but I could not get anything useful. I tried: var configuration = …

Read More
How to determine if .NET Core is installed

I know that for older versions of .NET, you can determine if a given version is installed by following https://support.microsoft.com/en-us/kb/318785 Is there an official method of determining if .NET Core is installed? (And I don't …

Read More