From ba6444cfbcc19c03328f5e11e023decbbf6df0ec Mon Sep 17 00:00:00 2001 From: Roland Guijt Date: Wed, 30 Apr 2025 12:10:28 +0200 Subject: [PATCH 1/6] Clarify introspection endpoint --- .../reference/endpoints/introspection.md | 23 ++++++++++++++----- 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/src/content/docs/identityserver/reference/endpoints/introspection.md b/src/content/docs/identityserver/reference/endpoints/introspection.md index 8eec2b40..6a92143c 100644 --- a/src/content/docs/identityserver/reference/endpoints/introspection.md +++ b/src/content/docs/identityserver/reference/endpoints/introspection.md @@ -16,8 +16,20 @@ The introspection endpoint is an implementation of [RFC 7662](https://tools.ietf It can be used to validate reference tokens, JWTs (if the consumer does not have support for appropriate JWT or cryptographic libraries) and refresh tokens. Refresh tokens can only be introspected by the client that requested them. -The introspection endpoint requires authentication - since the client of an introspection endpoint is an API, you -configure the secret on the `ApiResource`. +The introspection endpoint requires authentication. Since the request to the introspection endpoint is typically done by an API, which is not an OAuth client the [`ApiResource`](/identityserver/fundamentals/resources/api-resources) is used to configure credentials: + +```cs +new ApiResource("resource1") +{ + Scopes = { .. }, + + ApiSecrets = + { + new Secret("secret".Sha256()) + } +} +``` +Here the id used for authentication is the name of the `ApiResource`: "resource1" and the secret the configured secret. The introspection endpoint uses HTTP basic auth to communicate these credentials: ```text POST /connect/introspect @@ -26,8 +38,7 @@ Authorization: Basic xxxyyy token= ``` -A successful response will return a status code of 200, the token claims, the token type and a flag indicating the token -is active: +A successful response will return a status code of 200, the token claims, the token type and a flag indicating the token is active: ```json { @@ -66,9 +77,9 @@ var client = new HttpClient(); var response = await client.IntrospectTokenAsync(new TokenIntrospectionRequest { Address = "https://demo.duendesoftware.com/connect/introspect", - ClientId = "api1", + ClientId = "resource1", ClientSecret = "secret", - Token = accessToken + Token = dsf43534j33kkl.. }); ``` \ No newline at end of file From 4dc989d120c84cf5f82abac892c7682feaa6008e Mon Sep 17 00:00:00 2001 From: RolandGuijt Date: Wed, 30 Apr 2025 12:13:20 +0200 Subject: [PATCH 2/6] Update src/content/docs/identityserver/reference/endpoints/introspection.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../docs/identityserver/reference/endpoints/introspection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/identityserver/reference/endpoints/introspection.md b/src/content/docs/identityserver/reference/endpoints/introspection.md index 6a92143c..7461f9fc 100644 --- a/src/content/docs/identityserver/reference/endpoints/introspection.md +++ b/src/content/docs/identityserver/reference/endpoints/introspection.md @@ -21,7 +21,7 @@ The introspection endpoint requires authentication. Since the request to the int ```cs new ApiResource("resource1") { - Scopes = { .. }, + Scopes = { "scope1", "scope2" }, // Replace "scope1", "scope2" with the actual scopes required for your API ApiSecrets = { From b030927a92755ac39a3213ee63ab514dac22560d Mon Sep 17 00:00:00 2001 From: RolandGuijt Date: Wed, 30 Apr 2025 12:13:27 +0200 Subject: [PATCH 3/6] Update src/content/docs/identityserver/reference/endpoints/introspection.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../docs/identityserver/reference/endpoints/introspection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/identityserver/reference/endpoints/introspection.md b/src/content/docs/identityserver/reference/endpoints/introspection.md index 7461f9fc..d9224079 100644 --- a/src/content/docs/identityserver/reference/endpoints/introspection.md +++ b/src/content/docs/identityserver/reference/endpoints/introspection.md @@ -80,6 +80,6 @@ var response = await client.IntrospectTokenAsync(new TokenIntrospectionRequest ClientId = "resource1", ClientSecret = "secret", - Token = dsf43534j33kkl.. + Token = "" // Replace with the actual token }); ``` \ No newline at end of file From 46f30b0a4ef1f23eb4b85dcb994d373069b90056 Mon Sep 17 00:00:00 2001 From: RolandGuijt Date: Wed, 30 Apr 2025 12:50:14 +0200 Subject: [PATCH 4/6] Update src/content/docs/identityserver/reference/endpoints/introspection.md Co-authored-by: Maarten Balliauw --- .../docs/identityserver/reference/endpoints/introspection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/identityserver/reference/endpoints/introspection.md b/src/content/docs/identityserver/reference/endpoints/introspection.md index d9224079..c14eb269 100644 --- a/src/content/docs/identityserver/reference/endpoints/introspection.md +++ b/src/content/docs/identityserver/reference/endpoints/introspection.md @@ -16,7 +16,7 @@ The introspection endpoint is an implementation of [RFC 7662](https://tools.ietf It can be used to validate reference tokens, JWTs (if the consumer does not have support for appropriate JWT or cryptographic libraries) and refresh tokens. Refresh tokens can only be introspected by the client that requested them. -The introspection endpoint requires authentication. Since the request to the introspection endpoint is typically done by an API, which is not an OAuth client the [`ApiResource`](/identityserver/fundamentals/resources/api-resources) is used to configure credentials: +The introspection endpoint requires authentication. Since the request to the introspection endpoint is typically done by an API, which is not an OAuth client, the [`ApiResource`](/identityserver/fundamentals/resources/api-resources) is used to configure credentials: ```cs new ApiResource("resource1") From e478bf7e593d40883821ebdbe964d3137cfcc3ed Mon Sep 17 00:00:00 2001 From: RolandGuijt Date: Wed, 30 Apr 2025 12:50:28 +0200 Subject: [PATCH 5/6] Update src/content/docs/identityserver/reference/endpoints/introspection.md Co-authored-by: Maarten Balliauw --- .../docs/identityserver/reference/endpoints/introspection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/identityserver/reference/endpoints/introspection.md b/src/content/docs/identityserver/reference/endpoints/introspection.md index c14eb269..71f66ff2 100644 --- a/src/content/docs/identityserver/reference/endpoints/introspection.md +++ b/src/content/docs/identityserver/reference/endpoints/introspection.md @@ -18,7 +18,7 @@ cryptographic libraries) and refresh tokens. Refresh tokens can only be introspe The introspection endpoint requires authentication. Since the request to the introspection endpoint is typically done by an API, which is not an OAuth client, the [`ApiResource`](/identityserver/fundamentals/resources/api-resources) is used to configure credentials: -```cs +```csharp new ApiResource("resource1") { Scopes = { "scope1", "scope2" }, // Replace "scope1", "scope2" with the actual scopes required for your API From 03d0c83914257a2479345795c1196d7e1ee6bb73 Mon Sep 17 00:00:00 2001 From: RolandGuijt Date: Wed, 30 Apr 2025 12:51:22 +0200 Subject: [PATCH 6/6] Update src/content/docs/identityserver/reference/endpoints/introspection.md Co-authored-by: Maarten Balliauw --- .../docs/identityserver/reference/endpoints/introspection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/identityserver/reference/endpoints/introspection.md b/src/content/docs/identityserver/reference/endpoints/introspection.md index 71f66ff2..26b3b2bb 100644 --- a/src/content/docs/identityserver/reference/endpoints/introspection.md +++ b/src/content/docs/identityserver/reference/endpoints/introspection.md @@ -38,7 +38,7 @@ Authorization: Basic xxxyyy token= ``` -A successful response will return a status code of 200, the token claims, the token type and a flag indicating the token is active: +A successful response will return a status code of 200, the token claims, the token type, and a flag indicating the token is active: ```json {