Skip to content

Commit 5b80d33

Browse files
Merge pull request #5704 from wso2/fixing-product-is-issue-19615-1731417600
Fix: Add scope-based access control configuration for introspection endpoint (Product IS issue #19615)
2 parents 32722e9 + c566d54 commit 5b80d33

1 file changed

Lines changed: 90 additions & 103 deletions

File tree

Lines changed: 90 additions & 103 deletions
Original file line numberDiff line numberDiff line change
@@ -1,63 +1,46 @@
1-
# Token validation by resource servers
1+
# Validate tokens at a resource server
22

3-
Access tokens provide limited authorization to resources within a resource server. The resource server is responsible for validating these tokens before granting access. Token validation differs based on the [type of the access tokens]({{base_path}}/references/app-settings/oidc-settings-for-app/#access-token) that the resource server receives.
3+
While resource servers can validate JSON Web Tokens (JWT) locally, opaque access tokens don't carry authorization information that a resource server can decode. The resource server must validate the token by querying the authorization server.
44

5-
## Validate JWT tokens
5+
{{product_name}} supports token validation through the **OAuth 2.0 Token Introspection endpoint** defined in [RFC 7662](https://datatracker.ietf.org/doc/html/rfc7662){: target="_blank"}.
66

7-
A JSON Web Token (JWT) is a self-contained token. This means that the resource server does not need to interact with the identity provider to validate tokens. The payload of a sample decoded JWT token is as shown below.
7+
`https://<IS_HOST>:<IS_PORT>/oauth2/introspect`
88

9-
```json
10-
{
11-
"sub": "Alica@bifrost.com",
12-
"aut": "APPLICATION_USER",
13-
"aud": "Wsoq8t4nHW80gSnPfyDvRbiC__Ea",
14-
"nbf": 1623904805,
15-
"azp": "Wsoq8t4nHW80gSnPfyDvRbiC__Ea",
16-
"scope": "openid",
17-
"iss": "{{product_url_sample}}/oauth2/token",
18-
"exp": 1623908405,
19-
"iat": 1623904805,
20-
"jti": "9fac7747-bb2d-46be-bef2-a95b2f69f8b2"
21-
}
22-
```
9+
The resource server sends the access token to this endpoint, and the authorization server responds with metadata about the token, such as its validity, scopes, and expiry time.
2310

24-
## Validate opaque tokens
11+
## Prerequisites
2512

26-
Unlike JWT tokens, opaque tokens are non-transparent. This means that the authorization information is not readily available to resource servers and they should interact with the identity provider to validate and extract the relevant information. OAuth2.0 supports [token introspection](https://datatracker.ietf.org/doc/html/rfc7662){:target="_blank"} to inspect access tokens and refresh tokens.
13+
By default, to invoke the introspection endpoint, the caller must have the `internal_oauth2_introspect` scope.
2714

28-
{{ product_name }} provides the following endpoint to perform token validation.
15+
- To customize the scopes callers must present, add the following to `<IS_HOME>/repository/conf/deployment.toml`.
2916

30-
```
31-
{{product_url_format}}/oauth2/introspect
32-
```
17+
```toml
18+
[resource_access_control.introspect]
19+
scopes = ["internal_oauth2_introspect"]
20+
```
3321

34-
{% if product_name == 'Asgardeo' %}
35-
=== "Request format"
22+
- To **remove all scope requirements** and allow any authenticated caller to introspect tokens, set `scopes` to an empty list.
3623

37-
```bash
38-
curl --location --request POST {{product_url_format}}/oauth2/introspect \
39-
--header 'Content-Type: application/x-www-form-urlencoded' \
40-
--header 'Authorization: Basic <Base64Encoded(ClientID:ClientSecret)>' \
41-
--data-urlencode 'token={access_token}'
24+
```toml
25+
[resource_access_control.introspect]
26+
scopes = []
4227
```
4328

44-
=== "Request sample"
45-
46-
```bash
47-
curl --location --request POST '{{ product_url_sample }}/oauth2/introspect' \
48-
--header 'Content-Type: application/x-www-form-urlencoded' \
49-
--header 'Cookie: atbv=646b0ed2-c501-4b17-9251-94112013a718' \
50-
--header 'Authorization: Basic V3NvcTh0NG5IVzgwZ1NuUGZ5RHZSYmlDX19FYTp6MEM3OXpsb3B4OGk3QnlPdzhLMTVBOWRwbFlh' \
51-
--data-urlencode 'token=94e325b7-77c8-32c2-a6ff-d7be430bf785'
52-
```
29+
!!! warning "Not recommended for production"
30+
Removing all scope requirements allows any authenticated user or application to call the introspection endpoint.
31+
32+
## Invoke the introspection endpoint
33+
34+
The resource server can authenticate to the introspection endpoint using one of the following methods.
35+
36+
### With user credentials
5337

54-
{% endif %}
38+
By default, the introspection endpoint supports basic authentication with user credentials.
5539

56-
{% if product_name == "WSO2 Identity Server" %}
5740
=== "Request format"
5841

5942
```bash
60-
curl --location --request POST {{product_url_format}}/oauth2/introspect \
43+
curl --location --request POST https://localhost:9443/oauth2/introspect \
6144
--header 'Content-Type: application/x-www-form-urlencoded' \
6245
--header 'Authorization: Basic <Base64Encoded(Username:Password)>' \
6346
--data-urlencode 'token={access_token}'
@@ -66,102 +49,106 @@ Unlike JWT tokens, opaque tokens are non-transparent. This means that the author
6649
=== "Request sample"
6750

6851
```bash
69-
curl --location --request POST '{{ product_url_sample }}/oauth2/introspect' \
52+
curl --location --request POST https://localhost:9443/oauth2/introspect \
7053
--header 'Content-Type: application/x-www-form-urlencoded' \
7154
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
7255
--data-urlencode 'token=94e325b7-77c8-32c2-a6ff-d7be430bf785'
7356
```
7457

75-
{% endif %}
58+
!!! warning "Avoid using high-privileged credentials"
59+
Don't use super administrator or highly privileged user credentials when invoking the introspection endpoint.
60+
Instead, create a user with the least privileges required to call the API.
7661

77-
!!! warning "Avoid using super admin credentials for API authentication"
62+
### With client credentials
7863

79-
When invoking APIs using basic authentication, never use the super admin or any high-privileged user credentials. Instead, create a user with the least privileges required to invoke the API and use that user's credentials.
64+
By default, {{product_name}} only supports basic authentication with user credentials. You can enable client authentication and allow applications to call the introspection endpoint using their client ID and client secret.
8065

81-
{% if product_name == "WSO2 Identity Server" %}
66+
1. To enable authentication with client credentials, add the following configuration to `<IS_HOME>/repository/conf/deployment.toml`.
8267

83-
!!! note
84-
Enable the following in `<IS_HOME>/repository/conf/deployment.toml` to use client ID- client secret based authentication for this endpoint.
85-
By default, the endpoint uses username-password authentication.
86-
87-
``` toml
68+
```toml
8869
[[resource.access_control]]
8970
context="(.*)/oauth2/introspect(.*)"
90-
http_method = "all"
91-
secure = true
71+
http_method="all"
72+
secure=true
9273
allowed_auth_handlers="BasicClientAuthentication"
9374
```
9475

76+
2. Invoke the endpoint using the client ID and client secret.
77+
78+
!!! info
79+
80+
Ensure that the application can request this scope. Learn more about [authorizing applications to consume API resources]({{base_path}}/guides/authorization/api-authorization/api-authorization/#authorize-apps-to-consume-api-resources/).
81+
9582
=== "Request format"
9683

9784
```bash
98-
curl --location --request POST {{product_url_format}}/oauth2/introspect \
85+
curl --location --request POST https://localhost:9443/oauth2/introspect \
9986
--header 'Content-Type: application/x-www-form-urlencoded' \
100-
--header 'Authorization: Basic <Base64Encoded(ClientID:ClientSecret)>' \
87+
--user '<client_id>:<client_secret>' \
10188
--data-urlencode 'token={access_token}'
10289
```
10390

10491
=== "Request sample"
10592

10693
```bash
107-
curl --location --request POST '{{ product_url_sample }}/oauth2/introspect' \
94+
curl --location --request POST https://localhost:9443/oauth2/introspect \
10895
--header 'Content-Type: application/x-www-form-urlencoded' \
109-
--header 'Cookie: atbv=646b0ed2-c501-4b17-9251-94112013a718' \
110-
--header 'Authorization: Basic V3NvcTh0NG5IVzgwZ1NuUGZ5RHZSYmlDX19FYTp6MEM3OXpsb3B4OGk3QnlPdzhLMTVBOWRwbFlh' \
96+
--user 'iieV1ARKSmFCImV0XvKS4sPfWfEa:oMw72n4Gr3gSp8RGCw6dM1EjSqYa' \
11197
--data-urlencode 'token=94e325b7-77c8-32c2-a6ff-d7be430bf785'
11298
```
11399

114-
{% endif %}
100+
## Introspection responses
115101

116-
### User access token response
102+
The authorization server responds to the introspection request with a JSON object containing metadata about the token. The responses change slightly based on the token type.
117103

118-
User access tokens are tokens generated through user interactions, such as logging in by entering credentials. The access token represents the user and the user's permissions.
104+
### User tokens
119105

120-
The following response will be returned for the provided user access token:
106+
WSO2 Identity Server issues user access tokens during user interactions, such as when users sign in. An access token represents the user and their permissions.
121107

122-
```json
123-
{
124-
"aut": "APPLICATION_USER",
125-
"nbf": 1629961093,
126-
"scope": "openid profile",
127-
"active": true,
128-
"token_type": "Bearer",
129-
"exp": 1629968693,
130-
"iat": 1629961093,
131-
"client_id": "Wsoq8t4nHW80gSnPfyDvRbiC__Eb",
132-
"username": "{{ username }}"
133-
}
134-
```
108+
For a provided user token, the response looks like the following:
135109

136-
The following response will be returned for the provided refresh token:
110+
=== "Access token"
137111

138-
```json
139-
{
140-
"nbf": 1629961093,
141-
"scope": "openid profile",
142-
"active": true,
143-
"token_type": "Refresh",
144-
"exp": 1630047493,
145-
"iat": 1629961093,
146-
"client_id": "Wsoq8t4nHW80gSnPfyDvRbiC__Ea",
147-
"username": "{{ username }}"
148-
}
149-
```
112+
```json
113+
{
114+
"aut": "APPLICATION_USER",
115+
"nbf": 1629961093,
116+
"scope": "openid profile",
117+
"active": true,
118+
"token_type": "Bearer",
119+
"exp": 1629968693,
120+
"iat": 1629961093,
121+
"client_id": "Wsoq8t4nHW80gSnPfyDvRbiC__Eb",
122+
"username": "admin@carbon.super"
123+
}
124+
```
150125

151-
If the token you used is invalid, you will get the following response:
126+
=== "Refresh token"
127+
128+
```json
129+
{
130+
"nbf": 1629961093,
131+
"scope": "openid profile",
132+
"active": true,
133+
"token_type": "Refresh",
134+
"exp": 1630047493,
135+
"iat": 1629961093,
136+
"client_id": "Wsoq8t4nHW80gSnPfyDvRbiC__Ea",
137+
"username": "admin@carbon.super"
138+
}
139+
```
152140

153-
```json
154-
{'active':false}
155-
```
141+
=== "Invalid token"
156142

157-
!!! note
158-
See the [OAuth2.0 introspection request](https://datatracker.ietf.org/doc/html/rfc7662#section-2.1){:target="_blank"} for details.
143+
```json
144+
{"active":false}
145+
```
159146

160-
### Application access token response
147+
### Application tokens
161148

162-
Application access tokens are tokens obtained through grant types like the [client_credentials]({{base_path}}/references/grant-types/#client-credentials-grant) grant, without any user involvement. Unlike user-bound tokens, application access tokens represent the application itself rather than an individual user.
149+
Applications receive application tokens through grant types like the client credentials grant, which don't involve any user interaction. These tokens represent the application itself rather than an individual user.
163150

164-
The introspection response for Application access Ttkens follows the format shown below:
151+
For a provided application token, the response looks like the following:
165152

166153
```json
167154
{
@@ -177,8 +164,8 @@ The introspection response for Application access Ttkens follows the format show
177164

178165
!!! warning "Deprecated behavior"
179166

180-
Previously, the introspection response for application access tokens included the `username` attribute, which contained the application owner's username. This attribute will no longer be included in the introspection response.
181-
182-
If your application's access tokens still return the response, it is likely that your application is out-of-date. If so, update your application through the {{product_name}} Console by navigating to the relevant application under the **Applications** section.
167+
Previously, the introspection response for application access tokens included the `username` attribute, which contained the username of the application owner. This attribute will no longer be included in the introspection response.
168+
169+
If your application's access tokens still return the response, it is likely that your application is out-of-date. If so, update your application through the WSO2 Identity Server Console by navigating to the relevant application under the Applications section.
183170

184-
Once updated, the `username` attribute will no longer be included in the introspection response. Therefore, before updating, ensure that your application does not rely on the `username` attribute and remove any such dependencies.
171+
Once updated, the username attribute will no longer be included in the introspection response. Therefore, before updating, ensure that your application does not rely on the username attribute and remove any such dependencies.

0 commit comments

Comments
 (0)