I am trying to introspect a token received from Okta inside a .NET Core API, but keep getting "token is not active". With the setup you see below I am able to retrieve the identity from the token (basic Okta auth scheme):
service.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = OktaDefaults.ApiAuthenticationScheme;
    options.DefaultChallengeScheme = OktaDefaults.ApiAuthenticationScheme;
    options.DefaultSignInScheme = OktaDefaults.ApiAuthenticationScheme;
})
.AddOktaWebApi(new OktaWebApiOptions()
{
    OktaDomain = configuration["Authentication:Okta:OktaDomain"],
    AuthorizationServerId = configuration["Authentication:Okta:AuthorizationServerId"],
    Audience = configuration["Authentication:Okta:Audience"]
});
But I need to set up authentication with the "Introspection" scheme. Here is my configuration:
service.AddAuthentication(auth =>
{
    auth.DefaultAuthenticateScheme = "Introspection";
    auth.DefaultChallengeScheme = "Introspection";
    auth.DefaultSignInScheme = "Introspection";
})
.AddOAuth2Introspection("Introspection", options =>
{
    options.Authority = configuration["Authentication:Okta:Authority"];
    options.ClientId = configuration["Authentication:Okta:ClientId"];
    options.TokenRetriever = request =>
    {
        string token = "";
        // Authorization header takes precedence. Only a well-formed "Bearer <token>"
        // value is used; indexing parts[1] unconditionally would throw on a header
        // without a space (e.g. "Bearer").
        if (request.Headers.ContainsKey("Authorization"))
        {
            var parts = request.Headers["Authorization"].ToString().Split(' ');
            if (parts.Length == 2
                && string.Equals(parts[0], "Bearer", StringComparison.OrdinalIgnoreCase)
                && !string.IsNullOrEmpty(parts[1]))
            {
                return parts[1];
            }
        }
        // Fallbacks: query string, then cookie (a token in the query string will
        // show up in server and proxy access logs).
        if (request.Query.ContainsKey("access_token"))
        {
            token = request.Query["access_token"];
        }
        if (request.Cookies.ContainsKey("access_token"))
        {
            token = request.Cookies["access_token"];
        }
        return token;
    };
});
Does anyone know what could be the reason?
CodePudding user response:
Okay, I've found the problem but have no idea how to solve it for now: the auth handler on the back end makes a request to the wrong URL, it does not specify default as a query param. It should be like this: https://domain/oauth2/default/v1/introspect but instead it looks like this: https://domain/oauth2/v1/introspect
CodePudding user response:
I found the solution. There is an IntrospectionEndpoint property on IntrospectionOptions where you can specify the full path including the authenticationServerID. Also I need to add that for some auth servers there is no authServerID at all, and you can use authority where you just specify the domain (https://domain) and all the rest is done by the introspectionHandler.
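Putting the two answers together, here is an added example (not code from the question or the answers) of a registration helper that builds the full introspection endpoint when an authorization server id is configured and otherwise leaves discovery to Authority. The configuration keys, the ClientSecret setting (Okta's introspect endpoint authenticates the calling client) and the helper names are assumptions.

```csharp
using System;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Primitives;

public static class OktaIntrospectionSetup
{
    // Returns e.g. https://domain/oauth2/default/v1/introspect for a custom
    // authorization server, or null when there is none so the handler resolves
    // the endpoint from Authority's discovery document instead.
    public static string BuildIntrospectionEndpoint(string oktaDomain, string authorizationServerId)
    {
        var domain = oktaDomain.TrimEnd('/');
        return string.IsNullOrWhiteSpace(authorizationServerId)
            ? null
            : $"{domain}/oauth2/{authorizationServerId}/v1/introspect";
    }

    // Accepts only a well-formed "Authorization: Bearer <token>" header. Tokens in
    // the query string or cookies are deliberately not read, so they never land
    // in access logs or Referer headers.
    public static string ReadBearerToken(StringValues authorizationHeader)
    {
        var parts = authorizationHeader.ToString().Split(' ', StringSplitOptions.RemoveEmptyEntries);
        return parts.Length == 2 && parts[0].Equals("Bearer", StringComparison.OrdinalIgnoreCase)
            ? parts[1]
            : null;
    }

    // Assumed configuration keys: Authentication:Okta:{OktaDomain,AuthorizationServerId,ClientId,ClientSecret}
    public static void AddOktaIntrospection(this IServiceCollection services, IConfiguration configuration)
    {
        var domain = configuration["Authentication:Okta:OktaDomain"].TrimEnd('/');
        var authServerId = configuration["Authentication:Okta:AuthorizationServerId"];
        var endpoint = BuildIntrospectionEndpoint(domain, authServerId);

        services.AddAuthentication("Introspection")
            .AddOAuth2Introspection("Introspection", options =>
            {
                // With a custom authorization server, Authority includes its id and
                // IntrospectionEndpoint pins the exact URL; without one, the org
                // authorization server's discovery at Authority is used.
                options.Authority = endpoint == null ? domain : $"{domain}/oauth2/{authServerId}";
                options.IntrospectionEndpoint = endpoint;
                options.ClientId = configuration["Authentication:Okta:ClientId"];
                options.ClientSecret = configuration["Authentication:Okta:ClientSecret"];
                options.TokenRetriever = request => ReadBearerToken(request.Headers["Authorization"]);
            });
    }
}
```

Call `services.AddOktaIntrospection(configuration)` from `ConfigureServices`; with `AuthorizationServerId` set to `default` the handler posts to `https://domain/oauth2/default/v1/introspect` instead of the truncated URL seen in the first answer.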