Verifying session still valid with IdentityModel/IdentityServer4

Time:10-07

I can't get IdentityModel to validate if the token still has a valid session. Here's my client code. _http is an instance of HttpClient.

Don't judge me on using username/password in this instance. It's with a trusted application and I'm starting off with the easier scenario first with plans to move on to the hybrid model next.

var discovery = await _http.GetDiscoveryDocumentAsync("http://localhost:5000");
var response = await _http.RequestPasswordTokenAsync(new PasswordTokenRequest
{
    Address = discovery.TokenEndpoint,
    ClientId = ClientId,
    ClientSecret = ClientSecret,
    Scope = "api1",
    UserName = "test",
    Password = "test"
}); // This succeeds while returning an AccessToken
var introspectionResponse = await _http.IntrospectTokenAsync(new TokenIntrospectionRequest
{
    Address = discovery.IntrospectionEndpoint,
    ClientId = ClientId,
    ClientSecret = ClientSecret,
    Token = response.AccessToken
}); // This fails with an unauthenticated error

CodePudding user response:

My best guess here is that it must be a reference token flow. It is a bit confusing. And the confusion here is ClientId and ClientSecret.

  1. The ClientId and ClientSecret that you have supplied while creating the AccessToken are the end-user's ClientId and ClientSecret.

  2. The ClientId and ClientSecret that you have supplied while introspecting the AccessToken should be your resource's name and its secret, not the end-user's ClientId and ClientSecret.

In IdentityServer, the client of an introspection endpoint is an API or resource, not the end-user. Read the full docs here.

In your case, pass api1 as ClientId and the secret of api1 as ClientSecret while introspecting the AccessToken. It should work.
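
The introspection call described in the answer above, as an added example that is not part of the original post or of the IdentityModel project's code. The class name, method name and the `<api1-secret>` placeholder are assumptions; the secret is whatever was registered for the `api1` API resource on the IdentityServer side.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;

public static class IntrospectionExample
{
    // Assumed placeholders: the resource name matches the "api1" scope in the
    // question; the secret must equal the one registered for that resource, e.g.
    // new ApiResource("api1") { ApiSecrets = { new Secret("<api1-secret>".Sha256()) } }.
    private const string ApiResourceName = "api1";
    private const string ApiResourceSecret = "<api1-secret>";

    public static async Task<bool> IsTokenActiveAsync(HttpClient http, string accessToken)
    {
        var discovery = await http.GetDiscoveryDocumentAsync("http://localhost:5000");
        if (discovery.IsError)
            throw new InvalidOperationException($"Discovery failed: {discovery.Error}");

        var introspection = await http.IntrospectTokenAsync(new TokenIntrospectionRequest
        {
            Address = discovery.IntrospectionEndpoint,
            ClientId = ApiResourceName,       // API resource name, not the client's ClientId
            ClientSecret = ApiResourceSecret, // API resource secret, not the client's secret
            Token = accessToken
        });

        // IsError covers transport and authentication failures (such as the
        // unauthenticated response in the question). Keep it separate from
        // "token is inactive" so a misconfiguration is not mistaken for an
        // expired or revoked token.
        if (introspection.IsError)
            throw new InvalidOperationException($"Introspection failed: {introspection.Error}");

        // IsActive is false when the token is expired, revoked, or otherwise
        // not valid for this API resource.
        return introspection.IsActive;
    }
}
```

Call it with the `AccessToken` returned by the password token request; the token request itself keeps using the client's own `ClientId` and `ClientSecret`.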
