I can't get IdentityModel to validate if the token still has a valid session. Here's my client code. `_http` is an instance of `HttpClient`.
Don't judge me on using username/password in this instance. It's with a trusted application and I'm starting off with the easier scenario first with plans to move on to the hybrid model next.
```csharp
// `var discovery ??= ...` does not compile (??= cannot be combined with a declaration);
// a plain assignment is what was meant here.
var discovery = await _http.GetDiscoveryDocumentAsync("http://localhost:5000");

var response = await _http.RequestPasswordTokenAsync(new PasswordTokenRequest
{
    Address = discovery.TokenEndpoint,
    ClientId = ClientId,
    ClientSecret = ClientSecret,
    Scope = "api1",
    UserName = "test",
    Password = "test"
}); // This succeeds while returning an AccessToken

var introspectionResponse = await _http.IntrospectTokenAsync(new TokenIntrospectionRequest
{
    Address = discovery.IntrospectionEndpoint,
    ClientId = ClientId,
    ClientSecret = ClientSecret,
    Token = response.AccessToken
}); // This fails with an unauthenticated error
```
CodePudding user response:
My best guess here is that it must be a reference token flow. It is a bit confusing, and the confusion here is `ClientId` and `ClientSecret`.

The `ClientId` and `ClientSecret` that you have supplied while creating the `AccessToken` are the end-user's `ClientId` and `ClientSecret`. The `ClientId` and `ClientSecret` that you have supplied while introspecting the `AccessToken` should be your resource's `Name` and its `Secret`, not the end-user's `ClientId` and `ClientSecret`.
In IdentityServer, the client of an introspection endpoint is an API or resource, not the end-user. Read the full docs here.

In your case, pass `api1` as `ClientId` and the secret of `api1` as `ClientSecret` while introspecting the `AccessToken`. It should work.
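The introspection call as an API resource would make it, as an added example that is neither the asker's code nor IdentityModel's own: it authenticates with the API name and the API secret (both assumed to be configured on the server; `authority` and `apiSecret` are placeholders), rejects inactive tokens, and additionally checks that the token carries the API's scope.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;

// Validates a reference token the way an API resource should: the introspection
// endpoint is called with the API's own name and secret, not the end-user client's.
public static class ReferenceTokenValidator
{
    // Returns true only if IdentityServer reports the token as active AND the
    // token was issued for the scope this API expects (apiName, e.g. "api1").
    public static async Task<bool> IsTokenValidForApiAsync(
        HttpClient http, string authority, string apiName, string apiSecret, string accessToken)
    {
        var discovery = await http.GetDiscoveryDocumentAsync(authority); // e.g. "http://localhost:5000"
        if (discovery.IsError)
            throw new InvalidOperationException($"Discovery failed: {discovery.Error}");

        var result = await http.IntrospectTokenAsync(new TokenIntrospectionRequest
        {
            Address = discovery.IntrospectionEndpoint,
            ClientId = apiName,        // the API resource name ("api1"), not the client id
            ClientSecret = apiSecret,  // the API resource secret, not the client secret (assumed value)
            Token = accessToken
        });

        if (result.IsError)
        {
            // Wrong credentials (e.g. using the client's id/secret here) surface as an
            // unauthenticated error, which is the symptom described in the question.
            Console.WriteLine($"Introspection error: {result.Error}");
            return false;
        }

        // "inactive" covers expired, revoked and unknown tokens; all are rejected.
        if (!result.IsActive)
            return false;

        // Defence in depth: the server may return scope as one space-separated value
        // or as several "scope" claims, so normalise before checking for this API's scope.
        var scopes = result.Claims
            .Where(c => c.Type == "scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries));
        return scopes.Contains(apiName);
    }
}
```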