
I am using the JS application walk-through code sample and trying to understand how I can ensure the system is secure.

AFAIK, the secrets provided on the scopes on the identity server have to be validated after the token is passed to the Resource API server to allow access.

So, on the identity server we set a secret for our "api" resource scope like:

    // Resource scope on the identity server, with a (SHA-256 hashed) scope secret
    new Scope
    {
        Name = "api",
        DisplayName = "Access to API",
        Description = "This will grant you access to the API",
        ScopeSecrets = new List<Secret>
        {
            new Secret("api-secret".Sha256())
        },
        Type = ScopeType.Resource
    },

While on the resource API we have to validate that this token was granted by a trusted issuer:

    // Wire token validation on the resource API
    app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
    {
        Authority = "https://localhost:44300",

        // ClientId/ClientSecret are the scope name and scope secret
        ClientId = "api",
        //ClientSecret = "api-secret",
        ClientSecret = "api-secret-changed",   // deliberately wrong, to see whether it is checked

        RequiredScopes = new[] { "api" }
    });

However, I have changed the ClientSecret as in the code, but the user is still authenticated and I can access all the claims.

So, how does the secret mechanism for token validation work?

Do we also need to provide a secret at the client level, in addition to the one provided on the API scope?

Hussein Salman

1 Answer

The secret on the scope is used for communication with the introspection endpoint.

Introspection is used either when the token is a reference token, or when the validation mode is explicitly set to ValidationEndpoint on the token validation middleware.

leastprivilege
  • AFAIK that secret is not needed to validate that the token is trusted, so I can avoid using it and keep the system secure. In case I need to use a reference token, why should I add the secret key? How does this matter to the security of the whole system? Is it because the web API is going to communicate again with the issuer to validate this token? – Hussein Salman Sep 30 '16 at 18:34
  • For reference tokens, the API needs to communicate with the issuer to validate the token, yes. https://leastprivilege.com/2015/11/25/reference-tokens-and-introspection/ – leastprivilege Oct 03 '16 at 08:42
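To make the answer and the follow-up comment concrete, here is an added configuration example (not code from the question, the answer, or the IdentityServer3 samples) showing the two settings under which the scope secret is actually sent and checked: a client that is issued reference tokens, and an API that forces validation through the introspection endpoint. It assumes the IdentityServer3.Core and IdentityServer3.AccessTokenValidation NuGet packages; the client id "js-client", the class names and the client name are placeholders.

```csharp
// Added example, not part of the original question or answer.
// Assumes IdentityServer3.Core and IdentityServer3.AccessTokenValidation.
// "js-client", "JS walkthrough client" and the class names are placeholders.
using System.Collections.Generic;
using IdentityServer3.Core.Models;
using IdentityServer3.AccessTokenValidation;
using Owin;

// --- Identity server side ---------------------------------------------------
public static class IdentityServerConfig
{
    public static IEnumerable<Scope> Scopes()
    {
        return new[]
        {
            new Scope
            {
                Name = "api",
                DisplayName = "Access to API",
                Type = ScopeType.Resource,
                // The scope secret is only ever checked at /connect/introspect: the API
                // authenticates to that endpoint as "api" with this secret. It plays no
                // part in a self-contained JWT, so local JWT validation never sees it.
                ScopeSecrets = new List<Secret> { new Secret("api-secret".Sha256()) }
            }
        };
    }

    public static IEnumerable<Client> Clients()
    {
        return new[]
        {
            new Client
            {
                ClientId = "js-client",                 // placeholder
                ClientName = "JS walkthrough client",   // placeholder
                Flow = Flows.Implicit,
                AllowedScopes = new List<string> { "api" },
                // Reference tokens are opaque handles; the API cannot validate them
                // locally and has to introspect, which is where the scope secret is used.
                // The default, AccessTokenType.Jwt, yields a signed JWT that the API
                // validates with the issuer's public signing key alone.
                AccessTokenType = AccessTokenType.Reference
            }
        };
    }
}

// --- Resource API side ------------------------------------------------------
public class ApiStartup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "https://localhost:44300",
            RequiredScopes = new[] { "api" },

            // Force every token through the introspection endpoint, JWTs included.
            // With the default mode a JWT is validated locally against the issuer's
            // signing key and ClientId/ClientSecret are never sent, which is why
            // changing ClientSecret alone produced no visible difference.
            ValidationMode = ValidationMode.ValidationEndpoint,

            // Credentials for /connect/introspect: the scope name and its secret.
            // With a wrong secret the endpoint rejects the API's request, so every
            // bearer token is treated as invalid (401) regardless of who issued it.
            ClientId = "api",
            ClientSecret = "api-secret"
        });
    }
}
```

The check a practitioner wants here is the negative one: with `AccessTokenType.Reference` (or `ValidationMode.ValidationEndpoint`) in place, repeat the experiment from the question with `ClientSecret = "api-secret-changed"` and the API should now reject the token, confirming that the secret is genuinely enforced on the introspection path and was simply unused on the local JWT path.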