
I'm able, using Postman, to get an access token from Microsoft Identity Server 4.


This is the response:


Now I would like to validate the token using the introspection endpoint, but the response is 401 Unauthorized. Is some data missing from the request to the introspection endpoint?


FDB
  • This helped me: https://stackoverflow.com/questions/42126909/how-to-correctly-use-the-introspection-endpoint-with-identity-server-4 – FDB Jul 02 '20 at 08:42

1 Answer

To access the token introspection endpoint in Postman, I use:

  • POST to https://localhost:6001/connect/introspect
  • Add the Authorization header with the value "Basic cGF5bWVudDpteWFwaXNlY3JldA==", where the encoded value is apiname/secret. In my case it is payment and myapisecret as the password.
  • Add a body of type x-www-form-urlencoded, with a key named token whose value is my access token.

That should be all.


Tore Nestenius
  • Yes, using https://demo.identityserver.io/ I can validate the token, but using the same procedure on my local identity server I get 401 Unauthorized. This is the IS log:
    [17:29:09 Debug] IdentityServer4.Validation.HashedSharedSecretValidator No shared secret configured for client.
    [17:29:09 Debug] IdentityServer4.Validation.SecretValidator Secret validators could not validate secret
    [17:29:09 Error] IdentityServer4.Validation.ApiSecretValidator API validation failed.
    [17:29:09 Error] IdentityServer4.Endpoints.IntrospectionEndpoint API unauthorized to call introspection endpoint. aborting.
    – FDB Jul 02 '20 at 15:33
  • Have you set the ApiSecrets in your ApiResource? You use the ApiResource name and secret to create the basic authentication against the token introspection endpoint. – Tore Nestenius Jul 03 '20 at 08:25
  • Yes, I solved it, but there is no documentation about it; I had to add a record into the table ApiSecrets (I started from the m$ sample where the configuration is stored in a SQL Server database). To format the secret correctly you need to write some lines of code using the class Secret of the IdentityServer assembly. Also I would like to know if that string can be decrypted: K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= – FDB Jul 03 '20 at 15:31
  • The secret is hashed in IdentityServer, so it should be very hard to brute-force. But the Authorization header string is of course not secure, but that's not so important. – Tore Nestenius Jul 04 '20 at 09:31
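The procedure from the answer and the secret-storage question from the comments, as an added worked example in Python that is not part of the original post and not IdentityServer4 code. It builds the exact request the answer describes (Basic header from apiname:secret, form body with a token key), computes the stored form of an API secret the way IdentityServer4 hashes shared secrets (base64 of the SHA-256 of the UTF-8 secret, which is what the C# `"myapisecret".Sha256()` extension used in the quickstarts produces), and simulates the server side so both outcomes can be seen offline: a resource with no ApiSecrets row yields the 401 from the log above, a resource with the stored hash yields an introspection result. The server simulation, the payment/myapisecret credentials, the endpoint URL taken from the answer, and the token string are assumptions or constructed sample data. The same hashing shows that K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= is base64(SHA-256("secret")): a hash, not a ciphertext, so there is nothing to decrypt, while the Basic header itself is only base64 and must travel over TLS.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Endpoint and API credentials as given in the answer; the token value is a
# constructed placeholder, not a real IdentityServer4 access token.
INTROSPECT_URL = "https://localhost:6001/connect/introspect"
API_NAME = "payment"
API_SECRET = "myapisecret"
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiJ9.sample.token"  # constructed


def basic_auth_header(api_name: str, api_secret: str) -> str:
    """RFC 7617 Basic credential: base64("<apiname>:<secret>"). Encoding, not encryption."""
    creds = f"{api_name}:{api_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def build_introspection_request(api_name: str, api_secret: str, token: str) -> dict:
    """The request the answer describes: POST, Basic auth, x-www-form-urlencoded body."""
    return {
        "method": "POST",
        "url": INTROSPECT_URL,
        "headers": {
            "Authorization": basic_auth_header(api_name, api_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"token": token}),
    }


def hash_secret(plain: str) -> str:
    """Stored form of an IdentityServer4 hashed shared secret: base64(SHA-256(UTF-8 secret)).
    This is the value that belongs in the ApiSecrets table for a hashed secret."""
    return base64.b64encode(hashlib.sha256(plain.encode("utf-8")).digest()).decode("ascii")


def introspect(request: dict, api_secrets: dict, known_tokens: set) -> tuple:
    """Simulated server side (an assumption mirroring the validator chain in the log, not IS4 code).
    api_secrets maps API resource name -> list of stored hashed secrets."""
    auth = request["headers"].get("Authorization", "")
    scheme, _, value = auth.partition(" ")
    if scheme != "Basic" or not value:
        return 401, {"error": "no Basic credential"}
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "malformed Basic credential"}
    name, _, secret = decoded.partition(":")  # split on the first ':' only; secrets may contain ':'
    stored = api_secrets.get(name) or []
    if not stored:
        # The asker's situation: the ApiResource exists but has no ApiSecrets entry.
        return 401, {"error": "No shared secret configured for client"}
    presented = hash_secret(secret)
    if not any(hmac.compare_digest(presented, h) for h in stored):
        return 401, {"error": "invalid API secret"}
    token = parse_qs(request["body"]).get("token", [None])[0]
    if token is None:
        return 400, {"error": "invalid_request"}
    # RFC 7662: an unknown or expired token is reported as inactive, not as an HTTP error.
    return 200, {"active": token in known_tokens}


def demo() -> dict:
    req = build_introspection_request(API_NAME, API_SECRET, SAMPLE_TOKEN)
    # Resource registered with no secret: reproduces the 401 from the question.
    no_secret = introspect(req, {API_NAME: []}, {SAMPLE_TOKEN})
    # Resource with the hashed secret stored: reproduces the working call from the answer.
    with_secret = introspect(req, {API_NAME: [hash_secret(API_SECRET)]}, {SAMPLE_TOKEN})
    return {
        "header": req["headers"]["Authorization"],
        "stored_hash": hash_secret(API_SECRET),
        "no_secret": no_secret,
        "with_secret": with_secret,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the file prints the Basic header (which matches the one in the answer), the hash to put in ApiSecrets, and the two simulated responses. To send the request to a real IdentityServer4 instance, pass the dict to requests.post(req["url"], headers=req["headers"], data=req["body"]); the simulated `introspect` is only there so the failure mode in the log can be reproduced without a server.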