
We are trying to integrate with another department; each of us has an instance of IdentityServer.

They want to consume our APIs via access_tokens generated from their instance of IdentityServer.

(Our IdentityServer & Our API):

[IdentityServer-A] <--> [API-A]

(Their IdentityServer & Their API):

[IdentityServer-B] --(generate access_tokens)--> [Website-B] --> [API-A]

When I run the above scenario,

IdentityServer-A logs this error:

IdentityServer4.Validation.TokenValidator Invalid reference token.

I can understand this error, because within IdentityServer-B this is an invalid reference token, as it is generated from IdentityServer-B.

But the question is how would I trust reference tokens generated from IdentityServer-A in IdentityServer-B?

  • Can IS4-B add your API as a resource which it is going to protect? And then you can add IS4-B as an identity provider inside your IS4-A? This will facilitate an SSO kind of workflow using OIDC. What say? – Ashish Deora Jul 24 '21 at 17:26
  • You can't use openidconnect, but you have to use `AddOAuth`. Then you can add as many identity providers as you wish. [I created a sample here](https://github.com/PieterjanDeClippel/SSO). You'll have to import the bacpac files first. – Pieterjan Dec 21 '21 at 20:37

1 Answer

The only straightforward solution seems to be switching to JWT. With reference tokens it's hardly possible, as the reference token does not even carry any information about its issuer.

An alternative could be to share the token store among the IdSrv instances. Another one is to implement in your [IdentityServer-A] a fallback call to [IdentityServer-B].

d_f
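One way to realise the answer's JWT suggestion on the API-A side, as an added example (not code from the question, the answer, or the IdentityServer4 project): because a JWT carries an `iss` claim, API-A can register one JWT bearer scheme per IdentityServer and forward each request to the scheme matching its issuer, something an opaque reference token cannot support. The issuer URLs, scheme names and the `api-a` audience are assumptions.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

public static class MultiIssuerAuth
{
    // Hypothetical authorities; replace with the real IdentityServer-A / IdentityServer-B URLs.
    public const string IssuerA = "https://identityserver-a.example.com";
    public const string IssuerB = "https://identityserver-b.example.com";

    public static void AddMultiIssuerJwt(this IServiceCollection services)
    {
        services.AddAuthentication(options =>
            {
                // Every request enters through the policy scheme, which forwards per issuer.
                options.DefaultScheme = "MultiIssuer";
            })
            .AddPolicyScheme("MultiIssuer", "Route by iss claim", options =>
            {
                options.ForwardDefaultSelector = context =>
                {
                    string? header = context.Request.Headers["Authorization"];
                    if (header == null || !header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
                        return "IS-A"; // no bearer token: let the default scheme reject with 401

                    var raw = header.Substring("Bearer ".Length).Trim();
                    var handler = new JwtSecurityTokenHandler();
                    if (!handler.CanReadToken(raw))
                        return "IS-A"; // not a JWT (e.g. an opaque reference token): IS-A rejects it

                    // The unvalidated 'iss' is used only for routing; the selected scheme still
                    // validates signature, issuer, audience and lifetime against its own authority.
                    var iss = handler.ReadJwtToken(raw).Issuer;
                    return iss == IssuerB ? "IS-B" : "IS-A";
                };
            })
            .AddJwtBearer("IS-A", options =>
            {
                options.Authority = IssuerA;
                options.Audience = "api-a"; // accept only tokens minted for this API
            })
            .AddJwtBearer("IS-B", options =>
            {
                options.Authority = IssuerB;
                options.Audience = "api-a"; // IS-B must register API-A as an API resource/audience
            });
    }
}
```

Keeping `Audience` set on both schemes matters: without it, a token IdentityServer-B issued for some unrelated API-B would also be accepted by API-A.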