0

Please find below the steps I applied in order to generate Reference Token instead of JWT:

  1. In the [Clients] table, I updated property [AccessTokenType] = 1. Please note that this is the client configured to be used from Angular Frontend app. Clients Table

ClientScopes Table

OIDC client configuration (Angular App)

"IdentityGuardsConfig": {
"oidcSettings": {
  "authority": "http://localhost:5000",
  "client_id": "local_spa",
  "redirect_uri": "http://localhost:4200/#/identity-guards/auth-callback#",
  "post_logout_redirect_uri": "http://localhost:4200",
  "response_type": "id_token token",
  "scope": "openid profile inspection_profile",
  "filterProtocolClaims": true,
  "loadUserInfo": true,
  "automaticSilentRenew": true,
  "silent_redirect_uri": "http://localhost:4200/#/identity-guards/silent-refresh#"
},

2- Since API (/connect/introspect) is secure, I had to create API Resource and API Secret (as per this thread). Also as per the thread, I had to assign the exact scopes requested from Frontend client (3 scopes ==> opened, profile, inspection_profile)

ApiResources Table ApiSecrets Table ApiScopes Table

After applying the above configuration, IdentityServer service is returning reference token, also the reference token is being persisted in [PersistedGrants] table PersistedGrants Table

To validate the reference token, I was able to do that by hitting (/connect/introspect) API from Postman (below is the converted cURL request)

curl --location --request POST 'http://localhost:5000/connect/introspect' \
--header 'Authorization: Basic bG9jYWxfc3BhOlBAc3N3MHJk' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=f007eff8fc2a3d8d9af7cb605b93b78d7004880d24356acebf928dae5a48dd8e'

Below is the response I recived for the above cURL request:

{
"iss": "http://localhost:5000",
"nbf": 1640694748,
"exp": 1640698348,
"aud": "http://localhost:5000/resources",
"client_id": "local_spa",
"sub": "f6a5ccec-9d70-4c7c-ab50-7a932f685cac",
"auth_time": 1640694748,
"idp": "local",
"amr": "pwd",
"email": "admin@isp.com",
"name": "admin@isp.com",
"given_name": "admin",
"phone_number": "0506198339",
"role": "SystemAdmin",
"preferred_username": "admin@isp.com",
"active": true,
"scope": "openid profile inspection_profile"
}

However, when I tried to access (/.well-known/openid-configuration) Iā€™m getting the below exception:

An unhandled exception occurred while processing the request. Exception: Found identity scopes and API scopes that use the same names. This is an invalid configuration. Use different names for identity scopes and API scopes. Scopes found: openid, profile, inspection_profile IdentityServer4.Stores.IResourceStoreExtensions.Validate(IEnumerable identity, IEnumerable apiResources) in IResourceStoreExtensions.cs, line 60

asalhani
  • 145
  • 1
  • 1
  • 8

2 Answers2

0

I think the error message explains pretty well what the problem is.

Found identity scopes and API scopes that use the same names. This is an invalid configuration. Use different names for identity scopes and API scopes.

You need to make sure the IdentityResource and ApiScope names are not the same.

Tore Nestenius
  • 16,431
  • 5
  • 30
  • 40
  • Then if I removed [openid profile inspection_profile] scopes from ApiScope, the (/connect/introspect) endpoint will not work because initially when the reference token generated, it requested the previous 3 scopes. So I'm missing something here? ā€“ asalhani Dec 29 '21 at 06:51
  • 1
    see my answer here, https://stackoverflow.com/questions/63811157/apiresource-vs-apiscope-vs-identityresource/63812939#63812939 APIScope should not contain "openid profile or introspection_profile", they are only meant to be used in IdentityResources. ā€“ Tore Nestenius Dec 29 '21 at 08:33
0

@Tore Nestenius You were correct. As adivsed I moved [inspection_profile] scope from [IdentityResources] to [ApiResources]. Also for all custom claim that I already have in [IdentityClaims], I re-linked them to the [openid] profile.

asalhani
  • 145
  • 1
  • 1
  • 8