charger

Reputation: 319

Do IdentityServer4 API Resources require a secret?

Does not having a secret defined for an IdentityServer4 API Resource introduce a security vulnerability?

I'm a little confused on the Introspection Endpoint, when it is used, and whether or not someone could use the Introspection endpoint to bypass Authorization and access an API without a defined secret (by a POST with just the API name as a parameter).

Is this possible? Or is the introspection endpoint only authorized through defined clients that use something like the Client Credential Grant?

Upvotes: 3

Views: 1375

Answers (2)

Derek

Reputation: 8628

An API Resource requires a Client Secret when you are using the Authorization Code Flow, as it's sending claims on the back channel.

If you are using Reference tokens you will also require a Client Secret, as the access token is never presented to the client; instead the reference token is passed from the client to the API resource, and then on to the identity server in exchange for the access token.

It really depends on the client and the flow.

Upvotes: 2

Dom Slatford

Reputation: 134

The introspection endpoint will only validate a posted token, it shouldn't accept an API name in its request.

It can be used to validate reference tokens (or JWTs if the consumer does not have support for appropriate JWT or cryptographic libraries). The introspection endpoint requires authentication using a scope secret.

http://docs.identityserver.io/en/release/endpoints/introspection.html

This shouldn't be an endpoint you need to implement, it is included by identity server in the same way as the '.well-known/openid-configuration'.

A use case for this endpoint would be an API being passed a token and wanting to confirm it's genuine and still valid (not expired or revoked); the response would include the claims associated with the token (the user's claims, with the token's scope taken into consideration).

For introspection security considerations see RFC 7662, Section 4.

Upvotes: 2
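To make the point of both answers concrete, here is an added model of what the introspection endpoint checks before it says anything about a token; it is example code written for this page, not IdentityServer4's implementation, and the API names, secrets and reference tokens are constructed. The caller must authenticate with an API resource's name and secret (HTTP Basic, as RFC 7662 allows); a POST carrying only an API name gets no answer at all, and even an authenticated caller only learns `active: true` for tokens that were actually issued for its own scopes.

```python
import base64
import hmac
import time

# Constructed sample data (hypothetical names): API resources with their
# introspection secrets, and the reference-token store the server holds.
API_RESOURCES = {"orders-api": {"secret": "orders-secret", "scopes": {"orders.read"}}}
TOKEN_STORE = {
    "ref-abc": {"sub": "alice", "scope": {"orders.read"}, "exp": time.time() + 3600},
    "ref-old": {"sub": "bob", "scope": {"orders.read"}, "exp": time.time() - 60},
    "ref-other": {"sub": "carol", "scope": {"billing.read"}, "exp": time.time() + 3600},
}


def _authenticate(headers):
    """Return the API resource name if the Basic credentials match, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        name, secret = base64.b64decode(auth[6:]).decode().split(":", 1)
    except ValueError:  # bad base64, bad UTF-8, or no "name:secret" separator
        return None
    res = API_RESOURCES.get(name)
    if res is None or not hmac.compare_digest(res["secret"], secret):
        return None
    return name


def introspect(headers, form, now=None):
    """Model of the introspection endpoint. Returns (http_status, json_body)."""
    api = _authenticate(headers)
    if api is None:
        return 401, {}  # unauthenticated callers learn nothing, not even "active": false
    now = time.time() if now is None else now
    token = TOKEN_STORE.get(form.get("token", ""))
    if token is None or token["exp"] <= now:
        return 200, {"active": False}  # unknown, revoked or expired reference token
    if not token["scope"] & API_RESOURCES[api]["scopes"]:
        return 200, {"active": False}  # token was not issued for this API's scopes
    return 200, {"active": True, "sub": token["sub"],
                 "scope": " ".join(sorted(token["scope"])), "exp": int(token["exp"])}


def basic(name, secret):
    """Build the Authorization header an API resource sends to introspect."""
    creds = base64.b64encode(f"{name}:{secret}".encode()).decode()
    return {"Authorization": "Basic " + creds}
```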
