Ong Ming Soon

Reputation: 1241

Introspection of token using offline_access scope in identityserver4

I managed to introspect the access token when using a scope defined by myself. I just need to post to the endpoint with basic authorization, where the username is my scope name and the password is my scope API secret. But offline_access is a default scope defined by IdentityServer, so how do I introspect it? Is there any way I can customize the offline_access scope with an API secret? I need to use offline_access because only this scope is able to provide me a refresh token.

Upvotes: 1

Views: 1788

Answers (2)

Ong Ming Soon

Reputation: 1241

I found a way to introspect the offline_access scope token. I hope this may help someone who is stuck like me. Let's say my code is

    public static IEnumerable<ApiResource> GetApis()
    {
        return new List<ApiResource>
        {
            new ApiResource("api1", "My API")
            {
                ApiSecrets = { new Secret("secret".Sha256()) }
            }
        };
    }

and my client code is

    public static IEnumerable<Client> GetClients()
    {
        return new List<Client>
        {
            // resource owner password grant client
            new Client
            {
                ClientId = "ro.client",
                AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,

                ClientSecrets =
                {
                    new Secret("secret".Sha256())
                },
                AllowedScopes = new List<string>
                {
                    "api1",
                    IdentityServerConstants.StandardScopes.OfflineAccess,
                },
                AllowOfflineAccess = true,
                AccessTokenType = AccessTokenType.Reference, // revocation endpoint work with reference access token only
            }
        };
    }

When requesting an access token, include both api1 and offline_access together: http://localhost:5000/connect/token

When requesting a refresh token: http://localhost:5000/connect/token

When doing introspection, take note that the username api1 and the password secret will be used for basic authorization: http://localhost:5000/connect/introspect

When doing revocation of a reference token or refresh token, take note that the username ro.client and the password secret will be used for basic authorization: http://localhost:5000/connect/revocation

Upvotes: 1
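The four calls described in the answer above, written out as an added example (not code from the original post). It assumes the ApiResource/Client configuration shown there (api1 with ApiSecret "secret", ro.client with ClientSecret "secret"), the IdentityModel NuGet package for the typed request helpers, and placeholder user credentials.

```csharp
// Added example; assumes the IdentityServer4 config from the answer above
// (ApiResource "api1" / secret "secret", client "ro.client" / secret "secret")
// and the IdentityModel package. User name and password are placeholders.
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;

public static class OfflineAccessFlow
{
    const string Authority = "http://localhost:5000";

    public static async Task RunAsync()
    {
        var http = new HttpClient();

        // 1. Password grant: request api1 AND offline_access so a refresh token is issued.
        var token = await http.RequestPasswordTokenAsync(new PasswordTokenRequest
        {
            Address = Authority + "/connect/token",
            ClientId = "ro.client", ClientSecret = "secret",   // client credentials
            UserName = "alice", Password = "alice-password",    // placeholder user
            Scope = "api1 offline_access"
        });
        if (token.IsError) throw new Exception(token.Error);

        // 2. Introspection authenticates as the API RESOURCE, not the client:
        //    Basic auth user = ApiResource name ("api1"), password = its ApiSecret.
        var introspection = await http.IntrospectTokenAsync(new TokenIntrospectionRequest
        {
            Address = Authority + "/connect/introspect",
            ClientId = "api1", ClientSecret = "secret",
            Token = token.AccessToken
        });
        Console.WriteLine($"active: {introspection.IsActive}");

        // 3. Exchange the refresh token for a new access token (client credentials again).
        var refreshed = await http.RequestRefreshTokenAsync(new RefreshTokenRequest
        {
            Address = Authority + "/connect/token",
            ClientId = "ro.client", ClientSecret = "secret",
            RefreshToken = token.RefreshToken
        });

        // 4. Revocation authenticates as the CLIENT that owns the token (ro.client);
        //    it works for refresh tokens and reference access tokens only.
        var revoked = await http.RevokeTokenAsync(new TokenRevocationRequest
        {
            Address = Authority + "/connect/revocation",
            ClientId = "ro.client", ClientSecret = "secret",
            Token = refreshed.RefreshToken, TokenTypeHint = "refresh_token"
        });
        Console.WriteLine($"revoked: {!revoked.IsError}");
    }
}
```

Introspecting the same access token again after step 4 should return active: false once the reference token has been revoked.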

Shantanu

Reputation: 554

You can create a refresh token like this.

Create your claims.

    // Both services are injected through the constructor
    IRefreshTokenService _refreshTokenService;
    IClientStore _clientStore;

    var issuer = HttpContext.GetIdentityServerIssuerUri();

    // Look up the client first; its settings are needed when building the token
    var client = _clientStore.FindClientByIdAsync("{clientId}").Result;

    // 'claims' and 'claimsPrincipal' come from the "create your claims" step above
    var tokenObj = new Token
    {
        Issuer = issuer,
        CreationTime = DateTime.UtcNow,
        Lifetime = client.AccessTokenLifetime,
        ClientId = "9a7519a1e0224b18bb28d0fe0a00d038",
        Claims = claims,
        AccessTokenType = AccessTokenType.Reference,
    };

    var refreshToken = _refreshTokenService.CreateRefreshTokenAsync(claimsPrincipal, tokenObj, client).Result;

Both of these are injected in the constructor.

Upvotes: 0
