CODEWITHSUNDEEP
djangopython-3.xoauth-2.0django-rest-frameworkdjango-oauth
Bryan
Bryan

Reputation: 15166

Introspection endpoint is not getting called

I am looking to create an API using the Django REST Framework which will authenticate using a separate authentication server by means of its introspection endpoint. The authorization flow should look something like the following.

  1. The client provides either user credentials or a refresh token to the token endpoint on our authentication server.
  2. If the provided credentials or refresh token are valid, the authentication server responds with an access token and a refresh token.
  3. The client then sends the access token to the API when requesting a resource.
  4. The API verifies the provided access token using the introspection endpoint on our authentication server.
  5. The authentication server responds letting the API know if the access token is valid.
  6. If the access token is valid, the API responds to the client with the requested resources.

Step 4 is the part I'm after, and the Django OAuth Toolkit looks like it provides an option for exactly this. In the section about setting up a separate resource server it states that it allows the application to verify access tokens by use of an introspection endpoint.

So I followed the setup for the Django OAuth Toolkit, and pointed the RESOURCE_SERVER_INTROSPECTION_URL toward the introspection endpoint on our authentication server. Then I acquired an access token from our authentication server and provided it to the API as an Authorization header, but I get the following response.

Content-Type: application/json
WWW-Authenticate: Bearer realm="api",error="invalid_token",error_description="The access token is invalid."
Vary: Accept
Allow: GET, HEAD, OPTIONS
Content-Length: 58

{
    "detail": "Authentication credentials were not provided."
}

If I don't provide a token I get the same response body, but no WWW-Authenticate header. The strange part is that the introspection endpoint never receives a POST request, which it should be sending to verify the access token.

So did I misread the documentation, or am I doing something wrong? Why isn't this working as I expect?

Upvotes: 2

Views: 366

Answers (0)

Related Questions