Requesting introspection endpoint without api secret #2651

Closed
victorjonsson opened this Issue Sep 26, 2018 · 6 comments

victorjonsson commented Sep 26, 2018

Hi there!

We have an API resource without a secret. How is it that we can use services.AddIdentityServerAuthentication in our third-party application, but we're not able to request the introspection endpoint? It responds with HTTP status 401. My assumption is that AddIdentityServerAuthentication will request the introspection endpoint to verify the JWT token, or am I wrong?

brockallen commented Sep 26, 2018

Introspection requires authentication, yes.

@brockallen brockallen added the question label Sep 26, 2018

victorjonsson commented Sep 26, 2018

But then my question is: how does the signature of the JWT token get verified in the third-party application?

brockallen commented Sep 26, 2018

If it's a JWT, introspection is not needed. The signature is validated by the API downloading the signing keys via discovery.

victorjonsson commented Sep 26, 2018

Ah, okay! That was the missing piece of the puzzle.

/ thanks

victorjonsson commented Sep 26, 2018

Do the signing keys get cached? Or will every request to the third-party application end up in a request to the discovery endpoint as well?

brockallen commented Sep 26, 2018

It's up to the component. Microsoft's caches for 24h.
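To make the two answers above concrete (local JWT signature validation with keys published via discovery, and a time-based key cache instead of a discovery round trip per request), here is an added stand-alone Python example; it is not code from this thread or from IdentityServer4 or Microsoft's JWT handler. The RSA key pair, the JWKS document and `fetch_jwks` are constructed stand-ins for what a real token service would publish at its `jwks_uri`.

```python
import base64, hashlib, hmac, json, time
# Constructed toy RSA key from two known Mersenne primes: trivially factorable,
# used only so the demo signs and verifies offline. Real keys come from the IdP.
_P, _Q, _E = (1 << 521) - 1, (1 << 607) - 1, 65537
_N, _D, _KID = _P * _Q, pow(_E, -1, (_P - 1) * (_Q - 1)), "demo-kid"
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _emsa(msg: bytes, k: int) -> bytes:  # EMSA-PKCS1-v1_5 with SHA-256 (RFC 8017)
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_jwt(claims: dict) -> str:  # stand-in for the token service issuing a JWT
    k = (_N.bit_length() + 7) // 8
    inp = b64u(json.dumps({"alg": "RS256", "kid": _KID}).encode()) + "." + b64u(json.dumps(claims).encode())
    sig = pow(int.from_bytes(_emsa(inp.encode(), k), "big"), _D, _N).to_bytes(k, "big")
    return inp + "." + b64u(sig)

def fetch_jwks() -> dict:  # stand-in for GET of the jwks_uri advertised in discovery
    enc = lambda x: b64u(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "kid": _KID, "alg": "RS256", "n": enc(_N), "e": enc(_E)}]}

class KeyCache:  # holds the signing keys for ttl seconds (the thread cites a 24h cache)
    def __init__(self, fetch=fetch_jwks, ttl=24 * 3600, now=time.time):
        self.fetch, self.ttl, self.now, self.fetches = fetch, ttl, now, 0
        self.keys, self.expires = {}, 0.0
    def get(self, kid):
        if self.now() >= self.expires:  # refresh only once the cached set has expired
            self.fetches += 1
            self.keys = {j["kid"]: j for j in self.fetch()["keys"]}
            self.expires = self.now() + self.ttl
        return self.keys.get(kid)

def verify_jwt(token: str, cache: KeyCache):  # claims if RS256 signature verifies, else None
    h, p, s = token.split(".")
    hdr = json.loads(b64u_dec(h))
    jwk = cache.get(hdr.get("kid")) if hdr.get("alg") == "RS256" else None  # pin the alg
    if jwk is None:
        return None
    n, e = (int.from_bytes(b64u_dec(jwk[x]), "big") for x in ("n", "e"))
    k, sig = (n.bit_length() + 7) // 8, b64u_dec(s)
    if len(sig) != k:
        return None
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return json.loads(b64u_dec(p)) if hmac.compare_digest(em, _emsa(f"{h}.{p}".encode(), k)) else None
```

No call to an introspection endpoint is involved: the API only needs the public key set, so an API resource without a secret can still validate JWTs, and the cache means the key set is fetched once per TTL rather than once per request.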
