By: Andrew Beak user 08 Aug 2017 at 7:41 a.m. CDT

2 Responses
Andrew Beak gravatar
Hi, I want to use the client credentials grant for some communication that does not directly involve a user. I'm able to call /oxauth/seam/resource/restv1/oxauth/token and receive an access token. The manual page says that client_credentials is a valid grant_type and I do indeed receive a token. I can't work out how my Resource Provider would be able to verify that the token being given to it is valid. I would expect to use Token Introspection ( When I call the endpoint with the access token as a bearer token and supplying the "token" in the body (I'm not using the optional token_type_hint parameter) I get an error: ``` POST /oxauth/seam/resource/restv1/introspection HTTP/1.1 Host: gluu.local Authorization: Bearer 1e4b41eb-fb99-4280-aafa-019bf4547be8 Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache token=1e4b41eb-fb99-4280-aafa-019bf4547be8 ``` This returns: ``` { "error": "access_denied", "error_description": "The resource owner or authorization server denied the request." } ``` The manual for an older version (2.4.4) of Gluu has documentation for the OAuth2 flows but these pages are removed in Gluu. Neither the old manual page nor the OpenID connect page mention token introspection. I can't work out why the request is being denied. Is there perhaps a manual page on how to validate a token that a client passes you? Google isn't terribly helpful in finding this information for Gluu.

By Andrew Beak user 08 Aug 2017 at 8:09 a.m. CDT

Andrew Beak gravatar
Requesting the access token with scope 'uma_protection' lets you present it as a bearer token for introspection. Here is the request for the token: ``` POST /oxauth/seam/resource/restv1/oxauth/token HTTP/1.1 Host: gluu.local Authorization: Basic QCFEQTQ2LkQ1QjQuRTk3Ri5EMTdDITAwMDEhRjBDOC4wNjA1ITAwMDghOTM4MC44QzM0LkQxQ0EuMzgzQjpwYXNzd29yZA== Content-Type: application/x-www-form-urlencoded Cache-Control: no-cache grant_type=client_credentials& ```

By William Lowe user 08 Aug 2017 at 9:07 a.m. CDT

William Lowe gravatar
Nice work, Andrew. Thanks for adding this to the forum.