By: Steffen Templin user 03 Nov 2018 at 4:55 a.m. CDT

7 Responses

Hello, I am experiencing an issue with the token introspection endpoint. When using `client_secret_basic` authentication method for `/oxauth/restv1/introspection` endpoint, the response is always `401 Unauthorized`. The client credentials are valid though. If I use them to obtain a client credentials access token, everything works. ## Expected behavior This should work: ``` # 1. Obtain access token curl --insecure -v -u '<client-id>:<client-token>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=password&username=user&password=secret&scope=email user_name' https://login.example.com/oxauth/restv1/token 200 OK {"access_token":"1234",...} # 2. Introspect token curl --insecure -v -u '<client-id>:<client-token>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'token=1234&token_type_hint=access_token' https://login.example.com/oxauth/restv1/introspection 200 OK {"active":true,...} ``` ## Actual behavior The request fails: ``` # 1. Obtain access token curl --insecure -v -u '<client-id>:<client-token>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=password&username=user&password=secret&scope=email user_name' https://login.example.com/oxauth/restv1/token 200 OK {"access_token":"1234",...} # 2. Introspect token curl --insecure -v -u '<client-id>:<client-token>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'token=1234&token_type_hint=access_token' https://login.example.com/oxauth/restv1/introspection 401 Unauthorized {"error":"access_denied","error_description":"The resource owner or authorization server denied the request."} ``` It does work though, if the client uses bearer authentication for introspection: ``` # 1. Obtain access token curl --insecure -v -u '<client-id>:<client-token>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=password&username=user&password=secret&scope=email user_name' https://login.example.com/oxauth/restv1/token 200 OK {"access_token":"1234",...} # 2. Obtain client token curl --insecure -v -u '<client-id>:<client-token>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=client_credentials' https://login.example.com/oxauth/restv1/token 200 OK {"access_token":"abcd",...} # 3. Introspect token curl --insecure -v -H 'Authorization: Bearer abcd' -H 'Content-Type: application/x-www-form-urlencoded' -d 'token=1234&token_type_hint=access_token' https://login.example.com/oxauth/restv1/introspection 200 OK {"active":true,...} ``` The issue seems to be in https://github.com/GluuFederation/oxAuth/blob/c6f9caede63f9c12d222eb91dee4c2f48866609b/Server/src/main/java/org/xdi/oxauth/introspection/ws/rs/IntrospectionWebService.java#L174. The code tries to obtain an `AuthorizationGrant` for the authenticated client, but passes the base64 encoded client credentials as an access token to `authorizationGrantList.getAuthorizationGrantByAccessToken()`.

Ubuntu 16.04

closed

By Aliaksandr Samuseu staff 03 Nov 2018 at 7:41 a.m. CDT

Copy

Hi, Steffen. As far as I can remember, using bearer token in authorization header has been the correct way to access introspection endpoint in Gluu. So I'm not sure what is the issue here, could you elaborate? If you need some other method to authroize the request implemented, feel free to file an enhancement proposal at Github for oxAuth.

By Steffen Templin user 03 Nov 2018 at 11:12 a.m. CDT

Copy

Hi Aliaksandr, I was under the impression that this was meant to be covered by https://github.com/GluuFederation/oxAuth/issues/566. Maybe I am mistaken with that and my use case is even different. In that case I'm happy to open an enhancement request. In that case, would you accept a pull request? Maybe I could file it as such directly.

By William Lowe user 03 Nov 2018 at 1:51 p.m. CDT

Copy

yes a pull request would be excellent.

By Aliaksandr Samuseu staff 04 Nov 2018 at 10:14 a.m. CST

Copy

>I was under the impression that this was meant to be covered by https://github.com/GluuFederation/oxAuth/issues/566. Maybe I am mistaken with that and my use case is even different. It may be it, indeed, I missed this enhancement then. I see it was scheduled for 4.0, but was implemented at the beginning of the year, so it should be in the main code as of now, I guess. I'll ask Yuriy to have a look at this ticket.

By Yuriy Zabrovarnyy staff 05 Nov 2018 at 3:39 a.m. CST

Copy

Thanks Steffen for report. You are right, we have typo in 3.1.4 which you already found. It is fixed in 3.1.5. Also I've added automated test for this case, so we have it covered now. BR, Yuriy Z

By Steffen Templin user 05 Nov 2018 at 5:01 a.m. CST

Copy

Thank you very much, Yuri! I'm looking forward to 3.1.5 then.

By Aliaksandr Samuseu staff 05 Nov 2018 at 8:21 a.m. CST

Copy

Closing the ticket as resolved.

You need to Login in order to post an answer

Token introspection fails with HTTP Basic Auth

By: Steffen Templin user 03 Nov 2018 at 4:55 a.m. CDT

Answers

By Aliaksandr Samuseu staff 03 Nov 2018 at 7:41 a.m. CDT

By Steffen Templin user 03 Nov 2018 at 11:12 a.m. CDT

By William Lowe user 03 Nov 2018 at 1:51 p.m. CDT

By Aliaksandr Samuseu staff 04 Nov 2018 at 10:14 a.m. CST

By Yuriy Zabrovarnyy staff 05 Nov 2018 at 3:39 a.m. CST

By Steffen Templin user 05 Nov 2018 at 5:01 a.m. CST

By Aliaksandr Samuseu staff 05 Nov 2018 at 8:21 a.m. CST

Post an answer