By: Steffen Templin user 03 Nov 2018 at 4:55 a.m. CDT

7 Responses
Steffen Templin gravatar
Hello, I am experiencing an issue with the token introspection endpoint. When using `client_secret_basic` authentication method for `/oxauth/restv1/introspection` endpoint, the response is always `401 Unauthorized`. The client credentials are valid though. If I use them to obtain a client credentials access token, everything works. ## Expected behavior This should work: ``` # 1. Obtain access token curl --insecure -v -u '<client-id>:<client-token>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=password&username=user&password=secret&scope=email user_name' https://login.example.com/oxauth/restv1/token 200 OK {"access_token":"1234",...} # 2. Introspect token curl --insecure -v -u '<client-id>:<client-token>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'token=1234&token_type_hint=access_token' https://login.example.com/oxauth/restv1/introspection 200 OK {"active":true,...} ``` ## Actual behavior The request fails: ``` # 1. Obtain access token curl --insecure -v -u '<client-id>:<client-token>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=password&username=user&password=secret&scope=email user_name' https://login.example.com/oxauth/restv1/token 200 OK {"access_token":"1234",...} # 2. Introspect token curl --insecure -v -u '<client-id>:<client-token>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'token=1234&token_type_hint=access_token' https://login.example.com/oxauth/restv1/introspection 401 Unauthorized {"error":"access_denied","error_description":"The resource owner or authorization server denied the request."} ``` It does work though, if the client uses bearer authentication for introspection: ``` # 1. Obtain access token curl --insecure -v -u '<client-id>:<client-token>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=password&username=user&password=secret&scope=email user_name' https://login.example.com/oxauth/restv1/token 200 OK {"access_token":"1234",...} # 2. Obtain client token curl --insecure -v -u '<client-id>:<client-token>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=client_credentials' https://login.example.com/oxauth/restv1/token 200 OK {"access_token":"abcd",...} # 3. Introspect token curl --insecure -v -H 'Authorization: Bearer abcd' -H 'Content-Type: application/x-www-form-urlencoded' -d 'token=1234&token_type_hint=access_token' https://login.example.com/oxauth/restv1/introspection 200 OK {"active":true,...} ``` The issue seems to be in https://github.com/GluuFederation/oxAuth/blob/c6f9caede63f9c12d222eb91dee4c2f48866609b/Server/src/main/java/org/xdi/oxauth/introspection/ws/rs/IntrospectionWebService.java#L174. The code tries to obtain an `AuthorizationGrant` for the authenticated client, but passes the base64 encoded client credentials as an access token to `authorizationGrantList.getAuthorizationGrantByAccessToken()`.

By Aliaksandr Samuseu staff 03 Nov 2018 at 7:41 a.m. CDT

Aliaksandr Samuseu gravatar
Hi, Steffen. As far as I can remember, using bearer token in authorization header has been the correct way to access introspection endpoint in Gluu. So I'm not sure what is the issue here, could you elaborate? If you need some other method to authroize the request implemented, feel free to file an enhancement proposal at Github for oxAuth.

By Steffen Templin user 03 Nov 2018 at 11:12 a.m. CDT

Steffen Templin gravatar
Hi Aliaksandr, I was under the impression that this was meant to be covered by https://github.com/GluuFederation/oxAuth/issues/566. Maybe I am mistaken with that and my use case is even different. In that case I'm happy to open an enhancement request. In that case, would you accept a pull request? Maybe I could file it as such directly.

By William Lowe staff 03 Nov 2018 at 1:51 p.m. CDT

William Lowe gravatar
yes a pull request would be excellent.

By Aliaksandr Samuseu staff 04 Nov 2018 at 10:14 a.m. CST

Aliaksandr Samuseu gravatar
>I was under the impression that this was meant to be covered by https://github.com/GluuFederation/oxAuth/issues/566. Maybe I am mistaken with that and my use case is even different. It may be it, indeed, I missed this enhancement then. I see it was scheduled for 4.0, but was implemented at the beginning of the year, so it should be in the main code as of now, I guess. I'll ask Yuriy to have a look at this ticket.

By Yuriy Zabrovarnyy staff 05 Nov 2018 at 3:39 a.m. CST

Yuriy Zabrovarnyy gravatar
Thanks Steffen for report. You are right, we have typo in 3.1.4 which you already found. It is fixed in 3.1.5. Also I've added automated test for this case, so we have it covered now. BR, Yuriy Z

By Steffen Templin user 05 Nov 2018 at 5:01 a.m. CST

Steffen Templin gravatar
Thank you very much, Yuri! I'm looking forward to 3.1.5 then.

By Aliaksandr Samuseu staff 05 Nov 2018 at 8:21 a.m. CST

Aliaksandr Samuseu gravatar
Closing the ticket as resolved.