By: kesavan dhilip user 09 Jan 2018 at 7:20 a.m. CST

7 Responses

Hi Team,

I need to validate the access token via the /introspection endpoint in Gluu.

Request URL = /oxauth/restv1/introspection

Header = Authorization:Basic QCEzQzJDLjJFRDguQkE0Qy5EOUREITAwMDEhNDFBNy5FOUJCITAwMDghMjYzNC44OEUyLjBGQzAuRkQxQjo0MjFkOWUzOS1iOTUwLTQ4YjItYWQ1NS02M2E0MDZiZjM0NGQ=, Content-Type:application/x-www-form-urlencoded

Authorization = Type - Basic Auth, username - client_id, password - client_secret

Request params = token - 8a3649dd-2a4a-42d4-a6cd-6da390269a3a(access token), token_type_hint - access_token

But I can't get a success response; I always get an error response like

{ "error": "access_denied", "error_description": "The resource owner or authorization server denied the request." }

Can anyone please help me sort out the above issue?

By Thomas Gasmyr Mougang staff 09 Jan 2018 at 3:59 p.m. CST


Hi dhilip,

Can you provide oxauth.log?

By Thomas Gasmyr Mougang staff 10 Jan 2018 at 12:30 p.m. CST


Hi dhilip,

The introspection endpoint is protected by an access_token with scope uma_protection.

So to query the introspection endpoint, just make sure you put a token with uma_protection in the Authorization header.

Let's say you have a regular OIDC setup and you want to introspect tokens issued during its flows. All you need to do is request one additional scope, uma_protection, from oxAuth and also add it to the client's.

Let me know if you need more help.

By William Lowe staff 11 Jan 2018 at 3:47 p.m. CST


Closing this ticket due to inactivity.

If you need additional assistance, please comment on the ticket and we can re-open.

Thanks,
Will

By David Avendasora user 13 Feb 2018 at 12:10 p.m. CST


I'm trying to do exactly what the original poster outlined and getting the same error - no surprise.

However, I don't understand when you say:

The introspection endpoint is protected by an access_token with scope uma_protection.

Let's say you have a regular OIDC setup and you want to introspect tokens issued during its flows. All you need to do is request one additional scope, uma_protection, from oxAuth and also add it to the client's.

What access_token are you referring to? Do you mean the access_token that I'm trying to validate?

If so, that means that it will be included in both:

  • The Body, as the value of the token parameter (as specified in RFC 7662)
  • The Authorization header, as the access_token parameter of a JSON Bearer Token, along with the uma_protection scope

when calling the OAuth 2 introspection endpoint to validate it?

That really doesn't make sense to me. (How would I validate a refresh_token?) I figured I'd try it, though, just in case:

I did the following:

  1. Added the uma_protection scope to my OIDC Client in oxTrust
  2. Used the client to authenticate a user using the authorization_code Grant Type
  3. Took the resulting access_token value: 6ed2a554-baa5-4868-b02b-05a33c90c634
  4. Created a JSON object, including the same set of scopes assigned to the OIDC Client in oxTrust:
{
    "access_token":"6ed2a554-baa5-4868-b02b-05a33c90c634",
    "token_type":"Bearer",
    "scope":"openid profile uma_protection user_name",
    "expires_in":"3600"
}
  5. Base64-encoded it to create a Bearer Token:
Bearer eyJhY2Nlc3NfdG9rZW4iOiI2ZWQyYTU1NC1iYWE1LTQ4NjgtYjAyYi0wNWEzM2M5MGM2MzQiLCJ0b2tlbl90eXBlIjoiQmVhcmVyIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSB1bWFfcHJvdGVjdGlvbiB1c2VyX25hbWUiLCJleHBpcmVzX2luIjoiMzYwMCJ9
  6. Added the token and token_type_hint parameters to the Request body:
token=6ed2a554-baa5-4868-b02b-05a33c90c634&token_type_hint=access_token

Which resulted in the following HTTP request:

POST /oxauth/restv1/introspection HTTP/1.1
Authorization: Bearer eyJhY2Nlc3NfdG9rZW4iOiI2ZWQyYTU1NC1iYWE1LTQ4NjgtYjAyYi0wNWEzM2M5MGM2MzQiLCJ0b2tlbl90eXBlIjoiQmVhcmVyIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSB1bWFfcHJvdGVjdGlvbiB1c2VyX25hbWUiLCJleHBpcmVzX2luIjoiMzYwMCJ9
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: iam.my.org
Connection: close
User-Agent: Paw/3.1.5 (Macintosh; OS X/10.12.6) GCDHTTPRequest
Content-Length: 71

token=6ed2a554-baa5-4868-b02b-05a33c90c634&token_type_hint=access_token

Unfortunately, that didn't work either. I still end up with the same error: {"error":"access_denied","error_description":"The resource owner or authorization server denied the request."}

Any idea what I'm doing wrong?

Oh, and just FYI, the /oxauth/restv1/introspection endpoint isn't documented in Gluu's OIDC docs at all.

By kesavan dhilip user 14 Feb 2018 at 12:30 a.m. CST


Hi David,

URL: {baseurl}/oxauth/restv1/introspection
Method: POST

Header:

Authorization: Bearer bf6d4b7a-a4a5-4738-8b69-3db02f45684e
Content-Type: application/x-www-form-urlencoded

Request:

token: bf6d4b7a-a4a5-4738-8b69-3db02f45684e
token_type_hint: access_token
scope: uma_protection

Response:

{
  "active": true,
  "scopes": [ "openid", "profile", "uma_protection", "externalId", "email" ],
  "client_id": "xxxx",
  "username": "kesavan",
  "token_type": "bearer",
  "exp": 1518588745545,
  "iat": 1518588445545,
  "sub": null,
  "aud": "xxx",
  "iss": "",
  "jti": null,
  "acr_values": null
}

I got a success response. Before, I was also getting the access denied error response.

I found the issue: our main problem was that we were not using the access token as a Bearer token in the Authorization header, and also not using scope = uma_protection.

Use the same token as both the Bearer token and the input request token.

Thanks, Kesavan
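The working call above, written out as a small Python client that a resource server could use. This is an added example, not code from the thread or from Gluu: it builds the POST exactly as described (Bearer token in the Authorization header, token and token_type_hint in the form body) and then classifies the response so that a rejected caller (401) is kept apart from an inactive or expired token under test. The host https://iam.example.org, the placeholder tokens and the sample response bodies are constructed here; the millisecond handling of exp is an assumption drawn from the sample response quoted above, since RFC 7662 defines exp in seconds.

```python
import json
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlencode

# Endpoint path as given in the thread; the host is whatever your Gluu deployment uses.
INTROSPECTION_PATH = "/oxauth/restv1/introspection"


def build_introspection_request(base_url, caller_token, token_to_check,
                                token_type_hint="access_token"):
    """Assemble the POST described in the thread: Bearer auth in the header,
    the token under test in the form body (RFC 7662 section 2.1)."""
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + INTROSPECTION_PATH,
        "headers": {
            "Authorization": "Bearer " + caller_token,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"token": token_to_check, "token_type_hint": token_type_hint}),
    }


def send_request(request):
    """Send a built request; returns (status_code, body_text) even on HTTP errors,
    so the caller can classify a 401 instead of raising. Not used by the offline demo."""
    req = urllib.request.Request(request["url"], data=request["body"].encode("utf-8"),
                                 headers=request["headers"], method=request["method"])
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def evaluate_introspection(status_code, body_text, now, required_scope=None):
    """Classify an introspection response from the resource server's point of view.

    Returns one of: "caller_not_authorized", "unexpected_status", "token_inactive",
    "token_expired", "scope_missing", "token_valid".
    """
    if status_code in (401, 403):
        # The caller's own credentials were rejected; this says nothing about the token under test.
        return "caller_not_authorized"
    if status_code != 200:
        return "unexpected_status"
    data = json.loads(body_text)
    if data.get("active") is not True:
        return "token_inactive"
    exp = data.get("exp")
    if exp is not None:
        exp = int(exp)
        # Assumption: the sample response in the thread carries exp as epoch milliseconds
        # (1518588745545), while RFC 7662 specifies seconds, so normalise implausibly large values.
        if exp > 10**11:
            exp //= 1000
        if now >= exp:
            return "token_expired"
    # Gluu's sample uses a "scopes" list; RFC 7662 uses a space-separated "scope" string.
    scopes = data.get("scopes") or str(data.get("scope", "")).split()
    if required_scope and required_scope not in scopes:
        return "scope_missing"
    return "token_valid"


# Constructed sample bodies, shaped like the responses quoted in the thread.
DENIED_BODY = ('{"error":"access_denied","error_description":'
               '"The resource owner or authorization server denied the request."}')
ACTIVE_BODY = json.dumps({
    "active": True,
    "scopes": ["openid", "profile", "uma_protection", "email"],
    "client_id": "client-id-placeholder",
    "username": "kesavan",
    "token_type": "bearer",
    "exp": 1518588745545,
    "iat": 1518588445545,
})
INACTIVE_BODY = '{"active": false}'

if __name__ == "__main__":
    req = build_introspection_request("https://iam.example.org", "caller-token-placeholder",
                                      "token-under-test-placeholder")
    print(req["url"], req["headers"]["Authorization"], req["body"], sep="\n")
    print(evaluate_introspection(401, DENIED_BODY, now=1518588445))
    print(evaluate_introspection(200, ACTIVE_BODY, now=1518588445, required_scope="email"))
    print(evaluate_introspection(200, ACTIVE_BODY, now=1518588800))
    print(evaluate_introspection(200, INACTIVE_BODY, now=1518588445))
```

The split between "caller_not_authorized" and "token_inactive" is the point to keep in mind: as long as the caller authenticates with the very token it is introspecting, an expired or revoked token never yields a 200 with "active": false, only a 401, and the resource server cannot tell the two failures apart.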

By David Avendasora user 14 Feb 2018 at 9:27 a.m. CST


Thanks, Kesavan!!!

Wow, I had really over-complicated things. I now have OAuth 2.0 Token Introspection working as expected, but only for active access_tokens.

Because OXAuth's Introspection endpoint's Authentication header requires an access_token, and the Resource Server (an OIDC Client) does not have one, I can only authenticate using the Resource Owner (RO)'s access_token.

The Resource Server is the one asking for introspection of the RO's access_token. Therefore, commandeering the RO's token to make the request is certainly not the Right Way™ to do it. It could be argued that the RO should not have access to the introspection endpoint at all.

Since the Resource Owner's access_token is the token I'm trying to introspect, I will never get a 200 response containing "active":false. I will only ever get a 401 error response. Getting a 401 in this situation should mean that the Resource Server isn't authenticated, not that the RO's token is expired/revoked/etc.

What would be a correct way to provide my Resource Server with an access_token to use when calling the OAuth 2.0 introspection endpoint? Should I set up a user representing each Resource Server and have them authenticate themselves?

Thanks!

Dave

By David Avendasora user 15 Feb 2018 at 10:02 a.m. CST


This post by Andrew Beak provides the answer to my question:

What would be a correct way to provide my Resource Server with an access_token to use when calling the OAuth 2.0 introspection endpoint?

Depending on your OIDC client's setting for "Authentication method for the Token Endpoint", submit one of the two following requests to the oxauth/token endpoint:

  • client_secret_basic:
POST /oxauth/restv1/token HTTP/1.1
Authorization: Basic QCE2MURELkQxMkEuOTBDNy5DNkFFITAwMDEhM0Q4QS45NDQxITAwMDghNzIzOS4xMTY5LjhGNjQuRkEzODpNeVNlY3VyZVBhc3N3b3JkIQ==
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: iamdev1.ncmecad.net
Connection: close
User-Agent: Paw/3.1.5 (Macintosh; OS X/10.12.6) GCDHTTPRequest
Content-Length: 58
Body:
scope=uma_protection&grant_type=client_credentials
  • client_secret_post:
POST /oxauth/restv1/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: iamdev1.ncmecad.net
Connection: close
User-Agent: Paw/3.1.5 (Macintosh; OS X/10.12.6) GCDHTTPRequest
Content-Length: 176
Body:
scope=uma_protection&grant_type=client_credentials&client_id=%40%2161DD.D12A.90C7.C6AE%210001%213D8A.9441%210008%217239.1169.8F64.FA38&client_secret=MySecurePassword%21

Which will return an application/json response, something like:

{
  "access_token": "1f70db91-11ac-40c1-908a-70e89db4b9a8",
  "token_type": "bearer",
  "expires_in": 299,
  "scope": "uma_protection"
}
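The two token requests above, reproduced in Python so the resource server can obtain its own uma_protection token instead of borrowing the resource owner's. This is an added example, not code from the thread or from Gluu. It reuses the client_id and the example secret quoted in the requests above (so the client_secret_basic header it produces is byte-for-byte the one in the post), builds both the client_secret_basic and client_secret_post forms, and checks that the returned token actually carries the uma_protection scope before it is used. The host https://iam.example.org is a placeholder; the form_encode option and the sample response constant are additions of this example.

```python
import base64
import json
from urllib.parse import quote_plus, urlencode

# Token endpoint path as shown in the thread.
TOKEN_PATH = "/oxauth/restv1/token"

# Client credentials quoted in the thread's requests (the secret is the post's example value).
CLIENT_ID = "@!61DD.D12A.90C7.C6AE!0001!3D8A.9441!0008!7239.1169.8F64.FA38"
CLIENT_SECRET = "MySecurePassword!"


def basic_auth_header(client_id, client_secret, form_encode=False):
    """Build the client_secret_basic Authorization value.

    The thread's header base64-encodes the raw "client_id:client_secret" string, which is what
    Gluu accepted there. RFC 6749 section 2.3.1 says both values are form-urlencoded first;
    pass form_encode=True for that variant (it matters here because the id contains '@' and '!').
    """
    if form_encode:
        client_id = quote_plus(client_id, safe="")
        client_secret = quote_plus(client_secret, safe="")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_client_credentials_request(base_url, client_id, client_secret, auth_method,
                                     scope="uma_protection"):
    """Assemble the client_credentials grant for either token-endpoint auth method."""
    form = {"scope": scope, "grant_type": "client_credentials"}
    headers = {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"}
    if auth_method == "client_secret_basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif auth_method == "client_secret_post":
        # Credentials travel in the body; urlencode percent-encodes '@' and '!' as in the thread.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported token endpoint auth method: {auth_method}")
    body = urlencode(form)
    headers["Content-Length"] = str(len(body))
    return {"method": "POST", "url": base_url.rstrip("/") + TOKEN_PATH,
            "headers": headers, "body": body}


def parse_token_response(body_text, required_scope="uma_protection"):
    """Return (access_token, expires_in) and confirm the scope was actually granted.

    A server may narrow the requested scope; without uma_protection the later
    introspection call would only fail with access_denied, so check up front."""
    data = json.loads(body_text)
    if "access_token" not in data:
        raise ValueError(f"token request failed: {data.get('error', 'no access_token')}")
    granted = set(str(data.get("scope", "")).split())
    if required_scope not in granted:
        raise ValueError(f"scope {required_scope!r} not granted (got {sorted(granted)})")
    return data["access_token"], int(data.get("expires_in", 0))


# Constructed sample, shaped like the JSON response quoted at the end of the thread.
SAMPLE_TOKEN_RESPONSE = json.dumps({"access_token": "1f70db91-11ac-40c1-908a-70e89db4b9a8",
                                    "token_type": "bearer", "expires_in": 299,
                                    "scope": "uma_protection"})

if __name__ == "__main__":
    for method in ("client_secret_basic", "client_secret_post"):
        req = build_client_credentials_request("https://iam.example.org",
                                               CLIENT_ID, CLIENT_SECRET, method)
        print(method, req["headers"].get("Authorization", "(no header)"), req["body"], sep="\n  ")
    print(parse_token_response(SAMPLE_TOKEN_RESPONSE))
```

With the resource server holding its own token, a 401 from the introspection endpoint now means the resource server's credentials or scope are wrong, while the state of the resource owner's token comes back in a 200 body as "active": true or false. The sample response shows expires_in of 299 seconds, so the resource server should cache the token and request a fresh one before it lapses rather than on every introspection call.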