By: kesavan dhilip user 09 Jan 2018 at 7:20 a.m. CST

7 Responses
Hi Team, I need to validate the access token via the /introspection endpoint in Gluu.

Request URL = /oxauth/restv1/introspection

Header = Authorization: Basic QCEzQzJDLjJFRDguQkE0Qy5EOUREITAwMDEhNDFBNy5FOUJCITAwMDghMjYzNC44OEUyLjBGQzAuRkQxQjo0MjFkOWUzOS1iOTUwLTQ4YjItYWQ1NS02M2E0MDZiZjM0NGQ=, Content-Type: application/x-www-form-urlencoded

Authorization = Type - Basic Auth, username - client_id, password - client_secret

Request params = token - 8a3649dd-2a4a-42d4-a6cd-6da390269a3a (access token), token_type_hint - access_token

But I am not able to get the success response; I always get an error response like:

```
{
  "error": "access_denied",
  "error_description": "The resource owner or authorization server denied the request."
}
```

Can anyone please help me sort out the above issue.

By Thomas Gasmyr Mougang staff 09 Jan 2018 at 3:59 p.m. CST

Hi dhilip, Can you provide oxauth.log?

By Thomas Gasmyr Mougang staff 10 Jan 2018 at 12:30 p.m. CST

Hi dhilip, the introspection endpoint is protected by an access_token with scope **uma_protection**. So to query the introspection endpoint, just make sure you put a token with **uma_protection** in the Authorization header. Let's say you have a regular OIDC setup and you want to introspect tokens issued during its flows. All you need to do is request one additional scope, uma_protection, from oxAuth and also add it to the client's. Let me know if you need more help.

By William Lowe user 11 Jan 2018 at 3:47 p.m. CST

Closing this ticket due to inactivity. If you need additional assistance, please comment on the ticket and we can re-open. Thanks, Will

By David Avendasora user 13 Feb 2018 at 12:10 p.m. CST

I'm trying to do **exactly** what the original poster outlined and getting the same error - no surprise. However, I don't understand when you say:

> Introspection end point is protected by access_token with scope uma_protection.
>
> Let say you have a regular OIDC setup and you want to introspect tokens issued during its flows. All you need to do is just request one additional scope uma_protection from oxAuth and also add it to the client's.

What access_token are you referring to? Do you mean the access_token that I'm trying to validate? If so, that means that it will be included in both:

- The Body, as the value of the `token` parameter (as specified in [RFC7662](https://tools.ietf.org/html/rfc7662))
- The `Authorization` header, as the `access_token` parameter of a JSON Bearer Token (along with the `uma_protection` scope)

when calling the OAuth 2 introspection endpoint to validate it? That really doesn't make sense to me. (How would I validate a `refresh_token`?)

I figured I'd try it, though, just in case. I did the following:

1. Added the `uma_protection` scope to my OIDC Client in oxTrust
2. Used the client to authenticate a user using the `authorization_code` Grant Type
3. Took the resulting access_token value: `6ed2a554-baa5-4868-b02b-05a33c90c634`
4. Created a JSON object, including the same set of scopes assigned to the OIDC Client in oxTrust:
   ```
   {
     "access_token":"6ed2a554-baa5-4868-b02b-05a33c90c634",
     "token_type":"Bearer",
     "scope":"openid profile uma_protection user_name",
     "expires_in":"3600"
   }
   ```
5. Base64-encoded it to create a Bearer Token:
   ```
   Bearer eyJhY2Nlc3NfdG9rZW4iOiI2ZWQyYTU1NC1iYWE1LTQ4NjgtYjAyYi0wNWEzM2M5MGM2MzQiLCJ0b2tlbl90eXBlIjoiQmVhcmVyIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSB1bWFfcHJvdGVjdGlvbiB1c2VyX25hbWUiLCJleHBpcmVzX2luIjoiMzYwMCJ9
   ```
6. Added the `token` and `token_type_hint` parameters to the Request body:
   ```
   token=6ed2a554-baa5-4868-b02b-05a33c90c634&token_type_hint=access_token
   ```

Which resulted in the following HTTP request:

```
POST /oxauth/restv1/introspection HTTP/1.1
Authorization: Bearer eyJhY2Nlc3NfdG9rZW4iOiI2ZWQyYTU1NC1iYWE1LTQ4NjgtYjAyYi0wNWEzM2M5MGM2MzQiLCJ0b2tlbl90eXBlIjoiQmVhcmVyIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSB1bWFfcHJvdGVjdGlvbiB1c2VyX25hbWUiLCJleHBpcmVzX2luIjoiMzYwMCJ9
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: iam.my.org
Connection: close
User-Agent: Paw/3.1.5 (Macintosh; OS X/10.12.6) GCDHTTPRequest
Content-Length: 71

token=6ed2a554-baa5-4868-b02b-05a33c90c634&token_type_hint=access_token
```

Unfortunately, that didn't work either. I still end up with the same error:

```
{"error":"access_denied","error_description":"The resource owner or authorization server denied the request."}
```

Any idea what I'm doing wrong? Oh, and just FYI, the `/oxauth/restv1/introspection` endpoint isn't documented in [Gluu's OIDC docs](https://gluu.org/docs/ce/3.1.1/api-guide/openid-connect-api/) at all.

By kesavan dhilip user 14 Feb 2018 at 12:30 a.m. CST

Hi David,

```
URL: {baseurl}/oxauth/restv1/introspection
Method: POST
Header:
  Authorization: Bearer bf6d4b7a-a4a5-4738-8b69-3db02f45684e
  Content-Type: application/x-www-form-urlencoded
Request:
  token: bf6d4b7a-a4a5-4738-8b69-3db02f45684e
  token_type_hint: access_token
  scope: uma_protection
```

Response:

```
{
  "active": true,
  "scopes": [
    "openid",
    "profile",
    "uma_protection",
    "externalId",
    "email"
  ],
  "client_id": "xxxx",
  "username": "kesavan",
  "token_type": "bearer",
  "exp": 1518588745545,
  "iat": 1518588445545,
  "sub": null,
  "aud": "xxx",
  "iss": "",
  "jti": null,
  "acr_values": null
}
```

I got a success response. Before, I was also getting an error response like access denied. I found the issue: our main issue was that we were not using the access token as Bearer in the Authorization header. Also use scope = uma_protection, and use the same token as both the Bearer token and the input request token.

Thanks,
Kesavan

By David Avendasora user 14 Feb 2018 at 9:27 a.m. CST

Thanks Kesavan!!! Wow, I had _really_ over-complicated things. I now have [OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) working as expected, but **only** for **active** `access_token`s.

Because oxAuth's Introspection endpoint's Authentication header requires an access_token, and the Resource Server (an OIDC Client) does not have one, I can only authenticate using the Resource Owner (RO)'s access_token. The **Resource Server** is the one asking for introspection of the *RO*'s access_token. Therefore, commandeering the RO's token to make the request is certainly not the Right Way™ to do it. It could be argued that the RO should not have access to the introspection endpoint at all.

Since the Resource Owner's access_token is the token I'm trying to introspect, I will never get a `200` response containing `"active":false`. I will only ever get a `401` error response. Getting a 401 in this situation _should_ mean that the Resource Server isn't authenticated, not that the RO's token is expired/revoked/etc.

What would be a correct way to provide my Resource Server with an access_token to use when calling the OAuth 2.0 introspection endpoint? Should I set up a user representing each Resource Server and have them authenticate themselves?

Thanks!
Dave

By David Avendasora user 15 Feb 2018 at 10:02 a.m. CST

[This post](https://support.gluu.org/access-management/4393/oauth2-client-credentials-grant-how-do-i-validate-the-token/) by Andrew Beak provides the answer to my question:

> What would be a correct way to provide my Resource Server with an access_token to use when calling the OAuth 2.0 introspection endpoint?

Depending on your OIDC client's setting for "Authentication method for the Token Endpoint", submit one of the two following requests to the `oxauth/token` endpoint:

- client_secret_basic:
  ```
  POST /oxauth/restv1/token HTTP/1.1
  Authorization: Basic QCE2MURELkQxMkEuOTBDNy5DNkFFITAwMDEhM0Q4QS45NDQxITAwMDghNzIzOS4xMTY5LjhGNjQuRkEzODpNeVNlY3VyZVBhc3N3b3JkIQ==
  Content-Type: application/x-www-form-urlencoded; charset=utf-8
  Host: iamdev1.ncmecad.net
  Connection: close
  User-Agent: Paw/3.1.5 (Macintosh; OS X/10.12.6) GCDHTTPRequest
  Content-Length: 58

  Body:
  scope=uma_protection&grant_type=client_credentials
  ```
- client_secret_post:
  ```
  POST /oxauth/restv1/token HTTP/1.1
  Content-Type: application/x-www-form-urlencoded; charset=utf-8
  Host: iamdev1.ncmecad.net
  Connection: close
  User-Agent: Paw/3.1.5 (Macintosh; OS X/10.12.6) GCDHTTPRequest
  Content-Length: 176

  Body:
  scope=uma_protection&grant_type=client_credentials&client_id=%40%2161DD.D12A.90C7.C6AE%210001%213D8A.9441%210008%217239.1169.8F64.FA38&client_secret=MySecurePassword%21
  ```

Which will provide an `application/json` response something like:

```
{
  "access_token": "1f70db91-11ac-40c1-908a-70e89db4b9a8",
  "token_type": "bearer",
  "expires_in": 299,
  "scope": "uma_protection"
}
```
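As an added example (not code from this thread or from Gluu), here is the two-step flow the thread arrives at, written as request builders plus a response classifier so it can be checked offline: the resource server obtains its own `uma_protection` token with `client_credentials`, then introspects the user's token with that token in the Authorization header, and a 401/`access_denied` (the resource server itself is not authorised) is told apart from a 200 with `"active": false` (the user's token is revoked or expired). The base URL and token values are constructed placeholders; the client_id and secret in the Basic header above are reused in the test to show that the header builder reproduces it.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_PATH = "/oxauth/restv1/token"
INTROSPECT_PATH = "/oxauth/restv1/introspection"
FORM = "application/x-www-form-urlencoded"

def basic_auth_header(client_id, client_secret):
    """client_secret_basic: 'Basic ' + base64(client_id + ':' + client_secret)."""
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")

def client_credentials_request(base_url, client_id, client_secret, auth_method="client_secret_basic"):
    """Step 1: the resource server asks the token endpoint for its own token with
    scope uma_protection. Returns method/url/headers/body so it can be inspected offline."""
    params = {"grant_type": "client_credentials", "scope": "uma_protection"}
    headers = {"Content-Type": FORM}
    if auth_method == "client_secret_basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif auth_method == "client_secret_post":
        params["client_id"] = client_id  # urlencode turns '@' and '!' into %40 and %21
        params["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported token endpoint auth method: {auth_method}")
    return {"method": "POST", "url": base_url + TOKEN_PATH, "headers": headers, "body": urlencode(params)}

def introspection_request(base_url, rs_access_token, token, token_type_hint="access_token"):
    """Step 2: introspect a user's token, authenticating with the resource server's own
    uma_protection token from step 1, never with the token that is being checked."""
    headers = {"Authorization": "Bearer " + rs_access_token, "Content-Type": FORM}
    body = urlencode({"token": token, "token_type_hint": token_type_hint})
    return {"method": "POST", "url": base_url + INTROSPECT_PATH, "headers": headers, "body": body}

def interpret_introspection(status, body):
    """Tell 'the caller is not authorised' apart from 'the checked token is inactive'.
    Returns (verdict, parsed_json); verdict is caller_unauthorized, active, inactive or error."""
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        data = None
    if not isinstance(data, dict):
        return "error", None
    if status == 401 or data.get("error") == "access_denied":
        return "caller_unauthorized", data  # fix the resource server's credentials, not the user's token
    if status != 200:
        return "error", data
    return ("active" if data.get("active") is True else "inactive"), data
```

Hand the returned dicts to any HTTP client (e.g. `urllib.request`) to send them; only `interpret_introspection` needs the real status code and body back.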