
Token introspection and multiple scopes

Open wziska opened this issue 9 years ago • 7 comments

Hi, due to the lack of security in the token validation endpoint I decided to switch to introspection. But I have a problem configuring my API authentication options (ClientId and ClientSecret fields) because I have 2 scopes defined in RequiredScopes (let's say 'read' and 'readwrite'). If in the config I add the ClientId of the 'readwrite' scope and the client of my API has a token generated for the 'read' scope, I'll get a slightly misleading "inactive token" error because of this line. It of course works well if the client requested the 'readwrite' scope. Now I don't know which scope should be put into the API's IdentityServerBearerTokenAuthenticationOptions, because I don't know which scope the client requested. Maybe I need a new scope only for introspection purposes? But then clients would always have to request this additional scope, which seems cumbersome. Are there any other options?

Thanks, Wojtek

wziska, Aug 18 '16 15:08

By default - a scope can only see its own scope - but there is a setting on the Scope definition (AllowUnrestrictedIntrospection) that you can use to change that behavior.

https://identityserver.github.io/Documentation/docsv2/configuration/scopesAndClaims.html

leastprivilege, Aug 19 '16 10:08

Yes, I've tried enabling this setting already, but it doesn't solve my problem, because I still need to authenticate with the correct scope - the one which is included in the token. If the defined ClientId scope is a different one, I'll get this "inactive token" error. As I understand it, this setting only allows seeing other scopes, but it doesn't change authentication.

wziska, Aug 19 '16 10:08

I see the problem.

Right now we don't have a solution for that besides defining an additional scope.

leastprivilege, Aug 20 '16 08:08

That's what I do - have an explicit additional "master/introspection" scope.

Peperud, Aug 25 '16 23:08

@leastprivilege even if we define a new scope only for introspection, how will it resolve this issue? For example, there are two scopes - "read" and "readwrite" - and one for introspection, i.e. "introspect". The client got the access token for the "readwrite" and "introspect" scopes. When the client requests a resource (API), let's say "api/account", the Resource Server will introspect the token with the "introspect" scope and will get subject and active in the response of the introspect endpoint. How will the Resource Server identify the other scopes in the access token (i.e. reference token)? The Resource Server needs this information to allow the client access to the API "api/account".

SuyalK, Jan 10 '17 05:01

There's a flag on the scope - AllowUnrestrictedIntrospection - that should fix your problem.

leastprivilege, Jan 10 '17 06:01

Thanks @leastprivilege, it fixed my problem.

SuyalK, Jan 10 '17 19:01
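The configuration the thread converges on, written out as an added example (this is not code from the issue or from the IdentityServer3 project): a dedicated "introspect" scope with AllowUnrestrictedIntrospection set, used as the API's introspection credential, plus the API's bearer-token options in introspection mode. The authority URL and the scope secret are placeholders. With the flag set, the API's introspection call succeeds for tokens that carry only "read" or only "readwrite", so clients do not have to request the "introspect" scope themselves, and the introspection response still lists the token's real scopes for the RequiredScopes check.

```csharp
using System.Collections.Generic;
using IdentityServer3.Core.Models;
using IdentityServer3.AccessTokenValidation;
using Owin;

// Scope store for IdentityServer3 (example, not the project's own code).
public static class Scopes
{
    public static IEnumerable<Scope> Get()
    {
        return new List<Scope>
        {
            // The two resource scopes clients actually request.
            new Scope { Name = "read", Type = ScopeType.Resource },
            new Scope { Name = "readwrite", Type = ScopeType.Resource },

            // Dedicated scope that only the API uses as its introspection credential.
            new Scope
            {
                Name = "introspect",
                Type = ScopeType.Resource,
                // Without this flag, introspecting with "introspect" credentials reports
                // active=false for any token that does not itself contain "introspect";
                // with it, this scope may introspect tokens issued for other scopes.
                AllowUnrestrictedIntrospection = true,
                // Secret presented by the API to /connect/introspect (placeholder value).
                ScopeSecrets = new List<Secret>
                {
                    new Secret("introspect-secret-placeholder".Sha256())
                }
            }
        };
    }
}

// OWIN startup of the API that accepts tokens for "read" and "readwrite".
public class ApiStartup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "https://idsrv.example.invalid/identity", // placeholder authority
            // Validate via the server endpoint (introspection is used because
            // ClientId/ClientSecret are set) instead of validating locally.
            ValidationMode = ValidationMode.ValidationEndpoint,
            // Credentials of the introspection-only scope defined above, not of
            // whichever scope the calling client happened to request.
            ClientId = "introspect",
            ClientSecret = "introspect-secret-placeholder",
            // Scopes the incoming token must carry for the API to accept it.
            RequiredScopes = new[] { "read", "readwrite" }
        });
    }
}
```

Keep the introspection secret out of source control and rotate it like any other credential; if AllowUnrestrictedIntrospection is left at its default, the "inactive token" error described at the top of the thread reappears for every token that does not contain the introspecting scope.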