In my last post I described the value of reference tokens and how the OAuth 2.0 token introspection spec (aka rfc7662) gives us a standard way of using them.
Over the christmas break I worked on an ASP.NET 5-based middleware for token introspection – it is pretty simple to use:
app.UseOAuth2IntrospectionAuthentication(options =>
{
options.AutomaticAuthenticate = true;
options.ScopeName = "api1";
options.ScopeSecret = "secret";
options.Authority = "https://identityserver.io";
});
If your token issuer supports discovery, all you need to do is to pass in the base URL – the token introspection endpoint is then found via metadata (there is also a way to explicitly pass in the endpoint address).
ScopeName and ScopeSecret are used to authenticate against the introspection endpoint (you can also use an HTTP message handler if you need more control over the wire format).
The result will – as usual – get turned into a claims principal and your pipeline/business logic will have access to the claims.
The token introspection spec is quite new – but needless to say, this works with IdentityServer.
PS. This is the first beta version – there is definitely room for improvement. One thing that is missing right now is caching – but I will get to that soon. Please use github to give feedback. thanks!
leastprivilege.com 