Can't get access to introspect

Till · March 26, 2018, 4:20pm

Hi, I’m desperately trying to get access to the /oauth2/introspect api. I’m currently using postman and created a client for this:
{
“id”: “tills-postman”,
“client_name”: “Tills Postman”,
“redirect_uris”: [
“https://www.getpostman.com/oauth2/callback”
],
“grant_types”: [
“client_credentials”
],
“response_types”: [
“token”
],
“scope”: “hydra.consent hydra.clients hydra.policies hydra.*”,
“owner”: “”,
“policy_uri”: “”,
“tos_uri”: “”,
“client_uri”: “”,
“logo_uri”: “”,
“contacts”: null,
“public”: false
}

So I created this policy to get instrospection to work:
{
“id”: “accesstoken_introsp-policy”,
“description”: “Can introspect tokens”,
“subjects”: [
“tills-postman”
],
“effect”: “allow”,
“resources”: [
“rn:hydra:oauth2:tokens”
],
“actions”: [
“introspect”
],
“conditions”: {}
}

But whenever I call the /oauth2/introspect rest endpoint I get the following error in the console:
level=error msg=“An error occurred” error=“Validator returned error A validator returned an error: The request could not be authorized: Token is inactive because it is malformed, expired or otherwise invalid”

The token I’m using to authenticate is working for other endpoints like /clients or /policies. What is it I’m missing here?

Thanks in advance.

hackerman · March 26, 2018, 4:56pm

What does the request look like (curl)?

pnicolcev-tulipretai · March 27, 2018, 4:58am

The token I’m using to authenticate is working for other endpoints like /clients or /policies. What is it I’m missing here?

Does your client have the hydra.introspect scope?

Till · March 27, 2018, 6:28am

Hi, thanks for your answers.
The curl command should look like this:
curl --request POST -k -H “Authorization:bearer z-anOmDU7q0QjsVuGAo13Ab-q7ZNZJPzRqDAiaqrsbY.YIiJvJ6SvLG2FblenlkBMpwTqMyRT50z8_VQ1DViceY” -F ‘token=z-anOmDU7q0QjsVuGAo13Ab-q7ZNZJPzRqDAiaqrsbY.YIiJvJ6SvLG2FblenlkBMpwTqMyRT50z8_VQ1DViceY’ https://192.168.162.168:9001/oauth2/introspect

I added the hydra.* scope which seems to work for hydra.clients and hydra.policies. Just to be sure I added the hydra.introspect scope to the client and requested a token with this scope, but still it won’t authorize.

pnicolcev-tulipretai · March 27, 2018, 6:41pm

Are you introspecting an access token or a refresh token? I seem to remember this happening with refresh tokens.

Till · March 28, 2018, 7:34am

Hi, I’m trying to introspect my own token which is working fine for clients or policies.

Till · March 28, 2018, 7:58am

I tried a bit more and I can validate the token with the binary with admin credentials.

./hydra token validate fcIpMKC4qKPxX5aRCvI1WYeLE-z1Kiat2B3YTbmBLWs.RfA7puDRyZuX7Cink6-cj1aAdP_5Ylr4e1nYbPJR_OE --skip-tls-verify
{
    "active": true,
    "aud": "admin",
    "client_id": "admin",
    "exp": 1522226359,
    "iat": 1522222759,
    "iss": "https://localhost:9001",
    "scope": "hydra.*",
    "sub": "admin"
}

But when I’m trying to verify this token using the admin token it won’t work through curl
curl --request POST -k -H "Authorization:bearer fcIpMKC4qKPxX5aRCvI1WYeLE-z1Kiat2B3YTbmBLWs.RfA7puDRyZuX7Cink6-cj1aAdP_5Ylr4e1nYbPJR_OE" -F 'token=fcIpMKC4qKPxX5aRCvI1WYeLE-z1Kiat2B3YTbmBLWs.RfA7puDRyZuX7Cink6-cj1aAdP_5Ylr4e1nYbPJR_OE' https://192.168.162.168:9001/oauth2/introspect {"active":false}

edit:
Further random trying revealed that you have to send the data as Content-Type: application/x-www-form-urlencoded and not as form-data as the documentation here suggests.

hackerman · March 29, 2018, 1:18pm

We should probably throw a more meaningful error message here… Can you open an issue for that, so i don’t forget? Thanks!

hackerman · May 25, 2018, 9:02am

5 posts were split to a new topic: Token Introspection does not work with a public OAuth2 Client

hackerman · May 25, 2018, 9:29am

A post was merged into an existing topic: Token Introspection does not work with a public OAuth2 Client