Fosite: Token introspect [help needed]

ezerw · October 5, 2020, 3:50am

Hi,
I’m trying to setup an internal endpoint to introspect tokens but it seems that is not possible for public clients as they have no secret.

I’ve tried to check what Hydra does but couldn’t find where the NewIntrospectionRequest is called or how this is implemented as in the docs for hydra doesn’t require Authorization headers. (https://www.ory.sh/hydra/docs/guides/oauth2-token-introspection)

Ideally I will put this not through the API and to be an RPC call instead but not able to figure out how to implement it.

Did anyone did this? Any ideas on how get this to work without authorization?

rhinmass · October 8, 2020, 10:08pm

Introspect is called on the admin server, which must be protected. There is no auth for the admin server.

ezerw · October 8, 2020, 11:42pm

Fosite NewIntrospectionRequest requires auth headers to do the introspection (check here). Maybe you’re talking about hydra?

I ended up implementing my own introspection based on hydra (look here)