[mitreid-connect] How can I confirm that a client's token is genuine?
Justin Richer
jricher at mit.edu
Tue Dec 13 20:40:26 EST 2016
Use token introspection. It’s defined in RFC7662 and supported on /introspect on the server.
You’ll need to register the wrapper for your REST API on the server as a protected resource. You can either do this dynamically using the existing UI or you can do it in the admin UI and check “allow token introspection” in the config.
One caveat: by default, the server will only let the resource know about scopes associated with the token based on which scopes the resource is registered with. This is to limit information leakage to resources about a token’s potential targets. So if you’ve got a token with scopes A, B, C, and a resource server with scopes A, B, then introspecting that token from that resource will yield A, B even though the token itself also has C.
This behavior can be overridden by replacing the introspection services.
— Justin
> On Dec 13, 2016, at 9:57 AM, William Hadden1 <WilHadden at uk.ibm.com> wrote:
>
> Hi,
>
> Sorry for the stupid questions.
>
> I want to be able to write a tomcat servlet which will sit in front of our REST APIs and accept an OAuth access token from a client and be able to confirm with the issuing OAuth server that it is indeed a valid token. Also as these client are autonomous I am using client credentials flow to create the token.
>
> Currently I am able to create the token, but how should I query the OAuth server to authenticate the token from my servlet?
>
> Thanks
> Wil
> Unless stated otherwise above:
> IBM United Kingdom Limited - Registered in England and Wales with number 741598.
> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
>
> _______________________________________________
> mitreid-connect mailing list
> mitreid-connect at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/mitreid-connect/attachments/20161213/3ab88f03/attachment-0001.html
More information about the mitreid-connect
mailing list