oidc introspection not working


Hi Travis,

I would like to use the oidc access token introspection feature for a project. But it is not working when using a discover_url. In the eas log I see this error message:

{"message":"issuer does not support introspection","level":"error","service":"external-auth-server"}

In our oidc metadata there is an “introspection_endpoint” provided. This is correct according to https://tools.ietf.org/html/rfc8414.

I assume it is caused by this line: https://github.com/travisghansen/external-auth-server/blob/master/src/plugin/oauth/index.js#L1254

I guess it should be

      if (!issuer.metadata.introspection_endpoint) {

Instead of:

      if (!issuer.metadata.token_introspection_endpoint) {

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 6 (5 by maintainers)

Top GitHub Comments

1 reaction
travisghansen commented, Feb 18, 2021

@Electrofenster strictly speaking jwt can be used outside of oauth/oidc so it's not necessarily implied that those are being used (and by extension the introspection feature of the specs) when using basic jwt. It could be added however to the project to support that. Let’s open another ticket to get your requests sorted out. It’s good timing because I’ve got some other minor tweaks to make to the project upcoming 😃

0 reactions
Electrofenster commented, Feb 18, 2021

@travisghansen why doesn’t the jwt plugin use the introspection endpoint to validate that the accessToken is still valid? When I logout all my sessions in keycloak for the previously authenticated user the accessToken is still valid. I think that’s because the jwt plugin doesn’t use the introspection endpoint to validate the accessToken?

Also I don’t get the X-Userinfo - Header with the jwt-plugin 😦
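
The two points raised in this thread (which metadata key names the introspection endpoint, and what introspection adds over local JWT verification) can be shown in one added example; this is not code from external-auth-server. The function names, the `idp.example.test` host and the fallback to the older `token_introspection_endpoint` key are assumptions made for illustration.

```javascript
// Added example, not project code. RFC 8414 names the discovery field
// `introspection_endpoint`; accepting `token_introspection_endpoint` as a
// fallback is an assumption for metadata that still uses the older key.
function resolveIntrospectionEndpoint(metadata) {
  const candidate =
    metadata.introspection_endpoint || metadata.token_introspection_endpoint;
  if (typeof candidate !== "string") return null;
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return null; // not an absolute URL
  }
  // The token and client credentials are sent here, so require TLS.
  return url.protocol === "https:" ? url.href : null;
}

// RFC 7662 request: form-encoded POST, client authenticated with HTTP Basic.
// Values with reserved characters need the form-encoding of RFC 6749
// section 2.3.1 before being joined; the sample values below are plain ASCII.
function buildIntrospectionRequest(endpoint, token, clientId, clientSecret) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
  return {
    url: endpoint,
    method: "POST",
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
      Accept: "application/json",
      Authorization: `Basic ${basic}`,
    },
    body: new URLSearchParams({ token, token_type_hint: "access_token" }).toString(),
  };
}

// Fail closed: only a boolean `active: true` from the server counts as valid.
// A token whose signature and expiry still verify locally is rejected here
// once the authorization server reports it as inactive.
function isTokenActive(response) {
  return response !== null && typeof response === "object" && response.active === true;
}

// Constructed sample metadata and response (not taken from a real provider).
const endpoint = resolveIntrospectionEndpoint({
  issuer: "https://idp.example.test",
  introspection_endpoint: "https://idp.example.test/introspect",
});
console.log(buildIntrospectionRequest(endpoint, "abc.def", "eas", "s3cret"));
console.log(isTokenActive({ active: false })); // response after the session was ended
```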
