IdentityServer / IdentityServer3.AccessTokenValidation

OWIN Middleware to validate access tokens from IdentityServer3
Apache License 2.0

UseIdentityServerBearerTokenAuthentication - Not raising failure events in IdentityServer #132

Closed johnny-chan closed 7 years ago

johnny-chan commented 7 years ago

Hi,

I have a WebApi that is configured to use the "UseIdentityServerBearerTokenAuthentication"

    appBuilder.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
    {
        Authority = configurationManager.SecurityTokenServiceAuthority,
        ValidationMode = ValidationMode.ValidationEndpoint,
        RequiredScopes = configurationManager.RequiredScopes
    });

and I have a Security Token Service configured to listen out for failed events

    EventsOptions = new EventsOptions()
    {
        RaiseErrorEvents = true,
        RaiseFailureEvents = true,
    }

When an unauthorised request is made to the WebApi (i.e. access token has invalid scope), is there a way for the Security Token Service to register the unauthorised failed event so that I can subsequently raise a security event, using a custom event service?

Or is this not designed for this?

leastprivilege commented 7 years ago

The introspection endpoint might have all the eventing you need:

https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Endpoints/Connect/IntrospectionEndpointController.cs

By not setting a client id / secret on the validation MW, you are using a legacy validation endpoint. When you set the id and secret - you start using introspection. Give it a try.
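
The switch described in the reply above, sketched as an added example that is not part of the original thread or the project's own code. The scope name `api1`, the secret value and the class names are placeholders; it assumes the API authenticates to introspection with a secret configured on the matching scope in IdentityServer3, and that the custom event service is registered on the token service's `IdentityServerServiceFactory`.

```csharp
using System.Collections.Generic;
using System.Diagnostics;
using System.Threading.Tasks;
using IdentityServer3.AccessTokenValidation;
using IdentityServer3.Core.Events;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;
using Owin;

public static class ApiStartup
{
    // Web API side. Without ClientId/ClientSecret the middleware calls the
    // legacy validation endpoint; with both set it calls introspection.
    public static void Configure(IAppBuilder app, string authority)
    {
        app.UseIdentityServerBearerTokenAuthentication(
            new IdentityServerBearerTokenAuthenticationOptions
            {
                Authority = authority,
                ValidationMode = ValidationMode.ValidationEndpoint,
                RequiredScopes = new[] { "api1" },   // placeholder scope
                ClientId = "api1",                   // placeholder, matches the scope name
                ClientSecret = "placeholder-secret"  // load from protected config, not source
            });
    }
}

public static class TokenServiceScopes
{
    // Token service side: the scope carries the (hashed) secret the API presents.
    public static List<Scope> Get()
    {
        return new List<Scope>
        {
            new Scope
            {
                Name = "api1",
                Type = ScopeType.Resource,
                ScopeSecrets = new List<Secret> { new Secret("placeholder-secret".Sha256()) }
            }
        };
    }
}

// Custom event service; register it with
// factory.EventService = new Registration<IEventService, SecurityEventService>();
public class SecurityEventService : IEventService
{
    public Task RaiseAsync<T>(Event<T> evt)
    {
        // Forward only failures and errors to the security log.
        if (evt.EventType == EventTypes.Failure || evt.EventType == EventTypes.Error)
            Trace.TraceWarning("IdentityServer event {0} ({1}): {2}", evt.Id, evt.Name, evt.Message);
        return Task.FromResult(0);
    }
}
```

`RequiredScopes` is still enforced inside the API's own middleware, so which rejections actually reach the token service's event pipeline should be confirmed against the introspection controller linked above.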

johnny-chan commented 7 years ago

Thank you, that worked! :)