IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

Reference token introspection in Owin validation middleware UseIdentityServerBearerTokenAuthentication #2555

Closed binarymist closed 8 years ago

binarymist commented 8 years ago

In working through: http://leastprivilege.com/2015/11/25/reference-tokens-and-introspection/ and tailing on this thread: https://github.com/IdentityServer/IdentityServer3/issues/2130

It doesn't seem to matter if I change the ClientSecret to something invalid on any "resource server" (microservices in our case) (different from that specified in the ScopeSecrets of the scope of a particular microservice). The microservice is still authorised as long as my token is valid, so what exactly does the following code do?

```csharp
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
    Authority = "https://localhost:44333/core",
    RequiredScopes = new[] { "api1" },

    ClientId = "api1",
    ClientSecret = "secret" // It makes no difference what this is set to.
});
```

Some context: We were using JWTs but realised that we needed to use reference tokens in order to invalidate user sessions.

leastprivilege commented 8 years ago

I can't repro that with our host and the clients sample (e.g. the MVC manual code flow client).

I am sure you have logging turned on - right?

A successful request (with correct scope secret) must produce output like this:

```text
[06:53:23 INF] Start introspection request
[06:53:23 DBG] Start scope validation
[06:53:23 DBG] Start parsing Basic Authentication secret
[06:53:23 DBG] Parser found secret: BasicAuthenticationSecretParser
[06:53:23 INF] Secret id found: write
[06:53:23 DBG] Cache hit: write
[06:53:23 DBG] Secret validator success: HashedSharedSecretValidator
[06:53:23 INF] Scope validation success
[06:53:23 INF] Start access token validation
[06:53:23 DBG] Cache hit: codeclient
```

whereas an invalid scope secret produces

```text
[06:53:49 INF] Start introspection request
[06:53:49 DBG] Start scope validation
[06:53:49 DBG] Start parsing Basic Authentication secret
[06:53:49 DBG] Parser found secret: BasicAuthenticationSecretParser
[06:53:49 INF] Secret id found: write
[06:53:49 DBG] Cache hit: write
[06:53:49 DBG] No matching hashed secret found.
[06:53:49 INF] Secret validators could not validate secret
[06:53:49 INF] Scope validation failed.
[06:53:49 WRN] Scope unauthorized to call introspection endpoint. aborting.
```

binarymist commented 8 years ago

No, I haven't got logging on. What's the best resource for info on how to do that? Thanks.

leastprivilege commented 8 years ago

Check the docs — cheers Dominick Baier

mohanr commented 8 years ago

I just added this in my startup.

```csharp
using Serilog;

// Send IdentityServer3's log output (down to Verbose) to System.Diagnostics tracing
Log.Logger = new LoggerConfiguration()
    .MinimumLevel.Verbose()
    .WriteTo.Trace()
    .CreateLogger();
```

and this in my web config.

```xml
<system.diagnostics>
  <trace autoflush="true">
    <listeners>
      <!-- Write the trace output that Serilog emits to Trace.log -->
      <add name="TextWriter" type="System.Diagnostics.TextWriterTraceListener" initializeData="Trace.log" />
    </listeners>
  </trace>
</system.diagnostics>
```

binarymist commented 8 years ago

```text
2016-02-15 11:10:38.844 +13:00 [Information] Start introspection request
2016-02-15 11:10:38.844 +13:00 [Information] Start introspection request
2016-02-15 11:10:38.856 +13:00 [Debug] Start scope validation
2016-02-15 11:10:38.856 +13:00 [Debug] Start scope validation
2016-02-15 11:10:38.860 +13:00 [Debug] Start parsing for X.509 certificate
2016-02-15 11:10:38.865 +13:00 [Debug] Start parsing for X.509 certificate
2016-02-15 11:10:38.871 +13:00 [Debug] client_id is not found in post body
2016-02-15 11:10:38.890 +13:00 [Debug] client_id is not found in post body
2016-02-15 11:10:38.897 +13:00 [Debug] Start parsing for secret in post body
2016-02-15 11:10:38.901 +13:00 [Debug] Start parsing for secret in post body
2016-02-15 11:10:38.906 +13:00 [Debug] No secret in post body found
2016-02-15 11:10:38.910 +13:00 [Debug] No secret in post body found
2016-02-15 11:10:38.917 +13:00 [Debug] Start parsing Basic Authentication secret
2016-02-15 11:10:38.922 +13:00 [Debug] Start parsing Basic Authentication secret
2016-02-15 11:10:38.931 +13:00 [Debug] Parser found secret: "BasicAuthenticationSecretParser"
2016-02-15 11:10:38.940 +13:00 [Debug] Parser found secret: "BasicAuthenticationSecretParser"
2016-02-15 11:10:38.952 +13:00 [Information] Secret id found: "service1"
2016-02-15 11:10:38.985 +13:00 [Information] Secret id found: "service1"
2016-02-15 11:10:39.005 +13:00 [Information] No scope with that name found. aborting
2016-02-15 11:10:39.022 +13:00 [Information] No scope with that name found. aborting
2016-02-15 11:10:39.078 +13:00 [Warning] Scope unauthorized to call introspection endpoint. aborting.
2016-02-15 11:10:39.094 +13:00 [Warning] Scope unauthorized to call introspection endpoint. aborting.
```
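The three outcomes logged in this thread (secret accepted, wrong secret, scope id that does not exist) plus the "no ScopeSecrets configured" case all come from the same check: before the introspection endpoint will answer, the authorization server authenticates the *scope* that is calling it, using the ClientId/ClientSecret the validation middleware sends as HTTP Basic credentials. Below is an added Python model of that check, written for this page and not code from IdentityServer3; the scope configuration, the request body and the names `parse_secret`, `validate_scope` and `introspect_outcomes` are constructed for the example, the hashed-secret format (base64 of SHA-256) is modelled on IdentityServer3's `Sha256()` helper, and the log strings that appear in the thread are reproduced verbatim while the rest are generic.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass


def sha256_b64(secret: str) -> str:
    # Hashed-secret format assumed here: base64(SHA-256(UTF-8 secret)),
    # i.e. what IdentityServer3's string.Sha256() extension produces.
    digest = hashlib.sha256(secret.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


@dataclass(frozen=True)
class Scope:
    name: str
    scope_secrets: tuple  # hashed values, standing in for Scope.ScopeSecrets


# Constructed configuration (an assumption, not a sample host): "write" has a
# hashed ScopeSecret, "api1" has none, and "service1" does not exist at all.
SCOPES = {
    "write": Scope("write", (sha256_b64("secret"),)),
    "api1": Scope("api1", ()),
}


def basic_auth_header(scope_id: str, secret: str) -> str:
    """What the validation middleware sends to the introspection endpoint:
    HTTP Basic credentials built from the scope id (ClientId) and its secret."""
    raw = f"{scope_id}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_secret(headers: dict, post_body: dict, log: list):
    """Try the secret parsers in the order the thread's log shows.
    Returns (scope_id, secret) or None when no parser found credentials."""
    log.append("Start parsing for X.509 certificate")  # no client cert in this model
    if "client_id" not in post_body:
        log.append("client_id is not found in post body")
    log.append("Start parsing for secret in post body")
    if "client_id" in post_body and "client_secret" in post_body:
        log.append("Parser found secret: PostBodySecretParser")
        return post_body["client_id"], post_body["client_secret"]
    log.append("No secret in post body found")
    log.append("Start parsing Basic Authentication secret")
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[len("Basic "):]).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    log.append("Parser found secret: BasicAuthenticationSecretParser")
    scope_id, secret = decoded.split(":", 1)
    return scope_id, secret


def validate_scope(headers: dict, post_body: dict, scopes=SCOPES):
    """Model of the scope check guarding the introspection endpoint.
    Returns (authorized, log)."""
    log = ["Start introspection request", "Start scope validation"]
    parsed = parse_secret(headers, post_body, log)
    if parsed is None:
        log.append("Scope unauthorized to call introspection endpoint. aborting.")
        return False, log
    scope_id, secret = parsed
    log.append(f"Secret id found: {scope_id}")
    scope = scopes.get(scope_id)
    if scope is None:
        log.append("No scope with that name found. aborting")
        log.append("Scope unauthorized to call introspection endpoint. aborting.")
        return False, log
    presented = sha256_b64(secret)
    # Constant-time comparison against every stored hash; an empty
    # ScopeSecrets list can never match, which is what the samples ran into.
    if any(hmac.compare_digest(presented, stored) for stored in scope.scope_secrets):
        log.append("Secret validator success: HashedSharedSecretValidator")
        log.append("Scope validation success")
        return True, log
    log.append("No matching hashed secret found.")
    log.append("Secret validators could not validate secret")
    log.append("Scope validation failed.")
    log.append("Scope unauthorized to call introspection endpoint. aborting.")
    return False, log


def introspect_outcomes() -> dict:
    """The four situations discussed in the thread; only the credentials in
    the Authorization header change, the token in the body stays the same."""
    body = {"token": "opaque-reference-token"}  # constructed, not a real token
    cases = {
        "correct secret": basic_auth_header("write", "secret"),
        "wrong secret": basic_auth_header("write", "not-the-secret"),
        "unknown scope id": basic_auth_header("service1", "secret"),
        "scope without ScopeSecrets": basic_auth_header("api1", "secret"),
    }
    return {name: validate_scope({"Authorization": h}, body)[0] for name, h in cases.items()}


if __name__ == "__main__":
    for name, ok in introspect_outcomes().items():
        print(f"{name}: {'authorized' if ok else 'rejected'}")
```

The point the model makes is that the secret is checked by the authorization server, not by the resource server, so a wrong ClientSecret only ever shows up in the server's log; that is why turning logging on at the IdentityServer host is the first step for this kind of problem, and why a scope with no ScopeSecrets at all fails in the same way as a wrong secret.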

binarymist commented 8 years ago

Sorted this out, just a matter of changing configuration. Is a lot easier with logging on.

dkaminski commented 8 years ago

I was struggling with the API in the clients sample not working, failing on token introspection, always running into "secret validators could not validate secret" in the logs. Searching on that output brought me here, and I finally realized that there are no ScopeSecrets defined in any of the hosts in the samples repository. I'll work on submitting a PR for that.