IdentityServer / IdentityServer4.AccessTokenValidation

IdentityServer Access Token Validation for ASP.NET Core
Apache License 2.0

ApiSecret is Required for Client with AccessTokenType = Reference #45

Closed h2chch closed 7 years ago

h2chch commented 7 years ago

I have used the sample provided on https://github.com/IdentityServer/CrossVersionIntegrationTests to use the IdentityServer4.AccessTokenValidation package to validate the token issued by IdentityServer3. I noticed that for a client with AccessTokenType set to "Reference" type, the Scope needs to have ScopeSecrets set. Thus the API which validates the token is required to set ApiSecret. Why does ScopeSecrets now become mandatory for a Reference type client?

leastprivilege commented 7 years ago

Because the new endpoint requires authentication.
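
The configuration discussed in this thread, as an added example that is not part of the original thread or the project's samples: the IdentityServer3 scope carries a ScopeSecrets entry, and the API supplies the same name and secret as ApiName and ApiSecret so the validation handler can authenticate to the introspection endpoint. The scope and client names, the authority URL and the secrets are placeholders, and the `AddIdentityServerAuthentication` registration style is an assumption about the package version in use.

```csharp
using System.Collections.Generic;
using IdentityServer3.Core.Models;              // used by the IdentityServer3 host
using IdentityServer4.AccessTokenValidation;    // used by the API
using Microsoft.Extensions.DependencyInjection;

// IdentityServer3 host: scope and client definitions (placeholder values).
public static class IdentityServerConfig
{
    public static IEnumerable<Scope> Scopes() => new[]
    {
        new Scope
        {
            Name = "api1",
            Type = ScopeType.Resource,
            // The API authenticates to the introspection endpoint with the
            // scope name plus one of these secrets (stored hashed here).
            ScopeSecrets = new List<Secret> { new Secret("api1-secret".Sha256()) }
        }
    };

    public static IEnumerable<Client> Clients() => new[]
    {
        new Client
        {
            ClientId = "client",
            ClientSecrets = new List<Secret> { new Secret("client-secret".Sha256()) },
            Flow = Flows.ClientCredentials,
            AllowedScopes = new List<string> { "api1" },
            // Reference tokens are opaque handles: the API cannot validate
            // them locally and must ask the token service about each one.
            AccessTokenType = AccessTokenType.Reference
        }
    };
}

// API: registers token validation. Configure() must also call app.UseAuthentication().
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "https://idsrv3.example/core"; // placeholder URL
                options.ApiName = "api1";          // must equal Scope.Name
                options.ApiSecret = "api1-secret"; // plaintext of the scope secret
            });
    }
}
```

In a real deployment the ApiSecret value should come from a secret store or environment configuration rather than source code.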