ReferenceToken (scopes without secrets) with IdentityServer3

[lukasz-ciura]

Hi, We have legacy IdentityServer3 that uses ReferenceToken without Introspection endpoint (scopes does not have secrets) - we cannot modify this.

Our application use ASP.NET Core 2.0 and only IdentityServer4.AccessTokenValidation is available for us.

Is it possible to use authorization with ReferenceToken in our situation?

Can we somehow force our application (ASP.Net core 2.0) to use Access token validation endpoint where secrets for scopes are not required?

[leastprivilege]

No. The old token validation endpoint is not supported anymore. You could manually implement it of course.

[lukasz-ciura]

Thanks for quick response.

Is there any other way to avoid checking of secrets for scopes?

[leastprivilege]

The introspection endpoint requires authentication.