Tags: asp.net-core, oauth-2.0, introspection

How add OAuthIntrospectionConstants.ClientAuthenticationMethods.ClientSecretPost to configuration.IntrospectionEndpointAuthMethodsSupported


I tried to get the first branch of the expression in the method GetIntrospectionPayloadAsync (AspNet.Security.OAuth.Introspection\OAuthIntrospectionHandler.cs, https://github.com/aspnet-contrib/AspNet.Security.OAuth.Extensions/blob/dev/src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs) but my PDB contains only the second case. As I understand, I should add ClientSecretPost to IntrospectionEndpointAuthMethodsSupported, but I can't find where I should do it. (using Core 1.0)

Could you please explain where I should add this option?

// If the introspection endpoint provided by the authorization server supports
// client_secret_post, flow the client credentials as regular OAuth2 parameters.
// See https://tools.ietf.org/html/draft-ietf-oauth-discovery-05#section-2
// and https://tools.ietf.org/html/rfc6749#section-2.3.1 for more information.
if (configuration.IntrospectionEndpointAuthMethodsSupported.Contains(OAuthIntrospectionConstants.ClientAuthenticationMethods.ClientSecretPost))
{
    parameters[OAuthIntrospectionConstants.Parameters.ClientId] = Options.ClientId;
    parameters[OAuthIntrospectionConstants.Parameters.ClientSecret] = Options.ClientSecret;
}

// Otherwise, assume the authorization server only supports basic authentication,
// as it's the only authentication method required by the OAuth2 specification.
// See https://tools.ietf.org/html/rfc6749#section-2.3.1 for more information.
else
{
    var credentials = Convert.ToBase64String(Encoding.ASCII.GetBytes($"{Options.ClientId}:{Options.ClientSecret}"));

    request.Headers.Authorization = new AuthenticationHeaderValue(OAuthIntrospectionConstants.Schemes.Basic, credentials);
}


UPD authorization service startup:

app.UseOpenIdConnectServer(options =>
{
    options.Provider = new AuthorizationProvider();

    options.TokenEndpointPath = "/connect/token";
    options.LogoutEndpointPath = "/connect/logout";
    options.UserinfoEndpointPath = "/connect/userinfo";
    options.IntrospectionEndpointPath = "/connect/introspect";
    options.RevocationEndpointPath = "/connect/revoke";

    options.ApplicationCanDisplayErrors = openIdOptions.Value.ApplicationCanDisplayErrors;
    options.AllowInsecureHttp = openIdOptions.Value.AllowInsecureHttp;
    options.AccessTokenLifetime = openIdOptions.Value.AccessTokenLifetime;
});

startup api:

branch.UseOAuthIntrospection(options =>
{
    options.ClientId = openIdConnectOptions.Value.ClientId;
    options.ClientSecret = openIdConnectOptions.Value.ClientSecret;
    options.Authority = openIdConnectOptions.Value.Authority;
    options.AutomaticAuthenticate = true;
    options.AutomaticChallenge = true;
});

Solution

introspection_endpoint_auth_methods_supported is returned by the authorization server as part of the discovery document (assuming it supports the OAuth2 discovery draft).

This property is supported by both the aspnet-contrib OpenID Connect server middleware and OpenIddict.

If your authorization server doesn't support this property, you can configure the introspection handler not to use discovery and force it to use the static configuration of your choice:

services.AddAuthentication(options =>
{
    options.DefaultScheme = OAuthIntrospectionDefaults.AuthenticationScheme;
})

.AddOAuthIntrospection(options =>
{
    options.Audiences.Add("resource-server-1");
    options.ClientId = "resource-server-1";
    options.ClientSecret = "846B62D0-DEF9-4215-A99D-86E6B8DAB342";
    options.Configuration = new OAuthIntrospectionConfiguration
    {
        IntrospectionEndpoint = "http://localhost:12345/connect/introspect",
        IntrospectionEndpointAuthMethodsSupported =
        {
            OAuthIntrospectionConstants.ClientAuthenticationMethods.ClientSecretBasic,
            OAuthIntrospectionConstants.ClientAuthenticationMethods.ClientSecretPost
        }
    };
});
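To make the branch choice in the answer visible on the wire, here is an added example (not code from the page or from the aspnet-contrib project) that parses a constructed discovery document and builds the RFC 7662 introspection request both ways: client_secret_post when the server advertises it, client_secret_basic otherwise. The discovery document, endpoint URL, client id, secret and token are all constructed values.

```python
import base64
import json
from urllib.parse import quote, urlencode

CLIENT_SECRET_POST = "client_secret_post"
CLIENT_SECRET_BASIC = "client_secret_basic"

# Constructed discovery document, standing in for what the authorization server
# returns from /.well-known/openid-configuration; only the fields used here are present.
DISCOVERY_DOCUMENT = json.dumps({
    "issuer": "https://as.example",
    "introspection_endpoint": "https://as.example/connect/introspect",
    "introspection_endpoint_auth_methods_supported": [CLIENT_SECRET_BASIC, CLIENT_SECRET_POST],
})


def build_introspection_request(discovery_json, client_id, client_secret, token):
    """Return (url, headers, body) for an introspection request.

    Mirrors the handler's decision quoted above: use client_secret_post when the
    discovery document advertises it, otherwise fall back to client_secret_basic,
    the only client authentication method RFC 6749 requires.
    """
    config = json.loads(discovery_json)
    url = config["introspection_endpoint"]
    methods = config.get("introspection_endpoint_auth_methods_supported", [])
    params = {"token": token}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}

    if CLIENT_SECRET_POST in methods:
        # client_secret_post: credentials travel as ordinary form parameters.
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        # client_secret_basic: RFC 6749 section 2.3.1 says id and secret are
        # form-urlencoded first, then "id:secret" is Base64-encoded.
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode("ascii")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")

    return url, headers, urlencode(params)


def without_post_support(discovery_json):
    """Constructed variant of the discovery document that only offers client_secret_basic."""
    config = json.loads(discovery_json)
    config["introspection_endpoint_auth_methods_supported"] = [CLIENT_SECRET_BASIC]
    return json.dumps(config)


if __name__ == "__main__":
    for doc in (DISCOVERY_DOCUMENT, without_post_support(DISCOVERY_DOCUMENT)):
        print(build_introspection_request(doc, "resource-server-1", "s3cret", "opaque-token"))
```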