Identityserver4: How to Properly Validate an Access Token that was Issued by Identity Server 4

Created on 21 Sep 2016 · 6 Comments · Source: IdentityServer/IdentityServer4

Given an accessToken, what is the correct way of validating an accessToken? I am trying to use Identity Server for custom authentication of Azure App Service. To do that, you must create a controller action and validate it using custom logic.

The code for custom validation is:

// plus the Microsoft.Azure.Mobile.Server usings that provide [MobileAppController]
// and Request.CreateUnauthorizedResponse()
using System.IdentityModel.Tokens.Jwt;
using System.Net;
using System.Net.Http;
using System.Web.Http;

[MobileAppController]
public class AuthController : ApiController
{
    public HttpResponseMessage Post(string accessToken)
    {
        // implementation below, not sure how to validate using Identity Server
        if (!this.IsAccessTokenValid(accessToken))
        {
            return this.Request.CreateUnauthorizedResponse();
        }

        // GetAuthenticationToken is defined elsewhere in the controller
        JwtSecurityToken token = this.GetAuthenticationToken(accessToken);

        return this.Request.CreateResponse(HttpStatusCode.OK, new
        {
            Token = token.RawData,
            Username = token.Subject   // username taken from the token's "sub" claim
        });
    }

    private bool IsAccessTokenValid(string accessToken)
    {
        // this is where we would do checks against a database

        return true;
    }
}

I am not sure what I should do in IsAccessTokenValid to validate a given accessToken. I dissected the code for IdentityServer4.AccessTokenValidation and it seems it uses JwtSecurityTokenHandler to validate accessTokens. So is this code sufficient to validate a token?

private bool IsAccessTokenValid(string accessToken)
{
    try
    {
        var handler = new JwtSecurityTokenHandler();
        // ValidateToken needs TokenValidationParameters (expected issuer, audience and
        // the issuer's signing keys); this.tokenValidationParameters is a field of that
        // type set up elsewhere in the controller. Without them nothing is verified.
        SecurityToken validatedToken;
        handler.ValidateToken(accessToken, this.tokenValidationParameters, out validatedToken);
        return true;
    }
    catch (SecurityTokenException)
    {
        // signature, issuer, audience or lifetime check failed
        return false;
    }
    catch (ArgumentException)
    {
        // not a well-formed JWT
        return false;
    }
}

There seems to be a separate endpoint for token validation in Identity Server 3 called AccessTokenValidationController. Is there an equivalent endpoint for that in version 4? Thank you.

All 6 comments

Check out the Introspection Endpoint. This implements RFC 7662:

...method for a protected resource to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token.
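The exchange this answer points to, as an added C# example that is not from the original thread nor from IdentityServer4 itself: the API POSTs the token to the introspection endpoint, authenticates with its own credentials, and treats anything other than a 200 response carrying "active": true as a rejected token. The endpoint path connect/introspect, the API resource name api1 and its secret are assumed values, and FakeIntrospectionEndpoint is a constructed stand-in for the authorization server so the program runs offline; it knows one active token and answers "active": false for everything else.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

// Client side of RFC 7662 token introspection (assumed endpoint path and credentials).
public sealed class IntrospectionClient
{
    private readonly HttpClient http;
    private readonly string apiName;
    private readonly string apiSecret;

    public IntrospectionClient(HttpClient http, string apiName, string apiSecret)
    {
        this.http = http; this.apiName = apiName; this.apiSecret = apiSecret;
    }

    // Returns the claims of an active token, or null when the token must be rejected.
    // Every failure path (HTTP error, bad JSON, "active": false, stale exp) fails closed.
    public async Task<Dictionary<string, JsonElement>> IntrospectAsync(string accessToken)
    {
        using var request = new HttpRequestMessage(HttpMethod.Post, "connect/introspect");
        // RFC 7662 2.1: the protected resource must authenticate itself to the endpoint;
        // here as HTTP Basic with the API resource's name and secret.
        var basic = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{apiName}:{apiSecret}"));
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);
        request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["token"] = accessToken,
            ["token_type_hint"] = "access_token",
        });

        using var response = await http.SendAsync(request);
        if (response.StatusCode != HttpStatusCode.OK) return null;

        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        var claims = new Dictionary<string, JsonElement>();
        foreach (var p in doc.RootElement.EnumerateObject()) claims[p.Name] = p.Value.Clone();

        // "active" is the only required member of the response (RFC 7662 2.2).
        if (!claims.TryGetValue("active", out var active) || active.ValueKind != JsonValueKind.True) return null;
        // Defence in depth: an "exp" already in the past means the answer is stale.
        if (claims.TryGetValue("exp", out var exp) && exp.GetInt64() <= DateTimeOffset.UtcNow.ToUnixTimeSeconds()) return null;
        return claims;
    }
}

// Constructed stand-in for the authorization server so the example runs offline.
public sealed class FakeIntrospectionEndpoint : HttpMessageHandler
{
    public const string ActiveToken = "reference-token-constructed-for-demo";

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        // The endpoint must refuse unauthenticated callers.
        var expected = Convert.ToBase64String(Encoding.UTF8.GetBytes("api1:secret"));
        if (request.Headers.Authorization?.Parameter != expected)
            return new HttpResponseMessage(HttpStatusCode.Unauthorized);

        var form = await request.Content.ReadAsStringAsync();          // "token=...&token_type_hint=..."
        var token = WebUtility.UrlDecode(form.Split('&')[0].Split('=')[1]);
        var exp = DateTimeOffset.UtcNow.AddMinutes(5).ToUnixTimeSeconds();
        var body = token == ActiveToken
            ? $"{{\"active\":true,\"sub\":\"818727\",\"scope\":\"api1\",\"exp\":{exp}}}"
            : "{\"active\":false}";
        return new HttpResponseMessage(HttpStatusCode.OK)
        {
            Content = new StringContent(body, Encoding.UTF8, "application/json")
        };
    }
}

public static class Demo
{
    public static async Task Main()
    {
        var http = new HttpClient(new FakeIntrospectionEndpoint()) { BaseAddress = new Uri("https://idp.example.com/") };
        var client = new IntrospectionClient(http, "api1", "secret");

        var ok = await client.IntrospectAsync(FakeIntrospectionEndpoint.ActiveToken);
        Console.WriteLine(ok == null ? "rejected" : "active, sub=" + ok["sub"].GetString());

        var bad = await client.IntrospectAsync("revoked-or-unknown");
        Console.WriteLine(bad == null ? "rejected" : "active");
    }
}
```

In the controller from the question, IsAccessTokenValid would become a call to IntrospectAsync and a null check. Introspection is the only option for reference tokens, which carry nothing verifiable on their own; for JWTs it trades one network round trip per request for immediate revocation.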

Thanks a lot. Will check that out.

The docs say:

... or JWTs if the consumer does not have support for appropriate JWT or cryptographic libraries

So, is it possible to validate a JWT token (not a reference token) in a more traditional way (e.g. using JwtSecurityTokenHandler.ValidateToken() or like here)?

yes
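What that local validation looks like with JwtSecurityTokenHandler, as an added C# example that is neither the thread's code nor IdentityServer4's: it mints tokens with a constructed RSA key and then validates them with TokenValidationParameters that pin issuer, audience, algorithm and lifetime, so a wrong audience, an expired token and a tampered signature are all rejected. The issuer https://idp.example.com and the audience api1 are assumed names, and the in-process Mint() exists only so the program runs offline. In production the API does not hold the key itself; it loads the issuer's public keys from the discovery document's jwks_uri, for example with ConfigurationManager<OpenIdConnectConfiguration> from Microsoft.IdentityModel.Protocols.OpenIdConnect, whose GetConfigurationAsync() result exposes SigningKeys for IssuerSigningKeys.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class JwtValidationDemo
{
    // Signing key constructed for this example; a real API verifies with the
    // issuer's public keys fetched from the discovery document instead.
    static readonly RsaSecurityKey SigningKey = new RsaSecurityKey(RSA.Create(2048)) { KeyId = "demo-key" };

    const string Issuer = "https://idp.example.com";   // assumed IdentityServer URL
    const string Audience = "api1";                     // assumed API resource name

    // Mints an RS256 JWT the way the token service would; only here so the demo is offline.
    public static string Mint(string audience, DateTime expires)
    {
        var handler = new JwtSecurityTokenHandler();
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = audience,
            Subject = new ClaimsIdentity(new[] { new Claim("sub", "818727"), new Claim("scope", "api1") }),
            NotBefore = expires.AddMinutes(-10),   // keep nbf < exp even for already-expired demo tokens
            Expires = expires,
            SigningCredentials = new SigningCredentials(SigningKey, SecurityAlgorithms.RsaSha256),
        };
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // The checks that make ValidateToken meaningful: who issued it, who it is for,
    // which algorithm and key signed it, and whether it is still within its lifetime.
    public static ClaimsPrincipal Validate(string accessToken)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = SigningKey,                          // public half is enough to verify
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 }, // never trust the token's own "alg"
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            RequireSignedTokens = true,
            RequireExpirationTime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
        };
        var handler = new JwtSecurityTokenHandler();
        handler.InboundClaimTypeMap.Clear();   // keep "sub" as "sub" instead of remapping to ClaimTypes
        return handler.ValidateToken(accessToken, parameters, out _);
    }

    public static void Main()
    {
        var good = Mint(Audience, DateTime.UtcNow.AddMinutes(5));
        Console.WriteLine("accepted, sub=" + Validate(good).FindFirst("sub")?.Value);

        // Flip one character inside the signature segment, away from its trailing padding bits.
        var i = good.Length - 10;
        var tampered = good.Substring(0, i) + (good[i] == 'A' ? 'B' : 'A') + good.Substring(i + 1);

        var rejects = new[]
        {
            Mint("other-api", DateTime.UtcNow.AddMinutes(5)),   // wrong audience
            Mint(Audience, DateTime.UtcNow.AddMinutes(-5)),     // expired
            tampered,                                           // bad signature
        };
        foreach (var bad in rejects)
        {
            try { Validate(bad); Console.WriteLine("unexpectedly accepted"); }
            catch (SecurityTokenException e) { Console.WriteLine("rejected: " + e.GetType().Name); }
        }
    }
}
```

Both audience and issuer must be pinned: a token that verifies under the issuer's key but was issued for a different API is still valid as a signature, and only the aud check stops it from being replayed against this one. Local validation cannot see revocation, so a token stays acceptable until exp unless the API also introspects or keeps lifetimes short.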

Hi, I want to use IdentityServer 4 with SharePoint 2013 and have it integrated with another home-built application which uses its own mechanism of authentication and authorization. Is it possible that Identity Server receives a POST request from that application having username and role and generates a token which is then passed to SharePoint 2013 for Single Sign On login without validating against any user store?
