Problem description
According to this document https://developers.onelogin.com/openid-connect/guides/auth-flow-pkce:
Token Endpoint for PKCE flow is None (not Basic or POST)
So, how can I use the validate-session API https://developers.onelogin.com/openid-connect/api/validate-session, since it supports Basic authentication or POST, but not None (PKCE)?
I can't find any information related to this.
NOTE: I have tried to request with Basic authentication and without, plus client_id and client_secret as parameters, but it is not working.
The response is 401 Unauthorized:
{
"error": "invalid_client",
"error_description": "client authentication failed"
}
I'm using OIDC with PKCE, and I managed to call the https://openid-connect.onelogin.com/oidc/token/introspection endpoint with a token retrieved via the authorization code flow:
$ curl -i -d "token=...&token_type_hint=access_token&client_id=..." https://openid-connect.onelogin.com/oidc/token/introspection
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Content-Length: 304
Content-Type: application/json; charset=utf-8
Date: Thu, 25 Apr 2019 23:37:42 GMT
Pragma: no-cache
X-Powered-By: Express
Set-Cookie: ol_oidc_canary_040819=false; path=/; domain=.onelogin.com
{"active":true,"sub":"...","client_id":"...","exp":1558819177,"iat":1556227177,"sid":"...","iss":"https://openid-connect.onelogin.com/oidc","jti":"...","scope":"openid profile email"}
Both the access_token and refresh_token returned from the auth code flow https://developers.onelogin.com/openid-connect/api/authorization-code-grant worked, and the access_token only returned {"active":false} after it expired.
Make sure you are not setting the Authorization header, and only set your client_id in the payload.
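The same call from a public PKCE client, plus the checks a resource server should make on the introspection result, as an added example that is not part of the original answer. The endpoint and issuer URLs come from the answer above; CLIENT_ID and the sample response are constructed placeholders.

```python
import json
import time
import urllib.parse
import urllib.request

# Endpoint and issuer as shown in the answer; CLIENT_ID is a placeholder (assumption).
INTROSPECTION_URL = "https://openid-connect.onelogin.com/oidc/token/introspection"
ISSUER = "https://openid-connect.onelogin.com/oidc"
CLIENT_ID = "example-public-client-id"

# Constructed sample response, shaped like the one in the answer (exp/iat copied from it).
SAMPLE_RESPONSE = {
    "active": True, "sub": "user-123", "client_id": CLIENT_ID,
    "exp": 1558819177, "iat": 1556227177, "sid": "sid-123",
    "iss": ISSUER, "jti": "jti-123", "scope": "openid profile email",
}


def build_introspection_request(token, client_id, token_type_hint="access_token"):
    """Form body and headers for a public (PKCE) client: client_id is sent in the
    payload and no Authorization header is set, as the answer describes."""
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": token_type_hint, "client_id": client_id}
    ).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return body, headers


def introspect(token, client_id=CLIENT_ID, url=INTROSPECTION_URL):
    """Perform the introspection call and return the parsed JSON response."""
    body, headers = build_introspection_request(token, client_id)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def token_is_valid(introspection, expected_client_id, now=None):
    """Resource-server check: accept only active tokens from the expected issuer,
    bound to the expected client, whose exp lies in the future."""
    now = time.time() if now is None else now
    if not introspection.get("active"):
        return False
    if introspection.get("iss") != ISSUER:
        return False
    if introspection.get("client_id") != expected_client_id:
        return False
    exp = introspection.get("exp")
    return isinstance(exp, (int, float)) and exp > now
```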
This concludes the article on how to validate an access token for the OAuth2 + PKCE flow; we hope the recommended answer helps, and thank you for your support!