Does IdentityServer4 have API to validate an access token?

1
votes

I have an Identity Server which is built by using IdentityServer4.

I have 2 applications (1 .NET, 1 PHP) accessing resource each other and using this Identity Server to validate access token in request header.

In Identity Server application I add a client config as below

clients.Add(
            new Client
            {
                ClientId = "myClientId",
                ClientName = "My Client Name",
                ClientSecrets = new List<Secret>
                {
                    new Secret("secret".Sha256())
                },
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                AllowedScopes = new List<string>
                {
                    "php.es.api"
                }
            });

From .NET application I can get access token easily by calling method RequestClientCredentialsAsync with scope "php.es.api". Then add this bearer token and send request to PHP API.

The problem is I don't know whether IdentityServer4 has API so that PHP application can call it to authenticate the access token. I google and don't find any document mentions about this API.

Do I have to write new API in Identity Server application for PHP or other applications not .NET to validate token?

.NET application access resource from PHP application as below.

IdentityServer4

1
c#php.netidentityserver4

1 Answers

1
votes

There is a standard endpoint for this called the introspection endpoint and it is supported by IdentityServer4. Your best bet is to find an oauth client in PHP that does this. If you are using self-contained bearer tokens you can validate tokens without the need for back-channel communication because the bearer tokens are signed by your provider and your provider has its keys listed in the discovery document required to validate the tokens (/.well-known/openid-configuration). I am not too familiar with PHP to point you in the right direction as to what cool libraries there might be out there