1
votes

According to this document https://developers.onelogin.com/openid-connect/guides/auth-flow-pkce

Token Endpoint for PCKE flow is None (not Basic or POST)

enter image description here

So, how can I use the validation token API https://developers.onelogin.com/openid-connect/api/validate-session because it supports Basic authentication or POST but not for None (PCKE) I can't find any information relate to this.

NOTE: I have tried to request with Basic authentication and without + client_id, client_secret as a parameter but not working.

response 401 Unauthorized

{
    "error": "invalid_client",
    "error_description": "client authentication failed"
}
2

2 Answers

2
votes

I'm using OIDC with PKCE, and I managed to call the https://openid-connect.onelogin.com/oidc/token/introspection endpoint with a token retrieved via the authorization code flow:

$ curl -i -d "token=...&token_type_hint=access_token&client_id=..." https://openid-connect.onelogin.com/oidc/token/introspection

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Content-Length: 304
Content-Type: application/json; charset=utf-8
Date: Thu, 25 Apr 2019 23:37:42 GMT
Pragma: no-cache
X-Powered-By: Express
Set-Cookie: ol_oidc_canary_040819=false; path=/; domain=.onelogin.com

{"active":true,"sub":"...","client_id":"...","exp":1558819177,"iat":1556227177,"sid":"...","iss":"https://openid-connect.onelogin.com/oidc","jti":"...","scope":"openid profile email"}

Both the access_token and refresh_token returned from the auth code flow https://developers.onelogin.com/openid-connect/api/authorization-code-grant worked, and the access_token only returned {"active":false} after it expired.

Make sure you are not setting the Authorization header, and only set your client_id in the payload.

1
votes

Use client_id and code_verify in the POST body. That will authenticate the request on that endpoint.