Access Token Validation via the Introspection Endpoint

Estimated time: 5 minutes

What You Will Accomplish

In this guide, you will validate an Access Token issued by Mekarge A3 using the Introspection Endpoint defined in RFC 7662.

Mekarge A3 allows Resources to validate Access Tokens via the Introspection Endpoint. Introspection becomes important when a Client attempts to perform a highly sensitive action on the Resource. As Permissions are granted dynamically, it is important to check if the Access Token includes the exact scope required for the operation at the time of the request, not just what was initially granted.

This guide uses two different Access Tokens:

  • A Resource token used to authenticate the Resource to the Introspection Endpoint.
  • A target Access Token, which is the token being validated.

At the end of this tutorial:

  • You will validate an Access Token as a Resource.

Quick Concepts

Client: Represents the web application
Resource: Represents a protected API

Read more about Architecture and Concepts in Mekarge A3 documentation.

Prerequisites

Quick Start Steps

Tooling

  • curl to test configuration endpoints
  • jq (Optional) for better JSON output

Get Resource Access Token

  • Sign in to Mekarge A3 Console

1. Populate the .env.resource File

  1. Navigate to Environments
  2. Click at the end of the current Environment and select View Details
  3. Navigate to URLs tab
  4. Copy the Token Endpoint from Authorization Endpoints section to set TOKEN_ENDPOINT
  5. Navigate to Authorization > Resources
  6. Click at the end of the previously created row and select View Details

    💡 Hint: Find the Resource created in the Authorize Machine-to-Machine Application guide

  7. Copy the Client Id from Resource Credentials section to set RESOURCE_ID
  8. Copy the Client Secret from Resource Credentials section to set RESOURCE_SECRET
  9. Create .env.resource file in your working directory
  10. Fill out the .env.resource file with the information collected above

TOKEN_ENDPOINT=
RESOURCE_ID=
RESOURCE_SECRET=

2. Get Access Token

  1. Load .env.resource file

source .env.resource

  2. Run the following command to get Access Token to use for introspection

curl ${TOKEN_ENDPOINT} \
  -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=${RESOURCE_ID}" \
  -d "client_secret=${RESOURCE_SECRET}" \
  -d "scope=token:introspect" \
  | jq

Obtain the Access Token to Validate

3. Request Access Token to Validate

  1. Obtain a fresh Access Token for the Client using the final step from the "Authorize Machine-to-Machine Application" guide.

4. Populate the .env.introspect File

  1. Navigate to Environments
  2. Click at the end of the current Environment and select View Details
  3. Navigate to URLs tab
  4. Copy the Introspection Endpoint from Authorization Endpoints section to set INTROSPECTION_ENDPOINT
  5. Create .env.introspect file in your working directory
  6. Fill out the .env.introspect file with the information collected above
  7. Set Access Token obtained in step 2 as BEARER_TOKEN

    💡 Hint: Access Token is given by access_token attribute in response JSON

  8. Set Access Token obtained in step 3 as ACCESS_TOKEN

    💡 Hint: Access Token is given by access_token attribute in response JSON

INTROSPECTION_ENDPOINT=
ACCESS_TOKEN=
BEARER_TOKEN=

Validate Token

5. Send Introspection Request

  1. Load .env.introspect file

source .env.introspect

  2. Run the following command to validate the Access Token

curl ${INTROSPECTION_ENDPOINT} \
  -X POST \
  -H "Authorization: Bearer ${BEARER_TOKEN}" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "token=${ACCESS_TOKEN}" \
  | jq
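The two curl commands above show the raw requests; what a Resource actually needs is to turn the introspection response into an allow/deny decision for the operation being attempted. The following script is an added example, not code from this guide or from Mekarge A3: it performs both steps (client_credentials grant with the token:introspect scope, then the RFC 7662 introspection request authenticated with the Resource's Bearer token) and then checks active, exp, nbf, aud and the required scope. The endpoint URLs are placeholders, the sample responses are constructed, and the presence of an aud claim in the response is an assumption (RFC 7662 lists it as optional), so the audience check is skipped when no expected audience is supplied.

```python
import json
import os
import time
import urllib.parse
import urllib.request

# Placeholder endpoints; take the real values from .env.resource / .env.introspect.
TOKEN_ENDPOINT = os.environ.get("TOKEN_ENDPOINT", "https://auth.example.invalid/token")
INTROSPECTION_ENDPOINT = os.environ.get("INTROSPECTION_ENDPOINT", "https://auth.example.invalid/introspect")


def post_form(url, fields, bearer=None):
    """POST an application/x-www-form-urlencoded body and return the parsed JSON response."""
    data = urllib.parse.urlencode(fields).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if bearer is not None:
        headers["Authorization"] = f"Bearer {bearer}"
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def get_resource_token(resource_id, resource_secret):
    """Step 2 of the guide: the Resource authenticates with client_credentials and asks for token:introspect."""
    body = post_form(TOKEN_ENDPOINT, {
        "grant_type": "client_credentials",
        "client_id": resource_id,
        "client_secret": resource_secret,
        "scope": "token:introspect",
    })
    return body["access_token"]


def introspect(bearer_token, access_token):
    """Step 5 of the guide: RFC 7662 request, the Resource's token as Bearer, the token under test in the body."""
    return post_form(INTROSPECTION_ENDPOINT, {"token": access_token}, bearer=bearer_token)


def authorize(introspection, required_scope, expected_audience=None, now=None):
    """Decide whether the introspected token may perform an operation needing required_scope.

    Returns (allowed, reason). The checks run in the order a Resource should apply them:
    an inactive token carries no other trustworthy claims (RFC 7662 permits the server to
    return only {"active": false}), so nothing else is inspected in that case.
    """
    now = time.time() if now is None else now
    if introspection.get("active") is not True:
        return False, "token is not active"
    exp = introspection.get("exp")
    if exp is not None and now >= exp:
        return False, "token expired"
    nbf = introspection.get("nbf")
    if nbf is not None and now < nbf:
        return False, "token not yet valid"
    if expected_audience is not None:
        aud = introspection.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if expected_audience not in audiences:
            return False, "token not issued for this resource"
    # scope is a space-delimited string; require the exact scope for this operation,
    # not merely any scope the Client was granted at some earlier point.
    granted = set(introspection.get("scope", "").split())
    if required_scope not in granted:
        return False, f"missing scope {required_scope}"
    return True, "ok"


# Constructed sample responses (not captured from Mekarge A3) for offline use.
SAMPLE_ACTIVE = {
    "active": True,
    "scope": "orders:read orders:write",
    "client_id": "client-123",
    "aud": "orders-api",
    "exp": 1_700_000_600,
}
SAMPLE_INACTIVE = {"active": False}


if __name__ == "__main__":
    # Runs the live flow only when the guide's environment files have been sourced.
    needed = ("RESOURCE_ID", "RESOURCE_SECRET", "ACCESS_TOKEN")
    if all(os.environ.get(k) for k in needed):
        bearer = get_resource_token(os.environ["RESOURCE_ID"], os.environ["RESOURCE_SECRET"])
        result = introspect(bearer, os.environ["ACCESS_TOKEN"])
        print(json.dumps(result, indent=2))
        print(authorize(result, "orders:write", now=time.time()))
    else:
        print(authorize(SAMPLE_ACTIVE, "orders:write", "orders-api", now=1_700_000_000))
        print(authorize(SAMPLE_INACTIVE, "orders:write"))
```

Checking active first matters: a response for a revoked or expired token may contain nothing but active=false, so reading scope or exp before that check would silently treat missing claims as absent restrictions.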

Summary

What Happened?

  1. An Access Token with a special token:introspect Scope is requested on behalf of the Resource
  2. The Introspection endpoint is called with
    • The Access Token retrieved for Resource passed as Bearer token to authenticate the Resource.
    • The actual Access Token in question passed in the request body for the authorization server to validate.

Key Takeaways

  • Resources need to authenticate to call the Introspection endpoint.