@zamd
Last active November 29, 2017 15:38
Auth0 ASP Introspection

Auth0 ASP Introspection API

POST https://{tenant}/oauth/introspect

{ "client_assertion": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FwaS5maW5pc2VuLmNvbSIsInN1YiI6Imh0dHBzOi8vYXBpLmZpbmlzZW4uY29tIiwiYXVkIjoiaHR0cHM6Ly96dWxmaXFhci5hdXRoMC5jb20vIiwiZXhwIjoxNzk4NzU0MTI3fQ.iYS-OdkUYP9vL1i9PFCL_llGla43TmhiAaGAg5cdeDJqfupFb5ZBeVs6vdGOEMGpCFgSJ3aGnZpfrlItvL3whcFaAKpAppFl17tUCAFHFxLZCyVO09pUcQ3y3lKBdmF3HoysmugfK-943R1o5S-91C_ASaU24NhnrOPA0UsUNekqotHCVTr9V6TFIh8qAJPwLbd7Q0GyEAxx6Jj_-_E0k6Un4b6AUEh54A8DDkeodCq1D7KplJMNYoHLW4UCPFKg-5DcB1TAwuHdaIprqKdlipg_RUd6UtK4l66GiKYkXo_onl1B04oCPOxsnwUmYBBNf4vHFEjKArPiOxANretv3A", "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer", "token": "bw6xGRqEjBQUr9FxJTfp" }

### JWT Payload

{ "iss": "https://api.finisen.com", "sub": "https://api.finisen.com", "aud": "https://zulfiqar.auth0.com/", "exp": 1798754127 }

CURL

curl -X POST \
  https://zulfiqar.au.auth0.com/oauth/introspect \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'postman-token: ac751c1b-9639-0e14-6946-3982b4e5f1d5' \
-d '{ "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer", "client_assertion": "eyJhbGciOiJSUzCvDQAU66Ih3l_QLE1Yhxi3jhAi9jSPhqIqh5mBqgbXRkCUfz91BtpyR_Ur-r4RSvTQ-A8KscirwgBg", "token": "bRK5hOzIkLHuFwzwgHhU" }'

JWT

HEADER
{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "eu-master"
}
PAYLOAD

{
  "iss": "https://media.server.io",
  "sub": "https://media.server.io",
  "aud": "https://zulfiqar.au.auth0.com/",
  "exp": 1511979472
}

RS setup

The resource server can be set up with multiple verificationKeys as follows:

curl -X PATCH \
  https://zulfiqar.au.auth0.com/api/v2/resource-servers/5988063fe4485a3d7ece7233 \
  -H 'authorization: Bearer eyJ0eXAiOiJKV1Qi' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'postman-token: 7e3a6fbe-ccac-7925-d18c-6aaaac7fb530' \
  -d '{
    "verificationKeys": [
        {
            "pem": "-----BEGIN CERTIFICATE-----\r\nMIIFYTCCBEmgAwIBAgISA19kY3wRP1zhxhQNwH4Qe5I5MA0GCSqGSIb3DQEBCwUA\r\nMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD\r\nExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzEwMTgwODI4MTNaFw0x\r\nODAxMTYwODI4MTNaMB0xGzAZBgNVBAMTEnp1bGZpcWFyLmdvdGRucy5jaDCCASIw\r\nDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN+jqUToJI763UsBkEQz5aGNXdol\r\nDOxBRkEwOBsLI6BMWU/NEKNFjp154PDssirAii5U9ibbpGuj7HQX51zjSMpDRXPz\r\nryy9wZtILTynC2gB6zhTzLIt5TEsAiEoBDIeancysPOO2ZzW3QWGXXY3WjA4p7Hz\r\nb4NZsj7waWSPE8kHyVn53+rygYdDrKL7Lz4AQfJ/iC8dTHdB93fEz19F12TgtuMc\r\nNLGR+qGPb5d8vRkGXNReW/50u/UX0mtmwAOB0WQJVTwCQ7M0IqTU+9JSXMjdOuCB\r\ndQj+ylPdMWG6OKbkq7NcM1rqncBBPbudRsFmbugNJYKAKBYmLr3HE1i7ElUCAwEA\r\nAaOCAmwwggJoMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI\r\nKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUn737a7+mei0dBczn8Z2t\r\niFmCKcswHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUH\r\nAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5\r\ncHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5\r\ncHQub3JnLzB3BgNVHREEcDBugg5hdXRoLmdvdGRucy5jaIIVZmluaXNlbmNvcnAu\r\nZ290ZG5zLmNoghFteWxvZ2luLmdvdGRucy5jaIIPbXlzdHMuZ290ZG5zLmNogg1z\r\nc28uZ290ZG5zLmNoghJ6dWxmaXFhci5nb3RkbnMuY2gwgf4GA1UdIASB9jCB8zAI\r\nBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8v\r\nY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRp\r\nZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGll\r\ncyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBv\r\nbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5\r\nLzANBgkqhkiG9w0BAQsFAAOCAQEAUXQs1likLUJ+oH6B14cFn3VKvlK1xK8cTXZD\r\npgOpn3rZ5PkIf7EMDdGg1SocWSR0fEkvoQzjs8WmnusdlUjwuGxvM14CFy+tFyIJ\r\nFBcWWBLnONod5sQxAivvd+8jZWjJurrjywJspGm9JMes5QAUaAbSGew5q6eWRfDu\r\nop2eW1GsycLXLWST4jfNfFMy6Z82RjM00kmKp/1gpPS+TFi1BmoqVxq0q1Jay3US\r\ncopuVVbshQmHelUhvb3fd4QdmhH24T/dxQhyQflFeHDkHLqjSRYQiceWlFjAS/oy\r\nTkJ0OFTn7hFHnih5TX+SPYMtCcxfqJ1rBV8kcDtoIODBW
ujknw==\r\n-----END CERTIFICATE-----\r\n",
            "kid": "au-master"
        },
        {
            "kid": "eu-master",
            "pem": "-----BEGIN CERTIFICATE-----\r\nMIIFejCCBGKgAwIBAgISA6GbB94fIsP3mTF7FmVkcMB3MA0GCSqGSIb3DQEBCwUA\r\nMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD\r\nExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzEwMDkwMzAxNTdaFw0x\r\nODAxMDcwMzAxNTdaMBoxGDAWBgNVBAMTD3J0YS5maW5pc2VuLmNvbTCCASIwDQYJ\r\nKoZIhvcNAQEBBQADggEPADCCAQoCggEBANl70IK2FNU74A37++qQM3tNfaFsY5ji\r\nJFXaumPhJPYtzxd6TTzj6bzYtD9mPpOPh9A9G9Q6Jsu1nsJndSQl+c+fhuz9tpzA\r\nkobnZ3iD4AXXXUkHoTv2STCvm18/mVcBJVujTWaa7Ct0/LaFRiGCPFeA0+lYJcuy\r\nGQgyz2uQV/WElpepUdDZaLEvshOTvOZBhVTXQwUhpRxYTC6yQ5tJ1/rF2uBCIeO8\r\nmcVMAm7KWJcucFVJvkEEP1y349t4gwzUCcK9oBm7htZ3gIC8EnkL1/MLe0jx6v90\r\naDg5+LGPnx6ucx32RKgQFUcp+KufXzmkIKsgeIrJ9gFN4h91ra7yursCAwEAAaOC\r\nAogwggKEMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB\r\nBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUBpteWF5BssVDDptSZBnarpab\r\nfckwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEE\r\nYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQu\r\nb3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQu\r\nb3JnLzCBkgYDVR0RBIGKMIGHghBhdXRoLmZpbmlzZW4uY29tghJtYW5hZ2UuZmlu\r\naXNlbi5jb22CD3J0YS5maW5pc2VuLmNvbYISc2lnbmluLmZpbmlzZW4uY29tgg9z\r\nc28uZmluaXNlbi5jb22CE3dlYnRhc2suZmluaXNlbi5jb22CFHp1bGZpcWFyLmZp\r\nbmlzZW4uY29tMIH+BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEB\r\nATCB1jAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasG\r\nCCsGAQUFBwICMIGeDIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxp\r\nZWQgdXBvbiBieSBSZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5j\r\nZSB3aXRoIHRoZSBDZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9s\r\nZXRzZW5jcnlwdC5vcmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBACgj\r\nt8MNKdDC6lxdfRLyEtH3EXK3u6o4WYcDTGhlPq6g3dNr94sWCdWCI8v6yK3zWeP5\r\nSF8Hqv7LFwGv4r7pPqG+uaWoj8q+zwbDpZypVD1ahzehfwIdtYo0/I4ejUeZGtY/\r\ndaTAzR5LYDtUiNm39Bv+KVmLtx7U1QOMpU8IKdwfkwaaPTDsQcL2+b0b8tOrmzOL\r\nBmzG+nILTiI9ts7/+VXLIvRIj7guDU5yfXAEboNuAgx9IS8LSj8UfbpY41e0SFXK\r\nZ2vcqEei1oItb9mzbYKJnCSZ3NLgjFKxmSqsCG2fDpn6i
2SmcvCKOjowr6B+Xf/F\r\nWaZ27KfwUlvMfGQFTZ0=\r\n-----END CERTIFICATE-----\r\n"
        }
    ]
}'

The JWT assertion can then be signed by any of these keys, and the kid header field specifies which key should be used for signature verification.

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "eu-master"
}
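
The kid-based key selection described above, as an added example that is not part of the original gist and is not Auth0's implementation. The key pairs are generated in place as constructed stand-ins for the two registered certificates, and `makeAssertion`, `verifyAssertion` and `rejection` are hypothetical names.

```javascript
// Added example, not Auth0's implementation. Function names are hypothetical.
const { generateKeyPairSync, sign, verify } = require('crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const AUD = 'https://zulfiqar.au.auth0.com/'; // tenant URL used on this page

// Constructed key pairs standing in for the two registered certificates.
const keys = {
  'au-master': generateKeyPairSync('rsa', { modulusLength: 2048 }),
  'eu-master': generateKeyPairSync('rsa', { modulusLength: 2048 }),
};
// The verifier holds public keys only, indexed by kid.
const verificationKeys = new Map(
  Object.entries(keys).map(([kid, pair]) => [kid, pair.publicKey]));

// Resource-server side: build the client_assertion, sign with one private key.
function makeAssertion(kid, privateKey, claims) {
  const head = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid }));
  const body = b64u(JSON.stringify(claims));
  const sig = sign('RSA-SHA256', Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${b64u(sig)}`;
}

// Verifier side: returns the claims, or throws with the rejection reason.
function verifyAssertion(jwt, now = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString());
  // Pin the algorithm; never let the token choose it.
  if (header.alg !== 'RS256') throw new Error('alg not allowed');
  // kid only selects among registered keys; an unknown kid is a hard failure.
  const key = verificationKeys.get(header.kid);
  if (!key) throw new Error('unknown kid');
  const signed = Buffer.from(`${head}.${body}`);
  if (!verify('RSA-SHA256', signed, key, Buffer.from(sig, 'base64url'))) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (claims.aud !== AUD) throw new Error('wrong audience');
  // exp must be a JSON number (seconds since epoch), not a string.
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('bad exp');
  return claims;
}

// Helper for demonstrations: rejection reason, or null when accepted.
function rejection(jwt) {
  try { verifyAssertion(jwt); return null; } catch (e) { return e.message; }
}
```

A token signed with the eu-master key but labelled `au-master` fails with `bad signature`, because the kid decides which registered key is tried; it never widens the set of trusted keys.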