Generating Reference Token Instead of JWT

Question

Please find below the steps I applied in order to generate Reference Token instead of JWT:

1. In the [Clients] table, I updated property [AccessTokenType] = 1. Please note that this is the client configured to be used from Angular Frontend app.

OIDC client configuration (Angular App)

"IdentityGuardsConfig": {
"oidcSettings": {
  "authority": "http://localhost:5000",
  "client_id": "local_spa",
  "redirect_uri": "http://localhost:4200/#/identity-guards/auth-callback#",
  "post_logout_redirect_uri": "http://localhost:4200",
  "response_type": "id_token token",
  "scope": "openid profile inspection_profile",
  "filterProtocolClaims": true,
  "loadUserInfo": true,
  "automaticSilentRenew": true,
  "silent_redirect_uri": "http://localhost:4200/#/identity-guards/silent-refresh#"
},

2- Since API (/connect/introspect) is secure, I had to create API Resource and API Secret (as per this thread). Also as per the thread, I had to assign the exact scopes requested from Frontend client (3 scopes ==> opened, profile, inspection_profile)

After applying the above configuration, IdentityServer service is returning reference token, also the reference token is being persisted in [PersistedGrants] table

To validate the reference token, I was able to do that by hitting (/connect/introspect) API from Postman (below is the converted cURL request)

curl --location --request POST 'http://localhost:5000/connect/introspect' \
--header 'Authorization: Basic bG9jYWxfc3BhOlBAc3N3MHJk' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=f007eff8fc2a3d8d9af7cb605b93b78d7004880d24356acebf928dae5a48dd8e'

Below is the response I recived for the above cURL request:

{
"iss": "http://localhost:5000",
"nbf": 1640694748,
"exp": 1640698348,
"aud": "http://localhost:5000/resources",
"client_id": "local_spa",
"sub": "f6a5ccec-9d70-4c7c-ab50-7a932f685cac",
"auth_time": 1640694748,
"idp": "local",
"amr": "pwd",
"email": "[email protected]",
"name": "[email protected]",
"given_name": "admin",
"phone_number": "0506198339",
"role": "SystemAdmin",
"preferred_username": "[email protected]",
"active": true,
"scope": "openid profile inspection_profile"
}

However, when I tried to access (/.well-known/openid-configuration) I’m getting the below exception:

An unhandled exception occurred while processing the request. Exception: Found identity scopes and API scopes that use the same names. This is an invalid configuration. Use different names for identity scopes and API scopes. Scopes found: openid, profile, inspection_profile IdentityServer4.Stores.IResourceStoreExtensions.Validate(IEnumerable identity, IEnumerable apiResources) in IResourceStoreExtensions.cs, line 60

Answer 1

I think the error message explains pretty well what the problem is.

Found identity scopes and API scopes that use the same names. This is an invalid configuration. Use different names for identity scopes and API scopes.

You need to make sure the IdentityResource and ApiScope names are not the same.

Answer 2

@Tore Nestenius You were correct. As adivsed I moved [inspection_profile] scope from [IdentityResources] to [ApiResources]. Also for all custom claim that I already have in [IdentityClaims], I re-linked them to the [openid] profile.