Implementing IdSvr4 is fantastic, but the documents leave much to be desired - I spent an entire hour searching the Internet to find a working solution. What you are told to โread the specificationโ is not always useful if you are new to the concept, which often happens on their forums.
So, what you have to pass POST/connect/introspect is the secret area.
You can configure quick start by changing the config.cs class. You will need to update the data store that you use if you configured it or do not use quick start - but the concept should (hopefully) be clear.
public static IEnumerable<ApiResource> GetApiResources() { return new List<ApiResource> { new ApiResource("MyResource", "My_Resource_DisplayName") { ApiSecrets = new List<Secret> { new Secret("hello".Sha256()) }, Scopes= { new Scope("MY_CUSTOM_SCOPE") } } }; }
Now...
1. Make sure your customer has a scope of MY_CUSTOM_SCOPE
2. Make sure you request the scope of MY_CUSTOM_SCOPE when receiving the bearer token.
Now create a Base64 encoded string with the api resource name and secret, for example like this:
Convert.ToBase64String(Encoding.UTF8.GetBytes(string.Format("{0}:{1}", userName, password)));
Where the username is MyResource and the password is in clear text ( hello use your own values!) - the result should be TXlSZXNvdXJjZTpoZWxsbw== line, which looks like this: TXlSZXNvdXJjZTpoZWxsbw==
Now you can send messages to IDSvr4 ...
POST /connect/introspect Authorization: Basic TXlSZXNvdXJjZTpoZWxsbw== Accept: application/json Content-Type: application/x-www-form-urlencoded token=<YOUR_TOKEN>
So, if your bearer token has a scope of MY_CUSTOM_SCOPE (or MY_CUSTOM_SCOPE you called it there), now you can use the IdSvr introspection endpoint to get information about it.
Hope this helps!