FusionAuth

Client Credentials Introspection

  • P
    paul.fink
    last edited by 4 Oct 2021, 15:48

    Hi,

    I am trying to implement the client credentials grant for an API.
    I have a paid version of FusionAuth.
    I have created two entity types for it: an API and an API client.
    I created two entities, one for each of the types.
    I gave the API client entity a grant to the API entity with the permissions that are on the entity type.

    Using Postman I am able to do a client credentials grant and get a token back. When I Base64-decode the token I see the expected permissions from the target entity.

    My problem is when I am trying to introspect the token in Postman. I am getting this response back:

    {
        "active": false
    }
    

    I am passing the token and the client_id as parameters to the introspection URL. Why is it returning false?

    I have an application and if I do an authorization grant for a user I am able to introspect that token and it returns active as being true and the additional data.

    Is there some setup or something that I am missing?

    • J
      joshua
      last edited by 11 Oct 2021, 22:19

      @paul-fink

      I would recommend reviewing the following tutorials for good examples on how to implement the client credentials grant using Entity Management within FusionAuth.

      https://www.youtube.com/watch?v=pJIzYLSTrMM
      https://www.youtube.com/watch?v=rT-VTtgligI

      Our documentation:
      https://fusionauth.io/docs/v1/tech/oauth/endpoints/#client-credentials-grant-request

      Lastly, I was able to replicate the behavior that you found and will check with the team. I will post back if I discover anything else.

      Thanks,
      Josh

      • J
        joshua
        last edited by 12 Oct 2021, 03:57

        @paul-fink

        This is being reviewed for inclusion in future releases of FusionAuth. You can follow and upvote this on the following ticket:

        https://github.com/FusionAuth/fusionauth-issues/issues/1434.

        In the interim, you can use an external library to validate JWTs issued from the client credentials grant (something like https://github.com/FusionAuth/fusionauth-jwt, perhaps).

        Thanks,
        Josh

        • P
          paul.fink @joshua
          last edited by 12 Oct 2021, 21:22

          @joshua Thanks for confirming the behavior I am seeing. I will try using a library to validate the JWT instead.
