Cross client introspection?

[nbalu]

Hi!

I probably do have a user error on my end and I'm trying to figure out how I could solve the issue.

First this is my unencrypted jwt:

{
  "iss": "https://localhost:5001/",
  "exp": 1715096914,
  "iat": 1715093314,
  "aud": [
    "oct:Default",
    "x-api",
    "x-ui"
  ],
  "scope": "openid x-ui x-api",
  "jti": "9c2b8ecb-aa75-4e5d-abd3-0c5efbca7360",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "4x6caz3wqfeg3rxkdcqh4pk8xe",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "nbalu",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "[email protected]",
  "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": "Administrator",
  "Permission": [
    "Whatever..."
  ],
  "email": "[email protected]",
  "email_verified": true,
  "oc:entyp": "user",
  "sub": "4x6caz3wqfeg3rxkdcqh4pk8xe",
  "name": "nbalu",
  "oi_prst": "5a117b1a-d8e7-4c72-a2cf-5ce6fec48da0",
  "oi_au_id": "9b321cc230e5490d8e6df0fbf7e28d5d",
  "client_id": "5a117b1a-d8e7-4c72-a2cf-5ce6fec48da0",
  "oi_tkn_id": "038eebb9422247bf8cd70479a1211250"
}

I wanted to introspect the token from x-api and I've got a nice and shiny active: false and a warning message The introspection request was rejected because the access token was issued to a different client or for another resource server.

I do have two clients:
UI with client_id: 5a117b1a-d8e7-4c72-a2cf-5ce6fec48da0
API with client_id: e9d98495-ed6d-4c72-9c2f-6f7040b85324

I do have two scopes:
x-ui
x-api

My question would be how can I make introspection work as the audience and the resource seems to be ok for me within the api config:

builder.Services.AddOpenIddict()
    .AddValidation(options =>
    {
        // Note: the validation handler uses OpenID Connect discovery
        // to retrieve the address of the introspection endpoint.
        options.SetIssuer("https://localhost:5001/);
        options.AddAudiences("x-api");

        // Configure the validation handler to use introspection and register the client
        // credentials used when communicating with the remote introspection endpoint.
        options.UseIntrospection()
               .SetClientId(authOptions.ClientId)
               .SetClientSecret(authOptions.ClientSecret);
        
        // Register the System.Net.Http integration.
        options.UseSystemNetHttp();
        // Register the ASP.NET Core host.
        options.UseAspNetCore();
    });

[nbalu]

@kevinchalet you will probably know this from heart and I would really appriciate your help here.

[nbalu]

So it turned out that my clientId should match the scope => audience.

Took some hours but figured it out.