Authlete
StandardIntrospectionResponse Class Reference

Response from Authlete's /api/auth/introspection/standard API. Note that this API and the /api/auth/introspection API are different. The /api/auth/introspection/standard API exists to help your authorization server provide its own introspection API which complies with RFC 7662 (OAuth 2.0 Token Introspection).

Inheritance diagram for StandardIntrospectionResponse:
ApiResponse

Properties

StandardIntrospectionAction Action [get, set]
 The next action that the introspection endpoint of your authorization server should take.

string ResponseContent [get, set]
 The response content which can be used as the entity body of the response returned to the client application.

- Properties inherited from ApiResponse
string ResultCode [get, set]
 The code of the result of an Authlete API call. For example, "A004001".

string ResultMessage [get, set]
 The message of the result of an Authlete API call. For example, "[A001202] /client/get/list, Authorization header is missing."
 

Detailed Description

Response from Authlete's /api/auth/introspection/standard API. Note that this API and the /api/auth/introspection API are different. The /api/auth/introspection/standard API exists to help your authorization server provide its own introspection API which complies with RFC 7662 (OAuth 2.0 Token Introspection).

Authlete's /api/auth/introspection/standard API returns JSON which can be mapped to this class. The implementation of the introspection endpoint of your authorization server should retrieve the value of the "action" parameter (which can be obtained via the Action property of this class) from the response and take the following steps according to the value.

When the value of the Action property is StandardIntrospectionAction.INTERNAL_SERVER_ERROR, it means that the request from your system to Authlete (StandardIntrospectionRequest) was wrong or that an error occurred in Authlete. In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the introspection endpoint of your authorization server should generate a response to the client application with the HTTP status of "500 Internal Server Error".

In this case, the ResponseContent property returns a JSON string which describes the error, so it can be used as the entity body of the response if you want. Note, however, that RFC 7662 does not specify the format of the response body of error responses.

The following illustrates an example response which the introspection endpoint of your authorization server generates and returns to the client application.

HTTP/1.1 500 Internal Server Error
Content-Type: application/json
(The value returned from ResponseContent)

When the value of the Action property is StandardIntrospectionAction.BAD_REQUEST, it means that the request from the client application is invalid. This happens when the request from the client did not include the "token" request parameter. The HTTP status of the response returned to the client application should be "400 Bad Request". See Section 2.1 (Introspection Request) of RFC 7662 for details about the requirements for introspection requests.

In this case, the ResponseContent property returns a JSON string which describes the error, so it can be used as the entity body of the response if you want. Note, however, that RFC 7662 does not specify the format of the response body of error responses.

The following illustrates an example response which the introspection endpoint of your authorization server generates and returns to the client application.

HTTP/1.1 400 Bad Request
Content-Type: application/json
(The value returned from ResponseContent)

When the value of the Action property is StandardIntrospectionAction.OK, it means that the request from the client application is valid. The HTTP status of the response returned to the client application must be "200 OK" and its content type must be "application/json".

In this case, the ResponseContent property returns a JSON string which complies with the introspection response defined in Section 2.2 (Introspection Response) of RFC 7662. The following illustrates the response which the introspection endpoint of your authorization server should generate and return to the client application.

HTTP/1.1 200 OK
Content-Type: application/json
(The value returned from ResponseContent)

Note that RFC 7662 says "To prevent token scanning attacks, the endpoint MUST also require some form of authorization to access this endpoint". This means that you have to protect your introspection endpoint in some way or other. Authlete does not care how your introspection endpoint is protected. In most cases, as mentioned in RFC 7662, "401 Unauthorized" is the proper response when an introspection request does not satisfy the authorization requirements imposed by your introspection endpoint.
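As an added example (not code from the Authlete library), the following endpoint applies the action-to-status mapping described above and enforces the caller authorization that RFC 7662 requires before any token is looked up. It assumes an IAuthleteApi.StandardIntrospection method taking a StandardIntrospectionRequest, a StandardIntrospectionRequest.Parameters property holding the raw form body, and a caller-supplied delegate for the endpoint's own authorization policy.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Authlete.Api;   // IAuthleteApi.StandardIntrospection(...): assumed to exist with this name
using Authlete.Dto;   // StandardIntrospectionRequest/Response, StandardIntrospectionAction

// Added example, not code from the Authlete library: an introspection endpoint
// that dispatches on StandardIntrospectionResponse.Action as the page describes.
public sealed class IntrospectionEndpoint
{
    public sealed record HttpResult(int Status, string ContentType, string Body, IReadOnlyDictionary<string, string> Headers);

    // Introspection results are sensitive; tell intermediaries not to cache them.
    private static readonly Dictionary<string, string> NoStore =
        new Dictionary<string, string> { ["Cache-Control"] = "no-store", ["Pragma"] = "no-cache" };

    private readonly IAuthleteApi _api;
    private readonly Func<string, bool> _callerIsAuthorized; // your own policy (e.g. client credentials)

    public IntrospectionEndpoint(IAuthleteApi api, Func<string, bool> callerIsAuthorized)
    {
        _api = api ?? throw new ArgumentNullException(nameof(api));
        _callerIsAuthorized = callerIsAuthorized ?? throw new ArgumentNullException(nameof(callerIsAuthorized));
    }

    // authorizationHeader: the caller's Authorization header (may be null);
    // formBody: the raw application/x-www-form-urlencoded request body, e.g. "token=...".
    public async Task<HttpResult> HandleAsync(string authorizationHeader, string formBody)
    {
        // RFC 7662 section 2.1: the endpoint MUST require authorization. Reject before calling
        // Authlete so an unauthorized caller learns nothing about any token.
        if (!_callerIsAuthorized(authorizationHeader))
        {
            var h = new Dictionary<string, string>(NoStore) { ["WWW-Authenticate"] = "Basic realm=\"introspection\"" };
            return new HttpResult(401, "application/json", "{\"error\":\"unauthorized\"}", h);
        }
        // Forward the client's parameters untouched; Authlete validates them (e.g. missing "token").
        var request = new StandardIntrospectionRequest { Parameters = formBody }; // Parameters: assumed name
        return MapAction(await _api.StandardIntrospection(request));
    }

    // Map "action" to the HTTP status the documentation prescribes; ResponseContent is the body.
    public static HttpResult MapAction(StandardIntrospectionResponse response) => response.Action switch
    {
        StandardIntrospectionAction.OK                    => new HttpResult(200, "application/json", response.ResponseContent, NoStore),
        StandardIntrospectionAction.BAD_REQUEST           => new HttpResult(400, "application/json", response.ResponseContent, NoStore),
        StandardIntrospectionAction.INTERNAL_SERVER_ERROR => new HttpResult(500, "application/json", response.ResponseContent, NoStore),
        _ /* unknown action: fail closed, echo nothing */ => new HttpResult(500, "application/json", "{\"error\":\"server_error\"}", NoStore)
    };
}
```

The default arm deliberately does not return ResponseContent, so a future enum value cannot leak content under an unexpected status.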

Property Documentation

◆ Action

StandardIntrospectionAction Action [get, set]

The next action that the introspection endpoint of your authorization server should take.

◆ ResponseContent

string ResponseContent [get, set]

The response content which can be used as the entity body of the response returned to the client application.


The documentation for this class was generated from the following file:
StandardIntrospectionResponse.cs