dotnet core IdentityModel will not introspect tokens

Question

dotnet core IdentityModel will not introspect tokens

2.8k Views Asked by reidLinden At 08 April 2025 at 10:08

I'm playing around with porting one of my API applications to dotnet core (v2), and probably the most important part of that upgrade is getting my Authentication working.

To that end, I've added Thinkteture's IdentityModel package to my project.

How my API works is it receives an Authentication header in the form of a bearer token from the caller. I then Introspect that token to verify it is acceptable for the current task, and proceed with the main logic.

However, I seem to simply be missing something absolutely basic in the initial set up of the code, for I am unable to get the introspection to fire at all.

Following, I have some snippets from my Startup.cs, and a controller.

Startup.cs

   public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
        services.AddAuthentication(OAuth2IntrospectionDefaults.AuthenticationScheme)
            .AddOAuth2Introspection(options =>
            {
                options.IntrospectionEndpoint = "#REDACTED#";

                options.ClientId = "#REDACTED#";
                options.ClientSecret = "#REDACTED#";

            });
        var x = 1;

    }

ItemsController.cs

    [HttpGet]
    public IEnumerable<string> Get()
    {
       return new string[] { "isAuthenticated", $"{User.Identity.IsAuthenticated}" };
    }

This endpoint (GET api/items) always returns false, and my OIDC server app never logs any attempts to communicate with it. A breakpoint set on the services.AddAuthentication() code catches, so I know that the basic setup pieces are in place.

Some other things I've tried:

putting an Authorize decoration on the method (didn't really expect this to work.. and it didn't)
Using Authority options, and allowing discovery of the introspection endpoint (I'd thought perhaps that my OIDC server maybe didn't support discovery, and that was causing the problems, but supplying the introspection endpoint doesn't make any difference)

I'm sure I've missed something completely trivial, but after spending a few hours poking, searching, and trying assorted things, I've realized that I must just be overlooking it.

Original Q&A

There are 2 best solutions below

**Daniel** · Answer 1

Even if this answer comes late i would like to ask if you have tried setting SkipTokensWithDots to false.

what worked for me was:

services.AddAuthentication(OAuth2IntrospectionDefaults.AuthenticationScheme)
    .AddOAuth2Introspection(options =>
    {
        options.IntrospectionEndpoint = "#REDACTED#";

        options.ClientId = "#REDACTED#";
        options.ClientSecret = "#REDACTED#";

        // We are using introspection for JWTs so we need to override the default
        options.SkipTokensWithDots = false;
    });

**Tedar Teraise** · Answer 2

Tedar Teraise On 22 September 2023 at 11:18

I think you're missing the [Authorize] attribute in the controller. THis is why the middleware is not even trying to introspect the token and thus you don't get any trace info .

dotnet core IdentityModel will not introspect tokens

There are 2 best solutions below

Related Questions in C#

Related Questions in .NET-CORE

Related Questions in THINKTECTURE-IDENT-MODEL

Trending Questions

Popular # Hahtags

Popular Questions