 

Do IdentityServer4 API Resources require a secret?

Does not having a secret defined for an IdentityServer4 API Resource introduce a security vulnerability?

I'm a little confused on the Introspection Endpoint, when it is used, and whether or not someone could use the Introspection endpoint to bypass Authorization and access an API without a defined secret (by a POST with just the API name as a parameter).

Is this possible? Or is the introspection endpoint only authorized through defined clients that use something like the Client Credential Grant?

dpjas asked Mar 14 '26 18:03


1 Answer

The introspection endpoint will only validate a posted token, it shouldn't accept an API name in its request.

It can be used to validate reference tokens (or JWTs if the consumer does not have support for appropriate JWT or cryptographic libraries). The introspection endpoint requires authentication using a scope secret.

http://docs.identityserver.io/en/release/endpoints/introspection.html

This shouldn't be an endpoint you need to implement, it is included by identity server in the same way as the '.well-known/openid-configuration'.

A use case for this endpoint would be an API being passed a token and wanting to confirm it's genuine and still valid (not expired or revoked); the response would include the claims associated with the token (the user's claims, with the token's scope taken into consideration).

For introspection security considerations see RFC 7662 Section 4.

Dom Slatford answered Mar 17 '26 02:03
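The exchange the answer describes, as an added example that is not part of the original post and not IdentityServer4's own code: a small in-memory model of an RFC 7662 introspection endpoint. The caller (an API) authenticates with HTTP Basic credentials, API resource name as user and API secret as password (IdentityServer4 calls this an API secret on the ApiResource; IdentityServer3 called it a scope secret), and posts the token handle. The server answers `active: false` for unknown, expired and revoked tokens alike, and only releases the user claims that the calling API's scope entitles it to. All names, secrets, token handles and claim sets below are constructed for the example; the clock is fixed so the run is deterministic.

```python
import base64
import hmac
from hashlib import sha256

# Constructed sample configuration (hypothetical names, not IdentityServer4's code).
# API resource name -> SHA-256 of its API secret; real servers store hashes too.
API_SECRETS = {
    "api1": sha256(b"api1-secret").digest(),
    "api2": sha256(b"api2-secret").digest(),
}
# Which user claim types each API resource is entitled to see (cf. ApiResource.UserClaims).
API_USER_CLAIMS = {"api1": {"role", "email"}, "api2": {"email"}}

NOW = 1_700_000_000  # fixed clock so the example is deterministic
# Reference-token handle -> token data. The handle is opaque; only the issuer can resolve it.
REFERENCE_TOKENS = {
    "ref-alice-ok":      {"sub": "alice", "client_id": "spa", "scope": ["api1"],
                          "exp": NOW + 3600, "revoked": False,
                          "claims": {"role": "admin", "email": "alice@example.com", "name": "Alice"}},
    "ref-alice-expired": {"sub": "alice", "client_id": "spa", "scope": ["api1"],
                          "exp": NOW - 10, "revoked": False, "claims": {"role": "admin"}},
    "ref-bob-revoked":   {"sub": "bob", "client_id": "spa", "scope": ["api1", "api2"],
                          "exp": NOW + 3600, "revoked": True, "claims": {"email": "bob@example.com"}},
}


def basic_auth(name: str, secret: str) -> dict:
    """Build the HTTP Basic header an API sends (API name as user, API secret as password)."""
    raw = f"{name}:{secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def _authenticate(headers: dict):
    """Return the API name if the Basic credentials match a registered API secret, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        name, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    expected = API_SECRETS.get(name)
    if expected is None:
        return None
    # Constant-time comparison of the hashed secret.
    if not hmac.compare_digest(expected, sha256(secret.encode()).digest()):
        return None
    return name


def introspect(headers: dict, form: dict, now: int = NOW):
    """Model of POST /connect/introspect. Returns (http_status, json_body)."""
    api = _authenticate(headers)
    if api is None:
        # Unauthenticated callers learn nothing about any token (RFC 7662 section 2.1).
        return 401, {"error": "invalid_client"}
    token = form.get("token")
    if not token:
        # An API name alone is not a valid request; the token parameter is mandatory.
        return 400, {"error": "invalid_request"}
    data = REFERENCE_TOKENS.get(token)
    # RFC 7662 section 2.2: unknown, expired and revoked all collapse to active=false.
    if data is None or data["revoked"] or data["exp"] <= now:
        return 200, {"active": False}
    if api not in data["scope"]:
        # The token was not issued for this API, so it is not active for this caller.
        return 200, {"active": False}
    body = {
        "active": True,
        "sub": data["sub"],
        "client_id": data["client_id"],
        "scope": " ".join(data["scope"]),
        "exp": data["exp"],
        "aud": api,
    }
    # Only the claims this API's scope entitles it to; "name" is not released to api1.
    allowed = API_USER_CLAIMS[api]
    body.update({k: v for k, v in data["claims"].items() if k in allowed})
    return 200, body


if __name__ == "__main__":
    # The scenario from the question: API name only, no secret, no token -> rejected.
    print(introspect({}, {"api": "api1"}))
    print(introspect(basic_auth("api1", ""), {"token": "ref-alice-ok"}))
    print(introspect(basic_auth("api1", "api1-secret"), {"token": "ref-alice-ok"}))
    print(introspect(basic_auth("api1", "api1-secret"), {"token": "ref-alice-expired"}))
    print(introspect(basic_auth("api2", "api2-secret"), {"token": "ref-bob-revoked"}))
```

The point for the original question: an API resource with no secret configured cannot authenticate to this endpoint at all, so it cannot introspect reference tokens; that is a functional limitation for the API, not a hole an outsider can use. Posting only an API name yields `401`, and even an authenticated API is told nothing more than `active: false` about tokens that are unknown, expired, revoked, or issued for a different API.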


