1 Reply Latest reply on Jun 22, 2017 8:28 AM by ryanrutan

    Does JIVE implement oAuth token introspection endpoint?




      In order to interconnect our JIVE platform (on-premise) and the API Management solution of our organization (which is based on APIGEE).
      (API management => to control API flows with quotas and to provide 3-legged access creation to our JIVE platform APIs.)


      We already know that Jive OAuth provides the /authorize endpoint (to get an authorization code) and the /token endpoint (for getting and refreshing tokens), but we have no information about token introspection.

      In our organization this endpoint is mandatory, as the protocol used to implement "3 legs" is OpenID Connect.


      To be clear:
      The purpose is to delegate the authentication of API calls to the API Management solution.
      But to keep JIVE as the "referent" in that process, the API management must check whether tokens submitted by external apps are valid (even if those tokens were generated by Jive) with the token introspection endpoint.


      Is a token introspection endpoint already provided in JIVE?

      If not, how can we create this endpoint in JIVE?

      How can we use JIVE to implement the OpenID Connect protocol?


      For more information about token introspection:

      RFC 7662 - OAuth 2.0 Token Introspection

        • Re: Does JIVE implement oAuth token introspection endpoint?

          So I just looked through the code base and I do not see support for the /introspect end-point or logic. The only way to do this (to my knowledge) would be to put a middleware service in front of Jive to proxy the requests... and implement the /introspect end-point as a proxy call to /api/core/v3/people/@me or some other similar call... and construct the payload based on the status code being != 401. =\


          Oddly enough Jive supports Open ID as an identity provider, but that seems to be more of Jive as a consumer, rather than a producer in the flow.


          While not the perfect answer, until this feature is requested (and I've logged it internally in our backlog) by customers as a gap... it won't get much traction. So definitely file a support ticket and reference:

          CUSTOM-3323 and CLOUD-5472


          Hope that helps.

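The proxy approach the reply describes, as an added example that is neither Jive's code nor the poster's: a minimal RFC 7662 introspection handler that decides whether a token is active by calling Jive's /api/core/v3/people/@me with it. The HTTP probe is injected so the shim runs offline against a constructed stand-in for Jive; the Person field names it reads, the requirement that the introspection caller itself be authenticated, and the fail-closed handling of non-401 upstream errors are this example's assumptions, not something the reply specifies.

```python
"""RFC 7662 introspection shim in front of Jive (added example, hypothetical)."""
from typing import Callable, Dict, Tuple

JIVE_ME = "/api/core/v3/people/@me"  # Jive call the reply suggests probing with the token

# Probe signature: (path, bearer_token) -> (http_status, json_body). A real deployment
# would issue the request against the Jive host; it is injected here to run offline.
Probe = Callable[[str, str], Tuple[int, Dict]]


def introspect(token: str, probe: Probe, caller_authenticated: bool) -> Tuple[int, Dict]:
    """Handle one introspection request; returns (http_status, RFC 7662 body)."""
    if not caller_authenticated:
        # RFC 7662 section 2.1: the endpoint must authenticate its caller, otherwise
        # it becomes a free validity oracle for anyone holding a guessed token.
        return 401, {"error": "invalid_client"}
    if not token:
        return 400, {"error": "invalid_request"}
    status, body = probe(JIVE_ME, token)
    if status == 401:
        # Invalid, expired or revoked token: reveal nothing beyond "inactive".
        return 200, {"active": False}
    if status != 200:
        # An upstream outage is not evidence of a valid token: fail closed
        # instead of treating every non-401 status as "active".
        return 503, {"error": "temporarily_unavailable"}
    return 200, {
        "active": True,
        "token_type": "Bearer",
        # Field name assumed for the Jive v3 Person object returned by @me.
        "sub": str(body.get("id", "")),
    }


# Constructed stand-in for Jive: one known-good token, everything else rejected.
_FAKE_TOKENS = {"good-token": {"id": "1234", "displayName": "Alice Example"}}


def fake_jive_probe(path: str, token: str) -> Tuple[int, Dict]:
    """Mimic Jive answering /people/@me: 200 with the Person, or 401."""
    if path != JIVE_ME:
        return 404, {}
    person = _FAKE_TOKENS.get(token)
    return (200, person) if person else (401, {})


if __name__ == "__main__":
    print(introspect("good-token", fake_jive_probe, True))
    print(introspect("stolen-guess", fake_jive_probe, True))
```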