Middleware for token endpoint #89
So I think I've got the refresh token part figured out... so now, the introspection part, would be really hand part to be able to solve.

I'm migrating from an older version of IDS. I am migrating the database to a new platform, and the new instance of IDS is in a new location. I'm having issues with reference tokens and refresh tokens during the cutover process (new token requests and logins are working as expected). These issues include 400 and 401 client errors on introspection and refresh token requests.

I am wondering if it is possible to inject middleware to temporarily validate the reference tokens and refresh tokens (via the old IDS instance) prior to issuing success for the client? In other words, forward requests I know are possibly valid against the old IDS, and upon success mark validation complete, and continue the token issue/introspection process in the new IDS.

Is this strategy possible? Is there an example of someone already doing something like this, or is there a potential "better" way to go about this?

For introspection:

```mermaid
sequenceDiagram
participant c as Client
participant a as New IDS
participant b as Old IDS
c->>a: Introspection
a->>b: Forward Old Reference Token Request
b->>a: 200 Reference Token Response
a->>c: Forward response to client
```

For refresh token:

```mermaid
sequenceDiagram
participant c as Client
participant a as New IDS
participant b as Old IDS
c->>a: Refresh Token
a->>b: Forward Old Refresh Token Request
b->>a: 200 Refresh Token Response
a-->a: Request is valid...Continue Refresh Response
a->>c: Reply to client with New IDS Token
```
Replies: 1 comment
Yes, it would be possible to do something like that in a migration scenario. But there are more details to it that should be considered, for example what issuer is returned in the introspection responses. And also if you want to migrate the tokens when introspected to allow them to be used independently of the old IdentityServer in the future.

This is an interesting question. Unfortunately, working on it in depth goes beyond what we cover as part of support. Duende and partners do supply remote consulting that is a better fit for this kind of question. Please reach out if you want more information.
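
A sketch of the introspection fallback from the first diagram, added here as an example; it is not code from this thread or from Duende. It assumes an ASP.NET Core web project with implicit usings, and the class name `LegacyIntrospectionFallback` and the `legacy-ids` named `HttpClient` are hypothetical.

```csharp
using System.Text.Json;

// Added example. Hypothetical names: LegacyIntrospectionFallback and the "legacy-ids"
// named HttpClient (assumed to have the old instance's base address and the
// credentials of an API registered there). Register it before UseIdentityServer().
public sealed class LegacyIntrospectionFallback(RequestDelegate next, IHttpClientFactory clients)
{
    public async Task InvokeAsync(HttpContext ctx)
    {
        if (!HttpMethods.IsPost(ctx.Request.Method) ||
            !ctx.Request.Path.StartsWithSegments("/connect/introspect"))
        {
            await next(ctx);
            return;
        }
        // Reading the form caches it on the request, so the endpoint can still read it.
        var token = (await ctx.Request.ReadFormAsync())["token"].ToString();

        // Buffer the new instance's answer instead of sending it straight to the client.
        var clientStream = ctx.Response.Body;
        using var buffer = new MemoryStream();
        ctx.Response.Body = buffer;
        try { await next(ctx); }
        finally { ctx.Response.Body = clientStream; }
        var payload = buffer.ToArray();

        // Fall back only after the new instance has authenticated the caller (200)
        // and reported the token as unknown. 400/401 responses are never forwarded.
        if (ctx.Response.StatusCode == StatusCodes.Status200OK && IsInactive(payload))
        {
            using var request = new HttpRequestMessage(HttpMethod.Post, "connect/introspect")
            {
                Content = new FormUrlEncodedContent(new Dictionary<string, string> { ["token"] = token })
            };
            using var legacy = await clients.CreateClient("legacy-ids").SendAsync(request);
            // The legacy body still carries the old instance's "iss" claim.
            if (legacy.IsSuccessStatusCode)
                payload = await legacy.Content.ReadAsByteArrayAsync();
        }
        ctx.Response.ContentLength = payload.Length;
        await clientStream.WriteAsync(payload);
    }

    private static bool IsInactive(byte[] json)
    {
        using var doc = JsonDocument.Parse(json);
        return doc.RootElement.TryGetProperty("active", out var active) && active.ValueKind == JsonValueKind.False;
    }
}
```

Only the `token` parameter is sent to the old instance, so the calling API's own credentials never leave the new one.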