
Support for token introspection

Open · Ross65536 opened this issue 3 years ago • 1 comment

From what I can tell there currently isn't a way for a third party service to tell if an access token is still valid without querying the authorization server's DB directly.

While the OAuth 2 specification RFC doesn't explicitly specify how to check if an access token is valid, there are 2 main ways in which it can be done:

  • introspection endpoint: there is an OAuth extension RFC 7662 which specifies an additional OAuth endpoint which can return information about an access token or refresh token, like if it is still valid, scopes, expiry time, etc.
  • signed token: for example a JWT access token signed with a public/private key. There is a specification for this.

Ross65536 · Jun 11 '21 21:06
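To make the introspection option concrete, here is an added illustration (not code from phoenix_oauth2_provider or ex_oauth2_provider) of what an RFC 7662 introspection endpoint returns and how a third-party resource server would use the answer. The token store, the client ids, the resource-server credential and the fixed clock value are all constructed for the example; a real server would look the token up in its database and authenticate the caller against registered resource-server credentials.

```python
"""RFC 7662-style token introspection, shown from both sides:
the authorization server that answers, and the resource server that
decides whether to serve a request. Added example, not library code."""
import hmac
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessToken:
    value: str
    client_id: str
    scopes: tuple
    issued_at: int      # Unix seconds
    expires_in: int     # lifetime in seconds
    revoked: bool = False

    def is_active(self, now: int) -> bool:
        # "active" in RFC 7662 terms: not revoked and not yet expired.
        return not self.revoked and now < self.issued_at + self.expires_in


# Constructed sample data: hypothetical clients, tokens and a fixed clock.
NOW = 1_700_000_000
TOKENS = {
    "tok-live": AccessToken("tok-live", "client-web", ("read", "write"), NOW - 60, 3600),
    "tok-expired": AccessToken("tok-expired", "client-web", ("read",), NOW - 7200, 3600),
    "tok-revoked": AccessToken("tok-revoked", "client-cli", ("read",), NOW - 60, 3600, revoked=True),
}
# RFC 7662 section 2.1: the endpoint must authenticate its caller, otherwise
# anyone could use it to probe which token strings are valid.
RESOURCE_SERVERS = {"orders-api": "rs-secret-constructed"}


def introspect(token: str, caller_id: str, caller_secret: str,
               now: Optional[int] = None) -> dict:
    """Authorization-server side: build the RFC 7662 introspection response."""
    expected = RESOURCE_SERVERS.get(caller_id)
    if expected is None or not hmac.compare_digest(expected, caller_secret):
        raise PermissionError("resource server not authorized to introspect")
    now = int(time.time()) if now is None else now
    record = TOKENS.get(token)
    # Unknown, expired and revoked tokens all get the same minimal answer,
    # so the response does not reveal why a token is not usable.
    if record is None or not record.is_active(now):
        return {"active": False}
    return {
        "active": True,
        "scope": " ".join(record.scopes),   # space-separated, as in RFC 7662
        "client_id": record.client_id,
        "token_type": "Bearer",
        "iat": record.issued_at,
        "exp": record.issued_at + record.expires_in,
    }


def authorize_request(introspection: dict, required_scope: str) -> bool:
    """Resource-server side: serve the request only if the token is active
    and carries the scope this endpoint requires."""
    if introspection.get("active") is not True:
        return False
    return required_scope in introspection.get("scope", "").split()


if __name__ == "__main__":
    resp = introspect("tok-live", "orders-api", "rs-secret-constructed", now=NOW)
    print(resp, authorize_request(resp, "write"))
```

The resource server never sees the authorization server's database: it sends the opaque token string together with its own credentials and acts on `active` and `scope` alone. Because the answer for an expired, revoked or unknown token is identical, a caller learns nothing beyond "not usable", and the caller authentication keeps the endpoint from serving as a token-validity oracle.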

I'm currently working on adding support for this using an introspection endpoint

Ross65536 · Jun 15 '21 19:06