Or perhaps the resource/API server could use the client access token to access itself on the OAuth provider to check the token validity?
Hi,
I'm a bit confused about how to verify the client access token on the resource server side, as the client makes the authorization and access token requests to the OAuth provider alone; then, when the client requests the resource server, the latter has to verify the validity of the access token.
I can see some OAuth providers like LinkedIn which have a token introspection endpoint, `/v2/introspectToken`, which permits the resource server to verify the validity of the token. Keycloak has an introspection endpoint too: `/auth/realms/myrealm/protocol/openid-connect/token/introspect`. When searching for "Introspect" in SocialiteProviders, the only results are for Okta, EduID and OneLogin.
So if "introspection" is not used much, how do you verify the validity of the client access token in a mobile/SPA context?
Thank you for helping me get my brain cells firing :-)
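The introspection check discussed in this thread, as an added example that is not part of the original post or reply and is not SocialiteProviders code: a resource server sends the presented token to an RFC 7662 introspection endpoint and denies access unless the response is active and carries the expected audience and scope. The endpoint URL, the resource server's credentials, HTTP Basic as its authentication method, the audience value and the stubbed responses are all assumptions made for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed values for illustration; none of these come from the discussion.
INTROSPECTION_URL = "https://idp.example/oauth2/introspect"
RS_CREDENTIALS = "resource-server:constructed-secret"  # the API's own client id:secret
EXPECTED_AUDIENCE = "https://api.example"

def build_request(token):
    """RFC 7662 request: form-encoded POST, authenticated as the resource server."""
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"})
    basic = base64.b64encode(RS_CREDENTIALS.encode()).decode()
    headers = {"Authorization": f"Basic {basic}", "Accept": "application/json"}
    return urllib.request.Request(INTROSPECTION_URL, data=body.encode(),
                                  headers=headers, method="POST")

def http_send(request):  # real transport; the offline demo uses stub_send
    with urllib.request.urlopen(request, timeout=5) as resp:
        return json.load(resp)

def check_token(token, required_scope, send=http_send):
    """Return (allowed, reason); any error or missing field denies access."""
    try:
        claims = send(build_request(token))
    except Exception:
        return False, "introspection_failed"
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return False, "inactive"
    aud = claims.get("aud")  # optional in RFC 7662; required here as a policy choice
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if EXPECTED_AUDIENCE not in audiences:
        return False, "wrong_audience"
    if required_scope not in str(claims.get("scope", "")).split():
        return False, "insufficient_scope"
    return True, "ok"

# Constructed introspection responses keyed by token, for an offline run.
SAMPLE = {"tok-good": {"active": True, "scope": "read write", "aud": "https://api.example"},
          "tok-other": {"active": True, "scope": "read", "aud": ["https://other.example"]}}

def stub_send(request):
    token = urllib.parse.parse_qs(request.data.decode())["token"][0]
    return SAMPLE.get(token, {"active": False})

if __name__ == "__main__":
    for t in ("tok-good", "tok-other", "tok-unknown"):
        print(t, check_token(t, "read", send=stub_send))
```

Against a real provider, call `check_token` without the `send` argument so that `http_send` performs the request.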