Support for token introspection #40

Open
Ross65536 opened this issue Jun 11, 2021 · 1 comment · May be fixed by #42

Comments

Ross65536 commented Jun 11, 2021

From what I can tell, there currently isn't a way for a third-party service to tell if an access token is still valid without querying the authorization server's DB directly.

While the OAuth 2 specification RFC doesn't explicitly specify how to check if an access token is valid, there are 2 main ways in which it can be done:

  • introspection endpoint: there is an OAuth extension RFC 7662 which specifies an additional OAuth endpoint which can return information about an access token or refresh token, like if it is still valid, scopes, expiry time, etc.
  • signed token: for example a JWT access token signed with a public/private key. There is a specification for this.

@Ross65536 (Author)

I'm currently working on adding support for this using an introspection endpoint.
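
An added example, not code from this project or from the issue author: how a resource server could evaluate an RFC 7662 introspection response and fail closed on anything that is not a clearly active, in-scope token. The function names, token value and sample responses are constructed for illustration.

```python
import json
import time
from urllib.parse import urlencode

def build_introspection_body(token, token_type_hint=None):
    """Form-encoded POST body for the introspection request (RFC 7662 section 2.1).
    The request itself must also carry the caller's own credentials."""
    params = {"token": token}
    if token_type_hint:
        params["token_type_hint"] = token_type_hint
    return urlencode(params)

def evaluate_introspection(raw_body, required_scopes=(), audience=None, now=None):
    """Return (accepted, reason) for an introspection response body; fails closed."""
    now = time.time() if now is None else now
    try:
        data = json.loads(raw_body)
    except (TypeError, ValueError):
        return False, "malformed response"
    # "active" is the only required member and must be the JSON boolean true.
    if not isinstance(data, dict) or data.get("active") is not True:
        return False, "inactive"
    exp, nbf = data.get("exp"), data.get("nbf")
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp):
        return False, "expired"
    if nbf is not None and (not isinstance(nbf, (int, float)) or now < nbf):
        return False, "not yet valid"
    scope = data.get("scope", "")  # space-separated string per the RFC
    granted = set(scope.split()) if isinstance(scope, str) else set()
    missing = set(required_scopes) - granted
    if missing:
        return False, "missing scope: " + " ".join(sorted(missing))
    if audience is not None:
        aud = data.get("aud")
        if audience not in (aud if isinstance(aud, list) else [aud]):
            return False, "wrong audience"
    return True, "ok"

# Constructed sample responses (not taken from any real server).
ACTIVE = '{"active": true, "scope": "read write", "client_id": "svc-a", "exp": 2000, "aud": "api"}'
REVOKED = '{"active": false}'

if __name__ == "__main__":
    print(build_introspection_body("opaque-token-value", "access_token"))
    for body in (ACTIVE, REVOKED, '{"active": "true"}', "not json"):
        print(evaluate_introspection(body, ["read"], "api", now=1000))
```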
