Add support for introspection endpoint
jmiddleton opened this issue · 3 comments
The token introspection endpoint is generally intended for identifier-based access tokens. It would be good to have this feature as part of the implementation. More details can be found here: https://connect2id.com/products/server/docs/api/token-introspection#introspect-endpoint
Thanks. This is already under consideration. Can you share details of your use case and why this is important?
I was thinking of a way to check that the token is still valid, i.e. it hasn't been revoked by the IdP in case of identity theft or any other reason for which the IdP blocks the token. Anyway, this might not be critical if we have short-lived tokens.
Having said that, I did some more research, and the introspection endpoint seems more relevant in OAuth 2.0, where we have an access token and the only way to retrieve the status of the token is using this endpoint.
A solution for OAuth 2.0 token introspection is documented here:
https://www.nginx.com/blog/validating-oauth-2-0-access-tokens-nginx/
It is possible to combine this with OpenID Connect by using auth_jwt and auth_request in the same location.
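The combination suggested in the last comment, sketched as an added NGINX configuration that is not part of this thread or of the project. It assumes an `/api/` location, an NGINX Plus `auth_jwt` key file at `/etc/nginx/jwks.json`, the ID token in a cookie named `id_token`, the access token as a bearer header, an introspection URL `https://idp.example/introspect`, and a placeholder client credential.

```nginx
# Extract the bearer access token from the Authorization header (assumed location of the
# OAuth 2.0 access token; the OIDC ID token is assumed to travel in a cookie named id_token).
map $http_authorization $access_token {
    default "";
    "~*^Bearer\s+(?<t>\S+)$" $t;
}

server {
    listen 443 ssl;
    # ... ssl_certificate / ssl_certificate_key as in the rest of the configuration ...

    location /api/ {
        # OpenID Connect leg: validate the ID token's signature and claims locally.
        # auth_jwt is an NGINX Plus directive; the JWKS path is an assumption.
        auth_jwt "api" token=$cookie_id_token;
        auth_jwt_key_file /etc/nginx/jwks.json;

        # OAuth 2.0 leg: ask the authorization server whether the access token is still
        # active (not revoked) via a subrequest to the internal introspection location.
        auth_request /_oauth2_introspect;

        proxy_pass http://backend;
    }

    # RFC 7662 introspection call. "internal" keeps clients from reaching it directly.
    location = /_oauth2_introspect {
        internal;
        proxy_method POST;
        proxy_pass_request_body off;
        proxy_set_header Content-Type "application/x-www-form-urlencoded";
        # Client authentication to the introspection endpoint; placeholder, not a real credential.
        proxy_set_header Authorization "Basic <base64(client_id:client_secret)>";
        proxy_set_body "token=$access_token";
        proxy_pass https://idp.example/introspect;   # assumed introspection URL

        # Caveat: auth_request treats any 2xx as success, but an introspection endpoint
        # answers 200 with {"active": false} for a revoked token. The response therefore
        # needs a small handler that maps active=false to 401 (the linked NGINX blog does
        # this with njs) before it can gate /api/; proxying straight through only rejects
        # tokens the endpoint refuses outright with a 4xx/5xx status.
    }
}
```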