Alternatives to remote validation of tokens

The Okta documentation on validating tokens shows us two options for validating tokens: locally and remotely. However, there is a caveat (mentioned very briefly at the end, in my opinion the caveat should be mentioned explicitly) in which local validation does not properly check for revoked tokens.

So, for true validation, we need to rely on the /v1/introspect method. However, there are rate limits on this endpoint, so it’s not a scalable solution for a resource server to hit /v1/introspect every time an access token is sent. What are suggestions to solve this problem?

Main suggestion is to limit token lifetime to 5 minutes (minimum) and use refresh tokens (which can/should also be revoked) to fetch new tokens so there is a smaller window for the token to be used after it's been revoked.
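As an added example (not from this thread and not Okta's code), here is one way a resource server can combine the reply's lifetime bound with a short-lived cache of /v1/introspect answers so it stays under the endpoint's rate limit. `introspect` is a hypothetical callable wrapping the real endpoint, `CACHE_TTL` is a constructed value, and signature, issuer and audience checks are assumed to have been done beforehand by a JWT library. A revoked token can still be accepted for up to `CACHE_TTL` seconds after revocation, so that number is the detection window being traded for fewer introspection calls.

```python
import hashlib
import time

MAX_LIFETIME = 300   # reply's suggestion: reject tokens issued with a lifetime over 5 minutes
CACHE_TTL = 60       # constructed value: how long to trust a cached introspection answer


class IntrospectionCache:
    """Caches /v1/introspect results per token so a busy resource server
    stays under the endpoint's rate limit. Local checks (signature, iss, aud)
    are assumed to have been done by the caller's JWT library already."""

    def __init__(self, introspect, now=time.time):
        self.introspect = introspect   # hypothetical callable(token) -> bool ("active")
        self.now = now                 # injectable clock, so the logic is testable offline
        self.cache = {}                # sha256(token) -> (active, trust_until)

    def is_active(self, token, claims):
        now = self.now()
        # Hard local bounds first: an expired token, or one minted with a lifetime
        # longer than policy allows, is rejected without any network call.
        if claims["exp"] <= now or claims["exp"] - claims["iat"] > MAX_LIFETIME:
            return False
        # Key on a hash so raw bearer tokens are not kept in memory as cache keys.
        key = hashlib.sha256(token.encode()).hexdigest()
        hit = self.cache.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]
        active = bool(self.introspect(token))
        # Never trust a cached answer past the token's own exp; cache "revoked"
        # too, so repeated replay of a dead token does not burn introspection quota.
        self.cache[key] = (active, min(now + CACHE_TTL, claims["exp"]))
        return active


def demo():
    """Stand-alone run with a fake introspection endpoint (constructed data)."""
    calls = []

    def fake_introspect(token):
        calls.append(token)
        return token != "revoked-token"

    clock = [1000.0]
    cache = IntrospectionCache(fake_introspect, now=lambda: clock[0])
    claims = {"iat": 1000, "exp": 1300}          # 5-minute token
    results = [cache.is_active("good-token", claims) for _ in range(3)]
    results.append(cache.is_active("revoked-token", claims))
    return results, len(calls)                   # ([True, True, True, False], 2)


if __name__ == "__main__":
    print(demo())
```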
