Alternatives to remote validation of tokens

The Okta documentation on validating tokens shows us two options for validating tokens: locally and remotely. However, there is a caveat (mentioned very briefly at the end, in my opinion the caveat should be mentioned explicitly) in which local validation does not properly check for revoked tokens.

So, for true validation, we need to rely on the /v1/introspect method. However, there are rate limits on this endpoint, so it’s not a scalable solution for a resource server to check hit /v1/introspect every time an access token is sent. What are suggestions to solve for this problem?

Main suggestion is to limit token lifetime to 5 minutes (minimum) and use refresh tokens (which can/should also be revoked) to fetch new tokens so there is a smaller window for the token to be used after its been revoked.

1 Like