I’m looking for some clarification about how as a resource server accepting access tokens from a custom auth server I can check whether the access token has been revoked?
I understand how to get the signing keys and check the token signature, claims, and check for expiration.
What I wanted to do was be able to check the OIDC /introspect endpoint to see if a token was revoked before it expired.
I understand that /introspect requires authentication.
What I found was that when my resource server called /introspect as a public client, any token that was obtained and presented by other clients was introspected as “Token is not active”. But if I gave my resource server a confidential client ID, it seems to work as I expected and my resource server can /introspect access tokens obtained by other clients.
Is this expected? I don’t have a particular reason to allocate secrets to my resource servers, so I wasn’t going to if I didn’t have to - just give my resource servers non-confidential client IDs.
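For reference, here is an added example (not from the original post or any particular auth server) of what the resource server's introspection call looks like as a confidential client versus a public one, and how the `active` flag should be interpreted. The endpoint URL, client ID, secret and the two JSON responses are constructed for illustration; RFC 7662 requires the server to answer `active: false` not only for revoked or expired tokens but also for tokens the calling client is not authorized to introspect, which is consistent with the behaviour described above.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request

# Constructed sample introspection responses (RFC 7662 section 2.2 shape).
ACTIVE_RESPONSE = ('{"active": true, "client_id": "web-app", "scope": "orders:read", '
                   '"exp": 1700003600, "aud": "orders-api"}')
INACTIVE_RESPONSE = '{"active": false}'


def build_introspection_request(endpoint, token, client_id, client_secret=None):
    """Build the POST to the introspection endpoint (hypothetical endpoint URL).

    A confidential client authenticates with HTTP Basic (client_id:client_secret).
    A public client can only identify itself via client_id in the form body; an
    authorization server may then refuse to disclose token state and reply
    active=false for tokens issued to other clients.
    """
    form = {"token": token, "token_type_hint": "access_token"}
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    if client_secret is None:
        form["client_id"] = client_id
    else:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    return Request(endpoint, data=urlencode(form).encode(), headers=headers, method="POST")


def evaluate_introspection(body, expected_aud, now):
    """Return (accept, reason) for an introspection response body.

    active=false covers revoked, expired and unknown tokens as well as tokens the
    caller is not allowed to see, so the resource server cannot tell these apart.
    The exp and aud checks are repeated locally rather than trusted implicitly.
    """
    resp = json.loads(body)
    if resp.get("active") is not True:
        return False, "inactive (revoked, expired, unknown, or caller not authorized)"
    exp = resp.get("exp")
    if exp is not None and exp <= now:
        return False, "expired per exp claim"
    aud = resp.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return False, "audience mismatch"
    return True, "active"
```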