Checking access token for revocation

I’m looking for some clarification about how as a resource server accepting access tokens from a custom auth server I can check whether the access token has been revoked?

I understand how to get the signing keys and check the token signature, claims, and check for expiration.

What I wanted to do was be able to check the OIDC /introspect endpoint to see if a token was revoked before it expired.

I understand that /introspect requires authentication.

What I found was that when my resource server called /introspect as a public client, any token that was obtained and presented by other clients was introspected as “Token is not active”. But if I gave my resource server a confidential client ID, it seems to work as I expected and my resource server can /introspect access tokens obtained by other clients.

Is this expected? I don’t have a particular reason to allocate secrets to my resource servers, so I wasn’t going to if I didn’t have to - just give my resource servers non-confidential client IDs.

As you have mentioned, the /introspect endpoint requires client authentication. There isn’t anything that would prevent you from making that request with other client IDs. Maybe this article will be helpful as well.

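As an added example (not code from this thread or from the authorization server vendor), here is what the resource server side of the arrangement discussed above looks like in Python: the RFC 7662 introspection request authenticated as a confidential client, and the acceptance check over the response. The endpoint URL, audience, client credentials and sample responses are all assumed or constructed for illustration.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Hypothetical values, constructed for this example.
INTROSPECT_URL = "https://auth.example.com/oauth2/default/v1/introspect"
EXPECTED_AUD = "api://resource"

def build_introspection_request(token, client_id, client_secret):
    """Return (url, headers, body) for an RFC 7662 introspection call.
    The resource server authenticates as a confidential client using
    HTTP Basic (client_id:client_secret), which is what the thread found
    necessary to introspect tokens issued to other clients."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return INTROSPECT_URL, headers, body

def token_is_valid(introspection_json, now=None):
    """Decide whether to accept a token from its introspection response.
    Revoked, expired or unknown tokens come back as {"active": false};
    an active token is still checked for expiry and audience locally."""
    now = time.time() if now is None else now
    resp = json.loads(introspection_json)
    if resp.get("active") is not True:
        return False
    exp = resp.get("exp")
    if exp is None or exp <= now:
        return False
    aud = resp.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return EXPECTED_AUD in auds

# Constructed sample responses (not real server output).
ACTIVE_RESPONSE = json.dumps({"active": True, "client_id": "other-client-id",
                              "aud": EXPECTED_AUD, "exp": 1700003600, "scope": "read"})
REVOKED_RESPONSE = json.dumps({"active": False})

if __name__ == "__main__":
    url, headers, body = build_introspection_request("<opaque-token>", "rs-client", "rs-secret")
    print(url, headers["Authorization"][:12] + "...", body)
    print(token_is_valid(ACTIVE_RESPONSE, now=1700000000))   # True
    print(token_is_valid(REVOKED_RESPONSE, now=1700000000))  # False
```

The actual HTTP POST (with `requests` or `urllib`) is left out so the block runs offline; the "active": false answer the question describes is exactly the revoked case this check rejects.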

Yes. The abuse/fishing reasoning makes sense. Pulling the client ID out of the token being validated isn’t a general solution since it requires foreknowledge of which client IDs are non-confidential (require no real auth) and which are not (requiring some sort of secret to auth).

So long as my confidential clients will be able to validate tokens from any client, I can work with that.