Hi, I have been using Okta OIDC for the past few months. I can't understand the flow: if I get the access_token using a custom scope in a custom authorization server via the token endpoint, the endpoint returns only the access token, its type and its validity, and it does not return the id_token. I understand why the id_token is not returned, because the openid scope is not given at the authorize endpoint. But after getting the access token from the custom scope, what should I do with that access token in the next steps? The userinfo endpoint only returns data if the openid scope is given. Are there any other endpoints for these types of access tokens in Okta?
Thank you for your reply @dragos, but I already know about access_token validation. The problem is: if I generate the access token using custom scopes, can it be used for any endpoints, like Okta's predefined endpoints, or can we create custom endpoints for the access token generated using custom scopes?
If you are using the Okta authorization server, then you can use the access token as a bearer token to access Okta tenant API endpoints instead of using an API token. You can find more details about this feature here.
For custom authorization servers, you can use the access token as a bearer token inside the Authorization header in order to securely request details from a resource server. Access tokens generated through this authorization server have their signing keys returned on the /keys endpoint and, as such, the resource server can verify them locally without needing to make a request to the /introspect endpoint of the authorization server.
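The local verification described in the answer above, written out as an added example (it is not code from the thread or from Okta): a resource server fetches the JWKS from the authorization server's /keys endpoint, picks the key by `kid`, checks the RS256 signature, then checks issuer, audience, expiry and the custom scope before serving the request. To run offline, it generates an RSA key and mints the token itself in place of the token endpoint; the issuer and audience strings are placeholders, and the scope claim name `scp` is the one Okta puts in its access tokens.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK is the subset of a JSON Web Key needed for RS256 verification; the
// field names match what a JWKS document from a /keys endpoint carries.
type JWK struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	Alg string `json:"alg"`
	N   string `json:"n"`
	E   string `json:"e"`
}

type JWKS struct {
	Keys []JWK `json:"keys"`
}

// Claims is the subset of access-token claims a resource server checks.
// "scp" is the claim name Okta uses for granted scopes; "aud" is assumed
// to be a single string here, as Okta issues it.
type Claims struct {
	Iss string   `json:"iss"`
	Aud string   `json:"aud"`
	Sub string   `json:"sub"`
	Exp int64    `json:"exp"`
	Scp []string `json:"scp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// JWKSFor publishes the public half of a key the way a /keys endpoint would.
func JWKSFor(pub *rsa.PublicKey, kid string) JWKS {
	return JWKS{Keys: []JWK{{Kid: kid, Kty: "RSA", Alg: "RS256",
		N: b64(pub.N.Bytes()), E: b64(big.NewInt(int64(pub.E)).Bytes())}}}
}

// MintToken signs claims as an RS256 JWT; it stands in for the authorization
// server's token endpoint so the example runs without a network.
func MintToken(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	pb, _ := json.Marshal(c)
	signingInput := b64(hb) + "." + b64(pb)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// publicKeyFromJWK rebuilds an rsa.PublicKey from the base64url n and e values.
func publicKeyFromJWK(k JWK) (*rsa.PublicKey, error) {
	if k.Kty != "RSA" {
		return nil, errors.New("unsupported kty " + k.Kty)
	}
	nb, err := base64.RawURLEncoding.DecodeString(k.N)
	if err != nil {
		return nil, err
	}
	eb, err := base64.RawURLEncoding.DecodeString(k.E)
	if err != nil {
		return nil, err
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}, nil
}

// VerifyAccessToken is the resource-server side: signature against the JWKS
// first, then iss, aud, exp and the scope the endpoint requires. The claims
// are only trusted after the signature check passes.
func VerifyAccessToken(token string, jwks JWKS, issuer, audience, requiredScope string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hb, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // pin the algorithm; never let the token choose it
		return nil, errors.New("unexpected alg " + hdr.Alg)
	}
	var key *JWK
	for i := range jwks.Keys {
		if jwks.Keys[i].Kid == hdr.Kid {
			key = &jwks.Keys[i]
		}
	}
	if key == nil {
		return nil, errors.New("no JWKS key with kid " + hdr.Kid)
	}
	pub, err := publicKeyFromJWK(*key)
	if err != nil {
		return nil, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if c.Aud != audience {
		return nil, fmt.Errorf("unexpected audience %q", c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	for _, s := range c.Scp {
		if s == requiredScope {
			return &c, nil
		}
	}
	return nil, fmt.Errorf("token lacks scope %q", requiredScope)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	const issuer = "https://example.okta.com/oauth2/default" // placeholder issuer
	const audience = "api://default"                         // placeholder audience
	jwks := JWKSFor(&priv.PublicKey, "demo-kid")
	tok, _ := MintToken(priv, "demo-kid", Claims{Iss: issuer, Aud: audience, Sub: "user@example.com",
		Exp: time.Now().Add(time.Hour).Unix(), Scp: []string{"test"}})
	c, err := VerifyAccessToken(tok, jwks, issuer, audience, "test", time.Now())
	fmt.Println("scope test:", c, err)
	_, err = VerifyAccessToken(tok, jwks, issuer, audience, "admin", time.Now())
	fmt.Println("scope admin:", err)
}
```

In practice the JWKS is fetched once from the custom authorization server's /keys URL and cached, with a refetch when a token carries an unknown `kid` (Okta rotates keys). The point for the question in this thread is the last check: a token minted with the custom scope "test" is accepted only by the endpoints that require "test", so the scope is what gives the token meaning at your own resource server.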
Thank you @dragos, I understand it a little bit now. But my major question is: if I get an access token by using the custom scopes at the token endpoint, apart from verifying the signature, what can I do with that access token?
For example, if I get the access token using the openid scope, then I can use that access token for the userinfo endpoint. Likewise, if I create a custom scope in a custom authorization server and the custom scope name is "test", I can use the scope (test) at the authorize endpoint to get the code and also get the access token using that authorization code. After that, can I use that access token with any endpoints (i.e. the userinfo endpoint)?