We have an SPA which passes an authenticated user’s access token with any back-end service requests the UI makes.
If that token was stolen it could be used to call those services whilst the token is still valid (or at least not expired) in a ‘replay attack’. We can shorten the expiry time and could add compromised tokens to a deny list to mitigate some of that, but we would also like to be able to determine if the Okta user session was still valid for an access token that’s been passed to a particular back-end service (so not all services) - i.e. the service is able to ask Okta if the passed access token is linked to an active user session. If the user has logged out of the UI and terminated the Okta session, the answer would be no.
We had assumed that the /introspect endpoint could be used for this purpose but this does not seem to be the case.
Is there a way to check if an access token is linked to an active Okta session from a back-end service (where there is no browser sessionId)?
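As an added illustration (not code from the poster), here is how a back-end service could layer the mitigations the question mentions: a local expiry check, a deny list of compromised token ids, and a call to the RFC 7662 introspection endpoint. It assumes the JWT signature was already verified upstream and that the introspection HTTP call is injected as a callable (here a constructed fake) so it runs offline; note that introspection only reports whether the token is active, not whether the Okta user session still exists.

```python
import time
from typing import Any, Callable, Dict, Optional, Set

# Introspector: given the raw access token, returns the parsed JSON body of
# POST .../v1/introspect (RFC 7662). Injected so the example runs offline.
Introspector = Callable[[str], Dict[str, Any]]

def evaluate_token(raw_token: str, claims: Dict[str, Any], denied_jtis: Set[str],
                   introspect: Introspector, now: Optional[float] = None) -> Dict[str, Any]:
    """Hypothetical check combining expiry, deny list and introspection.
    `claims` are the already signature-verified JWT claims."""
    now = time.time() if now is None else now
    # 1. Local expiry check: cheap, and a short lifetime limits replay windows.
    if claims.get("exp", 0) <= now:
        return {"allowed": False, "reason": "expired"}
    # 2. Deny list keyed on the jti claim: rejects tokens known to be compromised.
    if claims.get("jti") in denied_jtis:
        return {"allowed": False, "reason": "denied_jti"}
    # 3. Introspection: the issuer's view of token status (revoked/expired).
    result = introspect(raw_token)
    if not result.get("active", False):
        return {"allowed": False, "reason": "introspect_inactive"}
    # Token is valid; the user session state is still unknown at this point.
    return {"allowed": True, "reason": "token_valid_session_unknown"}

def fake_introspect(raw_token: str) -> Dict[str, Any]:
    """Constructed stand-in for the introspection endpoint (offline only)."""
    revoked = {"tok-revoked"}
    return {"active": raw_token not in revoked, "token_type": "Bearer"}

if __name__ == "__main__":
    sample_claims = {"sub": "user@example.com", "jti": "jti-1", "exp": 2_000_000_000}
    print(evaluate_token("tok-good", sample_claims, set(), fake_introspect, now=1_700_000_000))
```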