Is it possible to validate the access token received in a request locally in Java? My use case: without making a call to the Okta API, is it possible to validate the access token locally within Java code? Does Okta allow that? If so, how?
If the access token was issued by a custom authorization server (e.g. the issuer is something like “https://org.okta.com/oauth2/default”), then you can retrieve the signing keys from the /keys endpoint (e.g. “https://org.okta.com/oauth2/default/v1/keys”) and use a JWT verifier such as this one in order to verify the token locally.
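The local check described in the answer above, as an added example that is not code from this thread or from Okta: it rebuilds the RSA key from a JWK's `n` and `e`, verifies the RS256 signature, then checks `iss`, `aud` and `exp`, using only the JDK. The class name, the generated key pair standing in for the issuer's key, the `api://default` audience and the regex claim lookup are assumptions for the demo; in real use `n` and `e` come from the /keys entry whose `kid` matches the token header.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;
import java.util.regex.*;

public class LocalJwtCheck {
    static final Base64.Decoder DEC = Base64.getUrlDecoder();
    static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    static String b64(String s) { return ENC.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }
    static String json(String part) { return new String(DEC.decode(part), StandardCharsets.UTF_8); }
    // Rebuild the public key from the "n" and "e" members of one JWK in the /keys response.
    static PublicKey fromJwk(String n, String e) throws GeneralSecurityException {
        return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(
                new BigInteger(1, DEC.decode(n)), new BigInteger(1, DEC.decode(e))));
    }
    // Demo-only lookup of a flat string or number claim; use a real JSON parser in production.
    static String claim(String doc, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"?([^\",}\\s]*)").matcher(doc);
        return m.find() ? m.group(1) : null;
    }
    static boolean valid(String jwt, PublicKey key, String iss, String aud, long now) throws GeneralSecurityException {
        String[] p = jwt.split("\\.");
        if (p.length != 3 || !"RS256".equals(claim(json(p[0]), "alg"))) return false; // alg is pinned here
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(DEC.decode(p[2]))) return false; // claims are only read after this passes
        String body = json(p[1]), exp = claim(body, "exp");
        return exp != null && Long.parseLong(exp) > now
                && iss.equals(claim(body, "iss")) && aud.equals(claim(body, "aud"));
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair(); // constructed stand-in for the issuer's signing key
        RSAPublicKeySpec pub = KeyFactory.getInstance("RSA").getKeySpec(kp.getPublic(), RSAPublicKeySpec.class);
        PublicKey key = fromJwk(ENC.encodeToString(pub.getModulus().toByteArray()),
                ENC.encodeToString(pub.getPublicExponent().toByteArray()));
        String iss = "https://org.okta.com/oauth2/default", aud = "api://default"; // constructed sample claims
        String signingInput = b64("{\"alg\":\"RS256\"}") + "." + b64("{\"iss\":\"" + iss + "\",\"aud\":\"" + aud + "\",\"exp\":2000000000}");
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        String jwt = signingInput + "." + ENC.encodeToString(s.sign());
        System.out.println("checked before exp: " + valid(jwt, key, iss, aud, 1700000000L));
        System.out.println("checked after exp:  " + valid(jwt, key, iss, aud, 2000000001L));
    }
}
```

A caller should treat any exception from `valid` (malformed Base64, a non-numeric `exp`, a bad signature length) as a rejected token.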
What if it is issued by the org authorization server?
How can we validate it?
You can use the same call basically as for the custom authorization servers:
curl --location --request POST 'https://dragos.okta.com/oauth2/v1/introspect' \
  --header 'Accept: application/json' \
  --header 'Authorization: Basic MG9hN...' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'token=TOKEN_HERE'