Verifying scopes on the resource server or API proxy?

Hi there,

When using the access_token to make authenticated requests to an OAuth2 protected API:

  • How does the resource server typically validate that the requests have the appropriate scopes?
  • How are scopes typically associated to API endpoints / any documentation on best practices around is?

Based on docs I’ve read so far, I see that Okta suggests libraries to validate the tokens locally (or remotely via /v1/introspect), but that only checks the validity of the token, not the permissions.

Thank you in advance!

For context, I’m trying to secure an API key/pair protected API with OAuth2, and am trying to keep the security checks as decoupled as I can because I don’t have access to the target server codebase. Would love to hear if this is a common or known use case!

Anyway, what I ended up doing for now for my proof-of-concept was implementing two python decorators: one for local token validation and one for scope checks. I used the python-jose (jwt) library.