When using the access_token to make authenticated requests to an OAuth2 protected API:
- How does the resource server typically validate that the requests have the appropriate scopes?
- How are scopes typically associated with API endpoints, and is there any documentation on best practices around this?
Based on docs I’ve read so far, I see that Okta suggests libraries to validate the tokens locally (or remotely via /v1/introspect), but that only checks the validity of the token, not the permissions.
Thank you in advance!
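An added example (not from the original post, nor Okta's own libraries) of the step the question is asking about: after signature, issuer, audience and expiry have been verified, the resource server maps each endpoint to the scopes it requires and compares them with the scopes the token carries. The endpoint table and scope names are constructed for illustration; the claim layout (Okta's `scp` array, RFC 7662's space-delimited `scope` string) and the RFC 6750 `insufficient_scope` response are real.

```python
"""Per-endpoint scope enforcement for an OAuth2 resource server (added example)."""

# Constructed policy: (HTTP method, path) -> scopes the caller must hold.
# Scope names are hypothetical; the API owner defines them when registering
# the resource server with the authorization server.
REQUIRED_SCOPES = {
    ("GET", "/api/orders"): {"orders.read"},
    ("POST", "/api/orders"): {"orders.write"},
    ("DELETE", "/api/orders"): {"orders.write", "orders.admin"},
}


def granted_scopes(claims):
    """Return the scopes a validated token grants, as a set.

    Okta access tokens carry an array in the 'scp' claim; an RFC 7662
    introspection response carries a space-delimited string in 'scope'.
    """
    if isinstance(claims.get("scp"), list):
        return set(claims["scp"])
    return set(str(claims.get("scope", "")).split())


def authorize(method, path, claims):
    """Decide one request; returns (http_status, WWW-Authenticate header or None).

    `claims` must come from a token whose signature, issuer, audience and
    expiry were already verified (locally or via /v1/introspect); this
    function only checks permissions, which that validation does not do.
    """
    required = REQUIRED_SCOPES.get((method, path))
    if required is None:
        return 403, None  # fail closed: no scope policy registered for this endpoint
    missing = required - granted_scopes(claims)
    if missing:
        # RFC 6750 section 3.1: 403 with error="insufficient_scope" and the
        # scope(s) the endpoint needs, so the client knows what to request.
        header = 'Bearer error="insufficient_scope", scope="%s"' % " ".join(sorted(required))
        return 403, header
    return 200, None


if __name__ == "__main__":
    # Constructed claims, as a verifier library would hand them back.
    okta_style = {"sub": "user@example.com", "scp": ["openid", "orders.read"]}
    introspect_style = {"active": True, "scope": "openid orders.write orders.admin"}
    print(authorize("GET", "/api/orders", okta_style))          # (200, None)
    print(authorize("POST", "/api/orders", okta_style))         # (403, 'Bearer error="insufficient_scope", ...')
    print(authorize("DELETE", "/api/orders", introspect_style)) # (200, None)
```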