Access Token Validation

Access Token Validation depends on the Grant Type.

Access Token Validation OAuth 2.0#

The OAuth Client treats the Access_token as an Opaque entity and performs no validation on it.

OAuth 2.0 Token Introspection (RFC 7662) defines a protocol that allows authorized protected resources to query the Authorization Server to determine the set of metadata for a given Access Token that was presented to them by an OAuth Client. This metadata includes whether or not the token is currently active (or whether it has expired or otherwise been revoked), what rights of access the token carries (usually conveyed through OAuth Scopes), and the authorization context in which the token was granted (including who authorized the token and which OAuth Client the token was issued to). OAuth 2.0 Token Introspection allows a protected resource to query this information regardless of whether or not it is carried in the token itself, so the method can be used along with or independently of structured token values. Additionally, a protected resource can use the mechanism described in RFC 7662 to introspect the token in a particular authorization decision context and obtain the relevant metadata about the token needed to make that authorization decision appropriately.

OAuth 2.0 Token Introspection (RFC 7662) defines a method for a Resource Server to query an OAuth 2.0 Authorization Server to determine the active state of an OAuth 2.0 access_token and to determine meta-information about this token.

The Resource Server MUST validate the Access_token and ensure that it has not expired (exp) and that its OAuth Scopes cover the requested resource.
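As an added example (not code from the page or from any particular Authorization Server), the following Python shows the two halves of the RFC 7662 flow from the Resource Server's side: building the introspection POST (form-encoded `token`, authenticated here with HTTP Basic credentials; the endpoint URL and credentials are placeholders), and then applying the checks named above to the JSON response: `active` must be true, `exp` must lie in the future, and the granted `scope` values must cover the scopes the requested resource needs. An `aud` check is included as well so that a token issued for a different protected resource is not accepted; that check goes beyond what this page lists. The sample response is constructed and modelled on the example in RFC 7662.

```python
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Optional, Set

# Placeholders (assumed, not from the page): the AS introspection endpoint and the
# credentials this Resource Server uses to authenticate to it.
INTROSPECTION_ENDPOINT = "https://as.example.com/oauth2/introspect"
RS_CLIENT_ID = "resource-server"
RS_CLIENT_SECRET = "resource-server-secret"


def build_introspection_request(token: str) -> urllib.request.Request:
    """Build the RFC 7662 request: POST, application/x-www-form-urlencoded body with
    the `token` parameter, authenticated as the protected resource (HTTP Basic here;
    RFC 7662 leaves the authentication method to the deployment)."""
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": "access_token"}
    ).encode("ascii")
    creds = base64.b64encode(f"{RS_CLIENT_ID}:{RS_CLIENT_SECRET}".encode()).decode()
    return urllib.request.Request(
        INTROSPECTION_ENDPOINT,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
            "Authorization": f"Basic {creds}",
        },
    )


def introspect(token: str) -> dict:
    """Send the request over the network and return the parsed JSON response."""
    with urllib.request.urlopen(build_introspection_request(token), timeout=5) as resp:
        return json.load(resp)


def authorize(response: dict, required_scopes: Set[str], audience: Optional[str] = None,
              now: Optional[float] = None) -> bool:
    """Decide whether the introspected token may access the requested resource.

    Checks, in order: the AS reports the token as active; `exp` is present and still
    in the future; if an audience is given, `aud` (string or list) names this resource;
    and every required scope appears in the space-separated `scope` claim."""
    now = time.time() if now is None else now
    if response.get("active") is not True:
        return False  # inactive, expired or revoked according to the AS
    exp = response.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False  # missing or past expiry: do not trust `active` alone
    if audience is not None:
        aud = response.get("aud")
        auds = aud if isinstance(aud, list) else [aud]
        if audience not in auds:
            return False  # token was issued for some other protected resource
    granted = set(response.get("scope", "").split())
    return required_scopes <= granted


# Constructed sample response, modelled on the RFC 7662 example (not a real token).
SAMPLE_RESPONSE = {
    "active": True,
    "client_id": "l238j323ds-23ij4",
    "username": "jdoe",
    "scope": "read write dolphin",
    "sub": "Z5O3upPC88QrAjx00dis",
    "aud": "https://protected.example.net/resource",
    "iss": "https://server.example.com/",
    "exp": 1419356238,
    "iat": 1419350238,
}

if __name__ == "__main__":
    # Offline demonstration against the constructed response.
    print(authorize(SAMPLE_RESPONSE, {"read"}, "https://protected.example.net/resource",
                    now=1419356000))
```

`introspect()` performs the real network call; `authorize()` is kept separate so the decision logic can be exercised offline against a captured or constructed response, which is also where the expiry boundary (`now >= exp` is rejected) and the scope comparison are easiest to unit-test.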

Access Token Validation OpenID Connect#

To validate an Access Token issued from the Authorization Endpoint with an ID Token, the Client SHOULD do the following: [1]
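As an added example (not part of the page, and not any library's implementation), the following Python carries out the OpenID Connect Core check that ties an Access Token issued from the Authorization Endpoint to the ID Token issued alongside it: the `at_hash` claim must equal the base64url encoding (without padding) of the left-most half of the hash of the ASCII Access Token value, where the hash algorithm is the one underlying the ID Token's JWS `alg` (SHA-256 for RS256, and so on). For this flow `at_hash` is a required claim, so its absence is treated as a failure. The ID Token is assumed to have already been signature-verified and its claims decoded; the sample token and claims here are constructed.

```python
import base64
import hashlib
import hmac

# JWS "alg" of the ID Token determines the hash used for at_hash
# (OpenID Connect Core 1.0, section 3.2.2.9). Assumed to be one of these.
ALG_TO_HASH = {
    "HS256": "sha256", "RS256": "sha256", "ES256": "sha256", "PS256": "sha256",
    "HS384": "sha384", "RS384": "sha384", "ES384": "sha384", "PS384": "sha384",
    "HS512": "sha512", "RS512": "sha512", "ES512": "sha512", "PS512": "sha512",
}


def b64url_nopad(data: bytes) -> str:
    """base64url encoding with the trailing '=' padding removed, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compute_at_hash(access_token: str, alg: str) -> str:
    """Hash the ASCII access token with the alg's hash, keep the left-most half
    of the digest, and base64url-encode it."""
    hash_name = ALG_TO_HASH[alg]
    digest = hashlib.new(hash_name, access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return b64url_nopad(left_half)


def access_token_matches_id_token(access_token: str, id_token_claims: dict, alg: str) -> bool:
    """Return True only if the ID Token carries an at_hash that matches this access
    token. A missing at_hash is a failure in this flow, and the comparison is
    constant-time so the check does not leak how many characters matched."""
    at_hash = id_token_claims.get("at_hash")
    if not isinstance(at_hash, str):
        return False
    return hmac.compare_digest(at_hash, compute_at_hash(access_token, alg))


if __name__ == "__main__":
    # Constructed values: a made-up access token and an ID Token claims set whose
    # at_hash was produced for it with RS256.
    token = "jHkWEdUXMU1BwAsC4vtUsZwnNvTIxEl0z9K3vx5KF0Y"
    claims = {"iss": "https://server.example.com", "sub": "248289761001",
              "at_hash": compute_at_hash(token, "RS256")}
    print(access_token_matches_id_token(token, claims, "RS256"))
    print(access_token_matches_id_token(token + "x", claims, "RS256"))
```

The `alg` passed in must be read from the verified ID Token's own JOSE header, not from the token being checked or from any unauthenticated input; otherwise the at_hash comparison is only as strong as the weakest algorithm an attacker can name.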

Access Token Validation and Grant Types [2]#
