Overview#Access Token Validation is dependent on the Grant Type OAuth Client sees the Access_token is an Opaque entity and no validation is performed.
OAuth 2.0 Token Introspection (RFC 7662) defines a protocol that allows authorized protected resources to query the Authorization Server to determine the set of metadata for a given Access Token that was presented to them by an OAuth Client. This metadata includes whether or not the token is currently active (or if it has expired or otherwise been revoked), what rights of access the token carries (usually conveyed through OAuth Scopes), and the authorization context in which the token was granted (including who authorized the token and which OAuth Client the Token was issued to). OAuth 2.0 Token Introspection allows a protected resource to query this information regardless of whether or not it is carried in the token itself, allowing this method to be used along with or independently of structured token values. Additionally, a protected resource can use the mechanism described in this OAuth 2.0 Token Introspection to introspect the token in a particular authorization decision context and ascertain the relevant metadata about the token to make this authorization decision appropriately.
OAuth 2.0 Token Introspection (RFC 7662) defines a method for a Resource Server to query an OAuth 2.0 Authorization Server to determine the active state of an OAuth 2.0 access_token and to determine meta-information about this token.
Access Token Validation OpenID Connect#To validate an Access Token issued from the Authorization Endpoint with an ID Token, the Client SHOULD do the following: 
- Hash the octets of the ASCII representation of the access_token with the hash algorithm specified in JWA for the alg Header Parameter of the Id_token's JOSE Header. For instance, if the alg is RS256, the hash algorithm used is SHA-256.
- Take the left-most half of the hash and base64url encode it.
- The value of at_hash in the Id_token MUST match the value produced in the previous step.
Access Token Validation and Grant Types #
- Implicit Grant, if the id_token contains an at_hash Claim, the Client SHOULD use it to validate the Access Token (Access_token)
- Authorization Code Grant, if the id_token contains an at_hash Claim, the Client MAY use it to validate the Access Token (Access_token)
- Hybrid Flow, if the id_token contains an at_hash Claim, the Client SHOULD use it to validate the Access Token (Access_token)