Token Introspection Endpoint is an Endpoint when receiving a Requesting Party Token with the "Bearer" scheme in the Authorization Header from a OAuth Client making an access attempt, the Resource Server introspects the Requesting Party Token by using the Token Introspection Endpoint of the Protection API. The Protection API Token used by the Resource Server to make the introspects request which provides the Resource Owner context to the Authorization Server.
The Authorization Server responds with a JSON object with the structure dictated by OAuth 2.0 Token Introspection. If the "active" property has a Boolean value of true, then the JSON object MUST NOT contain a "scope" claim, and MUST contain an extension property with the name "permissions" that contains an array of zero or more values, each of which is an object consisting of these properties:
|resource_set_id||REQUIRED||A string that uniquely identifies the Resource Set, access to which has been granted to this client on behalf of this Requesting Party. The identifier MUST correspond to a Resource Set that was previously registered as protected.|
|scopes||REQUIRED||An array referencing one or more URIs of scopes to which access was granted for this Resource Set. Each scope MUST correspond to a scope that was registered by this resource server for the referenced Resource Set.|
|exp||OPTIONAL||Integer timestamp, Unix Time, indicating when this Permission will expire. If the property is absent, the Permission does not expire. If the token-level "exp" value pre-dates a permission-level "exp" value, the former overrides the latter.|
|iat||OPTIONAL||Integer timestamp,Unix Time, indicating when this Permission was originally issued. If the token-level "iat" value post-dates a permission-level "iat" value, the former overrides the latter.|
|nbf||OPTIONAL||Integer timestamp, Unix Time, indicating the time before which this Permission is not valid. If the token-level "nbf" value post-dates a permission-level "nbf" value, the former overrides the latter.|