On Tuesday, November 14, 2017, Thilina Madumal <[email protected]> wrote:

> Hi Devs,
>
> I'm working on implementing an SPA that uses OAuth access tokens in securing
> resource access.
> In the documentation [1] I found that to validate the access token that I
> already have obtained, the introspection endpoint can be used.
>
> My question is, is there a way where I can send both the access token and
> the refresh token, then IS will validate the access token, and if the
> access token is expired IS will issue a new access token for the given
> refresh token.
>
> I understand that the above use-case can be achieved by 2 requests to the
> IS. But I'm curious to know whether there is a way to achieve this by a
> single request.
>

The Introspection Endpoint is basically an endpoint used to validate and
gather metadata about the access token.

Usually this will be used by a resource server to validate an access token
presented by an OAuth client. The resource server will introspect the token to
get metadata and authorize access.

Meanwhile, a refresh token flow is between the OAuth client and the
authorization server.

So the requirement you have presented does not fit into the introspection
call/endpoint, i.e. introspection and token refresh in one call, simply
because these are two completely different flows.

In your use case, why does the SPA have to do the introspection call?
Shouldn't it be the resource server consumed by the SPA that needs to do the
introspection call?

If the resource server throws an error due to an invalid access token then
the SPA can do the refresh call and get a new token.

>
> [1] https://docs.wso2.com/display/IS530/Invoke+the+OAuth+Introspection+Endpoint
>
> Best,
> Thilina
> --
> *Thilina Madumal*
> *Software Engineer | **WSO2*
> Email: [email protected]
> Mobile: *+94 774553167*
> Web: http://wso2.com
>
>
>

-- 
Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 <https://twitter.com/farazath619>
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
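
The split the reply describes, as an added example that is not part of the original thread or WSO2's own code: the SPA sends its bearer token to the resource server, and only when the resource server answers 401 does it run the refresh grant against the authorization server and retry once. `TOKEN_ENDPOINT`, `CLIENT_ID`, `createApiClient` and `stubHttp` are hypothetical names and placeholder values, and sending `client_id` in the form body assumes a public client.

```javascript
// Added example; endpoint URL and client id are placeholders, not from the thread.
const TOKEN_ENDPOINT = "https://is.example.com/oauth2/token";
const CLIENT_ID = "spa-client-id";

// `http` has the fetch() signature, so a browser passes fetch and a test passes a stub.
function createApiClient(tokens, http = globalThis.fetch) {
  // Refresh grant (RFC 6749 section 6): between the client and the authorization server.
  async function refresh() {
    const body = new URLSearchParams({
      grant_type: "refresh_token",
      refresh_token: tokens.refreshToken,
      client_id: CLIENT_ID,
    });
    const res = await http(TOKEN_ENDPOINT, {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    });
    if (!res.ok) throw new Error("refresh failed: " + res.status);
    const json = await res.json();
    tokens.accessToken = json.access_token;
    // Keep the old refresh token unless the server rotated it.
    if (json.refresh_token) tokens.refreshToken = json.refresh_token;
  }

  // The resource server validates the bearer token itself and answers 401 if it is invalid.
  async function call(url, init = {}) {
    for (let attempt = 0; ; attempt++) {
      const headers = { ...init.headers, Authorization: "Bearer " + tokens.accessToken };
      const res = await http(url, { ...init, headers });
      // Refresh and retry once only, so a rejected new token cannot cause a loop.
      if (res.status !== 401 || attempt === 1) return res;
      await refresh();
    }
  }
  return { call };
}

// Constructed stub for both servers: the resource server accepts only "at-2".
function stubHttp(log) {
  return async (url, init) => {
    log.push(url);
    if (url === TOKEN_ENDPOINT) {
      return { ok: true, status: 200, json: async () => ({ access_token: "at-2" }) };
    }
    const ok = init.headers.Authorization === "Bearer at-2";
    return { ok, status: ok ? 200 : 401, json: async () => ({}) };
  };
}
```

In a browser, `createApiClient(tokens)` uses the page's `fetch`; the stub only exists so the exchange can be replayed offline.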
