Hi Farazath, Thanks for the reply. Please see the inline comments.
On Tue, Nov 14, 2017 at 11:10 PM, Farasath Ahamed <[email protected]> wrote: > > > On Tuesday, November 14, 2017, Thilina Madumal <[email protected]> > wrote: > >> Hi Devs, >> >> I'm working implementing an SPA that uses OAuth access-token in securing >> resource access. >> In the documentation [1] I found that to validate the access token that I >> already have obtained, the introspection endpoint can be used. >> >> My question is, is there a way where I can send both the accesss token >> and the refresh token, then IS will validate the access token, and if the >> access token is expired IS will issue a new access token for the given >> refresh token. >> >> I understand that the above use-case can be achieved by 2 requests to the >> IS. But I'm curious is to know whether there is a way to achieve this by a >> single request. >> > > Introspection Endpoint is basically an endpoint used to gather validate > and gather metadata about the access token. > > Usually this will be used by a resource server to validate an access token > presented by an oauth client. Resource server will introspect the token to > get metadata and authorize access. > > Meanwhile, a refresh token flow is between the oauth client and > authorization server. > > So the requirement you have presented does not fit into the introspection > call/endpoint. ie. Introspection and token refresh in one call simply > because there are two completely different flows. > In end-user perspective this would be a nice to have feature unless it is not a spec violation. On the other hand it do not need to be the introspection endpoint, it can be some custom endpoint where it takes the access-token and refresh-token and has the following behavior; - if the access-token is still valid return the same accesss-token and refresh-token. - if access-token is expired exchange the refresh-token for a new access-token, and return the new access-token and a new refresh-token. Anyhow need to consider the practicality of the use-case furthermore. > > In you use case why does the SPA have to do the introspection call? > Shouldn't it be the resource server consumed by SPA that needs to do the > introspection call. > In this particular use-case the IS is the resource server. The SPA is a fully browser based application. To verify the authenticity of the user the SPA uses the access-token it obtained, that's why the SPA needs to call the introspection endpoint. > > If the resource server throws an error due to an invalid access token then > the SPA can do the refresh call and get a new token. > >> >> [1] https://docs.wso2.com/display/IS530/Invoke+the+OAuth+ >> Introspection+Endpoint >> >> Best, >> Thilina >> -- >> *Thilina Madumal* >> *Software Engineer | **WSO2* >> Email: [email protected] >> Mobile: *+ <+94%2077%20767%201807>94 774553167* >> Web: <http://goog_716986954>http://wso2.com >> >> <http://wso2.com/signature> >> >> > > -- > Farasath Ahamed > Software Engineer, WSO2 Inc.; http://wso2.com > Mobile: +94777603866 > Blog: blog.farazath.com > Twitter: @farazath619 <https://twitter.com/farazath619> > <http://wso2.com/signature> > > > > -- *Thilina Madumal* *Software Engineer | **WSO2* Email: [email protected] Mobile: *+ <+94%2077%20767%201807>94 774553167* Web: <http://goog_716986954>http://wso2.com <http://wso2.com/signature>
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
