On Wed, Nov 15, 2017 at 9:03 AM, Thilina Madumal <[email protected]> wrote:
> Hi Farazath,
>
> Thanks for the reply. Please see the inline comments.
>
> On Tue, Nov 14, 2017 at 11:10 PM, Farasath Ahamed <[email protected]> wrote:
>>
>> On Tuesday, November 14, 2017, Thilina Madumal <[email protected]> wrote:
>>
>>> Hi Devs,
>>>
>>> I'm working on implementing an SPA that uses an OAuth access token to secure
>>> resource access.
>>> In the documentation [1] I found that to validate the access token that
>>> I have already obtained, the introspection endpoint can be used.
>>>
>>> My question is, is there a way where I can send both the access token
>>> and the refresh token, then IS will validate the access token, and if the
>>> access token is expired IS will issue a new access token for the given
>>> refresh token.
>>>
>>> I understand that the above use case can be achieved by 2 requests to
>>> the IS. But I'm curious to know whether there is a way to achieve this
>>> by a single request.
>>>
>>
>> The Introspection Endpoint is basically an endpoint used to validate
>> and gather metadata about the access token.
>>
>> Usually this will be used by a resource server to validate an access
>> token presented by an OAuth client. The resource server will introspect the
>> token to get metadata and authorize access.
>>
>> Meanwhile, a refresh token flow is between the OAuth client and the
>> authorization server.
>>
>> So the requirement you have presented does not fit into the introspection
>> call/endpoint, i.e. introspection and token refresh in one call, simply
>> because they are two completely different flows.
>>
>
> From an end-user perspective this would be a nice-to-have feature, unless it is
> a spec violation.
> On the other hand, it does not need to be the introspection endpoint; it can
> be some custom endpoint which takes the access token and refresh token
> and has the following behavior:
>
> - if the access token is still valid, return the same access token and
> refresh token.
> - if the access token is expired, exchange the refresh token for a new
> access token, and return the new access token and a new refresh token.
>
> Anyhow, we need to consider the practicality of the use case further.
>
>
>> In your use case why does the SPA have to do the introspection call?
>> Shouldn't it be the resource server consumed by the SPA that needs to do the
>> introspection call?
>>
>
> In this particular use case the IS is the resource server. The SPA is a
> fully browser-based application.
> To verify the authenticity of the user the SPA uses the access token it
> obtained; that's why the SPA needs to call the introspection endpoint.
> Not the SPA: it is the OAuth client that does the introspection call on behalf of the SPA.
>
>
>> If the resource server throws an error due to an invalid access token
>> then the SPA can do the refresh call and get a new token.
>>
>>> [1] https://docs.wso2.com/display/IS530/Invoke+the+OAuth+Introspection+Endpoint
>>>
>>> Best,
>>> Thilina
>>> --
>>> *Thilina Madumal*
>>> *Software Engineer | WSO2*
>>> Email: [email protected]
>>> Mobile: +94 774553167
>>> Web: http://wso2.com
>>>
>>
>> --
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>
>

--
*Thilina Madumal*
*Software Engineer | WSO2*
Email: [email protected]
Mobile: +94 774553167
Web: http://wso2.com
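The two-request flow the thread settles on (introspect the access token, then redeem the refresh token only when introspection reports it inactive), written out as an added example that is not code from the thread or from WSO2. It assumes an RFC 7662 introspection endpoint and an RFC 6749 refresh_token grant with HTTP Basic client authentication; the `post` callable, the `ensure_valid_tokens` name and the endpoint URLs are assumptions, and `fake_post` is a constructed stand-in server so the code runs offline.

```python
"""Validate-then-refresh against an OAuth2 server, as two separate requests.

Added example (not from the WSO2 thread). Assumes RFC 7662 introspection and
the RFC 6749 refresh_token grant; `post(url, data, headers)` is injected so a
real HTTP client or the constructed `fake_post` below can be used.
"""
import base64


def basic_auth(client_id, client_secret):
    # Client authentication for the token/introspection endpoints (HTTP Basic).
    creds = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(creds).decode()


def ensure_valid_tokens(post, tokens, client_id, client_secret,
                        introspect_url, token_url):
    """Return (access_token, refresh_token, refreshed).

    Request 1 introspects the access token. Only if it is inactive does
    request 2 redeem the refresh token; the server may rotate the refresh
    token, so the returned one is taken from the response when present.
    """
    headers = {"Authorization": basic_auth(client_id, client_secret)}
    info = post(introspect_url, {"token": tokens["access_token"],
                                 "token_type_hint": "access_token"}, headers)
    if info.get("active") is True:
        # Still valid: same pair, no second request.
        return tokens["access_token"], tokens["refresh_token"], False
    new = post(token_url, {"grant_type": "refresh_token",
                           "refresh_token": tokens["refresh_token"]}, headers)
    if "access_token" not in new:
        # Refresh token expired/revoked: caller must re-authorize the user.
        raise PermissionError(f"refresh failed: {new.get('error', 'unknown')}")
    return new["access_token"], new.get("refresh_token", tokens["refresh_token"]), True


def fake_post(url, data, headers):
    # Constructed offline stand-in: "at-live" is active, "rt-good" refreshes.
    if url.endswith("/introspect"):
        return {"active": data["token"] == "at-live", "client_id": "spa"}
    if url.endswith("/token") and data.get("grant_type") == "refresh_token":
        if data["refresh_token"] == "rt-good":
            return {"access_token": "at-new", "refresh_token": "rt-new",
                    "token_type": "Bearer", "expires_in": 3600}
        return {"error": "invalid_grant"}
    return {"error": "unsupported_request"}


if __name__ == "__main__":
    print(ensure_valid_tokens(fake_post, {"access_token": "at-old", "refresh_token": "rt-good"},
                              "spa", "s3cret", "https://is.example/oauth2/introspect",
                              "https://is.example/oauth2/token"))
```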
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
