Check token validity from resource server


#1

Hi guys!
At this moment we are trying Ory Hydra with our custom consent. I’ve created one client for our mobile backend with custom scopes.
Our problem is on the resource server (API) side: how can a third-party API check whether an access_token received as a bearer token is valid and has the correct scope? Must we register the API as a client and get an access token to call the introspect endpoint? Or can we call the introspect endpoint using basic authorization? Should we set up some kind of policy?

Thanks in advance!


#2

Yes to all basically!

We must register the api as a client, and get an access token to call introspect endpoint?

Yes, you can do that!

Or can we call introspect endpoint using basic authorization?

This works as well, but I do not recommend it because it uses BCrypt, which can be slow if used a lot.


#3

Thank you very much,
I was failing because of a policy issue. I’ve had to add a new policy for the resource server this way:

hydra policies create --skip-tls-verify \
    --actions introspect \
    --description "Can introspect tokens" \
    --allow \
    --id accesstoken_introsp-policy \
    --resources "rn:hydra:oauth2:tokens" \
    --subjects client-id-resource-server

If someone tries to do the same, take it into account.

Regards!
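The flow agreed on in #2 and #3, written out as an added example (not code from this thread, Ory Hydra, or the original poster): the resource server is registered as its own OAuth2 client, obtains a token once via client_credentials, and then checks each incoming bearer token against Hydra's introspection endpoint (RFC 7662), accepting it only if it is active and carries the required scope. The Hydra URL, the client credentials, and the `hydra.introspect` scope name are assumptions; the `post` parameter exists so the logic can be exercised offline with a constructed transport.

```python
"""Resource-server token check against Ory Hydra's introspection endpoint.
Added example for this thread, not the project's own code."""
import base64
import json
import urllib.parse
import urllib.request

HYDRA_URL = "https://hydra.example.test:4444"  # assumed public Hydra URL
INTROSPECT_SCOPE = "hydra.introspect"         # assumed; use your version's scope


def http_post(url, body, headers):
    """Real transport: form-encoded POST, returns the JSON body."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def client_credentials_token(client_id, client_secret, post=http_post):
    """Step 1: the API fetches its own access token with client_credentials.
    Basic auth (and its BCrypt cost) is paid once here, not on every request."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    tok = post(f"{HYDRA_URL}/oauth2/token",
               {"grant_type": "client_credentials", "scope": INTROSPECT_SCOPE},
               {"Authorization": f"Basic {creds}"})
    return tok["access_token"]


def introspect(bearer, api_token, post=http_post):
    """Step 2: ask Hydra about the caller's bearer token, authenticated with
    the API's own token (the policy from #3 must allow this subject)."""
    return post(f"{HYDRA_URL}/oauth2/introspect",
                {"token": bearer},
                {"Authorization": f"Bearer {api_token}"})


def authorize(bearer, api_token, required_scope, post=http_post):
    """Accept only an active token carrying every required scope.
    An inactive token comes back as {"active": false} with no other claims,
    so the scope check must never run before the active check."""
    info = introspect(bearer, api_token, post)
    if not info.get("active"):
        return False
    granted = set(info.get("scope", "").split())
    return set(required_scope.split()) <= granted
```

Cache the API's own token until it expires rather than calling `client_credentials_token` per request.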


#4

Awesome! Glad you got it working :slight_smile:


#5

Added details in a related question on Stack Overflow targeting Java and Spring Boot.