Check token validity from resource server

davidf.76 · March 12, 2018, 4:55pm

Hi guys!
At this moment we are trying Ory Hydra with our custom consent. I’ve created one client for our mobile backend with custom scopes.
Our problem is from the resource server (api): How a third party api can check if access_token received as bearer is valid and has the correct scope?. We must register the api as a client, and get an access token to call introspect endpoint? Or can we call introspect endpoint using basic authorization? Should we setup some kind of policy?

Thanks in advance!

hackerman · March 12, 2018, 5:38pm

Yes to all basically!

We must register the api as a client, and get an access token to call introspect endpoint?

Yes, you can do that!

Or can we call introspect endpoint using basic authorization?

This works as well but I do not recommend it because it uses BCrypt which can be slow if used a lot.

davidf.76 · March 12, 2018, 6:35pm

Thank you very much,
I was failing because of a policy issue. I’ve had to add a new policy for the resource server this way:

hydra policies create --skip-tls-verify \
    --actions introspect \
    --description "Can introspect tokens" \
    --allow \
    --id accesstoken_introsp-policy \
    --resources "rn:hydra:oauth2:tokens" \
    --subjects client-id-resource-server

If someone try to do the same, take it into account.

Regards!

hackerman · March 12, 2018, 6:33pm

Awesome! Glad you got it working

davidf.76 · March 14, 2018, 4:45pm

Added details in a related question in Stackoverflow targeting Java and Spring Boot.

michaeld · June 13, 2018, 8:14am

If the resource server registers as a different client than the client that the access token was created for, will it be able to introspect the other client’s token ?

hackerman · June 13, 2018, 8:26am

yes