Check token validity from resource server

Hi guys!
At this moment we are trying Ory Hydra with our custom consent. I’ve created one client for our mobile backend with custom scopes.
Our problem is from the resource server (api): How can a third-party api check if the access_token received as bearer is valid and has the correct scope? We must register the api as a client, and get an access token to call introspect endpoint? Or can we call introspect endpoint using basic authorization? Should we setup some kind of policy?

Thanks in advance!

Yes to all basically!

We must register the api as a client, and get an access token to call introspect endpoint?

Yes, you can do that!

Or can we call introspect endpoint using basic authorization?

This works as well but I do not recommend it because it uses BCrypt which can be slow if used a lot.
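An added example of the resource-server side of this check (not Hydra's or the thread's code): the HTTP call posts the bearer token to `/oauth2/introspect` (RFC 7662 style), and the accept/reject decision is a pure function that can be tested against a constructed introspection response. The base URL, client id and secret are placeholders.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholder values (assumptions, not from the thread).
HYDRA_URL = "https://hydra.example.internal"
RESOURCE_SERVER_CLIENT_ID = "client-id-resource-server"
RESOURCE_SERVER_SECRET = "replace-me"


def basic_auth_header(client_id: str, secret: str) -> str:
    """Authorization header value for the Basic-auth variant discussed above."""
    raw = f"{client_id}:{secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def introspect(token: str, auth_header: str, required_scopes=()) -> dict:
    """POST the bearer token to the introspection endpoint and return the JSON body.
    auth_header is either a 'Basic ...' value or 'Bearer <resource-server token>'."""
    form = {"token": token}
    if required_scopes:
        form["scope"] = " ".join(required_scopes)  # let Hydra check scope too
    req = urllib.request.Request(
        HYDRA_URL + "/oauth2/introspect",
        data=urllib.parse.urlencode(form).encode(),
        headers={"Authorization": auth_header,
                 "Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def token_is_valid(introspection: dict, required_scopes, now=None) -> bool:
    """Decide locally: token must be active, unexpired, and carry every required scope.
    Never trust 'active' alone; an inactive token may still echo other fields."""
    if not introspection.get("active"):
        return False
    if now is None:
        now = time.time()
    exp = introspection.get("exp")
    if exp is not None and exp <= now:
        return False
    granted = set(introspection.get("scope", "").split())
    return set(required_scopes) <= granted


# Constructed sample response, shaped like an RFC 7662 introspection result.
SAMPLE_RESPONSE = {"active": True, "client_id": "mobile-backend",
                   "scope": "read:profile write:profile", "exp": 2_000_000_000}
```

A real deployment would call `introspect(...)` per request (or cache by token hash until `exp`) and then gate the handler on `token_is_valid(...)`.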

Thank you very much,
I was failing because of a policy issue. I’ve had to add a new policy for the resource server this way:

hydra policies create --skip-tls-verify \
    --actions introspect \
    --description "Can introspect tokens" \
    --allow \
    --id accesstoken_introsp-policy \
    --resources "rn:hydra:oauth2:tokens" \
    --subjects client-id-resource-server

If someone tries to do the same, take it into account.

Regards!

Awesome! Glad you got it working :slight_smile:

Added details in a related question in Stackoverflow targeting Java and Spring Boot.


If the resource server registers as a different client than the client that the access token was created for, will it be able to introspect the other client’s token?

yes