Hi folks!
I have a question. At database a token signature is stored, instead of the token itself. How can we get token information even when the token is outdated (to trace access to our apis and detect the owner of leaked tokens, for example). At introspect endpoint, if is outdate, cant retrieve the whole information, only active=false.
Thanks!
That is not possible at the moment
You can introspect the refresh token though
The purpose is logging at resource servers what ip addresses and what client_id are presenting outdated tokens. At this moments we can’t discriminate between outdated and invalid.
Thanks anyway!
Ah I see, that makes sense. The spec is unfortunately clear here - if the token is invalid, no metadata should be returned