How to validate OAuth2 access token from resource server


I have an Authorization Server and a Resource Server as two different entities. I am calling a REST API with the Access Token in the header. I want to check the validity of the AT, i.e. whether it is active or not.

I have done some googling and found that we can validate the access token using the token introspection endpoint, which requires the client ID and client secret as well. But in the REST API I'm not passing that information (i.e. client ID and client secret).


The answer will depend on the format of the access token. If it is a JWT, which is the preferred option, use code similar to this:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfiguration {

    @Bean
    public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception {

        http
            // This filter chain applies only to the API routes.
            .antMatcher("/api/**")
            // Every request must carry a valid bearer token.
            .authorizeRequests(authz -> authz
                .anyRequest().authenticated())
            // Validate the JWT locally: signature against the configured JWK set, expiry, issuer.
            .oauth2ResourceServer().jwt();

        return http.build();
    }
}

Along with configuration similar to this:

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: https://login.example.com/.well-known/jwks.json

INTROSPECTION

If your API receives a reference token, e.g. in a UUID format, then introspection will instead be required.

Spring has a similar option to implement this, though it is more commonly done in an API gateway hosted in front of the API, rather than in the API's own code.

Introspection is usually accompanied by caching of the introspection result, to avoid hammering the authorization server, which is usually a critical component.
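The checks a resource server has to run on a self-contained JWT access token (signature, expiry, issuer, audience), shown as an added example that is not code from the original answers or from Spring. It assumes an HS256 shared secret so it runs with the standard library only; a real deployment uses the authorization server's asymmetric keys fetched from the jwk-set-uri, which Spring's oauth2ResourceServer().jwt() does for you, but the claim checks are the same.

```python
import base64, hashlib, hmac, json, time

ALG = "HS256"  # pinned by the verifier; the token's own 'alg' header is never trusted

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT; stands in for the authorization server here."""
    header = _b64url_encode(json.dumps({"alg": ALG, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_jwt(token: str, key: bytes, issuer: str, audience: str,
                 now=None, leeway: int = 30) -> dict:
    """Return the verified claims or raise ValueError; signature before claims."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != ALG:
        raise ValueError("malformed token or unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):  # constant-time comparison
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise ValueError("token expired or missing exp")
    if now + leeway < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims

def is_valid(token: str, key: bytes, issuer: str, audience: str, now=None) -> bool:
    try:
        validate_jwt(token, key, issuer, audience, now=now)
        return True
    except ValueError:
        return False
```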


First, it's better to understand the authentication types, IDPs, token types, grant types and API gateways to get a clear understanding of the high-level authentication flow.

There are different types of grant types in the OAuth framework[1].

Client credential grant type[2] is one of the grant types.

If you need to follow a standard authentication mechanism, it's better to use an Identity Provider to generate tokens and validate them. (You can implement it on your own, but it is easier to use an already implemented one.)

There are different token types.

  1. JWT[3] - These are self-contained tokens. It is ideal to use JWT access tokens as API credentials because JWT access tokens can carry claims (data) that are used in order to authenticate and authorize requests. No introspection endpoint is needed for this, since the token itself has the information to validate it.

  2. Opaque access tokens[4] - An opaque or reference token is a random and unique string of characters which has been issued by the token service as an identifier to be used for API authentication purposes. These tokens do not carry any information related to the user, hence it is required to open a back channel to the token validation service to validate it and retrieve token information. For this an introspection endpoint is needed.

To secure your APIs, it will be easy to use an already-developed API gateway (there are plenty of API gateways[5]). Integrating an API gateway with your APIs will provide the capability to add security for your APIs. With this you don't need to worry about implementing authentication for your APIs.

[1] https://is.docs.wso2.com/en/6.0.0/references/concepts/authorization/grant-types/

[2] https://is.docs.wso2.com/en/6.0.0/references/concepts/authorization/client-credential-grant/

[3] https://apim.docs.wso2.com/en/latest/design/api-security/oauth2/access-token-types/jwt-tokens/

[4] https://apim.docs.wso2.com/en/3.1.0/learn/api-security/oauth2/access-token-types/opaque-tokens/

[5] https://apim.docs.wso2.com/en/latest/get-started/overview/