I have an Authorization Server and a Resource Server as two different entities. I am calling a REST API with the Access Token in the header. I want to check the validity of the AT, whether it is active or not.
I have done some googling and found that we can validate the access token using the token introspection endpoint, which requires the ClientID and client secret as well. But in the REST API I'm not passing that information (i.e. the client ID and client secret).
The answer will depend on the format of the access token. If it is a JWT, which is the preferred option, use code similar to this:
Along with configuration similar to this:
INTROSPECTION
If your API receives a reference token, e.g. in a UUID format, then introspection will instead be required.
Spring has a similar option to implement this, though it is more commonly done in an API gateway hosted in front of the API, rather than in the API's own code.
Introspection is usually accompanied by caching of the introspection result, to avoid hammering the authorization server, which is usually a critical component.
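To make the two options in the answer concrete, here is an added Spring Security (6.x) resource-server configuration; it is example code written for this page, not the answerer's own snippet. Option 1 validates a JWT locally (signature via the issuer's JWKS, plus expiry, issuer and audience) and Option 2 introspects a reference token using the API's own client credentials, which is why the caller never needs to send them. The issuer, audience, client id, introspection path and the `orders.read` scope are assumed placeholder values.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    // Assumed values for illustration: the AS issuer, the audience it writes into tokens,
    // and the credentials this API itself (not its callers) uses at the introspection endpoint.
    static final String ISSUER = "https://auth.example.com";
    static final String AUDIENCE = "orders-api";
    static final String API_CLIENT_ID = "orders-api";
    static final String API_CLIENT_SECRET = System.getenv("INTROSPECTION_CLIENT_SECRET");

    // Option 1 (JWT access tokens): verify signature, expiry, issuer and audience locally.
    @Bean
    @Profile("!reference-tokens")
    SecurityFilterChain jwtChain(HttpSecurity http) throws Exception {
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(ISSUER); // keys from the AS's JWKS
        // The default validator only checks timestamps and issuer; reject tokens meant for other APIs.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(ISSUER), audience));
        http.authorizeHttpRequests(a -> a.anyRequest().hasAuthority("SCOPE_orders.read"))
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.decoder(decoder)));
        return http.build();
    }

    // Option 2 (opaque/reference tokens): ask the AS over RFC 7662 introspection.
    // The client id/secret belong to the API; the HTTP caller only sends its bearer token.
    @Bean
    @Profile("reference-tokens")
    SecurityFilterChain introspectionChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(a -> a.anyRequest().hasAuthority("SCOPE_orders.read"))
            .oauth2ResourceServer(rs -> rs.opaqueToken(opaque -> opaque
                .introspectionUri(ISSUER + "/oauth2/introspect")   // assumed endpoint path
                .introspectionClientCredentials(API_CLIENT_ID, API_CLIENT_SECRET)));
        return http.build();
    }
}
```

Spring does not cache introspection results by itself; the caching the answer recommends is done by registering your own `OpaqueTokenIntrospector` bean that wraps `SpringOpaqueTokenIntrospector` and memoises responses for no longer than the token's reported `exp`.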