According to the Authlib documentation, there is a built-in approach to use introspection endpoint to validate the given token when resource server has no access to token database:
import requests
from authlib.oauth2.rfc7662 import IntrospectTokenValidator
from your_project import secrets
class MyIntrospectTokenValidator(IntrospectTokenValidator):
def introspect_token(self, token_string):
url = 'https://example.com/oauth/introspect'
data = {'token': token_string, 'token_type_hint': 'access_token'}
auth = (secrets.internal_client_id, secrets.internal_client_secret)
resp = requests.post(url, data=data, auth=auth)
resp.raise_for_status()
return resp.json()
We can then register this token validator in to resource protector:
require_oauth = ResourceProtector()
require_oauth.register_token_validator(MyIntrospectTokenValidator())
When I use @require_oauth for my api routes, I have the following error:
TypeError: 'ResourceProtector' object is not callable
Can someone help please?
Source: https://docs.authlib.org/en/latest/specs/rfc7662.html#use-introspection-in-resource-server
UPDATE: The problem has been found. Wrong source import
Correct one: