How to validate an OAuth 2 0 access token for a resource server

Question

When a client asks a resource server to get a protected resource with an OAuth 2 0 access token  how does this server validate the token  The OAuth 2 0 refresh token protocol

User · Answer

OAuth 2 0 spec doesn t define the part  But there could be couple of options    When resource server gets the token in the Authz Header then it calls the validate introspect API on Authz server to validate the token  Here Authz server might validate it either from using DB Store or verifying the signature and certain attributes  As part of response  it decodes the token and sends the actual data of token along with remaining expiry time  Authz Server can encrpt sign the token using private key and then publickey cert can be given to Resource Server  When resource server gets the token  it either decrypts verifies signature to verify the token  Takes the content out and processes the token  It then can either provide access or reject

User · Answer

An update on  Scott T  s answer  the interface between Resource Server and Authorization Server for token validation was standardized in IETF RFC 7662 in October 2015  see  https   tools ietf org html rfc7662  A sample validation call would look like   POST  introspect HTTP 1 1 Host  server example com Accept  application json Content-Type  application x-www-form-urlencoded Authorization  Bearer 23410913-abewfq 123483  token 2YotnFZFEjr1zCsicMWpAA   and a sample response   HTTP 1 1 200 OK Content-Type  application json       active   true     client id    l238j323ds-23ij4      username    jdoe      scope    read write dolphin      sub    Z5O3upPC88QrAjx00dis      aud    https   protected example net resource      iss    https   server example com       exp   1419356238     iat   1419350238     extension field    twenty-seven      Of course adoption by vendors and products will have to happen over time

User · Answer

Google way  Google Oauth2 Token Validation  Request   https   www googleapis com oauth2 v1 tokeninfo access token 1 fFBGRNJru1FQd44AzqT3Zg   Respond        audience   8819981768 apps googleusercontent com      user id   123456789      scope   https   www googleapis com auth userinfo profile https   www googleapis com auth userinfo email      expires in  436      Microsoft way  Microsoft - Oauth2 check an authorization  Github way  Github - Oauth2 check an authorization  Request   GET  applications  client id tokens  access token   Respond        id   1     url    https   api github com authorizations 1      scopes          public repo          token    abc123      app          url    http   my-github-app com        name    my github app        client id    abcde12345fghij67890          note    optional note      note url    http   optional note url      updated at    2011-09-06T20 39 23Z      created at    2011-09-06T17 26 27Z      user          login    octocat        id   1       avatar url    https   github com images error octocat happy gif        gravatar id    somehexcode        url    https   api github com users octocat          Amazon way  Login With Amazon - Developer Guide  Dec  2015  page 21   Request      https   api amazon com auth O2 tokeninfo access token Atza IQEBLjAsAhRmHjNgHpi0U-Dme37rR6CuUpSR      Response    HTTP l l 200 OK Date  Fri  3l May 20l3 23 22 l0 GMT  x-amzn-RequestId  eb5be423-ca48-lle2-84ad-5775f45l4b09  Content-Type  application json  Content-Length  247         iss   https   www amazon com       user id    amznl account K2LI23KL2LK2       aud    amznl oa2-client ASFWDFBRN       app id    amznl application 436457DFHDH       exp   3597      iat   l3ll280970

User · Answer

Update Nov  2015  As per Hans Z  below - this is now indeed defined as part of RFC 7662   Original Answer  The OAuth 2 0 spec  RFC 6749  doesn t clearly define the interaction between a Resource Server  RS  and Authorization Server  AS  for access token  AT  validation   It really depends on the AS s token format strategy - some tokens are self-contained  like JSON Web Tokens  while others may be similar to a session cookie in that they just reference information held server side back at the AS   There has been some discussion in the OAuth Working Group about creating a standard way for an RS to communicate with the AS for AT validation   My company  Ping Identity  has come up with one such approach for our commercial OAuth AS  PingFederate   https   support pingidentity com s document-item bundleId pingfederate-93 amp topicId lzn1564003025072 html lzn1564003025072  section N10578 N1002A N10001   It uses REST based interaction for this that is very complementary to OAuth 2 0

User · Answer

OAuth v2 specs indicates       Access token attributes and the methods used to access protected resources are beyond the scope of this specification and are defined by companion specifications    My Authorisation Server has a webservice  SOAP  endpoint that allows the Resource Server to know whether the access token is valid

[oauth] How to validate an OAuth 2.0 access token for a resource server?

Examples related to oauth

Examples related to oauth-2.0