Authlete's /auth/introspection API has a feature that checks if an access token for introspection has particular token. You can specify the scopes as values of an array, in a request to the API.
Checking scopes associated with a token
Here we assume there is an “Order API” in a resource server. It checks an access token attached with a request to the API and processes the request at least when the token has a payment scope.
With Authlete's /auth/introspection API, you have two implementation options:
The resource server sends only the access token to /auth/introspection API, to get “a list of scopes associated with the token” and determine if it has the payment scope
The resource server sends “scopes that the token must have” along with the access token to /auth/introspection API, and gets a response that states if the token is valid
/auth/introspection API can accept "scopes" parameter. You can use it to check if an access token that is a value of "token" parameter covers particular scopes that are specified the "scopes" parameter.
The "scopes" parameter is an array. It includes each scope as a value. For example, you can check if an access token covers "account" and "payment" scopes by describing them as follows:
"scopes":["account", "payment"]
Note that the following example doesn't work as expected.
"scopes":["account payment"]
Authlete would recognize this value as a single scope, "account payment", that doesn't actually exist, and understand no values are specified for the scopes parameter:
"scopes":[]
As a result, Authlete would do nothing in terms of checking scopes.
Examples
The following request/response examples show how to check if an access token (MhVD...) with three scopes (openid, profile, and payment) has particular scopes. curl command is used for the examples. (folded for readability)
When it has particular scopes
Request
The request is made to check if the token has openid and payment scopes.