- Access Tokens
- Refresh Tokens
- ID Tokens
- Proof-of-Possession (PoP) Tokens
- PKCE (RFC 7636)
- Client Management
- Authorization Requests
- User Authentication
- Error Handling
- Client Authentication
- Introspection response for expired access token
- Checking if an access token has particular scopes
- Use cases for two introspection APIs
- Userinfo Endpoint
- Device Flow (RFC 8628)
Introspection response for expired access token
When an resource server makes a request to Authlete's /auth/introspection API, and the request includes an expired access token, Authlete works as follows:
- To the first request: Authlete determines the token has been expired and then removes the token from its database.
- To the second and subsequent requests: Authlete determines the token doesn't exist. Because the token has been removed at the first request.
In either case, a value of "action" in a response from the API would be "UNAUTHORIZED".
How did we do with this article?