When is `introspect` endpoint needed?
-
As I have understood, if the issued access token is not of type JWT, then the token's validity must be checked with the FusionAuth server for each user request.
But it seems like none of the client libraries have implemented this endpoint (at least Python and JavaScript haven't), and the conclusion I get is that this endpoint is not as essential as I thought.
I also saw that even Python's requests_oauthlib library has not implemented this endpoint in its OAuth2 session implementation.
So I'm a bit confused whether it's actually necessary to call this endpoint or not. Can anyone explain the protocol a bit?
-
You don't need to call `introspect`, but you can if your code wants to check and see that a JWT is valid. However, if you have a resource server which isn't sure about the JWT it receives or really wants to double check it, you can call the introspect endpoint.
Here's more information: https://www.oauth.com/oauth2-servers/token-introspection-endpoint/
PS sorry for pointing you the wrong way about introspect/`requests_oauthlib`.
-
No problem. But I'm asking about non-JWT access tokens. What about those?
-
In FusionAuth, the access token is always a JWT.
So you can always validate it on your own if you like, or use the Introspect, UserInfo or Validate APIs in FusionAuth to tell you if the JWT is valid.

A FusionAuth invention:
https://fusionauth.io/docs/v1/tech/apis/jwt#validate-a-jwt

The OAuth2 way of doing it:
https://fusionauth.io/docs/v1/tech/oauth/endpoints#introspect

The OpenID Connect way of doing it:
https://fusionauth.io/docs/v1/tech/oauth/endpoints#userinfo

Each of these APIs essentially does the same thing: takes a token and tells you if it is valid. If you're using an OAuth2 library that already knows how to call an Introspect endpoint, use that; if you're using an OIDC library that knows how to call the Userinfo endpoint, use that. If you're writing your own usage, use whatever you want!
We can add the Introspect or Userinfo endpoints to the client library if you like. Here is an issue for Python: https://github.com/FusionAuth/fusionauth-python-client/issues/8
However, because each of these APIs does essentially the same thing, if you're using the client library, you may as well use `validateJWT`.
-
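The two options the answer above contrasts, validating the JWT locally versus asking the server through the introspect endpoint, as an added example that is not part of the thread and not FusionAuth's client library code. It assumes (nothing in the thread states this) that the access token is signed with HS256 using a shared secret the resource server knows, and that the introspect endpoint accepts form-encoded `client_id` and `token` fields and replies with the RFC 7662 `active` boolean; check the linked docs for your configuration. The token, secret, issuer and audience are constructed here for the example.

```python
"""Local JWT validation vs. token introspection for a resource server.

Added example, not from the thread or from FusionAuth's libraries.
Assumptions: HS256 with a shared secret (constructed here); introspect
takes form fields ``client_id`` and ``token`` and returns JSON with an
``active`` boolean (RFC 7662).
"""
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
import urllib.request
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 JWT so the local check can run offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt_locally(token: str, secret: bytes, issuer: str, audience: str,
                       now: Optional[float] = None) -> Optional[dict]:
    """Check alg, signature, exp, iss and aud without a network call.

    Returns the claims on success and None on any failure. This is the
    'validate it on your own' option from the thread.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        provided_sig = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    if claims.get("iss") != issuer:
        return None
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        return None
    return claims


def build_introspect_request(client_id: str, token: str) -> bytes:
    """Form body for POST /oauth2/introspect (the OAuth2 option)."""
    return urllib.parse.urlencode({"client_id": client_id, "token": token}).encode()


def introspect(introspect_url: str, client_id: str, token: str) -> dict:
    """POST the token to the introspect endpoint and return its JSON reply."""
    req = urllib.request.Request(
        introspect_url,
        data=build_introspect_request(client_id, token),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())


def token_is_active(introspection: dict) -> bool:
    """RFC 7662: only an explicit boolean true ``active`` means the token is good."""
    return introspection.get("active") is True


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed for the example
    issuer = "https://fusionauth.example.invalid"  # constructed issuer
    tok = make_hs256_jwt({"iss": issuer, "aud": "my-app", "sub": "user-1",
                          "exp": int(time.time()) + 300}, secret)
    print(verify_jwt_locally(tok, secret, issuer, "my-app"))
    print(build_introspect_request("my-app", tok)[:40])
```

Local validation is the cheaper path and is what `validateJWT` in the client library amounts to; `introspect()` is only worth the round trip when the resource server cannot hold the verification key or needs the server's current view of the token (the `active` flag). Treat anything other than an explicit `true` from introspection as a rejected token.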
> In FusionAuth, the access token is always a JWT.

That's what I got wrong then. I thought that if I disable JWT in an application, then FusionAuth will issue some other type of access token. Now it's clear.
Thank you.
-
@robotdan Also, it was actually me who opened the mentioned issue.