@dan
Okay I can give it a go.
But, trying to understand what is the difference in doing this webhook way vs doing following steps:
On every client request to backend service:
GET: api/jwt/validate or can implement manual validations (when no-claims scenario, only need to check signature and expiry)GET api/user with valid jwt from step 1. Which returns a response with user.active: false for deactivated user@dan I am passing the access token to the introspect endpoint, as you mentioned it is always returning active.
What I actually trying to do is to have the access token revoked if the user account is deactivated.
For my scenario, I am using access token with longer expiry but also wanted to revoke those token if a user is deactivated before that token is expired.
Can you be able to help me understand these flows:
I have two users parent-user and child-user
child-user logged in and received a valid token with lengthy expiry
parent-user deactivated child-user using endpoint DELETE: /api/user which successfully locked the user and showing locked in fusionauth UI
But, when child-user requested data using token issued in step 1, validate endpoint GET: api/jwt/validate endpoint is not invalidating the user. And returning success response back. When i checked user, applications are present in registrations.
Is this a bug? How can i invalidate a locked user properly??
EDIT:
I have looked into your post: https://fusionauth.io/community/forum/topic/49/how-should-i-validate-access-tokens
And, make sense /api/jwt/validate is just validating expiry, signature and claims. But, when I hit /oauth2/introspect endpoint I am still getting user status active
{
"active": true,
"applicationId": "<appid-uuid>",
"aud": "<appid-uuid>",
"auth_time": 1673234995,
"authenticationType": "PASSWORD",
"email": "myuser@mailinator.com",
"email_verified": true,
"exp": 1674444595,
"iat": 1673234995,
"iss": "auth-dev.mailinator.com",
"jti": "jti-uuid",
"roles": [],
"scope": "offline_access",
"sub": "<user-uuid>",
"tid": "<t-uuid>"
}
@dan Discard my comment above regarding custom claims for JWT.
I found your post: https://fusionauth.io/community/forum/topic/65/how-does-one-add-custom-claims-to-the-jwt-issued-by-the-oauth-flow?_=1672715552700
Which should guide me through next steps. Thanks 
@dan Now I am able to validate the token using RS256.
But, trying to figure out how can I add a user status ACTIVE or INACTIVE to jwt token when generated first time by fusionauth.
I previously used auth0 where we can add a js script like lambda functions to add custom parameters to jwt. Is something I could do with fusionauth?
@dan I forgot how I created my key at first place, imported a new one and using private key which I generated.