FusionAuth

    When is `introspect` endpoint needed?

    AliMirlou

      As I have understood it, if the issued access token is not of type JWT, then the token's validity must be checked with the FusionAuth server for each user request.
      But it seems like none of the client libraries have implemented this endpoint (at least the Python and JavaScript ones haven't), and the conclusion I come to is that this endpoint is not as essential as I thought.
      I also saw that even Python's requests_oauthlib library has not implemented this endpoint in its OAuth2 session implementation.
      So I'm a bit confused about whether it's actually necessary to call this endpoint or not. Can anyone explain the protocol a bit?

      dan

        You don't need to call introspect, but you can if your code wants to check and see that a JWT is valid.

        However, if you have a resource server which isn't sure about the JWT it receives or really wants to double check it, you can call the introspect endpoint.

        Here's more information: https://www.oauth.com/oauth2-servers/token-introspection-endpoint/

        PS: sorry for pointing you the wrong way about introspect/requests_oauthlib.

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        AliMirlou

          No problem. But I'm asking about non-JWT access tokens. What about those?

          robotdan

            In FusionAuth, the access token is always a JWT.

            So you can always validate it on your own if you like, or use the Introspect, UserInfo or Validate APIs in FusionAuth to tell you whether the JWT is valid.

            A FusionAuth invention.
            https://fusionauth.io/docs/v1/tech/apis/jwt#validate-a-jwt

            The OAuth2 way of doing it.
            https://fusionauth.io/docs/v1/tech/oauth/endpoints#introspect

            The OpenID Connect way of doing it.
            https://fusionauth.io/docs/v1/tech/oauth/endpoints#userinfo

            Each of these APIs essentially does the same thing: it takes a token and tells you if it is valid. If you're using an OAuth2 library that already knows how to call an Introspect endpoint, use that; if you're using an OIDC library that knows how to call the Userinfo endpoint, use that. If you're writing your own usage, use whatever you want! 🙂

            We can add the Introspect or Userinfo endpoints to the client library if you like. Here is an issue for Python. https://github.com/FusionAuth/fusionauth-python-client/issues/8

            However, because each of these APIs does essentially the same thing, if you're using the client library, you may as well use validateJWT.

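The two replies above (dan's and robotdan's) describe the same choice a resource server has: validate the JWT itself, or hand the token to FusionAuth's Introspect endpoint. The following is an added example in Python (the language of the client library the question asks about); it is not code from FusionAuth or from any of its client libraries. It assumes the application's access tokens are signed with HS256 and a shared secret (FusionAuth can also sign with RS256, in which case the local check would verify against the public key from the JWKS endpoint instead of a shared secret). The issuer `https://auth.example.com`, the application id `app-1`, the secret and all tokens are constructed for the example, and the `client_id` form field on the introspect request is an assumption taken from the FusionAuth docs linked in the thread, on top of the `token` field RFC 7662 defines.

```python
import base64
import hashlib
import hmac
import json
import time
import urllib.request
from typing import Optional
from urllib.parse import urlencode


class InvalidToken(Exception):
    """Raised when a token fails a local validation check."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str, what: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        raise InvalidToken(f"{what} is not valid base64url") from None


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT. Used here only to build sample tokens offline;
    in a real deployment FusionAuth mints the access token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_jwt(token: str, secret: bytes, issuer: str, audience: str,
                 now: Optional[int] = None) -> dict:
    """Option 1: validate the access token locally, with no call to FusionAuth.
    Returns the claims on success and raises InvalidToken otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64, "header"))
    except ValueError:
        raise InvalidToken("header is not JSON") from None
    # Pin the algorithm to what the server is configured for. Never let the
    # token's own 'alg' pick the check: that is how 'alg: none' bypasses work.
    if header.get("alg") != "HS256":
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64, "signature")):
        raise InvalidToken("signature does not verify")
    # Only after the signature checks out are the claims worth reading.
    try:
        claims = json.loads(b64url_decode(payload_b64, "payload"))
    except ValueError:
        raise InvalidToken("payload is not JSON") from None
    if claims.get("iss") != issuer:
        raise InvalidToken("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise InvalidToken("token expired or has no exp")
    if claims.get("nbf", 0) > now:
        raise InvalidToken("token not yet valid")
    return claims


def introspect_request(fusionauth_url: str, client_id: str, token: str) -> tuple:
    """Option 2: build the POST for FusionAuth's /oauth2/introspect endpoint.
    'token' is the RFC 7662 field; 'client_id' is assumed from the FusionAuth docs."""
    url = fusionauth_url.rstrip("/") + "/oauth2/introspect"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"client_id": client_id, "token": token}).encode("ascii")
    return url, headers, body


def token_is_active(response_body: str) -> bool:
    """RFC 7662: 'active' is the only authoritative field and must be a JSON
    boolean. A string "true", a missing field or a non-JSON body mean inactive."""
    try:
        return json.loads(response_body).get("active") is True
    except (ValueError, AttributeError):
        return False


def introspect(fusionauth_url: str, client_id: str, token: str) -> bool:
    """Send the introspect request over the network (not exercised offline)."""
    url, headers, body = introspect_request(fusionauth_url, client_id, token)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return token_is_active(resp.read().decode("utf-8"))


if __name__ == "__main__":
    SECRET = b"constructed-example-secret"  # constructed for the example, not a real key
    ISSUER, CLIENT_ID = "https://auth.example.com", "app-1"
    token = sign_hs256({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-42",
                        "exp": int(time.time()) + 300}, SECRET)
    print("local check:", validate_jwt(token, SECRET, ISSUER, CLIENT_ID)["sub"])
    try:
        validate_jwt(token + "x", SECRET, ISSUER, CLIENT_ID)
    except InvalidToken as err:
        print("tampered token rejected:", err)
    print("introspect parse:", token_is_active('{"active": true}'))
```

The local path is the one robotdan's `validateJWT` suggestion amounts to: it costs no round trip, but it means the resource server must know the signing key (or fetch the JWKS) and can only learn about revocation when the token expires. The introspect path costs a request per check, but FusionAuth answers with its current view of the token, and the only thing the caller should act on is a literal `"active": true`.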
            AliMirlou

              > In FusionAuth, the access token is always a JWT.

              That's what I got wrong then. I thought that if I disable JWT in an application, then FusionAuth will issue some other type of access token. Now it's clear. ✋
              Thank you.

              AliMirlou

                @robotdan Also, it was actually me who opened the mentioned issue. 😅
