
Support for token introspection #40

Open
@Ross65536


From what I can tell, there currently isn't a way for a third-party service to tell if an access token is still valid without querying the authorization server's DB directly.

While the OAuth 2 specification RFC doesn't explicitly specify how to check if an access token is valid, there are 2 main ways in which it can be done:

  • introspection endpoint: there is an OAuth extension RFC 7662 which specifies an additional OAuth endpoint which can return information about an access token or refresh token, like if it is still valid, scopes, expiry time, etc.
  • signed token: for example a JWT access token signed with a public/private key. There is a specification for this.
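The first option above, an RFC 7662 introspection endpoint, is small enough to sketch end to end. The block below is an added example and is not code from this project or from the issue author: it models the authorization server's side of the endpoint (a caller-authenticated `introspect` function that answers `{"active": ...}` as section 2.2 of the RFC describes) and the resource server's side (`authorize_request`, which consults it before honouring a request). The token store, the registered resource-server credentials, the hashing of stored tokens, and the fixed `NOW` timestamp are all constructed assumptions so the example runs offline; a real deployment would put `introspect` behind an HTTPS POST handler and back it with the server's token table.

```python
"""Minimal RFC 7662-style token introspection, modelled in memory.

Added example, not the project's code. Everything below (token values,
client secrets, store layout, NOW) is constructed for illustration.
"""
import hashlib
import hmac

# Fixed clock so the example is deterministic (assumption: epoch seconds).
NOW = 1_700_000_000


def _token_key(token: str) -> str:
    """Store only a hash of the opaque token, never the token itself."""
    return hashlib.sha256(token.encode()).hexdigest()


# Constructed sample data: what the authorization server knows about
# the access tokens it has issued.
TOKEN_STORE = {
    _token_key("tok_alice_live"): {
        "client_id": "app-1", "username": "alice",
        "scope": "read write", "exp": NOW + 3600, "revoked": False,
    },
    _token_key("tok_bob_expired"): {
        "client_id": "app-1", "username": "bob",
        "scope": "read", "exp": NOW - 10, "revoked": False,
    },
    _token_key("tok_carol_revoked"): {
        "client_id": "app-2", "username": "carol",
        "scope": "read write", "exp": NOW + 3600, "revoked": True,
    },
}

# Resource servers allowed to call the endpoint. RFC 7662 section 2.1
# requires the caller to authenticate, otherwise anyone holding a token
# string could mine metadata about it.
RESOURCE_SERVERS = {"api-gateway": "rs-secret-constructed"}


def introspect(token: str, caller_id: str, caller_secret: str, now: int = NOW) -> dict:
    """Authorization-server side: answer an introspection request.

    Returns the RFC 7662 response dict. Unknown, expired and revoked
    tokens all collapse to {"active": False} with no extra fields, so a
    caller cannot distinguish 'never existed' from 'revoked'.
    """
    expected = RESOURCE_SERVERS.get(caller_id)
    if expected is None or not hmac.compare_digest(expected, caller_secret):
        raise PermissionError("unauthenticated introspection caller")

    rec = TOKEN_STORE.get(_token_key(token))
    if rec is None or rec["revoked"] or rec["exp"] <= now:
        return {"active": False}

    return {
        "active": True,
        "scope": rec["scope"],
        "client_id": rec["client_id"],
        "username": rec["username"],
        "token_type": "Bearer",
        "exp": rec["exp"],
    }


def authorize_request(token: str, required_scope: str,
                      caller_id: str = "api-gateway",
                      caller_secret: str = "rs-secret-constructed") -> bool:
    """Resource-server side: accept a bearer token only if the
    authorization server says it is active and it carries the scope."""
    info = introspect(token, caller_id, caller_secret)
    if not info.get("active"):
        return False
    granted = set(info.get("scope", "").split())
    return required_scope in granted


if __name__ == "__main__":
    for tok in ("tok_alice_live", "tok_bob_expired", "tok_carol_revoked", "tok_unknown"):
        print(tok, introspect(tok, "api-gateway", "rs-secret-constructed"))
    print("alice may write:", authorize_request("tok_alice_live", "write"))
    print("alice may admin:", authorize_request("tok_alice_live", "admin"))
```

The two things worth noticing are that the resource server never touches the token table (it only sees the introspection response), and that the endpoint's negative answer is deliberately uninformative, which is what lets it be exposed to third parties at all. Caching the positive response for a short TTL on the resource server is the usual trade-off against a revocation showing up late.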
