mitreid-connect / OpenID-Connect-Java-Spring-Server

An OpenID Connect reference implementation in Java on the Spring platform.

Revocation endpoint #1510

Open athulrl opened 5 years ago

athulrl commented 5 years ago

I have a question regarding the revocation endpoint. My OP server and the Resource servers are two separate projects. I have implemented the resource server with the client app. I could successfully call the revocation endpoint and could delete the access token from the server database during the logout process. But the problem is, since the JWT is self-defined, the token is still valid till its actual end time. That means the JWT is still valid even if the user is logged off. I don't want the RP to depend on the database, since that would suppress the advantage of JWT. I feel like there is no other way to verify the access token apart from the Introspection endpoint. That means the client has to call the Introspection endpoint on each call before it actually grants access to the protected resource.

  1. Could you please confirm whether my understanding is correct?
  2. Does the client have to call the Introspection endpoint on each call before it actually grants access to the protected resource?
  3. If point 2 is incorrect, does the client app have the capability of validating the access token without calling the Introspection endpoint?
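The situation described in this issue, as an added illustration that is not code from MITREid Connect or from the issue author: a minimal model of a token store, a revocation endpoint, a resource server that validates the JWT purely locally (signature and `exp`), and an introspection endpoint that consults the store. The HS256 signing, the `SECRET`, the `jti` derivation and the function names are constructed for this example only (the real server signs with RSA keys); the point is that the locally validated token stays "valid" after revocation until `exp` passes, while introspection reflects the revocation immediately.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for this HS256 model only; a real OP uses RSA keys.
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, lifetime_s: int, now: float, store: dict) -> str:
    """OP side: mint a signed JWT and record it in the token store (hypothetical model)."""
    header = {"alg": "HS256", "typ": "JWT"}
    jti = hashlib.sha256(f"{subject}:{now}".encode()).hexdigest()[:16]
    claims = {"sub": subject, "jti": jti, "iat": int(now), "exp": int(now) + lifetime_s}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    store[jti] = {"sub": subject, "exp": claims["exp"]}
    return f"{signing_input}.{_b64url(sig)}"


def revoke_token(token: str, store: dict) -> None:
    """Revocation endpoint model: delete the token from the OP's store, as the issue describes."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    store.pop(claims["jti"], None)


def validate_locally(token: str, now: float) -> bool:
    """Resource server check with no database access: signature and exp only."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False
    claims = json.loads(_b64url_decode(c))
    return now < claims["exp"]


def introspect(token: str, now: float, store: dict) -> dict:
    """Introspection endpoint model (RFC 7662 response shape): consults the store,
    so a revoked token reports active=false even though its signature still verifies."""
    if not validate_locally(token, now):
        return {"active": False}
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    entry = store.get(claims["jti"])
    if entry is None:
        return {"active": False}
    return {"active": True, "sub": entry["sub"], "exp": entry["exp"]}


def demo() -> dict:
    """Walk a 300-second token through issue, revocation and expiry at fixed timestamps."""
    store = {}
    t0 = 1_700_000_000.0  # constructed fixed clock so the run is deterministic
    token = issue_token("alice", lifetime_s=300, now=t0, store=store)
    before = (validate_locally(token, t0 + 10), introspect(token, t0 + 10, store)["active"])
    revoke_token(token, store)
    # Local validation still passes: the RP has no way to learn about the revocation.
    after = (validate_locally(token, t0 + 20), introspect(token, t0 + 20, store)["active"])
    # Only once exp passes do both checks agree.
    expired = (validate_locally(token, t0 + 301), introspect(token, t0 + 301, store)["active"])
    return {"before": before, "after_revocation": after, "after_expiry": expired}


if __name__ == "__main__":
    print(json.dumps(demo()))
```

The `after_revocation` result, local check true and introspection false, is exactly the window the issue is asking about: a resource server that trusts only the signature and `exp` cannot see a revocation, so the practical controls are a short access-token lifetime (bounding that window), introspecting on requests where immediate revocation matters, or caching introspection results for less time than the token lifetime.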