<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Use token introspection. It’s defined in RFC7662 and supported on /introspect on the server.<div class=""><br class=""></div><div class="">You’ll need to register the wrapper for your REST API on the server as a protected resource. You can either do this dynamically using the existing UI or you can do it in the admin UI and check “allow token introspection” in the config.</div><div class=""><br class=""></div><div class="">One caveat: by default, the server will only let the resource know about scopes associated with the token based on which scopes the resource is registered with. This is to limit information leakage to resources about a token’s potential targets. So if you’ve got a token with scopes A, B, C, and a resource server with scopes A, B, then introspecting that token from that resource will yield A, B even though the token itself also has C.</div><div class=""><br class=""></div><div class="">This behavior can be overridden by replacing the introspection services.</div><div class=""><br class=""></div><div class=""> — Justin</div><div class=""><br class=""></div><div class=""><div><blockquote type="cite" class=""><div class="">On Dec 13, 2016, at 9:57 AM, William Hadden1 <<a href="mailto:WilHadden@uk.ibm.com" class="">WilHadden@uk.ibm.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10.5pt"><div dir="ltr" class="">Hi,</div>
<div dir="ltr" class=""> </div>
<div dir="ltr" class="">Sorry for the stupid questions.</div>
<div dir="ltr" class=""> </div>
<div dir="ltr" class="">I want to be able to write a tomcat servlet which will sit in front of our REST APIs and accept an OAuth access token from a client and be able to confirm with the issuing OAuth server that it is indeed a valid token. Also as these client are autonomous I am using client credentials flow to create the token.</div>
<div dir="ltr" class=""> </div>
<div dir="ltr" class="">Currently I am able to create the token, but how should I query the OAuth server to authenticate the token from my servlet?</div>
<div dir="ltr" class=""> </div>
<div dir="ltr" class="">Thanks</div>
<div dir="ltr" class="">Wil</div></div>Unless stated otherwise above:<br class="">
IBM United Kingdom Limited - Registered in England and Wales with number 741598. <br class="">
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU<br class="">
<br class="">
_______________________________________________<br class="">mitreid-connect mailing list<br class=""><a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a><br class="">http://mailman.mit.edu/mailman/listinfo/mitreid-connect<br class=""></div></blockquote></div><br class=""></div></body></html>