I'm trying to understand how a REST service works with OAuth 2.0. I understand what the access_token is and how to get it. But I do not understand how the Resource Server (a REST service) uses the access_token. Does the Resource Server make a request to the Authorization Server each time it receives an access_token (on a REST call from the Client) to verify it?
1 Answer
In the OAuth 2.0 standard the agreement on what the access token looks like and how it is to be validated and interpreted is up to the discretion of the Resource Server (RS) and the Authorization Server (AS). So it is entirely possible that the RS executes a validation call each time it receives an access token as you describe. It is more likely that the RS caches the result of the lookup for performance reasons; that is a model that is pretty widely deployed today.
It would also be possible for the Authorization Server to structure the access token in such a way that the RS can validate it on its own. An example of that is to use a JSON Web Token as the access token format.
On top of that: there is an extension of OAuth 2.0 that standardizes the validation interaction between RS and AS that you described. It is called "OAuth 2.0 Token Introspection" and can be found here. The RS and AS may agree to adhere to that and it would increase the chances for the RS to be interoperable with another AS.
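The three models the answer describes, as an added example that is not part of the original answer or of any real AS/RS product: a toy Authorization Server and Resource Server in one file, where the RS (1) calls the AS's introspection endpoint (an RFC 7662-style `{"active": ...}` response), (2) caches that result for a bounded time, and (3) validates a self-contained JWT locally without any round-trip. The issuer and audience URLs, the opaque token value, the shared secret and the cache TTL are assumptions for illustration. HS256 is used only so the example runs offline; in a real deployment the AS would sign with RS256/ES256 and the RS would hold only the AS's public key, never a signing secret.

```python
"""Toy OAuth 2.0 AS + RS showing per-request introspection, cached introspection,
and local JWT validation. Example code, not from the original answer; all
identifiers below are assumptions chosen for illustration."""
import base64
import hashlib
import hmac
import json
from typing import Optional

SHARED_SECRET = b"example-secret-shared-between-AS-and-RS"  # assumed; HS256 for offline use only
EXPECTED_ISSUER = "https://as.example"      # assumed AS identifier
EXPECTED_AUDIENCE = "https://api.example"   # assumed RS identifier
CACHE_TTL = 60                              # assumed: seconds the RS trusts an introspection result


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---------------- Authorization Server side ----------------
def issue_jwt(subject: str, scope: str, now: int, lifetime: int = 300) -> str:
    """AS mints a compact JWS the RS can validate on its own (model 3)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": subject,
              "scope": scope, "iat": now, "exp": now + lifetime}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


# Constructed store of opaque tokens the AS has issued: token -> RFC 7662-style metadata
OPAQUE_TOKENS = {
    "2YotnFZFEjr1zCsicMWpAA": {"active": True, "sub": "alice", "scope": "read",
                                "aud": EXPECTED_AUDIENCE, "exp": 1_700_000_300},
}
_introspection_calls = 0  # number of RS -> AS round-trips, to show the cache working


def introspect(token: str, now: int) -> dict:
    """AS introspection endpoint: {"active": false} for unknown or expired tokens."""
    global _introspection_calls
    _introspection_calls += 1
    meta = OPAQUE_TOKENS.get(token)
    if meta is None or meta["exp"] <= now:
        return {"active": False}
    return dict(meta)


def introspection_call_count() -> int:
    return _introspection_calls


# ---------------- Resource Server side ----------------
def validate_jwt_locally(token: str, now: int) -> Optional[dict]:
    """RS checks alg, signature, iss, aud and exp with no call to the AS; None = reject."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_unb64url(h_b64))
        claims = json.loads(_unb64url(c_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never trust "none" or a token-chosen alg
        return None
    expected = hmac.new(SHARED_SECRET, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s_b64)):  # constant-time compare
        return None
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


_cache = {}  # token -> (trust_until, introspection result); RS-side memory (model 2)


def introspect_cached(token: str, now: int) -> dict:
    """RS asks the AS once, then reuses a positive answer until min(TTL, exp) passes.
    Negative answers are not cached so a revoked/unknown token is re-checked each time."""
    hit = _cache.get(token)
    if hit and hit[0] > now:
        return hit[1]
    result = introspect(token, now)
    if result.get("active"):
        _cache[token] = (min(now + CACHE_TTL, result["exp"]), result)
    return result
```

The caveat the cache buys you: a token the AS revokes stays accepted by this RS for up to `CACHE_TTL` seconds (bounded further by `exp`), so the TTL is a direct trade of AS load against revocation latency. The self-contained JWT path has the same property for its whole lifetime, which is why short `exp` values matter when the RS never calls back to the AS.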