I am currently working on a project where IdentityServer4 is used as an authorization/authentication server. We have only one client (Angular) and a few resource-based APIs (ASP.NET Core). At the moment we use code flow (PKCE) and at the same time reference tokens, making use of the token introspection endpoint provided by IdentityServer4.
Is it overkill to use both PKCE and reference tokens? Asking the APIs to always call IdentityServer4’s token introspection endpoint adds another request to every resource request received. We are wondering if using reference tokens gives us any security advantage over just using PKCE with normal access tokens.
Thank you!