Introspection Endpoint validate both token issued by same client and other clients


I am using an OAuth 2.1 compliant authorization service.

  1. There are two OAuth2 clients, "client-1" and "client-2".
  2. Create an access token using "client-1".
  3. Introspect the generated token using "client-1" and "client-2".

Returns a success response from "client-1" and an error response (Invalid client) from "client-1".

With this case, if two applications have the same permissions, each application accepts the other application's issued tokens. The resource server needs to validate the introspection response's client id against the application's client id before authorization.

According to [1] and [2], this is correct behavior.

[1]. https://github.com/spring-projects/spring-authorization-server/issues/1501

[2]. https://datatracker.ietf.org/doc/html/rfc7662#section-2.3

As I understand it, this case has a security issue. Is there any reason to allow this?


1 answer

Gary Archer

Introspection should be thought of as a process for getting token data for an opaque access token. Introspection often runs in an API gateway, which then forwards the token data to resource servers (APIs). Expired tokens fail introspection.

Introspection is not a substitute for authorization. Each API should authorize using the access token data. First check for the required issuer, audience, scopes and claims. Then apply business rules.

In the authorization server, each client should be configured with least-privilege access tokens. Clients can be given different (or the same) audience, scopes and claims. This enables you to control which clients can call which APIs, e.g. ensure that a client with a marketing scope cannot call a finance API.

Ideally the introspection response should be a JWT access token. Some authorization servers support this. The JWT can then be forwarded to APIs, which keeps the access token verifiable as it flows.
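The point made in the answer, and the concern raised in the question, can be shown with a resource-server authorization check that treats `"active": true` as only the first gate and then enforces issuer, audience, scope and, optionally, an allow-list of client ids. This is an added example written for this page, not code from the question, the answer, Spring Authorization Server or any real authorization server; the introspection responses, issuer `https://as.example`, audiences `finance-api`/`marketing-api`, scope names and the `authorize`/`check_finance_api` helpers are all constructed assumptions, shaped after the RFC 7662 section 2.2 response fields.

```python
import time

# Constructed sample introspection responses in the RFC 7662 section 2.2 shape.
# Every value here is made up for this example; none comes from the question,
# the answer, or a real authorization server.
SAMPLE_RESPONSES = {
    "finance-token-client-1": {
        "active": True,
        "client_id": "client-1",
        "iss": "https://as.example",
        "aud": ["finance-api"],
        "scope": "finance:read finance:write",
        "exp": 4102444800,  # 2100-01-01, i.e. not expired
    },
    "marketing-token-client-2": {
        "active": True,
        "client_id": "client-2",
        "iss": "https://as.example",
        "aud": "marketing-api",  # a single string is allowed for aud (RFC 7519)
        "scope": "marketing:read",
        "exp": 4102444800,
    },
    "expired-token-client-1": {
        "active": True,
        "client_id": "client-1",
        "iss": "https://as.example",
        "aud": ["finance-api"],
        "scope": "finance:read",
        "exp": 946684800,  # 2000-01-01, expired
    },
    "revoked-token": {"active": False},
}


def authorize(introspection, *, expected_issuer, expected_audience,
              required_scopes, allowed_client_ids=None, now=None):
    """Decide whether a request may proceed, given an introspection response.

    Returns (allowed, reason). A successful introspection only tells the API
    the token is live; the API still enforces issuer, audience, scopes and,
    if it wants to, which client ids it accepts (hypothetical policy helper).
    """
    now = time.time() if now is None else now

    if not introspection.get("active"):
        return False, "token not active"
    exp = introspection.get("exp")
    if exp is None or exp <= now:
        return False, "token expired or has no exp"
    if introspection.get("iss") != expected_issuer:
        return False, "unexpected issuer"

    # Audience decides which API the token was minted for; this is the check
    # that stops a token issued for one API being accepted by another.
    aud = introspection.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if expected_audience not in aud:
        return False, "token not issued for this API (audience mismatch)"

    # Scopes are space-delimited per RFC 6749 section 3.3.
    granted = set(introspection.get("scope", "").split())
    missing = set(required_scopes) - granted
    if missing:
        return False, "missing scopes: " + ", ".join(sorted(missing))

    # Optional: restrict the API to specific clients, independent of which
    # client performed the introspection call.
    if allowed_client_ids is not None and \
            introspection.get("client_id") not in allowed_client_ids:
        return False, "client not allowed to call this API"

    return True, "ok"


def check_finance_api(token_name, allowed_client_ids=None):
    """Run a constructed finance API policy against one sample response."""
    return authorize(
        SAMPLE_RESPONSES[token_name],
        expected_issuer="https://as.example",
        expected_audience="finance-api",
        required_scopes=["finance:read"],
        allowed_client_ids=allowed_client_ids,
        now=1_700_000_000,  # fixed clock so the example is deterministic
    )


if __name__ == "__main__":
    for name in SAMPLE_RESPONSES:
        print(name, check_finance_api(name))
```

With these samples the finance API accepts the client-1 token, rejects the marketing token from client-2 on audience (even though the authorization server reported it as active), rejects the expired and revoked tokens, and rejects the client-1 token when an allow-list excludes client-1. In a gateway deployment the same checks run once at the gateway, and the per-API business rules run in the API itself.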