I am currently working on a project where IdentityServer4 is used as an authorization/authentication server. We have only one client (Angular) and a few resource-based APIs (ASP.NET Core). At the moment we use code flow (PKCE) and at the same time reference tokens, making use of the token introspection endpoint provided by IdentityServer4.
Is it overkill to use both PKCE and reference tokens? Asking the APIs to always call IdentityServer4’s token introspection endpoint adds another request to every resource request received. We are wondering if using reference tokens gives us any security advantage over just using PKCE with normal access tokens.
Thank you!
PKCE is only here to secure the initial user authentication, after that PKCE is no longer involved and you use PKCE for both reference and normal JWT tokens.
If you are worried about the performance of the extra lookup request, then you should take a look at this video
Improving JWT performance in ASP.NET Core webinar with Mentor - Marcin Hoppe
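As an added illustration (not code from the question or the answer, and not IdentityServer4's own API), here are the two mechanisms in protocol terms: PKCE only binds the authorization-code exchange to the client that started it, while a reference token is only as trustworthy as the checks the API applies to the introspection response. The function and parameter names are hypothetical, and the sample introspection response is constructed.

```python
import base64
import hashlib
import secrets
import time
from typing import Optional, Tuple

# Added example: PKCE (RFC 7636, S256) and introspection-response checks
# (RFC 7662). Names are hypothetical; nothing here is IdentityServer4 code.

def pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.
    PKCE protects only the authorization-code exchange; the access token
    returned afterwards (JWT or reference) is unaffected by it."""
    if verifier is None:
        raw = secrets.token_bytes(32)
        verifier = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def accept_introspection(resp: dict, api_name: str, required_scope: str,
                         now: Optional[float] = None) -> bool:
    """Decide whether an API should accept a reference token, given the JSON
    the introspection endpoint returned for it. A reference token can be
    revoked server-side, so 'active' is the authoritative signal; the API
    must still check expiry, audience and scope itself."""
    now = time.time() if now is None else now
    if resp.get("active") is not True:
        return False                      # revoked, unknown or malformed
    if "exp" in resp and resp["exp"] <= now:
        return False                      # expired
    aud = resp.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if api_name not in aud:
        return False                      # token issued for another API
    scopes = resp.get("scope", "").split()  # space-separated per RFC 7662
    return required_scope in scopes


# Constructed sample of what an introspection endpoint might return.
SAMPLE_INTROSPECTION = {
    "active": True,
    "exp": 1700000000,
    "aud": ["api1"],
    "scope": "openid api1",
    "client_id": "angular-client",
}
```

A self-contained JWT would replace `accept_introspection` with local signature and claim validation, which removes the per-request round trip but also loses immediate revocation.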