如何在资源服务器上验证 WSO2 oauth2 访问令牌

Question

I am looking for fittings ends to our SSO puzzle.

Currently we have an OpenLDAP behind WSO2 Identity Provider. A client (Service Provider) redirects authorization to the IP (OAuth2) and recieves an access_token.

All fine.

Next step is to validate this token on another Service Provider, in this case a reverse proxy (Apache or Nginx) residing on another EC2 instance, which protects a number of unprotected 3rd party applications (3rd party in the sense that we can't touch source code, but do the hosting our selves). Which tools do serve this request?

Am am aware that the OAuth2 spec leaves a hiatus here and that there is draft which adds a /introspect call to validate this token. I also know that pingidentity implements this draft as part of there Apache module ( https://github.com/pingidentity/mod_auth_openidc ).

I am just wondering how to implement this on the WSO2-IS side, as I don't find documentation.

*bonus: we also hit several errors while deploying WSO2 (SQL errors) and using it ( https://wso2.org/jira/browse/IDENTITY-3009 ) which made us a bit distrusting about the product.

Answer 1

Oauth2 token validate may be performed with a SOAP call to

{WSO2_IS}/services/OAuth2TokenValidationService.OAuth2TokenValidationServiceHttpsSoap11Endpoint/

The response will include details regarding token validity and JWT claims.