Introspection of refresh token during access token validation

[beornf]

According to oauth2 the refresh token is only used to generate a new access token and not read/write content on the resource server. As per the spec RFC 6749 section 1.5

Unlike access tokens, refresh tokens are intended for use only with authorization servers and are never sent to resource servers.

I am using the introspect token method in http middleware to validate access tokens, however this line allows refresh tokens to pass as well: https://github.com/ory/fosite/blob/master/handler/oauth2/introspector.go#L29.

Is my conclusion right that it would be better to check the passed in tokenType explicitly?

[aeneasr]

Token introspection RFC allows both refresh and access token validation :) I find this confusing as well, but see for yourself: https://tools.ietf.org/html/rfc7662#section-2.1

[beornf]

Right so that parameter is the token type hint. I'm still looking for a way for the introspection endpoint to only validate access tokens and ignore refresh tokens as these shouldn't be accepted by the resource server.

Would bringing the warden strategy from hydra into fosite as a custom factory be useful or is too much outside the oauth2 standard?
https://github.com/ory/hydra/blob/master/warden/warden_strategy.go

[aeneasr]

Hm, maybe make this configurable in the standard validator? The token_hint is not binding, only something to reduce processing time, don't rely on it :)

[aeneasr]

Addressed and closed in #208