Commercetools integration

Hi,

I am working on creating Commercetools integration and would love to get some help on it please. Commercetools supports OAuth 2.0 Bearer tokens issued by another service: https://docs.commercetools.com/http-api-authorization#requesting-an-access-token-using-an-external-oauth-server-beta.
So Commercetools needs an external introspection endpoint to verify the Auth0 tokens. Do you support this flow? What would you recommend for this if not?

Thank you.

I’m afraid at this time the Auth0 service does not support a token introspection endpoint. Currently, the access tokens we issue use the JWT format and could be validated by the resource server using the public key associated with the specific tenant domain.

However, it seems Commercetools does not support such an option, so a direct integration does not seem possible at this time.

Hi @jmangelo

Thanks for your quick response - I have a quick follow-up question please. I understand direct integration does not seem possible at this time.

Since the Auth0 service does not support a token introspection endpoint, can I implement our own custom endpoint? But at the same time commercetools expects an RFC 7662-compliant introspection endpoint.

Is it possible to implement our own RFC 7662-compliant introspection endpoint?

Technically speaking, I think you could indeed implement your own endpoint that accepts a JWT access token, validates it accordingly and returns a response in accordance with the token introspection requirements.

Having said that, we don’t generally recommend such proxies because you will now be fully responsible for ensuring that the extension you’re adding (an introspection endpoint in this case) does not introduce possible security vulnerabilities.
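An added example of the proxy the reply describes (not code from this thread, from Auth0 or from commercetools): an RFC 7662 introspection function that validates an Auth0-style RS256 access token with the tenant public key and reports only `active` plus the standard claims. It assumes the expected issuer and API audience are configured, that the verifying key was fetched from the tenant's JWKS (a generated `demoKey` stands in for it here), and that the HTTP wrapper and the endpoint's own client authentication (RFC 7662 section 2.1) are added around it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"slices"
	"strings"
)

// demoKey is a constructed stand-in for the tenant signing key; in production the
// public half is fetched from the Auth0 tenant's JWKS and selected by the token's kid.
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// Introspect verifies an RS256 JWT with pub, checks issuer, audience and expiry (now in
// Unix seconds) and returns the RFC 7662 section 2.2 object; any failure is {"active": false}.
func Introspect(token string, pub *rsa.PublicKey, iss, aud string, now int64) map[string]any {
	inactive := map[string]any{"active": false} // never say why: no oracle for probing tokens
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return inactive
	}
	// Pin the algorithm: "none" or an HMAC alg must never reach the RSA check.
	var hdr struct{ Alg string }
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return inactive
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // JWS signs the base64url text, not the JSON
	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return inactive
	}
	var c struct{ Iss, Sub, Scope, Azp string; Aud json.RawMessage; Exp int64 } // encoding/json matches keys case-insensitively
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil || c.Iss != iss || c.Exp <= now || !hasAudience(c.Aud, aud) {
		return inactive
	}
	return map[string]any{"active": true, "scope": c.Scope, "client_id": c.Azp, "sub": c.Sub, "exp": c.Exp, "iss": c.Iss}
}

// hasAudience accepts "aud" as a single string or as an array; Auth0 issues both forms.
func hasAudience(raw json.RawMessage, want string) bool {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return one == want
	}
	var auds []string
	return json.Unmarshal(raw, &auds) == nil && slices.Contains(auds, want)
}
```

The response for a rejected token carries no reason, so the endpoint cannot be used to learn which check a forged or expired token failed.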