Commercetools integration

Hi,

I am working on creating Commercetools integration and would love to get some help on it please. Commercetools supports OAuth 2.0 Bearer tokens issued by another service: https://docs.commercetools.com/http-api-authorization#requesting-an-access-token-using-an-external-oauth-server-beta.
So Commercetools needs an external introspection endpoint to verify the Auth0 tokens. Do you support this flow? What would you recommend for this if not?

Thank you.


I’m afraid at this time the Auth0 service does not support a token introspection endpoint. Currently, the access tokens we issue use the JWT format and can be validated by the resource server using the public key associated with the specific tenant domain.

However, it seems Commercetools does not support such option so a direct integration does not seem possible at this time.

Hi @jmangelo

Thanks for your quick response - I have a quick follow-up question please. I understand direct integration does not seem possible at this time.

Since the Auth0 service does not support a token introspection endpoint, can I implement our own custom endpoint? But at the same time commercetools expects an RFC 7662-compliant introspection endpoint.

Is it possible to implement our own RFC 7662-compliant introspection endpoint?

Technically speaking, I think you could indeed implement your own endpoint that accepts a JWT access token, validates it accordingly and returns a response in accordance with the token introspection requirements.

Having said that, we don’t generally recommend such proxies because you will now be fully responsible for ensuring that the extension you’re adding (an introspection endpoint in this case) does not introduce possible security vulnerabilities.

Hi there @jmangelo,

Is there any particular reason why Auth0 doesn’t provide a token introspection endpoint? Obviously it would be pretty easy for you guys to build this, and you are in an opportune position, having all these token details readily on hand at your endpoints. In fact, some Auth0 API endpoints already return similar information, they just don’t do it in any standards-compliant way, at least with regard to RFC 7662.

We are also trying to integrate with Commercetools. We were hoping to use Auth0, but this is a blocker for us. It would help to know if you guys see this as an issue (seeing as there are at least 5-6 forum posts I could find from a quick cursory search), whether losing customers over it would matter, and if it is a priority to help customers with their OAuth needs, when this might see production.

Is it on the roadmap at all?

Hello,

I am coming across the same problem myself and am wondering if you have any insight into how you resolved your issue?

Also, has Auth0 planned out any work to add an introspect endpoint?