OAuth reference token

Hi guys,

I need to implement OAuth exactly the same way as Shopify - after user authenticates and authorizes an app, he or she must receive kind of permanent token, which will be used in background services until manually revoked. It looks like a reference token to me.

IdentityServer4 documentation states:

Access tokens can come in two flavours - self-contained or reference.

A JWT token would be a self-contained access token - it’s a protected data structure with claims and an expiration. Once an API has learned about the key material, it can validate self-contained tokens without needing to communicate with the issuer. This makes JWTs hard to revoke. They will stay valid until they expire.

When using reference tokens - IdentityServer will store the contents of the token in a data store and will only issue a unique identifier for this token back to the client. The API receiving this reference must then open a back-channel communication to IdentityServer to validate the token.

IdentityServer provides an implementation of the OAuth 2.0 introspection specification which allows APIs to dereference the tokens.

So it looks like OAuth standard.

Machine-2-machine is not suitable because I need to act on behalf of particular user. Is revocable never expiring access token supported at Auth0? I didn’t find any kind of info in Auth0 docs.


The “reference token” referred to in the IdentityServer4 documentation is actually an “opaque” token.

What you are looking for is a refresh token, which does not expire and allows the holder to acquire new access tokens “forever” (until the refresh token is manually revoked).

1 Like

Thanks for sharing that solution Mark!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.