I need to implement OAuth exactly the same way as Shopify - after user authenticates and authorizes an app, he or she must receive kind of permanent token, which will be used in background services until manually revoked. It looks like a reference token to me.
IdentityServer4 documentation states:
Access tokens can come in two flavours - self-contained or reference.
A JWT token would be a self-contained access token - it’s a protected data structure with claims and an expiration. Once an API has learned about the key material, it can validate self-contained tokens without needing to communicate with the issuer. This makes JWTs hard to revoke. They will stay valid until they expire.
When using reference tokens - IdentityServer will store the contents of the token in a data store and will only issue a unique identifier for this token back to the client. The API receiving this reference must then open a back-channel communication to IdentityServer to validate the token.
IdentityServer provides an implementation of the OAuth 2.0 introspection specification which allows APIs to dereference the tokens.
So it looks like OAuth standard.
Machine-2-machine is not suitable because I need to act on behalf of particular user. Is revocable never expiring access token supported at Auth0? I didn’t find any kind of info in Auth0 docs.