I want to use Auth0 together with opaque tokens. According to the spec for OAuth Introspection, opaque tokens should be validated at the authorization server using the introspection endpoint.
Unfortunately, Auth0 does not provide an introspection endpoint. How can I validate opaque tokens?
Is it planned to add support for token introspection or token revocation?
For some customers of mine, JWT tokens must not be used, for example, due to privacy reasons.
As far as I know there is no way to validate whether an opaque access token has expired, other than the validation that occurs as part of the normal flow (when the audience presents the token as proof of delegation).
Unfortunately we don’t have any plans to support introspection for now. We used to have a few people filing feature requests for that in the past, but there was no big number of people advocating for that compared to other feature requests, so the team probably decided to hold back here.