Auth0 Home Blog Docs

Resource Server Check Token Endpoint



We have spring boot resource servers that are configured to make requests to an /check_token endpoint which makes a request with the access token it received from an incoming request to check it it is a token that was provided by the Authenticator. the expected response contains information about the token in json format.
I do not see this implemented anywhere. And we would like to be able to check the token to make sure it is legit before making any action on the Resource server.

Example of this implemented in CloudFoundry UAA Service.

$ curl 'http://localhost/check_token' -i -u 'app:appclientsecret' -X POST \
    -d 'token=53dbe3e05dcf4ff38d350bc74a7fc97b&scopes=password.write%2Cscim.userids'

POST /check_token HTTP/1.1
Authorization: Basic YXBwOmFwcGNsaWVudHNlY3JldA==
Host: localhost
Content-Type: application/x-www-form-urlencoded

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 687

  "user_id" : "66b42b3a-fb36-49b7-a490-a6a41e32d2da",
  "user_name" : "marissa",
  "email" : "",
  "client_id" : "app",
  "exp" : 1505210194,
  "scope" :  "scim.userids", "openid", "", "password.write", "cloud_controller.write" ],
  "jti" : "53dbe3e05dcf4ff38d350bc74a7fc97b",
  "aud" :  "app", "scim", "cloud_controller", "password", "openid" ],
  "sub" : "66b42b3a-fb36-49b7-a490-a6a41e32d2da",
  "iss" : "http://localhost:8080/uaa/oauth/token",
  "iat" : 1505166994,
  "cid" : "app",
  "grant_type" : "password",
  "azp" : "app",
  "auth_time" : 1505166994,
  "zid" : "uaa",
  "rev_sig" : "782ab4cd",
  "origin" : "uaa",
  "revocable" : true