Securing API using openidc and oauth2



I am developing a platform for our company and it's just the beginning of a suite of applications. Since there will be users using one or more of the applications, we thought it would be a good idea to have single sign-on. So I began looking into the various options we had and very quickly came across IdPs and protocols such as OAuth2 and OpenID Connect. We decided to build an API for the service and now I'm stuck at implementing authentication and authorization properly. What I have done thus far is create public clients, which means they don't have a client_secret, and use the password grant_type so they can log in and get an access token. However, my API also needs to know if a user is logged in so as to protect access to some resources, and what I have now is a system where I cannot hit the introspection endpoint to ask my auth server if the user with a given access_token is logged in (the introspect endpoint is not allowed for public clients). What I can do, however, is look at the JWT (access_token) and extract user information. This isn't very good because what if the user had already logged out? What if someone else got a hold of this token, even if it has been invalidated by the auth server?
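The two worries in the question (a token that outlives a logout, and a token presented by someone other than its owner) are exactly what local JWT validation does and does not cover, so here is an added example of the checks a resource server performs when it cannot call the introspection endpoint. This is illustration code written for this page, not the poster's code or any IdP's library. It assumes a constructed HS256 shared secret in place of the IdP's real RS256 key (the claim checks are the same either way), a hypothetical issuer URL and audience id, and a local revocation set keyed by the standard `jti` claim; `issue_token` stands in for the IdP so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret standing in for the IdP's signing key. Real OIDC
# providers usually sign access tokens with RS256 and publish the public key
# in a JWKS document; only the signature step below would change.
SECRET = b"constructed-demo-secret-not-for-production"
EXPECTED_ISSUER = "https://idp.example.test/"   # hypothetical issuer URL
EXPECTED_AUDIENCE = "my-api"                   # hypothetical audience / resource id

# A JWT stays cryptographically valid until its exp claim, so logout must be
# recorded somewhere the API can consult. This set, keyed by jti, plays that
# role; in production it would be a shared store fed by the logout handler.
REVOKED_JTI = set()


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, jti: str, lifetime_s: int = 300,
                now: Optional[int] = None) -> str:
    """Mint an HS256 JWT the way a simplified IdP would (demo stand-in only)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": EXPECTED_ISSUER, "sub": subject, "aud": EXPECTED_AUDIENCE,
              "iat": now, "exp": now + lifetime_s, "jti": jti}
    signing_input = ".".join(
        _b64url_encode(json.dumps(p, separators=(",", ":")).encode())
        for p in (header, claims))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def revoke_token(jti: str) -> None:
    """Called on logout (or from the IdP's back-channel logout) to kill a token early."""
    REVOKED_JTI.add(jti)


def validate_token(token: str, now: Optional[int] = None) -> dict:
    """Return the claims if the token is acceptable for this API, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the header must never be allowed to pick it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    # The one check the signature cannot give you: has this token been revoked?
    if claims.get("jti") in REVOKED_JTI:
        raise ValueError("revoked")
    return claims
```

What this shows about the question: signature, issuer, audience and expiry checks can all be done without the introspection endpoint, and a stolen token that the IdP has invalidated is only rejected locally if the API sees that invalidation (the `jti` set here) or the token is short-lived enough that waiting it out is acceptable. Possession by someone else is not detectable from the token alone; short lifetimes, refresh-token rotation and sender binding are the usual mitigations.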