I have a question about validating the access token.
In order to do so I send a GET request to the OAuth User Info URL: `https://MY-DOMAIN.auth0.com/userinfo`.
If the access token is valid and not yet expired, I get as a response a JSON with the user information. The problem is that after a few calls I get response 429 – “Too Many Requests”.
Am I doing something wrong?
Yes, you’re doing something wrong, although the provided information is not sufficient to exactly pinpoint the issue. If the access token is only suitable for the `/userinfo` endpoint then the client application should only perform a request to that endpoint when it needs to obtain user information; it should not be doing repeated requests just to ascertain the validity of the access token. In particular, when the client application received the authentication response containing the access token it should also have received a general indication of how long the access token will remain valid through the `expires_in` response parameter.
If you’re sending the access token from a client application to a resource server (API) and then it is the API that performs that call then the issue is that you need to obtain an access token suitable to your own API. At this time, if you configure an API in the APIs section of the dashboard and then request an access token for that API from a client application then the issued access token will be a JWT. In this case the resource server can validate the access token by itself simply by validating the signature of the access token and then ensuring that the access token claims are the ones it expects (issuer, audience, lifetime, etc).
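The two halves of that answer in working code, as an added example that is not part of the original thread or of any Auth0 library: the client side keeps the token together with `expires_in` and decides locally whether it is still usable, and the resource server validates a JWT access token offline by checking the signature first and then the issuer, audience and lifetime claims. For a self-contained, stdlib-only demo it assumes an HS256 shared secret; Auth0 APIs normally issue RS256 tokens whose public keys come from the tenant's JWKS endpoint, so in production swap the HMAC check for an RSA signature check against that key set. The API identifier, secret and claim values below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; replace with your tenant issuer and your API identifier.
ISSUER = "https://MY-DOMAIN.auth0.com/"
AUDIENCE = "https://api.example.com"  # hypothetical API identifier from the APIs section
SECRET = b"constructed-demo-secret"   # HS256 shared secret, for this demo only


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT so the demo has a token to check. The authorization
    server does this in real life; the API never mints its own tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_access_token(token: str, secret: bytes, issuer: str, audience: str,
                          now=None, leeway: int = 0) -> dict:
    """Resource-server side: verify the signature, then iss, aud and the lifetime
    claims. Returns the claims on success and raises ValueError otherwise.
    No call to /userinfo (or any other network call) is needed."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm you expect; never let the token's own header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Only parse and trust the claims after the signature is known to be good.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise ValueError("token not yet valid")
    return claims


class CachedToken:
    """Client side: remember expires_in from the token response and refresh
    shortly before expiry instead of probing /userinfo on every request."""

    def __init__(self, access_token: str, expires_in: int, issued_at=None, skew: int = 30):
        self.access_token = access_token
        self.expires_at = (time.time() if issued_at is None else issued_at) + expires_in
        self.skew = skew  # seconds of safety margin for clock drift and latency

    def is_usable(self, now=None) -> bool:
        now = time.time() if now is None else now
        return now < self.expires_at - self.skew


if __name__ == "__main__":
    now = int(time.time())
    token = make_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "auth0|demo",
                        "iat": now, "exp": now + 3600}, SECRET)
    print(validate_access_token(token, SECRET, ISSUER, AUDIENCE)["sub"])
    print(CachedToken(token, 3600).is_usable())
```

Note the ordering in `validate_access_token`: the algorithm is pinned and the signature is checked before any claim is read, so an attacker-controlled payload never influences which checks run. On the client, `CachedToken` treats the token as unusable a little before `expires_at` so a request does not race the server's clock.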