Forum Discussion

dansubasinghe's avatar
New Contributor
5 years ago

According to the securityDefinition how the Oauth2 token validation should be done

When a following securityDefinieiton added in a swagger, it is not clear how the token validation should be done with the define security. 


Let's say the API has 2 API resources and one API resource have to invoke with the client-credential token. (That means 

OAuth2Security2 has mentioned as the security type of that particular API resource)

In that case when the API call hits the gateway with the oauth2 token, that token need to be validated, there we have to use the oauth2 introspection API of the authorization server, but it does not provide the information that how this token has taken either from client_credential grant or something else.


So how can we validate this?

What is the recommended approach, how the authorization server should work in this case


    type: oauth2
    flow: accessCode
    tokenUrl: 'https://authserver.example/token'
    authorizationUrl: 'https://authserver.example/authorization'
      accounts: Ability to all accounts
    description: authorization code flow 
    type: oauth2
    flow: application
    tokenUrl: 'https://authserver.example/token'
      accounts:Ability to all accounts
    description: client credential flow 


2 Replies

  • Mar3y's avatar
    Occasional Visitor
    This could be done by dual-purposing the access token, defining a format that the client could parse and understand.
    • dansubasinghe's avatar
      New Contributor

      Can you explain more about what is "dual-purposing the access token" ?