Forum Discussion

dansubasinghe's avatar
dansubasinghe
New Contributor
5 years ago

According to the securityDefinition how the Oauth2 token validation should be done

When a following securityDefinieiton added in a swagger, it is not clear how the token validation should be done with the define security. 

 

Let's say the API has 2 API resources and one API resource have to invoke with the client-credential token. (That means 

OAuth2Security2 has mentioned as the security type of that particular API resource)

In that case when the API call hits the gateway with the oauth2 token, that token need to be validated, there we have to use the oauth2 introspection API of the authorization server, but it does not provide the information that how this token has taken either from client_credential grant or something else.

 

So how can we validate this?

What is the recommended approach, how the authorization server should work in this case

 

securityDefinitions:
  OAuth2Security1:
    type: oauth2
    flow: accessCode
    tokenUrl: 'https://authserver.example/token'
    authorizationUrl: 'https://authserver.example/authorization'
    scopes:
      accounts: Ability to all accounts
    description: authorization code flow 
  OAuth2Security2:
    type: oauth2
    flow: application
    tokenUrl: 'https://authserver.example/token'
    scopes:
      accounts:Ability to all accounts
    description: client credential flow

 

2 Replies

Sort By
  • Mar3y's avatar
    Mar3y
    Occasional Visitor
    5 years ago
    This could be done by dual-purposing the access token, defining a format that the client could parse and understand.
    • dansubasinghe's avatar
      dansubasinghe
      New Contributor
      5 years ago

      Can you explain more about what is "dual-purposing the access token" ?