Which standard flow does a gateway use to find out what's inside an opaque token?
Introspection
The phantom token flow defines a pattern to:
Hide sensitive data on the Internet but expose it internally
There are three methods for using tokens in API-to-API calls:
Exchange, embed, share
What is good practice for the gateway when it comes to authorization?
To validate the token and inspect the scopes to perform a coarse-grained authorization decision