问题
Spring exposes /check_token endpoint; see this link
For /check_token we need to configure RemoteTokenServices and it extracts the token. However, we can also configure UserInfoTokenServices that essentially does the same thing.
The only difference I can tell is the first one is according to OAuth 2.0 extension: Token Introspection Endpoint, however, this endpoint doesn't return node 'active' according to OAuth 2 Extension which is mandatory. See this link
But that aside, is there any other functional reason that we have these endpoints?
回答1:
I also had the same question but I made some research work and got my answer,I hope my answer can help you.If I made any mistake,please correct me.
There are two endpoints in spring security oauth2 and cloud-oauth2.
check_token:
defined in OAuth 2.0 extension Token Introspection. Its method is post,secured by HttpBasic authentication. It return the basic information.
It is a authorization server endpoint.
user_info_uri:
defined in openid-connect.
It returns the profile information(for example email address and birthday).It is mainly used in SSO login.It can be post or get method.
It is a resource server endpoint.
You can check the doc below to confirm.
OpenIDConnect
Let me quote some sentences to conclude here from below
https://github.com/spring-projects/spring-security/issues/6342
The /introspect endpoint and /userinfo endpoint are very different and are used in different scenarios with the provider.
The /introspect endpoint accepts an opaque (typically) access token and returns a set of claims associated to the access token.
The /userinfo endpoint accepts an access token and returns a set of claims associated to the currently authenticated user.
来源:https://stackoverflow.com/questions/47783648/what-is-the-difference-between-check-token-and-user-info-uri-endpoints-in-sprin