How to validate an access_token generated by Azure AD B2C in a web API

Vyom Sharma 21 Reputation points
2021-12-27T01:39:38.893+00:00

Hi,

I am able to generate an access_token in my SPA using the PKCE flow; now I am sending this token to my web API, which is a Golang micro-service. How can I verify this access_token in my API?

I worked with UAA before; fortunately, UAA provides a check-token endpoint, but I am not able to figure out any endpoint similar to that in Azure. Is there any endpoint in the Graph API which can tell the validity of a token?

Any help is much Appreciated.

Thanks!


Accepted answer
  1. Siva-kumar-selvaraj 15,551 Reputation points
    2021-12-28T07:05:15.257+00:00

    Hello @Vyom Sharma ,

    Thanks for reaching out.

    When your API receives an access token, it must validate the signature to prove that the token is authentic. Your API must also validate a few claims in the token to prove that it is valid. Depending on the scenario requirements, the claims validated by an application can vary, but your application must perform some common claim validations in every scenario.

    A registered application receives tokens and communicates with Azure AD B2C by sending requests to these endpoints:

    https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/authorize
    https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/oauth2/v2.0/token

    To learn more about tokens in Azure Active Directory B2C, refer to: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tokens-overview

    Hope this helps.

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

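The accepted answer says the API must verify the signature and then a set of standard claims, but gives no code. The Go program below is an added example, not code from the answer or from Microsoft, that does exactly that for an RS256 access token using only the standard library: it pins the algorithm, selects the signing key by kid from a JWKS document, verifies the signature, and only then compares iss, aud, exp and nbf against values the API has configured. The issuer URL, audience, kid and the locally generated RSA key are constructed assumptions; MintToken and PublicJWK exist only so the example runs offline, standing in for B2C's own signing and key publication. In a real service the JWKS is fetched (and cached) from the jwks_uri listed in the policy's OpenID metadata document.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS segments are base64url without padding

// JWK/JWKS model the document B2C serves at the jwks_uri of the policy's OpenID
// metadata; fetch and cache it. encoding/json matches "kid"/"n"/"e" case-insensitively.
type JWK struct{ Kid, Kty, N, E string }
type JWKS struct{ Keys []JWK }

// Claims the API checks; B2C sets aud to the API's application (client) ID.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Nbf int64  `json:"nbf"`
	Exp int64  `json:"exp"`
}

func decodeInto(seg string, v interface{}) error {
	return json.NewDecoder(base64.NewDecoder(b64, strings.NewReader(seg))).Decode(v)
}

// findKey returns the RSA public key published under kid, or nil if there is none.
func findKey(keys JWKS, kid string) *rsa.PublicKey {
	for _, k := range keys.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == kid && k.Kty == "RSA" && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	return nil
}

// ValidateAccessToken verifies the signature before trusting anything in the payload, then
// checks iss, aud, exp and nbf. issuer and audience come from the API's own configuration
// (policy metadata, app registration), never from the token.
func ValidateAccessToken(token string, keys JWKS, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not a compact JWS")
	}
	// Pin the algorithm: the token must never choose it ("none", HS256 keyed with the public key, ...).
	var hdr struct{ Alg, Kid string }
	if err := decodeInto(parts[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header rejected: alg %q, want RS256", hdr.Alg)
	}
	key := findKey(keys, hdr.Kid)
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if key == nil || err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature not verified with kid %q", hdr.Kid)
	}
	var c Claims
	if err := decodeInto(parts[1], &c); err != nil {
		return nil, err
	}
	switch t := now.Unix(); {
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q not trusted", c.Iss)
	case c.Aud != audience:
		return nil, fmt.Errorf("token is for audience %q, not this API", c.Aud)
	case t >= c.Exp:
		return nil, fmt.Errorf("token expired")
	case t < c.Nbf:
		return nil, fmt.Errorf("token not yet valid")
	}
	return &c, nil
}

// MintToken and PublicJWK stand in for B2C's own signing and key publication so the
// example runs offline; a resource API never mints tokens itself.
func MintToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	cb, _ := json.Marshal(c)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(cb)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

func PublicJWK(pub *rsa.PublicKey, kid string) JWK {
	return JWK{Kid: kid, Kty: "RSA", N: b64.EncodeToString(pub.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed issuer and audience; real ones come from the policy's metadata and the API's app registration.
	issuer, audience, now := "https://contoso.b2clogin.com/tenant-id/v2.0/", "api-client-id", time.Now()
	tok := MintToken(priv, "k1", Claims{Iss: issuer, Aud: audience, Nbf: now.Unix(), Exp: now.Unix() + 3600})
	fmt.Println(ValidateAccessToken(tok, JWKS{Keys: []JWK{PublicJWK(&priv.PublicKey, "k1")}}, issuer, audience, now))
}
```

The order matters: the payload is only parsed after the signature has been verified with a key the API selected itself, and the algorithm is fixed by the API rather than read from the token. Note what this check cannot tell you: as a later answer in this thread confirms, Azure AD has no introspection endpoint, so a token whose user has since signed out still validates until its exp; keeping access-token lifetimes short in the policy is how that window is bounded.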

2 additional answers

  1. Siva-kumar-selvaraj 15,551 Reputation points
    2022-01-04T07:31:22.043+00:00

    Thanks for detailed information and sorry for the inconvenience caused.

    Azure AD does not have an introspection endpoint. I have taken this feedback to our product team.


  2. Vyom Sharma 21 Reputation points
    2022-01-02T02:42:30.303+00:00

    Hello @sikumars-msft ,

    Thanks for taking the time to reply to my question. I understand that I have to validate the signature and claims, but my issue is a little different here: there will be cases when the user logs out but the token associated with the user on the client doesn't expire, and so when the Resource Servers/APIs are invoked with these tokens, the requests get serviced/honored. So I was looking for an Introspection endpoint to verify the token, just like we have in other Identity providers like Okta and UAA. But I guess that feature is not there yet in Azure.

    I was able to find a similar issue raised here: https://feedback.azure.com/d365community/idea/ea407180-be25-ec11-b6e6-000d3a4f0789, but I guess this is something under review by Microsoft :-(
