Hi everyone, I am using hydra2.3.0 And using opaq...
# ory-selfhosting
c
Hi everyone, I am using Hydra 2.3.0 and using opaque tokens with secrets. I have an expired token. Now I need to find out which client issued that and to whom? Guys, this is very urgent. Please help. Thanks in advance.
@everyone any help
m
hey can you explain the use case @cool-tailor-60162? usually you would introspect the token to get the clientid but this does not work when it is expired.
c
Hi Vincent, thanks for the reply. I am using the introspection API for all the use cases. But I received a lot of requests with the expired request token, and now I want to know which client issued that token, so I want to search for it in the DB by the signature in the hydra_oauth2_access table, but I am unable to get the digested string that is saved in the DB. The main use case is to ask questions of that client and to find out to whom that token was issued.
@magnificent-energy-493
m
Ory Hydra stores only the signature part of an opaque token in the database (specifically in the `hydra_oauth2_access` table), not the full token or its key. The token format is `<key>.<signature>`, and only the signature is stored. This is a security feature: even if the database is compromised, an attacker cannot reconstruct valid tokens without the system secret [OAuth 2.0 security overview].

Implications for you @cool-tailor-60162:
• If you receive an expired token, you cannot use the introspection API to get the `client_id` or `sub` (subject), as introspection will return `active: false` and not provide further details for expired tokens.
• You also cannot search the database for the full token, because only the signature is stored, and you cannot derive the signature from the token without the system secret.
c
I understand that. But with the signature, can I search the database?