Hi, I'm very new to OAuth 2.0 and OIDC stuff and need some help in understanding some stuff. Currently I have managed to set up Ory Kratos & Ory Hydra together to create an authorization server & identity provider. We also secured the APIs as advised by the docs by not exposing the write/admin APIs to the public. We have some first-party SPA + API apps, did some work to integrate these with the auth server, and managed to get the login, consent, access token etc to work on the SPA side. I haven't started working on the API side yet but from what I understood, since our first-party apps have access to Hydra's admin API via private network, the APIs can simply validate the opaque access tokens sent by the SPAs by calling Hydra's token introspection endpoint. But if a third-party wants to register as an OAuth 2.0 client, how do they validate the opaque access token? Do we change the access tokens into JWTs instead? Or do we open the token introspection API to the public (since other providers like Google have them open)? Or do they just call the

/userinfo

endpoint?

Why would they need to validate an opaque access token? The primary reason for it being opaque is that validation isn't required. Just set it as a bearer token in the Authorization header and let your ingress handle the token introspection from inside the private network. 🤷🏼‍♂️

Huh, that makes sense 🥴 Thanks a lot! I did overthink a lot since these concepts are very new to me 🙏