Router firewall and validating identity
We can control how long cached responses are used, to mitigate the risk of accepting an expired or recently revoked access token.
For example, if an API client typically makes a burst of several API calls over a short period of time, then a cache validity of 10 seconds might be sufficient to provide a measurable improvement in user experience.
Except where noted, the information in this blog applies to both NGINX Open Source and NGINX Plus.
The NGINX Plus module performs offline JWT validation.
Opaque tokens, on the other hand, must be validated by sending them back to the IdP that issued them.
Authentication (line 19), the access token itself (line 21), and the URL for the token introspection endpoint (line 22) are typically the only necessary configuration items.
Authentication is required for the IdP to accept token introspection requests from this NGINX instance. With this configuration in place, when NGINX receives a request, it passes it to the JavaScript module, which makes a token introspection request against the IdP.