cpandey05

Reputation: 1301

OAuth2 - Does every request go to the authorization server for token validation?

I have a doubt in the case of OAuth being used more for authentication.

  1. I go to a website
  2. It redirects me to an OAuth provider like Google (provider) for sign in
  3. I am able to sign in successfully and the provider returns a token having resource information and other stuff

A few questions:

  1. Typically the token refresh time could be as long as 2 months (https://learn.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin/context). Can the client control the token validity time?
  2. Whenever the user accesses the app, will the app hit the provider every time to validate the token, or will it be able to decode the token locally and allow the user access (something like a self-contained JWT)?
  3. If it hits the provider every time, will this not impact scalability? My understanding is it will have to hit the provider every time.
  4. Just in case it need not hit the provider on each request - how is access denied the moment we revoke the permissions from the provider?

I am a little bit lost around this.

Upvotes: 6

Views: 1575

Answers (1)

Bill Lam

Reputation: 504

  1. The token timeout period is usually configured per application in the authorization server, which will then be applied to all requests accessing that particular application.

    If the authorization server is capable of determining the level of trust of the client, e.g. the client is a managed device, the authorization server may issue tokens with a longer/shorter timeout period according to the client settings. An example can be found in Azure AD Conditional Access.

  2. There are two ways to determine the validity of the access token.

    1. Using a self-encoded access token, e.g. a JWT. In this case the application server can validate the integrity of the access token without negotiating with the authorization server directly.

    2. Some authorization servers implement a Token Introspection endpoint for the application server to check the validity of the access token. But not all authorization servers provide this feature.

  3. I believe so, but sorry that I cannot find a real-world reference on that. Notice that even Azure AD does not provide a token introspection endpoint, so a considerable portion of OAuth2 applications should be using self-encoded access tokens, which does mitigate this scalability issue.

  4. That's why the lifetime of access tokens should be kept short, and the client should refresh the access token from the authorization server regularly to maintain access authorization.

Upvotes: 1
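The two validation models from the answer, and the revocation gap raised in question 4, side by side. This is an added example written for this page; it is not code from the asker, the answerer, or any particular provider. It assumes an HS256-signed JWT with a shared secret and a `jti` claim purely to stay dependency-free (a real authorization server would normally sign with an asymmetric key such as RS256 and publish the public key via a JWKS URL); all names, secrets, timestamps and token ids are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret (assumption: HS256 with a shared key). A real authorization
# server would usually sign with an asymmetric key and expose only the public part.
SHARED_SECRET = b"constructed-demo-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, lifetime_seconds: int, jti: str, now: int = None) -> str:
    """Authorization server side: mint a self-encoded (JWT) access token with a short lifetime."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "scope": " ".join(scopes), "iat": now,
              "exp": now + lifetime_seconds, "jti": jti}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_locally(token: str, now: int = None) -> dict:
    """Resource server side: check signature and expiry with no round trip to the provider.
    Returns the claims on success and raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm instead of trusting the header
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


class AuthorizationServer:
    """Stand-in for the provider: remembers revoked token ids and answers introspection calls."""

    def __init__(self):
        self.revoked = set()

    def revoke(self, jti: str) -> None:
        self.revoked.add(jti)

    def introspect(self, token: str, now: int = None) -> dict:
        # Introspection sees provider-side state (revocation) that a local check cannot.
        try:
            claims = validate_locally(token, now)
        except ValueError:
            return {"active": False}
        if claims["jti"] in self.revoked:
            return {"active": False}
        return {"active": True, "sub": claims["sub"], "scope": claims["scope"], "exp": claims["exp"]}


def revocation_demo(lifetime_seconds: int = 300) -> dict:
    """The questioner's scenario: what the app sees before and after revocation at the provider."""
    t0 = 1_700_000_000  # constructed fixed clock so the walk-through is deterministic
    provider = AuthorizationServer()
    token = issue_token("alice", ["profile", "email"], lifetime_seconds, jti="constructed-jti-1", now=t0)
    result = {}
    result["local_before_revoke"] = validate_locally(token, now=t0 + 10)["sub"]
    result["introspect_before_revoke"] = provider.introspect(token, now=t0 + 10)["active"]
    provider.revoke("constructed-jti-1")
    # Local validation still accepts the token: signature and exp are unchanged by revocation.
    result["local_after_revoke"] = validate_locally(token, now=t0 + 20)["sub"]
    result["introspect_after_revoke"] = provider.introspect(token, now=t0 + 20)["active"]
    # Only expiry ends a locally validated token's life, which is why lifetimes are kept short.
    try:
        validate_locally(token, now=t0 + lifetime_seconds)
        result["local_after_expiry"] = "accepted"
    except ValueError as exc:
        result["local_after_expiry"] = str(exc)
    return result


if __name__ == "__main__":
    print(revocation_demo())
```

The trade-off the answer describes falls out directly: local validation costs no provider call per request but lags revocation by up to one access-token lifetime, while introspection reflects revocation immediately at the price of a round trip on every request. Shortening `lifetime_seconds` and refreshing regularly narrows the revocation window without giving up the scalability of local checks.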
