`type` attributes. If a suitable TokenIntrospector is found, the token is validated with either a JWK obtained from the introspector's configured key source or the shared secret in `jwt.secret`, depending on the signing algorithm (a JWK for asymmetric algorithms such as RS256, the secret for HMAC algorithms such as HS256). Token expiration (the `exp` claim) is also checked. If the token is valid, its claims are put into the request object under the `jwt` key, so you can access them in AccessPolicy checks. If the token fails validation (it is expired or the signature is not correct), the client gets a 401 "Unauthorized" response.

The introspection response for an opaque token must carry the `active` attribute; Aidbox uses this attribute to decide whether the token is valid. If the token is valid, the entire introspection response is put into the request object under the `token` key, so you can use it in AccessPolicy checks. If the token is not valid, Aidbox then tries to validate the access token against the currently active local sessions.

To attach a user to the request, Aidbox looks for a `sub` attribute that equals a `User.id` on your box. Alternatively, use the `box_user` claim attribute. This makes sense when you use an external OAuth provider or any other identity system that manages the `sub` attribute itself: in that case the `sub` value is not an Aidbox user id, so you put the box user id into the `box_user` claim instead. Once the user is resolved from the `sub` (or `box_user`) attribute, Aidbox injects this user and their roles into the request. Now we can create some AccessPolicy.
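The following Python model walks through the whole flow described above so the order of checks is visible: an HS256 JWT is verified against the shared secret and its `exp` claim before its claims are placed under `jwt`; an opaque token is introspected and the response, when `active`, is placed under `token`, with a fallback to local sessions; only then is the user resolved from `box_user` (preferred) or `sub` and injected with their roles; any failure yields a 401. This is an added illustration, not Aidbox's code: the secret, the `USERS`, `INTROSPECTION_DB` and `SESSIONS` tables, the `session` key used for the session fallback, and the toy `allow_patient_read` policy are all constructed assumptions.

```python
# Added illustration of the flow described above; not Aidbox code. All names,
# secrets, users, tokens and introspection responses below are constructed.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

JWT_SECRET = "example-shared-secret"          # stands in for the introspector's jwt.secret
USERS = {                                     # local User records keyed by User.id
    "user-1": {"id": "user-1", "roles": ["practitioner"]},
    "user-2": {"id": "user-2", "roles": ["admin"]},
}
INTROSPECTION_DB = {                          # what the opaque-token introspection endpoint returns
    "opaque-good": {"active": True, "sub": "user-2", "scope": "patient/*.read"},
    "opaque-revoked": {"active": False},
}
SESSIONS = {"session-tok-7": {"sub": "user-1"}}  # currently active local sessions

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_hs256_jwt(claims: dict, secret: str = JWT_SECRET) -> str:
    """Mint an HS256 JWT so the example can run offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256_jwt(token: str, secret: str = JWT_SECRET, now: Optional[float] = None) -> Optional[dict]:
    """Claims if the signature and exp check out, else None (the caller answers 401)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:                        # bad base64, bad JSON or wrong number of segments
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":          # only the algorithm we configured; never trust alg=none
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None                           # missing or past exp is treated as invalid
    return claims

def introspect_opaque(token: str) -> Optional[dict]:
    """Simulated introspection endpoint; the active attribute decides validity."""
    resp = INTROSPECTION_DB.get(token, {"active": False})
    return resp if resp.get("active") else None

def resolve_user(claims: dict) -> Optional[dict]:
    """box_user wins when present (an external IdP owns sub); otherwise sub must equal User.id."""
    return USERS.get(claims.get("box_user", claims.get("sub")))

def build_request_context(auth_header: str, introspector_type: str, now: Optional[float] = None) -> dict:
    """The request object an AccessPolicy would see, or {'status': 401} when validation fails."""
    if not auth_header.startswith("Bearer "):
        return {"status": 401}
    token = auth_header[len("Bearer "):]
    ctx = {"status": 200}
    if introspector_type == "jwt":
        claims = verify_hs256_jwt(token, now=now)
        if claims is None:
            return {"status": 401}
        ctx["jwt"] = claims                   # claims land under the jwt key
    elif introspector_type == "opaque":
        claims = introspect_opaque(token)
        if claims is not None:
            ctx["token"] = claims             # whole introspection response under the token key
        elif token in SESSIONS:
            claims = SESSIONS[token]
            ctx["session"] = claims           # assumed key name for the local-session fallback
        else:
            return {"status": 401}
    else:
        return {"status": 401}
    user = resolve_user(claims)               # user is read only from an already-validated token
    if user is not None:
        ctx["user"] = user
        ctx["roles"] = user["roles"]
    return ctx

def allow_patient_read(ctx: dict) -> bool:
    """Toy AccessPolicy: practitioners, or any token granting the patient/*.read scope."""
    scopes = (ctx.get("jwt") or ctx.get("token") or {}).get("scope", "").split()
    return "practitioner" in ctx.get("roles", []) or "patient/*.read" in scopes
```

The important ordering is that `resolve_user` runs only after the signature (or the introspection endpoint) has vouched for the token, so a client cannot pick its own `sub` or `box_user` by sending an unsigned or tampered token; the `alg` check pins the algorithm to the one the secret is meant for.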