Great video. I would also mention that the structured token has an expiration date. So if a token is revoked at the auth server but the resource server doesn't introspect, at least the resource server will only accept the token until it expires anyway.

Perfect video! Only thanks to that I`ve understood why is token introspection sometimes needed with jwt tokens. Thank you very much!

Excellent video, crystal clear. You have a talent, please keep posting great content.

Nice work. Explaination is wonderful

The Authorization Server could also push a notification about the revocation to the resource server or like periodically push a list of all revocations that happened recently (depending on the configured token life span) along with a timestamp, then the resource server could also interpret this as a heartbeat and detect when the messages from the authorization server did not arrive. But yeah, the revocation and possibility of stealth or permission changes is why the access token should be short-lived.

thanks! I just liked and subscribed.

Why this and the previous video are not part of the OAuth playlist?

For token revocation what if i publish a event to a event bus, with the revoked token hash so that resource server can keep it their local cache for the token lifetime, and reject the token if passs after revocation ? or is there any standard for token revocation ?

Could you do more tutorials in nodejs. For instance I would like a production ready backend for the Tinder clones made in react of so many youtubers. They always leave the backend to something like firebase or barely work on the matching algorithm.

Thanks.