TsgcHTTP_OAuth2_Server › Events › OnOAuth2AfterIntrospectToken
Fires after the /introspect endpoint processes a token introspection request (RFC 7662).
property OnOAuth2AfterIntrospectToken: TsgcHTTPOAuth2AfterIntrospectTokenEvent;
// TsgcHTTPOAuth2AfterIntrospectTokenEvent = procedure(Sender: TObject; Connection: TsgcWSConnection; OAuth2: TsgcHTTPOAuth2Request; const Token: String; var IsActive: Boolean) of object
OnOAuth2AfterIntrospectToken is raised after a resource server has queried the introspection endpoint (RFC 7662) to check the state of a token. Token contains the token value submitted for introspection and IsActive is the boolean that the server is about to report in the "active" field of the JSON response. You can read the event for audit purposes or set IsActive to False to force the server to report the token as inactive, for example when additional business rules (revocation lists, tenant context) invalidate an otherwise valid token.
procedure OnOAuth2AfterIntrospectToken(Sender: TObject; Connection: TsgcWSConnection;
  OAuth2: TsgcHTTPOAuth2Request; const Token: string; var IsActive: Boolean);
begin
  // audit the introspection result; Token is a bearer credential, so in
  // production log a digest or truncated prefix rather than the raw value
  DoLog(Format('Introspect token (active=%s): %s',
    [BoolToStr(IsActive, True), Token]));
  // force inactive for tokens that belong to disabled tenants
  if IsActive and IsTenantDisabled(OAuth2.ClientId) then
    IsActive := False;
end;
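The revocation-list rule mentioned above, as an added example that is not part of the sgcWebSockets documentation or code base: a deny-list keyed by the SHA-256 digest of the token, applied through the same "var IsActive" contract as the event, with audit output that never contains the raw token. Fingerprint, RevokeToken, ApplyRevocation, Check and the sample tokens are hypothetical names and constructed values; it assumes Delphi XE8 or later (System.Hash) and single-threaded access to the dictionary, which needs a lock if the handler can run on several threads.

```pascal
program IntrospectRevocationDemo;
{$APPTYPE CONSOLE}
uses
  System.SysUtils, System.Hash, System.Generics.Collections;

var
  // Hypothetical deny-list: SHA-256 digest of the token -> time of revocation.
  Revoked: TDictionary<string, TDateTime>;

// The digest can be stored and logged; it cannot be replayed as a bearer token.
function Fingerprint(const Token: string): string;
begin
  Result := THashSHA2.GetHashString(Token);
end;

procedure RevokeToken(const Token: string);
begin
  Revoked.AddOrSetValue(Fingerprint(Token), Now);
end;

// Same contract as the event's "var IsActive": it only ever downgrades
// True to False, so a token the server reported inactive is never re-activated.
procedure ApplyRevocation(const Token: string; var IsActive: Boolean);
begin
  if IsActive and Revoked.ContainsKey(Fingerprint(Token)) then
    IsActive := False;
end;

// Stand-in for one introspection request: ServerVerdict plays the value the
// server passes in IsActive; the audit line carries a digest prefix only.
function Check(const Token: string; ServerVerdict: Boolean): Boolean;
begin
  Result := ServerVerdict;
  ApplyRevocation(Token, Result);
  Writeln(Format('introspect sha256=%s server=%s reported=%s',
    [Copy(Fingerprint(Token), 1, 16), BoolToStr(ServerVerdict, True),
     BoolToStr(Result, True)]));
end;

begin
  Revoked := TDictionary<string, TDateTime>.Create;
  try
    RevokeToken('constructed-token-A');   // constructed sample values
    Check('constructed-token-A', True);   // revoked token the server still sees as active
    Check('constructed-token-B', True);   // token that is not on the deny-list
    Check('constructed-token-C', False);  // token the server already reports inactive
  finally
    Revoked.Free;
  end;
end.
```

Inside the OnOAuth2AfterIntrospectToken handler the equivalent call is ApplyRevocation(Token, IsActive).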