It would be nice to provide support for phantom tokens. Many IdPs already have this feature, for example Keycloak or Curity. The main idea is that when introspect is called, a JWT is returned in the response. For example, as in Keycloak:
{
"jwt": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJLb3BHYmVaeFdHSWJ6N2NVbDQzRFNqLXRIS1d5aklpSFB3LTB2bGNpTTJRIn0.eyJleHAiOjE3MTY1NTgzMDYsImlhdCI6MTcxNjU1ODAwNiwiYXV0aF90aW1lIjoxNzE2NTU4MDA2LCJqdGkiOiI2MGNlZjcyNC01Njk4LTRmYzQtODEwMC02ZWVjYmY4ZjdhZGQiLCJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo4NTQzL2F1dGgvcmVhbG1zL3Rlc3QiLCJhdWQiOlsiYWNjb3VudC1jb25zb2xlIiwiYWNjb3VudCJdLCJzdWIiOiIyNDRlNmM1Mi0yMDRlLTM3NmEtOTkxOS1iYjgwODA4ZjE5MmMiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJ0ZXN0LWFwcCIsInNpZCI6Ijg4NWMzYjVhLWIyMzUtNGViZS1iZTBjLTlmOTdlNzIwOTFlOCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovL2xvY2FsaG9zdDo4MTgwIiwiaHR0cHM6Ly9sb2NhbGhvc3Q6ODU0MyJdLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsibmV3LXJvbGUiLCJoYXJkY29kZWQtcm9sZSIsIm9mZmxpbmVfYWNjZXNzIiwiYWRtaW4iXX0sInJlc291cmNlX2FjY2VzcyI6eyJ0ZXN0LWFwcCI6eyJyb2xlcyI6WyJjdXN0b21lci11c2VyIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBhZGRyZXNzIGVtYWlsIHByb2ZpbGUiLCJ1c2VyLXNlc3Npb24tbm90ZSI6IjE3MTY1NTgwMDYiLCJ0ZXN0LWNsYWltIjoidGVzdC12YWx1ZSIsImFkZHJlc3MiOnsic3RyZWV0X2FkZHJlc3MiOiIxIE15IFN0cmVldCIsImxvY2FsaXR5IjoiQ2FyZGlmZiIsInJlZ2lvbiI6IkNhcmRpZmYiLCJwb3N0YWxfY29kZSI6IkNGMTA0UkEifSwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJncm91cC1uYW1lIjpbImxldmVsMmdyb3VwIl0sIm5hbWUiOiJUb20gQnJhZHkiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0LXVzZXJAbG9jYWxob3N0Iiwic2Vzc2lvbl9zdGF0ZSI6Ijg4NWMzYjVhLWIyMzUtNGViZS1iZTBjLTlmOTdlNzIwOTFlOCIsImdpdmVuX25hbWUiOiJUb20iLCJmYW1pbHlfbmFtZSI6IkJyYWR5IiwiZW1haWwiOiJ0ZXN0LXVzZXJAbG9jYWxob3N0In0.yiAScO2FDFeRXaYtRBjRuB5Y2pUZVg4dg6J41WL7mKHa3B_Zp1gshGx1W06fQQdFjlAWnz__QiKTqBwznf_ENxmTNP1Cl8e5h3Tv9fnxBWOVrpyCnKiEP1--va8JkFnwuN4x_JXCk_RLasNVK0CK4fm566WaiIstD2JM3-zoM8qzQFipY7EqFwaBZ1SYwIZnZxzKL_F8e6VVk3PnRHJBr0WYWo1uK889DBPZABjxzJlEs5IBeVYATCAwJBqYoPNeB-VPhN9JEFZWjlbBqVDhvw10KRs9JflJPn8IiJGM9zMUl-l5LZrm4pAGG4eC_unwY0ewg9gWI6hgxRNjRzLHMQ"
}
Apparently this is very similar to JWT Response for OAuth Token Introspection.
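Added example (not code from the issue or from Spring Security) sketching the phantom-token exchange described above: an opaque token arrives at the edge, introspection returns the `jwt` field alongside the usual `active` flag, the gateway swaps the bearer token, and the upstream service verifies the JWT locally without calling the IdP. The token values, signing key and endpoint logic are constructed for the demo, and HS256 stands in for the RS256 a real Keycloak deployment would use.

```python
"""Phantom-token pattern: opaque token outside, introspection-issued JWT inside."""
import base64, hashlib, hmac, json, time
from typing import Optional

SIGNING_KEY = b"constructed-demo-hmac-key"          # constructed, shared IdP/upstream secret
OPAQUE_TOKENS = {                                   # constructed: opaque reference -> claims
    "opq-7f3a": {"sub": "alice", "scope": "openid profile", "exp": int(time.time()) + 300},
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict) -> str:
    """Mint the phantom JWT the IdP embeds in its introspection response."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def introspect(opaque_token: str) -> dict:
    """Simulated IdP introspection endpoint: RFC 7662 fields plus a 'jwt' field."""
    claims = OPAQUE_TOKENS.get(opaque_token)
    if claims is None or claims["exp"] <= time.time():
        return {"active": False}
    return {"active": True, **claims, "jwt": sign_jwt(claims)}

def gateway_forward(authorization: str) -> Optional[dict]:
    """Gateway: replace the opaque bearer token with the phantom JWT, or reject."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    result = introspect(token)
    if not result.get("active") or "jwt" not in result:
        return None
    return {"Authorization": f"Bearer {result['jwt']}"}

def verify_jwt(token: str) -> Optional[dict]:
    """Upstream service: check alg, signature and expiry locally; no IdP round trip."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(payload))
    except (ValueError, AttributeError):
        return None
    return claims if claims.get("exp", 0) > time.time() else None
```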
Comment From: jzheaux
I think there could be merit in implementing that spec once it is finalized. I'll leave this ticket open for the time being to see how it evolves.
Comment From: jzheaux
In the meantime, I think this would be a good fit for a Spring Security sample. Would you be interested in contributing to https://github.com/spring-projects/spring-security-samples/issues/295?