If the authorization server supports OpenID Connect (OIDC), developers may opt to perform remote validation instead of local validation. Opaque tokens must use remote validation. Non-opaque tokens may use remote validation to verify that a user is still active. The access token includes a unique client id. To support remote validation, add an introspectionURI property and a clientSecret property to the properties file.

To configure remote validation, do the following:
  1. Edit the oeablsecurity.properties file.
  2. Set the oauth2 properties for remote validation.
    oauth2.opaqueToken.instrospectionUri=http://machinename:port/introspect
    oauth2.opaqueToken.clientSecret=stringClientSecret
    Note: The token services validation set in the oauth2.resSvc.tokenServices property is overridden when a URI is specified. Use the genpassword utility to encrypt the stringClientSecret on production systems.
  3. Save the properties file.
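
The following added example (not code from the product or its documentation) sketches what a resource server does with these two properties during remote validation, following OAuth 2.0 Token Introspection (RFC 7662): it posts the token to the introspection URI and accepts the token only if the reply says it is active. The function names, the client id `demo-client`, the sample token, and the use of HTTP Basic client authentication are assumptions made for illustration.

```python
import base64
import json
import time
from urllib.parse import urlencode


def build_introspection_request(introspection_uri, client_id, client_secret, token):
    """Return (url, headers, body) for an RFC 7662 introspection POST.

    Assumption: the resource server authenticates with HTTP Basic,
    using the client id and the configured client secret.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return introspection_uri, headers, body


def token_is_valid(response_body, now=None):
    """Fail closed: accept only a well-formed reply whose 'active' is JSON true."""
    now = time.time() if now is None else now
    try:
        claims = json.loads(response_body)
    except (TypeError, ValueError):
        return False  # unparseable reply is treated as a rejected token
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return False  # missing, false, or string "true" all reject
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or exp <= now):
        return False  # defensive check in case the server reports a stale expiry
    return True


if __name__ == "__main__":
    # Constructed sample values; the URI is the placeholder from the steps above.
    url, headers, body = build_introspection_request(
        "http://machinename:port/introspect", "demo-client",
        "stringClientSecret", "abc.def")
    print("POST", url, body)
    # Constructed introspection replies.
    print(token_is_valid('{"active": true, "exp": 4102444800}'))  # active token
    print(token_is_valid('{"active": false}'))                    # revoked or unknown
```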