Vault OIDC identity provider access token introspection

Hi all!

I’m looking into using Vault’s OIDC identity provider as an IDP to secure an API by letting users first obtain an OIDC access token with Vault and then using the access token with the API. In order for such a setup to work, the API back-end needs to be able to inspect the access token (validity, expiry time for caching, etc.).

Vault’s OIDC identity provider does not (as far as I can tell) offer an introspection endpoint (defined as introspection_endpoint in the .well-known/openid-configuration file). Does that mean that the only way with Vault to inspect an access token generated by Vault’s OIDC identity provider would be to use the Vault token lookup function? I would prefer it if there was an OIDC/OAuth2 standardized way to do so.