OAuth “Introspection” Access Token Validation no longer available as of 11.2
In MarkLogic 11.2, the “Internally managed reference token” access token type for OAuth access tokens have been deprecated along with the “Authorization code” and “Client credentials” flow types. In place of these deprecated elements, the “JSON Web Token” access token type and the “Resource server” OAuth flow type will be replacing these deprecated elements. OAuth 2.0 external securities that were already configured with the deprecated elements before the upgrade will still work in 11.2, but once upgraded, a new OAuth external security configuration should be created by deleting the old OAuth external security configuration and creating a new one using the “Resource server” flow type.
Important
Until the deprecated access token and flow types are removed, they still appear as options when creating OAuth external configurations but will fail when saving the configuration.
Because these flow types were not documented, it is not expected that they are in use. To ensue that they are not being used and can be fully removed in a future release, the associated configuration functions have been modified or removed in 11.2. The function signature for sec:oauth-server() has been modified and the following functions have been removed:
sec:external-security-get-oauth-scope()sec:external-security-get-oauth-server-uri()sec:external-security-get-oauth-authorization-server-uri()sec:external-security-get-oauth-token-server-uri()sec:external-security-get-oauth-introspection-server-uri()sec:external-security-get-oauth-client-authentication-method()sec:external-security-get-oauth-client-secret()sec:external-security-get-oauth-redirect-uri()sec:external-security-set-oauth-scope()sec:external-security-set-oauth-server-uri()sec:external-security-set-oauth-authorization-server-uri()sec:external-security-set-oauth-token-server-uri()sec:external-security-set-oauth-introspection-server-uri()sec:external-security-set-oauth-client-authentication-method()