We are working on possibly implementing OAuth for apps. One of the big sets of applications requested that the OAuth access_token itself be a signed JWT with claims such as Groups, Phone Number, etc (similar to how ADFS does it).
What the apps want to do is be able to independently verify the access_token and get the information they need without going back to the OAuth Provider introspection endpoint. Just verify the issuer/aud/signature/time etc to say whether it's good or not.
However, looking at the OTK, it essentially sends an access_token that is only able to be validated by the API Gateway itself. So they have to either be front-ended by the API Gateway itself (which they don't want) or send a request to the tokeninfo endpoint to get details on it.
Is that possible with the OTK? Any documentation on how to do so if it is or something we'd have to fully customize?