I'm adding a simple web service to an older application that needs to authenticate via OAuth 2.0. Since the app uses older technologies (Java 6, Tomcat 6, Struts 1, no Spring Framework) and upgrading the app is not currently in the scope, budget, or schedule for the project, I'm working with the Apache Oltu libraries -- older, but they appear to be adequate for my needs.
The service will be passed a bearer token from the consumer in the request headers, which I can retrieve. I believe next would be to pass the token with the web service's client id and secret from its authorization OAuth account to an (as yet unknown to me) Oltu token validation routine that will use a PingFederate URL in our company's domain for validation (i.e., "https://fedlogin.xxx.com/as/token.oauth2"), and get back whether or not it's a valid token. This is a very low traffic web service, so I don't think I need to worry about refresh tokens, storing anything in keyvaults/caches/databases, etc.
What I'm looking for seems simple, but maybe I'm oversimplifying things in my understanding of the process. I've found lots of examples online but not a guide or example that lays out the correct method(s), parameters, etc. to validate the bearer token in this situation. I've unsuccessfully tried a number of different variations on examples I've found online. I'm new to OAuth so I may be having difficulty with the terminology and naming conventions for the available classes and methods.
Can anyone suggest (or guide me to) a method to quickly and simply validate the bearer token using Oltu? Am I on the right track or am I missing/misunderstanding something fundamental in how OAuth 2 validation from a web service's perspective works?
Edit: I think I may have an answer for why I can't find a solution in the Oltu library -- it doesn't exist. See my response below...
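The flow the question describes (hand the bearer token plus the service's own client id and secret to the authorization server, get back whether the token is valid) is OAuth 2.0 token introspection (RFC 7662); the added example below, which is not code from the question or from Oltu, shows the resource-server side of that call written for a Java 6 / Tomcat 6 / no-Spring code base using only `HttpURLConnection`. Assumptions: the introspection URL is a placeholder (PingFederate's introspection endpoint is a different URL from the token endpoint quoted in the question), the class name `TokenIntrospector` is invented, and `JSONUtils.parseJSON` from Oltu's oauth2-common module stands in for whatever JSON parser the classpath already has.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.util.Map;
import javax.xml.bind.DatatypeConverter;              // Base64 on Java 6 (JAXB ships with the JDK)
import org.apache.oltu.oauth2.common.utils.JSONUtils; // assumed: Oltu oauth2-common JSON helper
/** Resource-server side of RFC 7662 token introspection, written for Java 6 / Tomcat 6 / no Spring. */
public class TokenIntrospector {
    // Placeholder: PingFederate's introspection endpoint is a separate URL from the token endpoint.
    private static final String INTROSPECT_URL = "https://fedlogin.example.com/as/INTROSPECTION-ENDPOINT";
    private final String clientId;     // the web service's own client id at the authorization server
    private final String clientSecret;
    public TokenIntrospector(String clientId, String clientSecret) { this.clientId = clientId; this.clientSecret = clientSecret; }

    /** Returns true only if the authorization server reports the token as active; every failure is "invalid". */
    public boolean isActive(String bearerToken) {
        HttpURLConnection conn = null;
        try {
            conn = (HttpURLConnection) new URL(INTROSPECT_URL).openConnection();
            conn.setRequestMethod("POST");
            conn.setConnectTimeout(5000); conn.setReadTimeout(5000);   // never hang the service on a slow AS
            // The resource server authenticates itself with HTTP Basic (client id and secret), RFC 7662 section 2.1.
            String creds = DatatypeConverter.printBase64Binary((clientId + ":" + clientSecret).getBytes("UTF-8"));
            conn.setRequestProperty("Authorization", "Basic " + creds);
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            conn.setDoOutput(true);
            OutputStream out = conn.getOutputStream();
            out.write(("token=" + URLEncoder.encode(bearerToken, "UTF-8") + "&token_type_hint=access_token").getBytes("UTF-8"));
            out.close();
            if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) return false; // fail closed on any AS error
            Map<String, Object> json = JSONUtils.parseJSON(readAll(conn.getInputStream()));
            // "active" is the only required field; accept Boolean or string "true", reject everything else
            return "true".equals(String.valueOf(json.get("active")));
        } catch (Exception e) {
            return false;                                    // network or parse problems never grant access
        } finally {
            if (conn != null) conn.disconnect();
        }
    }

    private static String readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        for (int n; (n = in.read(chunk)) != -1; ) buf.write(chunk, 0, n);
        in.close();
        return buf.toString("UTF-8");
    }
}
```

Call `new TokenIntrospector(id, secret).isActive(token)` from the Struts action after stripping the `Bearer ` prefix from the incoming `Authorization` header, and treat `false` as a 401 response.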