Spring exposes a /check_token endpoint; see this link.
For /check_token we need to configure RemoteTokenServices, and it extracts the token. However, we can also configure UserInfoTokenServices, which essentially does the same thing.
The only difference I can tell is that the first one follows the OAuth 2.0 extension Token Introspection Endpoint; however, this endpoint doesn't return the 'active' field, which is mandatory according to the OAuth 2 extension. See this link.
But that aside, is there any other functional reason that we have these endpoints?
I had the same question, but I did some research and got my answer. I hope my answer can help you. If I made any mistake, please correct me.
There are two endpoints in Spring Security OAuth2 and Cloud OAuth2.
check_token:
Defined in the OAuth 2.0 extension Token Introspection. Its method is POST, secured by HTTP Basic authentication. It returns the basic information.
It is an authorization server endpoint.
user_info_uri:
Defined in OpenID Connect.
It returns the profile information (for example email address and birthday). It is mainly used in SSO login. It can be a POST or GET method.
It is a resource server endpoint.
You can check the doc below to confirm.
OpenIDConnect
Let me quote some sentences from the link below to conclude:
https://github.com/spring-projects/spring-security/issues/6342
The /introspect endpoint and /userinfo endpoint are very different and are used in different scenarios with the provider.
The /introspect endpoint accepts an opaque (typically) access token and returns a set of claims associated to the access token.
The /userinfo endpoint accepts an access token and returns a set of claims associated to the currently authenticated user.
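As an added illustration (not code from the question, the answer, or Spring itself), the following Python model contrasts the two endpoints the answer describes: an RFC 7662 introspection endpoint in the role of Spring's /check_token (POST, caller authenticated with HTTP Basic, response describes the token and always carries the mandatory `active` flag the question notes is missing from Spring's version) and an OpenID Connect UserInfo endpoint in the role of user_info_uri (Bearer access token, response describes the user, claims filtered by the granted scopes). The token store, client credentials, user directory and token strings are all constructed sample data.

```python
import base64
import time

# Constructed sample data for the model (not real tokens, secrets or users).
NOW = time.time()
TOKENS = {
    # opaque access token -> what the authorization server knows about it
    "opaque-abc123": {"sub": "alice", "client_id": "web-app",
                      "scope": ["openid", "profile", "email"], "exp": NOW + 3600},
    "opaque-openid-only": {"sub": "alice", "client_id": "web-app",
                           "scope": ["openid"], "exp": NOW + 3600},
    "opaque-expired": {"sub": "alice", "client_id": "web-app",
                       "scope": ["openid", "profile"], "exp": NOW - 60},
}
# Resource servers registered at the authorization server; their HTTP Basic
# credentials protect the introspection endpoint so only registered callers
# can ask about a token.
CLIENTS = {"resource-server": "rs-secret"}
# User directory consulted by the UserInfo endpoint.
USERS = {"alice": {"name": "Alice Example", "email": "alice@example.com",
                   "birthdate": "1990-01-01"}}


def basic_header(client_id, secret):
    """Build an HTTP Basic Authorization header value for a resource server."""
    creds = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return f"Basic {creds}"


def _client_authenticated(headers):
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return CLIENTS.get(client_id) == secret


def _lookup(token):
    """Return the token record if the token is known and unexpired, else None."""
    rec = TOKENS.get(token)
    if rec is None or rec["exp"] < time.time():
        return None
    return rec


def check_token(headers, form):
    """Model of the RFC 7662 introspection endpoint (the role of Spring's /check_token).

    POST; the caller authenticates with HTTP Basic and sends the opaque token in the
    form body. The response describes the TOKEN: active flag, subject, client, scope, expiry.
    """
    if not _client_authenticated(headers):
        return 401, {"error": "unauthorized"}
    rec = _lookup(form.get("token", ""))
    if rec is None:
        # RFC 7662 section 2.2: an unknown, expired or revoked token yields only
        # active=false, so an unauthorized guesser learns nothing else about it.
        return 200, {"active": False}
    return 200, {"active": True, "sub": rec["sub"], "client_id": rec["client_id"],
                 "scope": " ".join(rec["scope"]), "exp": int(rec["exp"])}


def userinfo(headers):
    """Model of the OpenID Connect UserInfo endpoint (the role of user_info_uri).

    GET or POST with the access token as a Bearer credential; no client secret is
    involved. The response describes the USER behind the token, filtered by scope.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "invalid_token"}
    rec = _lookup(auth[7:])
    if rec is None or "openid" not in rec["scope"]:
        return 401, {"error": "invalid_token"}
    claims = {"sub": rec["sub"]}
    profile = USERS[rec["sub"]]
    if "profile" in rec["scope"]:          # OIDC 'profile' scope: name, birthdate, ...
        claims["name"] = profile["name"]
        claims["birthdate"] = profile["birthdate"]
    if "email" in rec["scope"]:            # OIDC 'email' scope
        claims["email"] = profile["email"]
    return 200, claims


if __name__ == "__main__":
    rs = {"Authorization": basic_header("resource-server", "rs-secret")}
    print(check_token(rs, {"token": "opaque-abc123"}))
    print(check_token(rs, {"token": "opaque-expired"}))
    print(userinfo({"Authorization": "Bearer opaque-abc123"}))
    print(userinfo({"Authorization": "Bearer opaque-openid-only"}))
```

The two functions make the practical difference visible: introspection answers "is this token valid, and for whom and what", and refuses to answer at all unless the resource server itself authenticates, whereas UserInfo answers "who is the user", only for a token that carries the openid scope, and reveals profile or email claims only when those scopes were granted.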