Does a token obtained with a client work on another?

[oculos]

Hi,

I always thought that when I authenticate with a client, the token obtained couldn't be used with another client. Hence things like token exchange were implemented.

But something is weird: My mail server is now configured to use oauth. it is connected to its client - let's call it dovecot.
I compiled Thunderbird to use oauth2 against my Keycloak instance. I got it configured to use a client called thunderbird. And it just works! Should it work? Shouldn't I configure Thunderbird to use the same client?

Best,
Francis

[embesozzi]

Behind the scenes, it's all about how the client validates the tokens. Nevertheless, each app should have its own OAuth 2.0 client. Based your example, the Thunderbird app must check that the audience claim is thunderbird

[oculos]

Behind the scenes, it's all about how the client validates the tokens. Nevertheless, each app should have its own OAuth 2.0 client. Based your example, the Thunderbird app must check that the audience claim is thunderbird

Thanks a lot @embesozzi . When you say " it's all about how the client validates the tokens", could you elaborate a bit on that?
Let's say you have roundcube as the webmail, and dovecot as the imap server. If I have a "roundcube" client, and a "dovecot" client, would the later be able to introspect a token from the former? It seems so - I created a thunderbird client, and Dovecot, while configured to introspect tokens on its own client, does grant access to tokens obtained via authentication to the thunderbird client. I was just concerned that it would recognize any token.

[embesozzi]

I mean that the app should follow the RFC OAuth 2.0 when validating the token.
Each app/client can introspect any tokens, then it will decide if that is valid or not.