Add service to service guide

[sixhobbits]

We had some questions while doing this one, as the introspect endpoint didn't work as we expected.

We posted this forum post and received some clarification on one point from @mooreds - but are still not clear if Fusionauth is implementing the introspect endpoint in a standard way, or we don't understand how to correctly use it.

The original draft of this article had the following paragraph which explains our understanding of what introspect should do and how it doesn't work that way in Fusionauth. We removed it as it's either a bug in Fusionauth or a misunderstanding on our part.

@mooreds maybe you have a quick insight here on the following as you responded on the forum before about the second point?

---

A Better Way To Verify A Token — Introspection

Verifying a token by manually looking at JWT signatures, as the code above does, is not standard in OAuth. Instead, all OAuth servers should allow anyone to verify a token by passing the token to the standard introspect endpoint. Example code to do this is given below.

async function verifyTokenThroughIntrospectionEndpoint(token) {
  const response = await axios({
    method: "post",
    url: "http://localhost:9011/oauth2/introspect",
    headers: {"Content-Type": "application/x-www-form-urlencoded"},
    data: `token=${token}&client_id=40450891-0231-49c4-839b-b2c444f57f9c&client_secret=EmQ3FL-rDqHuESnJCmZacFK3sKQbOKX-gQYnC5pPLio`
  });
  console.log("\nToken verification result:", response.data);
  return response.data;
}

Unfortunately, FusionAuth does not implement this endpoint correctly. In the code above, you have to send the customer's secret key along with the token to be verified. But the server is the one that wants to verify the key, and the server doesn't have access to the customer's secrets. So the server can't verify any access tokens with this endpoint, as it should be able to. If you try passing the server's secret key to FusionAuth it doesn't work either.