...
While the OIDC specification defines the format of the OIDC ID Token (see also ID Token), the Access Token and Refresh Token are based on the OAuth2 specification.
...
The token_introspect endpoint URL can be found by looking at the value of the "token_introspect_endpoint" key in the openid-configuration.
Typical format of the URL is:
...
Note that the endpoint requires client authentication.
Parameter | Required | Description | Example |
---|---|---|---|
token | yes | The string value of the token. For access tokens, this is the "access_token" value returned from the token endpoint. For refresh tokens, this is the "refresh_token" value returned from the token endpoint. ID Tokens are not supported, as they are out of scope according to the specification; use the OIDC ID Token specification for decoding. | token=eyJhbGciOiJSUzI1NiIsInR5... |
token_type_hint | no | A hint about the type of the token submitted for introspection. Values according to Initial Registry Contents. | token_type_hint=access_token |
Example request

```bash
BASEURL="https://auth.buypass.no/auth/realms/SECURITYDOMAIN/protocol/openid-connect"
CLIENT_ID="oidc-client"
CLIENT_SECRET="mysecret"
# Client credentials for HTTP Basic authentication; tr strips the line wrap
# that GNU base64 inserts for longer client_id:client_secret strings.
BASIC_AUTH=$(printf '%s' "${CLIENT_ID}:${CLIENT_SECRET}" | base64 | tr -d '\n')
SCOPE="openid profile"
USERID="someuser"
USERPWD="somepassword"

# Get the tokens using the Resource Owner Password Credentials Grant.
# --data-urlencode form-encodes each value (the space in SCOPE included) and implies POST.
TOKENS_JSON=$(curl -sS \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic ${BASIC_AUTH}" \
  --data-urlencode "grant_type=password" \
  --data-urlencode "username=${USERID}" \
  --data-urlencode "password=${USERPWD}" \
  --data-urlencode "scope=${SCOPE}" \
  "${BASEURL}/token")

# Get the Access Token (using the jq tool)
ACCESS_TOKEN=$(jq -r '.access_token' <<<"${TOKENS_JSON}")

# Introspect the Access Token (the endpoint requires client authentication)
curl -i -w "\n" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic ${BASIC_AUTH}" \
  --data-urlencode "token=${ACCESS_TOKEN}" \
  --data-urlencode "token_type_hint=access_token" \
  "${BASEURL}/token/introspect"

# Get the Refresh Token (using the jq tool)
REFRESH_TOKEN=$(jq -r '.refresh_token' <<<"${TOKENS_JSON}")

# Introspect the Refresh Token
curl -i -w "\n" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic ${BASIC_AUTH}" \
  --data-urlencode "token=${REFRESH_TOKEN}" \
  --data-urlencode "token_type_hint=refresh_token" \
  "${BASEURL}/token/introspect"
```
...
Depending on the context and the Security Domain, additional claims may be provided; their semantics and values may vary from domain to domain.
...
```json
{
  "jti": "4c64fccc-e06a-4613-a882-6a1fe57567c0",
  "exp": 1558702349,
  "nbf": 0,
  "iat": 1558702289,
  "iss": "https:\/\/auth.test.buypass.no\/auth\/realms\/SECURITYDOMAIN",
  "sub": "d6cccb1c-4390-41c1-b956-184ac9213a64",
  "typ": "Bearer",
  "azp": "oidc-client",
  "auth_time": 0,
  "session_state": "1b3b3efa-a26b-4599-8a49-ee1888402416",
  "preferred_username": "someuser",
  "acr": "1",
  "scope": "openid profile",
  "client_id": "oidc-client",
  "username": "someuser",
  "active": true
}
```
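As an added example (not code from this page or from Buypass), here is the resource-server side of the flow in Python: a helper that posts a token to the introspection endpoint with client authentication, and a check that applies the rules a resource server should enforce on a response like the one above before accepting the token. The endpoint URL and issuer are taken from this page's examples, and the sample responses are constructed, not real.

```python
"""Resource-server handling of a token introspection response (RFC 7662)."""
import base64
import json
import urllib.request
from urllib.parse import urlencode

# Assumed values, taken from this page's examples; substitute your own registration.
INTROSPECT_URL = ("https://auth.buypass.no/auth/realms/SECURITYDOMAIN"
                  "/protocol/openid-connect/token/introspect")
EXPECTED_ISSUER = "https://auth.test.buypass.no/auth/realms/SECURITYDOMAIN"


def introspect(token: str, client_id: str, client_secret: str, hint: str = "access_token") -> dict:
    """POST the token to the introspection endpoint, authenticating as the client (required)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urlencode({"token": token, "token_type_hint": hint}).encode()
    req = urllib.request.Request(INTROSPECT_URL, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {creds}",
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def evaluate(resp: dict, now: int, required_scopes: set, issuer: str = EXPECTED_ISSUER) -> tuple:
    """Return (accept, reason). Only an "active": true response carries trustworthy claims."""
    if resp.get("active") is not True:
        # A revoked, expired or unknown token comes back as {"active": false}; trust nothing else.
        return False, "token is not active (revoked, expired or unknown)"
    if resp.get("iss") != issuer:
        return False, "unexpected issuer"
    if "exp" in resp and now >= resp["exp"]:
        return False, "token expired"
    if "nbf" in resp and now < resp["nbf"]:
        return False, "token not yet valid"
    granted = set(resp.get("scope", "").split())
    if not required_scopes <= granted:
        return False, "missing scope(s): " + ", ".join(sorted(required_scopes - granted))
    return True, f"accepted for subject {resp.get('sub')} via client {resp.get('client_id')}"


# Constructed sample responses modelled on the page's example (not real tokens or users).
SAMPLE_ACTIVE = json.loads(
    '{"exp": 1558702349, "nbf": 0, "iat": 1558702289, "typ": "Bearer", '
    '"iss": "https:\\/\\/auth.test.buypass.no\\/auth\\/realms\\/SECURITYDOMAIN", '
    '"sub": "d6cccb1c-4390-41c1-b956-184ac9213a64", "client_id": "oidc-client", '
    '"username": "someuser", "scope": "openid profile", "active": true}')
SAMPLE_REVOKED = {"active": False}
```

Note that the escaped slashes in the issuer value decode to a plain URL, so the comparison against the configured issuer is exact rather than textual on the wire format.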
The following is a response for a token that has been revoked or is otherwise invalid.
...