...

While the OIDC specification defines the format of the OIDC ID Token (see also ID Token), the Access Token and Refresh Token are based on the OAuth2 specification.

...

The token_introspect endpoint URL can be found by looking at the value of the "token_introspect_endpoint" key in the openid-configuration.

Typical format of the URL is:

...

Note that the endpoint requires client authentication.

Parameter: token
Required: yes
Description: The string value of the token. For access tokens, this is the "access_token" value returned from the token endpoint. For refresh tokens, this is the "refresh_token" value returned from the token endpoint. ID Tokens are not supported as they are out of scope according to the specification. Use the OIDC ID Token specification for decoding.
Example: token=eyJhbGciOiJSUzI1NiIsInR5...

Parameter: token_type_hint
Required: no
Description: A hint about the type of the token submitted for introspection. Values according to Initial Registry Contents.
Example: token_type_hint=access_token

Example request

Example request using curl

BASEURL="https://auth.buypass.no/auth/realms/SECURITYDOMAIN/protocol/openid-connect"
CLIENT_ID="oidc-client"
CLIENT_SECRET="mysecret"
# HTTP Basic credentials: base64("client_id:client_secret") on a single line
BASIC_AUTH=$(printf '%s:%s' "${CLIENT_ID}" "${CLIENT_SECRET}" | base64 | tr -d '\n')
SCOPE="openid profile"

USERID="someuser"
USERPWD="somepassword"

# Get the tokens using the Resource Owner Password Credentials Grant
# (--data-urlencode encodes the space in the scope and any special characters in the password)
TOKENS_JSON=$(curl -sS \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic ${BASIC_AUTH}" \
  -X POST "${BASEURL}/token" \
  --data-urlencode "grant_type=password" \
  --data-urlencode "username=${USERID}" \
  --data-urlencode "password=${USERPWD}" \
  --data-urlencode "scope=${SCOPE}")

# Get the Access Token (using the jq tool)
ACCESS_TOKEN=$(jq -r '.access_token' <<<"${TOKENS_JSON}")

# Introspect the Access Token (the endpoint requires client authentication)
curl -i -w "\n" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic ${BASIC_AUTH}" \
  -X POST "${BASEURL}/token/introspect" \
  --data-urlencode "token=${ACCESS_TOKEN}" \
  --data-urlencode "token_type_hint=access_token"

# Get the Refresh Token (using the jq tool)
REFRESH_TOKEN=$(jq -r '.refresh_token' <<<"${TOKENS_JSON}")

# Introspect the Refresh Token
curl -i -w "\n" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic ${BASIC_AUTH}" \
  -X POST "${BASEURL}/token/introspect" \
  --data-urlencode "token=${REFRESH_TOKEN}" \
  --data-urlencode "token_type_hint=refresh_token"

...

Depending on the context, additional Security Domain claims may be provided. Their semantics and values may vary from domain to domain.

...

Introspect response example
{
  "jti": "4c64fccc-e06a-4613-a882-6a1fe57567c0",
  "exp": 1558702349,
  "nbf": 0,
  "iat": 1558702289,
  "iss": "https:\/\/auth.test.buypass.no\/auth\/realms\/SECURITYDOMAIN",
  "sub": "d6cccb1c-4390-41c1-b956-184ac9213a64",
  "typ": "Bearer",
  "azp": "oidc-client",
  "auth_time": 0,
  "session_state": "1b3b3efa-a26b-4599-8a49-ee1888402416",
  "preferred_username": "someuser",
  "acr": "1",
  "scope": "openid profile",
  "client_id": "oidc-client",
  "username": "someuser",
  "active": true
}
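The request format above and the response fields shown here, combined into a resource-server-side check as an added example (not code from the page or from Buypass). It assumes the Python standard library only; the function names, the pinned issuer/client and the required-scope list are this example's own choices, and the sample response is constructed from the page's example.

```python
import base64
import time
import urllib.parse
import urllib.request

# Endpoint from the page; SECURITYDOMAIN is a placeholder for the real realm.
INTROSPECT_URL = ("https://auth.buypass.no/auth/realms/SECURITYDOMAIN"
                  "/protocol/openid-connect/token/introspect")

# Constructed sample: the active introspection response shown on the page (May 2019).
SAMPLE_ACTIVE = {
    "exp": 1558702349, "nbf": 0, "iat": 1558702289,
    "iss": "https://auth.test.buypass.no/auth/realms/SECURITYDOMAIN",
    "typ": "Bearer", "azp": "oidc-client", "scope": "openid profile",
    "client_id": "oidc-client", "username": "someuser", "active": True,
}

def build_introspect_request(url, client_id, client_secret, token,
                             token_type_hint="access_token"):
    """POST with a form body and HTTP Basic client authentication, as the page describes."""
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": token_type_hint}).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Authorization": f"Basic {creds}"})

def check_introspection(resp, expected_iss, expected_client, required_scopes, now=None):
    """Resource-server decision: "active" alone is not enough; also pin the issuer
    and client and verify the validity window and scopes. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    if resp.get("active") is not True:
        return False, "token is not active"
    if resp.get("iss") != expected_iss:
        return False, "unexpected issuer"
    if expected_client is not None and resp.get("client_id") != expected_client:
        return False, "token issued to another client"
    exp, nbf = resp.get("exp"), resp.get("nbf", 0)
    if not isinstance(exp, int) or exp <= now:
        return False, "token expired or has no exp"
    if nbf > now:
        return False, "token not yet valid"
    missing = set(required_scopes) - set(resp.get("scope", "").split())
    if missing:
        return False, "missing scope(s): " + " ".join(sorted(missing))
    return True, "ok"

if __name__ == "__main__":
    req = build_introspect_request(INTROSPECT_URL, "oidc-client", "mysecret", "eyJ...")
    print(req.get_method(), req.full_url, req.data)
    # Accepted at a clock inside its lifetime, rejected as expired against the clock now.
    print(check_introspection(SAMPLE_ACTIVE, SAMPLE_ACTIVE["iss"], "oidc-client", ["openid"], now=1558702300))
    print(check_introspection(SAMPLE_ACTIVE, SAMPLE_ACTIVE["iss"], "oidc-client", ["openid"]))
```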

The following is a response for a token that has been revoked or is otherwise invalid.

...