Announcing the token introspection endpoint, and if I may say, at one point I just wanted to have a response of yep or nope. I mean, why be so formal!
-
Only access_token and refresh_token will be validated. I may add id_token later, but it is really not needed IMO.
-
All responses use HTTP status 200, with the body showing whether the token is active and what its status is. The exceptions are a token that fails signature verification or a malformed request; there you will see the appropriate 400/401/500.
-
To find the URL in the discovery JSON, use the 'introspection_endpoint' key;
it yields something like https://localhost/oauth2/default/introspect
-
Request attributes:

| Field | Description | Type | Required |
|---|---|---|---|
| client_id | Application client ID | String | Yes |
| client_secret | Application client secret. Mandatory if the client has private (confidential) registration status; public apps only require client_id. | String | Yes (confidential clients only) |
| token_type_hint | The token hint: either access_token or refresh_token | String | Yes |
| token | The string value of the token returned from the auth token endpoints | String | Yes |
curl -X POST -k -i -H 'Content-Type: application/x-www-form-urlencoded' \
  'https://localhost:port/oauth2/default/introspect' \
  --data 'client_id=kbyuFDidLLm280LIwVFiazOqj...&client_secret=khYVHgkbBBYUU...&token_type_hint=refresh_token&token=def50200695611d39349fad4bb913b686e1c53fc99116ebabdfcc08...'
Active Token

| Response Body Field | Value Returned |
|---|---|
| active | true |
| status | 'active' |
| exp | Expiry epoch time |
| sub | The subject of the token, mostly the user_id UUID |
| scope | Token scopes |
| client_id | Application client ID value |
Expired Token

| Response Body Field | Value Returned |
|---|---|
| active | false |
| status | 'expired' |
| exp | Expiry epoch time |
| sub | The subject of the token, mostly the user_id UUID |
| scope | Token scopes |
| client_id | Application client ID value |
Revoked / Logged-out User Token

| Response Body Field | Value Returned |
|---|---|
| active | false |
| status | 'revoked' |
| exp | Expiry epoch time |
| sub | The subject of the token, mostly the user_id UUID |
| scope | Token scopes |
| client_id | Application client ID value |
Invalid Client ID or Client Secret
This also covers the case where the client info bound to the token doesn't match the trusted client making the request. In both cases, let's not return anything useful.

| Response Body Field | Value Returned |
|---|---|
| active | false |
| status | 'invalid' |
- A refresh_token example response
{
"active": true,
"status": "active",
"scope": "openid email phone api:fhir api:pofh site:default",
"client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
"exp": 1614792378,
"sub": "91e65743-aa8c-4a7e-a183-706912c92436"
}
- An invalid-client example response
{"active":false}
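To show how a resource server would consume the endpoint described above, here is an added example (my own illustration, not code from the project): it form-encodes the request from the attribute table, then maps the reply to an accept/reject decision that fails closed on anything other than a 200 with active=true, and re-checks exp and scope locally. The endpoint URL, the client credentials, the fake transport and the sample replies are constructed for the example.

```python
"""Added example (not the project's code): calling the introspection endpoint
and deciding, fail-closed, whether a presented token should be honoured.
Endpoint URL, credentials and sample replies are constructed for illustration."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Assumed value; in practice read 'introspection_endpoint' from the discovery JSON.
INTROSPECTION_ENDPOINT = "https://localhost/oauth2/default/introspect"


def build_introspection_request(client_id, token, token_type_hint, client_secret=None):
    """Form-encode the request body. client_secret is sent only for confidential
    clients; public clients send client_id alone, as the request table says."""
    if token_type_hint not in ("access_token", "refresh_token"):
        raise ValueError("only access_token and refresh_token are introspected")
    form = {"client_id": client_id, "token_type_hint": token_type_hint, "token": token}
    if client_secret is not None:
        form["client_secret"] = client_secret
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return urllib.parse.urlencode(form).encode("ascii"), headers


def decide(http_status, body, required_scope=None, now=None):
    """Map an introspection reply to (accept, reason). Anything that is not a
    200 carrying active=true is rejected; exp and scope are re-checked locally."""
    if http_status != 200:
        # 400/401/500: malformed request, failed signature check or server fault.
        return False, "http_%d" % http_status
    try:
        claims = json.loads(body)
    except ValueError:
        return False, "unparseable"
    if claims.get("active") is not True:
        # status is 'expired', 'revoked' or 'invalid' when present; the bare
        # {"active": false} reply carries nothing else, so treat it as invalid.
        return False, claims.get("status", "invalid")
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return False, "expired"  # server said active, but exp is in the past on our clock
    if required_scope is not None:
        granted = set(claims.get("scope", "").split())
        if required_scope not in granted:
            return False, "insufficient_scope"
    return True, "active"


def introspect(token, token_type_hint, client_id, client_secret=None,
               required_scope=None, transport=None, now=None):
    """POST the token to the endpoint (or to a caller-supplied transport for
    offline use) and return decide()'s verdict."""
    body, headers = build_introspection_request(client_id, token, token_type_hint, client_secret)
    if transport is None:
        def transport(url, data, hdrs):
            req = urllib.request.Request(url, data=data, headers=hdrs, method="POST")
            try:
                with urllib.request.urlopen(req) as resp:
                    return resp.status, resp.read().decode()
            except urllib.error.HTTPError as e:  # non-2xx replies land here
                return e.code, e.read().decode()
    status, text = transport(INTROSPECTION_ENDPOINT, body, headers)
    return decide(status, text, required_scope=required_scope, now=now)


# Constructed sample replies, shaped like the response tables above.
SAMPLE_ACTIVE = json.dumps({
    "active": True, "status": "active",
    "scope": "openid email phone api:fhir api:pofh site:default",
    "client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH",
    "exp": 1614792378, "sub": "91e65743-aa8c-4a7e-a183-706912c92436"})
SAMPLE_REVOKED = json.dumps({
    "active": False, "status": "revoked", "exp": 1614792378,
    "sub": "91e65743-aa8c-4a7e-a183-706912c92436",
    "scope": "openid", "client_id": "kbyuFDidLLm280LIwVFiazOqjO3ty8KH"})
SAMPLE_INVALID_CLIENT = '{"active":false}'


def fake_transport(reply_status, reply_body):
    """Offline stand-in for the HTTP call: always returns the given reply."""
    return lambda url, data, hdrs: (reply_status, reply_body)


if __name__ == "__main__":
    # Placeholder token/credentials; the clock is pinned before the sample exp.
    print(introspect("def50200...", "refresh_token", "kbyuFDidLLm280LIwVFiazOqj...",
                     "khYVHgkbBBYUU...", required_scope="api:fhir",
                     transport=fake_transport(200, SAMPLE_ACTIVE), now=1614700000))
    print(introspect("def50200...", "refresh_token", "kbyuFDidLLm280LIwVFiazOqj...",
                     "khYVHgkbBBYUU...", transport=fake_transport(200, SAMPLE_REVOKED)))
```

The local exp check is deliberate: a reply can say active=true while the token expires during transit or while a cached verdict is reused, so the resource server should not rely on the status string alone.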
So I think this gives a good overview of this endpoint. Comments welcome.
Temporary note: I got a jump start on documenting this for comments, with the PR going up within a day and landing in master shortly thereafter. I'll post back once it is in master.