An Application holds an `access_token` or a `refresh_token` and needs metadata about these tokens (when they were issued, the scopes, ...). This is not the primary use case for introspection.

A ResourceServer receives an `access_token` which it needs to validate. The ResourceServer is identified by the `resource` parameter in the Authorization request, Authorization Code request or the Refresh Token request. Unfortunately, the ResourceServer may need more information about the `access_token` than what is directly available in the `access_token`. Enter the introspection flow.

Personal information should not be placed in `access_token`s. In fact, by adding personal information to a JWT, the Application will have access to this data without an explicit consent from the user or from your administrator. The `introspection_endpoint` can be used to share additional claims with ResourceServers, with the added security of having the ResourceServer authenticate before accessing the data.

```http
POST /token_endpoint HTTP/1.1
Host: oauth.server
Content-Type: application/x-www-form-urlencoded

token=AN_ACCESS_TOKEN_VALUE&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET
```
| Parameter | Required | Description |
|---|---|---|
| `token` | Yes | The `access_token` to be introspected |
| `token_type_hint` | No | An indication to the OAuth Provider of the type of token. Possible values are `access_token` or `refresh_token` |
| `client_id` | Yes | The identifier for the ResourceServer |
| `client_secret` | No | Only required if the ResourceServer authenticates through `client_secret_post` |
| `client_assertion` | No | Only required if the ResourceServer authenticates through `client_secret_jwt` or `private_key_jwt` |
| `client_assertion_type` | No | Only required if a `client_assertion` is used. The value must be `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` |
Error response:

```http
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "error": "AN_ERROR_CODE",
  "error_description": "AN_ERROR_DESCRIPTION"
}
```
When the ResourceServer is not part of the `aud` of the `access_token`, the token has expired, the token is unknown, or the token is not an `access_token`, the response is:

```http
HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "active": false
}
```
Successful response:

```http
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "sub": "SUBJECT_IDENTIFIER",
  "resource": "https://resource.server.com/protected/resource",
  "aud": "ACCESS_TOKEN_AUDIENCE",
  "nbf": 1607870056,
  "iat": 1607870056,
  "exp": 1607873656,
  "scope": "SPACE_SEPARATED_SCOPES",
  "client_id": "ACCESS_TOKEN_CLIENT_ID",
  "active": true
}
```
Successful response for an `access_token` issued with the `profile` scope (the user's profile claims are returned to the authenticated ResourceServer instead of being embedded in the token):

```http
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "updated_at": 1607850283,
  "locale": "en_US",
  "zoneinfo": "Europe/Berlin",
  "birthdate": null,
  "gender": null,
  "picture": "https://user.as.com/picture",
  "profile": "https://user.as.com/profile/USER_ID",
  "preferred_username": "username@example.com",
  "nickname": "nick-name",
  "middle_name": null,
  "given_name": "Nick",
  "family_name": "Name",
  "name": "Nick Name",
  "sub": "SUBJECT_IDENTIFIER",
  "resource": "https://resource.server.com/protected/resource",
  "aud": "ACCESS_TOKEN_AUDIENCE",
  "nbf": 1607870056,
  "iat": 1607870056,
  "exp": 1607873656,
  "scope": "SPACE_SEPARATED_SCOPES",
  "client_id": "ACCESS_TOKEN_CLIENT_ID",
  "active": true
}
```
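The following is an added example of the ResourceServer side of this flow; it is not code from the original page or from the OAuth provider it documents. It builds the introspection request from the parameter table above (`client_secret_post` authentication), distinguishes the three response shapes shown (error object, `"active": false`, `"active": true`), and then applies the checks a ResourceServer should still perform locally on an active token: that the token was issued for this resource (`aud`/`resource`), that `nbf`/`exp` bracket the current time, and that the required scopes are present. `INTROSPECTION_URL`, the `read`/`write` scopes, the token values and the sample responses are constructed for this example; `fake_send` stands in for the OAuth server so the code runs offline, while `http_send` is the real transport.

```python
# Added example (not from the original page): ResourceServer-side introspection client.
# INTROSPECTION_URL, the token values and the sample responses below are constructed.
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Optional

INTROSPECTION_URL = "https://oauth.server/token_endpoint"  # assumed, matches the request above
CLIENT_ID = "YOUR_CLIENT_ID"
CLIENT_SECRET = "YOUR_CLIENT_SECRET"
MY_RESOURCE = "https://resource.server.com/protected/resource"

def build_introspection_request(token: str, client_id: str, client_secret: str,
                                token_type_hint: Optional[str] = None) -> tuple:
    """(headers, body) for a client_secret_post call, per the parameter table."""
    form = {"token": token, "client_id": client_id, "client_secret": client_secret}
    if token_type_hint is not None:
        if token_type_hint not in ("access_token", "refresh_token"):
            raise ValueError("token_type_hint must be access_token or refresh_token")
        form["token_type_hint"] = token_type_hint
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    return headers, urllib.parse.urlencode(form).encode()

def parse_introspection_response(body: bytes) -> dict:
    """Error object -> exception; otherwise the introspection object (active true/false)."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(f"introspection error {data['error']}: {data.get('error_description', '')}")
    if not isinstance(data.get("active"), bool):
        raise RuntimeError("malformed introspection response: 'active' missing")
    return data

def authorize(data: dict, expected_resource: str, required_scopes: set,
              now: Optional[int] = None, leeway: int = 30) -> tuple:
    """'active': true is necessary but not sufficient: re-check audience, time window, scopes."""
    now = int(time.time()) if now is None else now
    if data.get("active") is not True:
        return False, "token inactive"
    aud = data.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_resource not in audiences and data.get("resource") != expected_resource:
        return False, "token not issued for this resource"
    exp = data.get("exp")
    if exp is None or now >= int(exp) + leeway:
        return False, "token expired"
    nbf = data.get("nbf")
    if nbf is not None and now + leeway < int(nbf):
        return False, "token not yet valid"
    missing = set(required_scopes) - set(data.get("scope", "").split())
    if missing:
        return False, "missing scopes: " + " ".join(sorted(missing))
    return True, "ok"

def http_send(url: str, headers: dict, body: bytes) -> tuple:
    """Real transport: POST the form, return (status, raw body) even on a 4xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def introspect(token: str, send: Callable = http_send, url: str = INTROSPECTION_URL) -> dict:
    """Round trip: build the request, send it (transport is injectable), parse the answer."""
    headers, body = build_introspection_request(token, CLIENT_ID, CLIENT_SECRET, "access_token")
    _status, raw = send(url, headers, body)
    return parse_introspection_response(raw)

# Constructed sample responses mirroring the shapes shown on the page.
SAMPLE_ACTIVE = {"sub": "SUBJECT_IDENTIFIER", "resource": MY_RESOURCE, "aud": "ACCESS_TOKEN_AUDIENCE",
                 "nbf": 1607870056, "iat": 1607870056, "exp": 1607873656, "scope": "read write",
                 "client_id": "ACCESS_TOKEN_CLIENT_ID", "active": True}
SAMPLE_INACTIVE = {"active": False}
SAMPLE_ERROR = {"error": "invalid_client", "error_description": "client authentication failed"}

def fake_send(url: str, headers: dict, body: bytes) -> tuple:
    """Stand-in OAuth server (constructed): authenticates the caller, then answers by token value."""
    form = urllib.parse.parse_qs(body.decode())
    if form.get("client_secret") != [CLIENT_SECRET]:
        return 400, json.dumps(SAMPLE_ERROR).encode()
    answers = {"good-token": (200, SAMPLE_ACTIVE)}
    status, payload = answers.get(form["token"][0], (400, SAMPLE_INACTIVE))
    return status, json.dumps(payload).encode()

if __name__ == "__main__":
    for token in ("good-token", "unknown-token"):
        print(token, authorize(introspect(token, fake_send), MY_RESOURCE, {"read"}, now=1607870100))
```

The local checks in `authorize` are deliberate even though the OAuth Provider already answers `"active": false` for a wrong audience or an expired token: the ResourceServer must not grant access on `"active": true` alone, because the provider does not know which scopes a given endpoint requires, and comparing `aud`/`resource` and the time window again costs nothing while protecting against a misconfigured or cached response.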