

Invoke the OAuth Introspection Endpoint¶

The OAuth introspection endpoint is:

https://<IS_HOST>:<IS_PORT>/oauth2/introspect

This guide explains how to invoke the OAuth Introspection Endpoint.

Register a service provider¶

To register your application as a service provider in the WSO2 Identity Server:

Log in to the WSO2 Identity Server Management Console using administrator credentials.
Go to Main > Identity > Service Providers > Add.
Enter a Service Provider Name. Optionally, enter a Description.
Click Register.

Configure the service provider¶

Make the following changes to the created service provider.

Expand Inbound Authentication Configuration > OAuth/OpenID Connect Configuration and click Configure.
Enter the Callback Url.

Note

The Callback Url is the exact location in the service provider's application to which an access token will be sent. This URL should be the URL of the page that the user is redirected to after successful authentication.
Click Add. Note the OAuth Client Key and OAuth Client Secret that appear.

Tip

To configure more advanced configurations, see OAuth/OpenID Connect Configurations.

Info

If subject identifier in the token validation response needs to adhere to the " Use tenant domain in local subject identifier" and " Use user store domain in local subject identifier" configurations in service provider, add the following configuration to the <IS_HOME>/repository/conf/deployment.toml file .

[oauth]
validation_response_subject_identifier_format= "app_configured"

Default value of this property is false.
If the value is false, subject identifier will be set as the fully qualified username.

Invoking the endpoint for the super tenant¶

Use the cURL commands given in the following sections to invoke the OAuth introspection endpoint for the super tenant users.

Prerequisites¶

Note the following before you begin.

Token validation requests sent to the introspection endpoint can be authenticated using basic authentication or client credentials.
Important

Basic authentication is enabled by default. However, it is recommended to use client credentials for authenticating to the introspection endpoint as it improves server performance.

To enable token validation using client credentials, apply the following configurations to the deployment.toml file (stored in the <IS_HOME>/repository/conf directory).
```
[[resource.access_control]]
context="(.*)/oauth2/introspect(.*)"
http_method = "all"
secure = true
allowed_auth_handlers="BasicClientAuthentication"
```
For token validation requests that require CLIENT_ID:CLIENT_SECRET, use the client ID and client secret of the OAuth service provider you configured above.
For token validation requests that require USERNAME:PASSWORD, you can use credentials of any user with /permission/admin/manage/identity/applicationmgt/view permissions. If you want to allow users with other permissions to send token validation requests, add the permissions to the <IS_HOME>/repository/conf/deployment.toml file as shown below and restart the server.
```
[resource_access_control.introspect]
permissions = ["/permission/admin/manage/identity/applicationmgt/view","/permission/admin/login"]
```

Get a valid token (without scopes)¶

First, you need to get a valid access token as follows:

Request Format

curl -v -X POST --basic -u <CLIENT_ID>:<CLIENT_SECRET> -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' -k -d 'grant_type=client_credentials' https://<IS_HOST>:<IS_PORT>/oauth2/token

Sample Request

curl -v -X POST --basic -u rgfKVdnMQnJSSr_pKFTxj3apiwYa:BRebJ0aqfclQB9v7yZwhj0JfW0ga -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' -k -d 'grant_type=client_credentials' https://localhost:9443/oauth2/token

You will receive the access token as follows:

{"token_type":"Bearer","expires_in":3600,"access_token":"fbc4e794-23db-3394-b1e5-f2c3e511d01f"}

Get a valid token (with scopes)¶

First, you need to get a valid access token as follows:

Request Format

curl -v -X POST --basic -u <CLIENT_ID>:<CLIENT_SECRET> -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' -k -d 'grant_type=client_credentials&scope=<scope 1> <scope 2>' https://<IS_HOST>:<IS_PORT>/oauth2/token

Sample Request

curl -v -X POST --basic -u rgfKVdnMQnJSSr_pKFTxj3apiwYa:BRebJ0aqfclQB9v7yZwhj0JfW0ga -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' -k -d 'grant_type=client_credentials&scope=test1 test2' https://localhost:9443/oauth2/token

You will receive the access token as follows:

{"access_token":"34060588-dd4e-36a5-ad93-440cc77a1cfb","scope":"test1 test2","token_type":"Bearer","expires_in":3600}

Validate the token¶

You can send a token validation request using one of the following authentication methods:

Using basic authentication:

Request Format

curl -k -u <USERNAME>:<PASSWORD> -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=<ACCESS_TOKEN>' https://<IS_HOST>:<IS_PORT>/oauth2/introspect

Sample Request

curl -k -u admin:admin -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=fbc4e794-23db-3394-b1e5-f2c3e511d01f' https://localhost:9443/oauth2/introspect

Not that you can pass the token type as an optional parameter in the request (e.g., token_type_hint=access_token or token_type_hint=refresh_token).

Using authentication with client credentials:

Tip

Note that authentication using client credentials should be enabled for the server. See the prerequisites for instructions.

Request Format

curl -k -u <CLIENT_ID>:<CLIENT_SECRET> -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=<ACCESS_TOKEN>' https://<IS_HOST>:<IS_PORT>/oauth2/introspect

Sample Request

curl -k -u rgfKVdnMQnJSSr_pKFTxj3apiwYa:BRebJ0aqfclQB9v7yZwhj0JfW0ga -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=fbc4e794-23db-3394-b1e5-f2c3e511d01f' https://localhost:9443/oauth2/introspect

You will receive one of the following responses:

If the access token did not request scopes:

{"exp":1464161608,"username":"[email protected]","active":true,"token_type":"Bearer","client_id":"rgfKVdnMQnJSSr_pKFTxj3apiwYa","iat":1464158008}

If the access token requested scopes:

{"exp":1464161560,"username":"[email protected]","scope":"test1 test2","active":true,"token_type":"Bearer","client_id":"rgfKVdnMQnJSSr_pKFTxj3apiwYa","iat":1464157960}

Invalid token¶

If the token that you used is invalid, you get the following response:

{'active':false}

Empty token¶

If you leave the token parameter empty as shown below, you get the following response :

Request

Request

curl -k -u <USERNAME>:<PASSWORD> -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=' https://<IS_HOST>:<IS_PORT>/oauth2/introspect

Sample cURL

 curl -k -u admin:admin -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=' https://localhost:9443/oauth2/introspect

Response

{'error': 'Invalid input'}

Invoking the endpoint for tenants¶

Use the following cURL commands given in the following sections to invoke the OAuth introspection endpoint for tenant users.

Prerequisites¶

Note the following before you begin.

Token validation requests sent to the introspection endpoint can be authenticated using basic authentication or client credentials.
Important

Basic authentication is enabled by default. However, it is recommended to use client credentials for authenticating to the introspection endpoint as it improves server performance.

To enable token validation using client credentials, apply the following configurations to the deployment.toml file (stored in the <IS_HOME>/repository/conf directory) and restart the server.
```
[[resource.access_control]]
context="(.*)/oauth2/introspect(.*)"
http_method = "all"
secure = true
allowed_auth_handlers="BasicClientAuthentication"
```
For token validation requests that require CLIENT_ID:CLIENT_SECRET, use the client ID and client secret of the OAuth service provider you configured above.
For token validation requests that require USERNAME:PASSWORD, you can use credentials of any user with /permission/admin/manage/identity/applicationmgt/view permissions. If you want to allow users with other permissions to send token validation requests, add the permissions to the <IS_HOME>/repository/conf/deployment.toml file as shown below and restart the server.
```
[resource_access_control.introspect]
permissions = ["/permission/admin/manage/identity/applicationmgt/view","/permission/admin/login"]
```
Token introspection across tenant domains is disabled by default. To allow cross tenant token validation, add the following configuration to the <IS_HOME>/repository/conf/deployment.toml file and restart the server.
```
[oauth.introspect]
allow_cross_tenant = true
```

Get a valid token (without scopes)¶

First, you need to get a valid access token as follows:

Request Format

curl -v -X POST --basic -u <CLIENT_ID>:<CLIENT_SECRET> -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' -k -d 'grant_type=client_credentials' https://<IS_HOST>:<IS_PORT>/t/<TENANT_DOMAIN>/oauth2/token

Sample Request

curl -v -X POST --basic -u rgfKVdnMQnJSSr_pKFTxj3apiwYa:BRebJ0aqfclQB9v7yZwhj0JfW0ga -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' -k -d 'grant_type=client_credentials' https://localhost:9443/t/foo.com/oauth2/token

You will receive the access token as follows:

{"token_type":"Bearer","expires_in":3600,"access_token":"fbc4e794-23db-3394-b1e5-f2c3e511d01f"}

Get a valid token (with scopes)¶

First, you need to get a valid access token as follows:

Request Format

curl -v -X POST --basic -u <CLIENT_ID>:<CLIENT_SECRET> -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' -k -d 'grant_type=client_credentials&scope=test1 test2' https://<IS_HOST>:<IS_PORT>/t/<TENANT_DOMAIN>/oauth2/token

Sample Request

curl -v -X POST --basic -u rgfKVdnMQnJSSr_pKFTxj3apiwYa:BRebJ0aqfclQB9v7yZwhj0JfW0ga -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' -k -d 'grant_type=client_credentials&scope=test1 test2' https://localhost:9443/t/foo.com/oauth2/token

You will receive the access token as follows:

{"access_token":"34060588-dd4e-36a5-ad93-440cc77a1cfb","scope":"test1","token_type":"Bearer","expires_in":3600}

Validate the token¶

You can send a token validation request using one of the following authentication methods:

Using basic authentication:

Request Format (method 1)

curl -k -u <USERNAME>@<TENAND_DOMAIN>:<PASSWORD> -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=<ACCESS_TOKEN>' https://<IS_HOST>:<IS_PORT>/t/<TENANT_DOMAIN>/oauth2/introspect

Sample Format (method 2)

curl -v -k -H 'Authorization: Basic <BASE64ENCODED(USERNAME@TENAND_DOMAIN:PASSWORD)>' -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=<ACCESS_TOKEN>' https://localhost:9443/t/<TENANT_DOMAIN>/oauth2/introspect

Sample Request

curl -k -u [email protected]:admin -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=fbc4e794-23db-3394-b1e5-f2c3e511d01f' https://localhost:9443/t/foo.com/oauth2/introspect

Not that you can pass the token type as an optional parameter in the request (e.g., token_type_hint=access_token or token_type_hint=refresh_token).

Using authentication with client credentials:

Tip

Note that authentication using client credentials should be enabled for the server. See the prerequisites for instructions.

Request Format

curl -k -u <CLIENT_ID>:<CLIENT_SECRET> -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=<ACCESS_TOKEN>' https://<IS_HOST>:<IS_PORT>/t/<TENANT_DOMAIN>/oauth2/introspect

Sample Request

curl -k -u rgfKVdnMQnJSSr_pKFTxj3apiwYa:BRebJ0aqfclQB9v7yZwhj0JfW0ga -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=fbc4e794-23db-3394-b1e5-f2c3e511d01f' https://localhost:9443/t/foo.com/oauth2/introspect

You will receive one of the following responses:

If the access token did not request scopes:

{"active":true,"token_type":"Bearer","exp":1517922556,"iat":1517918956,"client_id":"okaN2IXAsLx5SBH9Los1C6zX1RIa","username":"[email protected]”}

If the access token requested scopes:

{"scope":"1 test","active":true,"token_type":"Bearer","exp":1517922663,"iat":1517919063,"client_id":"okaN2IXAsLx5SBH9Los1C6zX1RIa","username":"[email protected]"}

Invalid token¶

If the token that you used is invalid, you get the following response:

Response

{'active':false}

Empty token¶

If you leave the token parameter empty as shown below, you get the following response:

Request

Example:

Request

curl -k -u <USERNAME>@<TENANT_DOMAIN>:<PASSWORD> -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=' https://<IS_HOST>:<IS_PORT>/t/<TENANT_DOMAIN>/oauth2/introspect

Sample cURL

 curl -k -u admin:admin -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=' https://localhost:9443/oauth2/introspect

Response

{'error': 'Invalid input'}

The samples given above only demonstrate how to validate a token obtained for the client credentials grant using the introspect endpoint. Similarly, you can invoke introspection endpoint with a token obtained from any other grant type as well.