Invoke the OAuth Introspection Endpoint¶
The OAuth introspection endpoint is:
https://<IS_HOST>:<IS_PORT>/oauth2/introspect
This page guides you through invoking the OAuth Introspection Endpoint.
Register a service provider¶
You need to register your application as a service provider in WSO2 Identity Server.
- Log in to the WSO2 Identity Server Management Console (https://<IS_HOST>:<PORT>/carbon) using administrator credentials (admin:admin).
- Navigate to Main > Identity > Service Providers > Add.
- Enter a Service Provider Name. Optionally, enter a Description.
- Click Register.
Configure the service provider¶
Make the following changes to the created service provider.
- Expand Inbound Authentication Configuration > OAuth/OpenID Connect Configuration and click Configure.
- Enter the Callback Url.
Note
The Callback Url is the exact location in the service provider's application to which an access token will be sent. This URL should be the URL of the page that the user is redirected to after successful authentication.
- Click Add. Note the OAuth Client Key and OAuth Client Secret that appear.
Tip
For more advanced configurations, see OAuth/OpenID Connect Configurations.
Info
If the subject identifier in the token validation response needs to adhere to the "Use tenant domain in local subject identifier" and "Use user store domain in local subject identifier" configurations of the service provider, add the following configuration to the <IS_HOME>/repository/conf/deployment.toml file.
[oauth]
validation_response_subject_identifier_format = "app_configured"
- The default value of this property is false.
- If the value is false, the subject identifier is set to the fully qualified username.
Invoking the endpoint for the super tenant¶
Use the cURL commands given in the following sections to invoke the OAuth introspection endpoint for super tenant users.
Tip
- For requests that require CLIENT_ID:CLIENT_SECRET, use the client ID and client secret of the OAuth service provider you configured above.
- For requests that require USERNAME:PASSWORD, by default you can use the credentials of any user with the /permission/admin/manage/identity/applicationmgt/view permission. To allow users with other permissions to send validation requests, add the permissions to the <IS_HOME>/repository/conf/deployment.toml file as shown below and restart the server.
[resource_access_control.introspect]
permissions = ["/permission/admin/manage/identity/applicationmgt/view","/permission/admin/login"]
Get a valid token¶
Request
Response
Validate the token¶
Request
You can pass the token type as an optional parameter in the request (e.g.,
Response
Get a valid token with a scope¶
Request
Response
Validate the token¶
Request
Response
Invalid token¶
If the token that you used is invalid, you get the following response:
{'active':false}
Empty token¶
If you leave the token parameter empty as shown below, you get the following response:
Request
Response
Invoking the endpoint for tenants¶
Use the cURL commands given in the following sections to invoke the OAuth introspection endpoint for tenant users.
Tip
- For requests that require CLIENT_ID:CLIENT_SECRET, use the client ID and client secret of the OAuth service provider you configured above.
- For requests that require USERNAME@TENANT_DOMAIN:PASSWORD, by default you can use the credentials of any user with the /permission/admin/manage/identity/applicationmgt/view permission. To allow users with other permissions to send validation requests, add the permissions to the <IS_HOME>/repository/conf/deployment.toml file as shown below and restart the server.
[resource_access_control.introspect]
permissions = ["/permission/admin/manage/identity/applicationmgt/view","/permission/admin/login"]
- Token introspection across tenant domains is disabled by default. To allow cross-tenant token validation, add the following configuration to the <IS_HOME>/repository/conf/deployment.toml file and restart the server.
[oauth.introspect]
allow_cross_tenant = true
Get a valid token¶
Request
Response
Validate the token¶
Request
You can use any of the request formats given below:
You can pass the token type as an optional parameter in the request (e.g.,
Response
Get a valid token with a scope¶
Request
Response
Validate the token¶
Request
You can use any of the request formats given below:
Response
Invalid token¶
If the token that you used is invalid, you get the following response:
Response
{'active':false}
Empty token¶
If you leave the token parameter empty as shown below, you get the following response:
Request
Example:
Response
The samples given above only demonstrate how to validate a token obtained through the client credentials grant using the introspect endpoint. You can invoke the introspection endpoint in the same way with a token obtained from any other grant type.
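As an added example that is not part of the WSO2 documentation, the following Python client performs the introspection call described above: Basic authentication with a user that holds the introspect permission, the token in the form body, and the optional RFC 7662 `token_type_hint` parameter. It assumes the admin:admin credentials and placeholder host from this page, and substitutes a constructed fake transport for the server so the `{"active": false}`, empty-token and unauthorised-caller cases can be exercised offline.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholder host/port as written on this page; substitute your own deployment.
INTROSPECT_URL = "https://<IS_HOST>:<IS_PORT>/oauth2/introspect"

def build_introspect_request(url, username, password, token, token_type_hint=None):
    """RFC 7662 introspection POST: Basic auth as a user holding the introspect
    permission, the token in the form body, and an optional token_type_hint."""
    if not token:  # an empty token parameter only yields the page's "empty token" reply
        raise ValueError("token must not be empty")
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    fields = {"token": token}
    if token_type_hint:
        fields["token_type_hint"] = token_type_hint
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urllib.parse.urlencode(fields).encode()

def introspect(url, username, password, token, token_type_hint=None, transport=None):
    """POST and parse the JSON reply. transport(url, headers, body) -> bytes
    replaces the network so the flow can be exercised offline."""
    url, headers, body = build_introspect_request(url, username, password, token, token_type_hint)
    if transport is None:
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
    else:
        raw = transport(url, headers, body)
    return json.loads(raw)

def token_is_usable(response, required_scope=None):
    """Accept only an explicitly active token; anything else, including the
    {"active": false} reply, is a reject. Optionally require a scope to be present."""
    if response.get("active") is not True:
        return False
    return required_scope is None or required_scope in response.get("scope", "").split()

def fake_wso2_transport(url, headers, body):
    """Constructed stand-in for the server: admin:admin may introspect, one known token."""
    if headers.get("Authorization") != "Basic YWRtaW46YWRtaW4=":  # base64("admin:admin")
        raise PermissionError("401: caller lacks the introspect permission (constructed)")
    token = urllib.parse.parse_qs(body.decode()).get("token", [""])[0]
    if token == "constructed-valid-token":
        return json.dumps({"active": True, "scope": "default", "token_type": "Bearer"}).encode()
    return json.dumps({"active": False}).encode()
```

Pass `transport=None` to send the request to a real server; the validity check still refuses anything that is not an explicit `"active": true`.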