Invoke the OAuth Introspection Endpoint

The OAuth introspection endpoint is:

https://<IS_HOST>:<IS_PORT>/oauth2/introspect

This page guides you through invoking the OAuth Introspection Endpoint.


Register a service provider

You need to register your application as a service provider in WSO2 Identity Server.

  1. Log in to the WSO2 Identity Server Management Console (https://<IS_HOST>:<PORT>/carbon) using administrator credentials (admin:admin).

  2. Navigate to Main > Identity > Service Providers > Add.

  3. Enter a Service Provider Name. Optionally, enter a Description.

  4. Click Register.


Configure the service provider

Make the following changes to the created service provider.

  1. Expand Inbound Authentication Configuration > OAuth/OpenID Connect Configuration and click Configure.

  2. Enter the Callback Url.

    Note

    The Callback Url is the exact location in the service provider's application to which an access token will be sent. This URL should be the URL of the page that the user is redirected to after successful authentication.

  3. Click Add. Note the OAuth Client Key and OAuth Client Secret that appear.

Tip

To configure more advanced configurations, see OAuth/OpenID Connect Configurations.

Info

If the subject identifier in the token validation response needs to adhere to the "Use tenant domain in local subject identifier" and "Use user store domain in local subject identifier" configurations of the service provider, add the following configuration to the <IS_HOME>/repository/conf/deployment.toml file.

[oauth]
validation_response_subject_identifier_format= "app_configured"

  • Default value of this property is false.
  • If the value is false, the subject identifier will be set as the fully qualified username.

Invoking the endpoint for the super tenant

Use the cURL commands given in the following sections to invoke the OAuth introspection endpoint for the super tenant users.

Tip

  • For requests that require CLIENT_ID:CLIENT_SECRET, use the client ID and client secret of the OAuth service provider you configured above.

  • For requests that require USERNAME:PASSWORD by default, you can use credentials of any user with /permission/admin/manage/identity/applicationmgt/view permissions.

    To allow users with other permissions to send validation requests, add the permissions to the <IS_HOME>/repository/conf/deployment.toml file as shown below and restart the server.

    [resource_access_control.introspect]
    permissions = ["/permission/admin/manage/identity/applicationmgt/view","/permission/admin/login"]

Get a valid token

Request
Response

Validate the token

Request

You can pass the token type as an optional parameter in the request (e.g., token_type_hint=access_token or token_type_hint=refresh_token).

Response

Get a valid token with a scope

Request
Response

Validate the token

Request
Response

Invalid token

If the token that you used is invalid, you get the following response:

{"active":false}

Empty token

If you leave the token parameter empty as shown below, you get the following response:

Request
Response
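The cURL requests above are one side of the exchange; the other side is the resource server that has to act on what the introspection endpoint returns. The following Python is an added example, not code from the WSO2 Identity Server page or project: it builds the RFC 7662 introspection request for the endpoint path shown on this page (token and the optional token_type_hint in the form body, USERNAME:PASSWORD as HTTP Basic credentials) and then evaluates an introspection response the way a resource server should, rejecting anything that is not explicitly active=true and also checking exp, nbf, client_id and scope. The active response fields are the standard RFC 7662 names; the values in SAMPLE_ACTIVE, the client id and the token string are constructed placeholders, and the inactive sample is the {"active":false} body this page shows for an invalid or empty token.

```python
"""Added example: build a WSO2 IS introspection request and evaluate the reply.

Endpoint path is the one from the page; host/port are the page's placeholders.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

IS_HOST = "<IS_HOST>"  # placeholder from the page
IS_PORT = "<IS_PORT>"  # placeholder from the page
INTROSPECT_URL = f"https://{IS_HOST}:{IS_PORT}/oauth2/introspect"


def build_introspection_request(token, username, password, token_type_hint=None):
    """Return an urllib Request for POST /oauth2/introspect.

    Caller credentials (USERNAME:PASSWORD on the page) travel in an HTTP Basic
    header. The token goes in the form body, not the query string, so it does
    not end up in access logs. token_type_hint is the optional parameter the
    page mentions (access_token or refresh_token).
    """
    form = {"token": token}
    if token_type_hint is not None:
        form["token_type_hint"] = token_type_hint
    body = urllib.parse.urlencode(form).encode()
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(INTROSPECT_URL, data=body, headers=headers, method="POST")


def send(request):
    """Perform the request and parse the JSON body (needs a live server)."""
    with urllib.request.urlopen(request, timeout=5) as resp:
        return json.loads(resp.read().decode())


def evaluate_introspection(response, required_scopes=(), expected_client_id=None, now=None):
    """Decide whether a resource server should accept the introspected token.

    Returns (accepted, reason). Missing or malformed fields are rejections:
    the only path to True is active=true plus every extra check passing.
    """
    now = time.time() if now is None else now
    if response.get("active") is not True:
        return False, "token not active"
    exp = response.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or exp missing"
    nbf = response.get("nbf")
    if isinstance(nbf, (int, float)) and nbf > now:
        return False, "token not yet valid"
    if expected_client_id is not None and response.get("client_id") != expected_client_id:
        return False, "token issued to a different client"
    granted = set(str(response.get("scope", "")).split())  # RFC 7662: space-separated
    missing = set(required_scopes) - granted
    if missing:
        return False, "missing scope(s): " + " ".join(sorted(missing))
    return True, "accepted"


# Constructed sample responses: field names per RFC 7662, values made up.
SAMPLE_ACTIVE = {
    "active": True,
    "token_type": "Bearer",
    "client_id": "example-client-id",
    "username": "admin@carbon.super",
    "scope": "read write",
    "exp": 1_900_000_000,
    "iat": 1_899_996_400,
    "nbf": 1_899_996_400,
}
SAMPLE_INACTIVE = {"active": False}  # the page's response for an invalid or empty token

if __name__ == "__main__":
    req = build_introspection_request("<ACCESS_TOKEN>", "admin", "admin", "access_token")
    print(req.get_method(), req.full_url, req.data.decode())
    for sample in (SAMPLE_ACTIVE, SAMPLE_INACTIVE):
        print(evaluate_introspection(sample, required_scopes=["read"],
                                     expected_client_id="example-client-id",
                                     now=1_899_999_000))
```

The evaluation deliberately treats `{"active":false}` and a response with no `active` field identically, and it rejects an active token whose `exp` is absent rather than assuming it never expires; a resource server that only tests for `active` would accept tokens issued to other clients or with insufficient scope.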

Invoking the endpoint for tenants

Use the cURL commands given in the following sections to invoke the OAuth introspection endpoint for tenant users.

Tip

  • For requests that require CLIENT_ID:CLIENT_SECRET, use the client ID and client secret of the OAuth service provider you configured above.

  • For requests that require USERNAME@TENANT_DOMAIN:PASSWORD by default, you can use credentials of any user with /permission/admin/manage/identity/applicationmgt/view permissions.

    To allow users with other permissions to send validation requests, add the permissions to the <IS_HOME>/repository/conf/deployment.toml file as shown below and restart the server.

    [resource_access_control.introspect]
    permissions = ["/permission/admin/manage/identity/applicationmgt/view","/permission/admin/login"]

  • Token introspection across tenant domains is disabled by default. To allow cross-tenant token validation, add the following configuration to the <IS_HOME>/repository/conf/deployment.toml file and restart the server.

    [oauth.introspect]
    allow_cross_tenant = true

Get a valid token

Request
Response

Validate the token

Request

You can use any of the request formats given below:

Or

Response

Get a valid token with a scope

Request
Response

Validate the token

Request

You can use any of the request formats given below:

Or

Response

Invalid token

If the token that you used is invalid, you get the following response:

Response

{"active":false}

Empty token

If you leave the token parameter empty as shown below, you get the following response:

Request

Example:

Response

The samples given above only demonstrate how to validate a token obtained through the client credentials grant using the introspect endpoint. Similarly, you can invoke the introspection endpoint with a token obtained from any other grant type.
