Token validation by resource servers

A resource server is responsible for protecting resources such as APIs via OAuth2 access tokens. Access tokens are intended for authorizing access to a resource, so the resource server must be able to verify the access token sent by the application. If the application sends a self-contained JWT access token, the resource server can validate it without interacting with the authorization server. For other tokens, OAuth 2.0 token introspection lets the resource server ask the authorization server about the state of access tokens and refresh tokens.

WSO2 Identity Server provides the /oauth2/introspect endpoint to perform token validation. A resource server can inspect tokens using WSO2 Identity Server and obtain the information related to those tokens. On WSO2 Identity Server, the resource server has to use client secret basic authentication to authenticate with the token introspection endpoint. Send the credentials in the Authorization header of the request: Authorization: Basic BASE64_ENCODING<client_id:client_secret>

Token introspection endpoint

https://localhost:9443/oauth2/introspect

Tip

To base64-encode the client ID and client secret, you can use a tool, or you can run the following command.

echo -n '<client_id:client_secret>' | base64

Request format

curl --location --request POST '{introspection_endpoint_url}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic V3NvcTh0NG5IVzgwZ1NuUGZ5RHZSYmlDX19FYTp6MEM3OXpsb3B4OGk3QnlPdzhLMTVBOWRwbFlh' \
--data-urlencode 'token={access_token}'

Sample request

curl --location --request POST 'https://localhost:9443/oauth2/introspect' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic V3NvcTh0NG5IVzgwZ1NuUGZ5RHZSYmlDX19FYTp6MEM3OXpsb3B4OGk3QnlPdzhLMTVBOWRwbFlh' \
--data-urlencode 'token=94e325b7-77c8-32c2-a6ff-d7be430bf785'

This introspection request takes the following parameters:

Note

See the OAuth2.0 introspection request for details.

Request parameter

token: The token (access token or refresh token) that you want to inspect.

Sample response

The following response will be returned for the provided access token:

{
  "aut": "APPLICATION_USER",
  "nbf": 1629961093,
  "scope": "openid profile",
  "active": true,
  "token_type": "Bearer",
  "exp": 1629968693,
  "iat": 1629961093,
  "client_id": "Wsoq8t4nHW80gSnPfyDvRbiC__Eb",
  "username": "[email protected]"
}

The following response will be returned for the provided refresh token:

{
  "nbf": 1629961093,
  "scope": "openid profile",
  "active": true,
  "token_type": "Refresh",
  "exp": 1630047493,
  "iat": 1629961093,
  "client_id": "Wsoq8t4nHW80gSnPfyDvRbiC__Ea",
  "username": "[email protected]"
}

If the token you used is invalid, you will get the following response:

{
  "active": false
}
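The following is an added example, not code from the WSO2 documentation: a resource server written in Python that builds the introspection request exactly as described above (client secret basic authentication, form-encoded token parameter) and then applies the checks a resource server should make on the response before granting access. The endpoint URL and client credentials are parameters you supply; the embedded sample response is the access-token response shown above.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed sample: the access-token introspection response shown on this page.
SAMPLE_ACCESS_TOKEN_RESPONSE = {
    "aut": "APPLICATION_USER", "nbf": 1629961093, "scope": "openid profile",
    "active": True, "token_type": "Bearer", "exp": 1629968693, "iat": 1629961093,
    "client_id": "Wsoq8t4nHW80gSnPfyDvRbiC__Eb",
}

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client secret basic auth, equivalent to `echo -n '<client_id:client_secret>' | base64`."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def build_introspection_request(endpoint, client_id, client_secret, token):
    """POST token=<token> as a form body, authenticated with the resource server's credentials."""
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    body = urllib.parse.urlencode({"token": token}).encode("ascii")
    return urllib.request.Request(endpoint, data=body, headers=headers, method="POST")

def introspect(endpoint, client_id, client_secret, token) -> dict:
    """Call the /oauth2/introspect endpoint and return its JSON body (network call)."""
    req = build_introspection_request(endpoint, client_id, client_secret, token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def authorize(introspection: dict, required_scopes: set, now: int) -> tuple:
    """Decide whether an introspected token may access a resource. Returns (allowed, reason)."""
    if introspection.get("active") is not True:
        return False, "token is not active"
    # A refresh token also introspects as active; only Bearer access tokens grant API access.
    if introspection.get("token_type") != "Bearer":
        return False, "not a bearer access token"
    exp, nbf = introspection.get("exp"), introspection.get("nbf", 0)
    if exp is None or now >= exp:
        return False, "token expired"
    if now < nbf:
        return False, "token not yet valid"
    missing = set(required_scopes) - set(introspection.get("scope", "").split())
    if missing:
        return False, "missing scope: " + " ".join(sorted(missing))
    return True, "ok"
```

Call `introspect("https://localhost:9443/oauth2/introspect", client_id, client_secret, token)` and pass its result to `authorize` with the scopes your API requires and the current Unix time; the `active` flag alone is not sufficient, because an active refresh token must not be accepted as an access token.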