Token Introspection (Resource ID and Secret)

POST {{authPath}}/{{envID}}/as/introspect

The POST /{{envID}}/as/introspect endpoint returns the active state of an OAuth 2.0 token together with the claims specified in RFC 7662 Section 2.2. The request requires the token parameter, whose value is the token string.

Note: The response includes only core OAuth claims and any optional claims specified in OAuth 2.0 Token Introspection (RFC 7662). The audience (aud) claim should match the value configured in Resources.

For introspection as the resource server, use the custom resource's ID and secret according to the resource's introspectEndpointAuthMethod value. The introspectEndpointAuthMethod property supports three options: CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, and NONE.

In the sample request shown here, the resource's introspectEndpointAuthMethod value is CLIENT_SECRET_BASIC, which requires the Authorization: Basic HTTP header carrying a Base64-encoded representation of username:password. The username (the client_id) is the {{resourceID}} of the custom resource and the password (the client_secret) is the {{resourceSecret}} associated with the custom resource.

If the resource's introspectEndpointAuthMethod value is CLIENT_SECRET_POST, the request does not need an Authorization header. Instead, the client_id and client_secret properties, whose values are the {{resourceID}} and {{resourceSecret}} respectively, are submitted in the request body:

curl --location --request POST '{{authPath}}/{{envID}}/as/introspect' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={{resourceID}}' \
--data-urlencode 'client_secret={{resourceSecret}}' \
--data-urlencode 'token={{accessToken}}'

If the resource's introspectEndpointAuthMethod value is NONE, the request requires only the client_id property in the request body, whose value is the {{resourceID}}. This request does not require an Authorization header:

curl --location --request POST '{{authPath}}/{{envID}}/as/introspect' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={{resourceID}}' \
--data-urlencode 'token={{accessToken}}'

The response always includes the active attribute, a boolean that indicates whether the token is currently active. For active tokens, the response also includes the token_type attribute, which always has the value Bearer.
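As an added example (not part of the PingOne documentation or its own code), the following Python builds the introspection request for each introspectEndpointAuthMethod value described above and applies the checks a resource server should make on the response: active, token_type, the audience configured for the resource, and expiry. The host, environment and resource values are constructed placeholders, and the expected audience is assumed to be the one shown in the sample response.

```python
import base64
import json
import time

# Constructed placeholders standing in for the page's {{...}} variables;
# none of these are real PingOne identifiers or secrets.
AUTH_PATH = "https://auth.example.test"           # {{authPath}}
ENV_ID = "ENV-ID-PLACEHOLDER"                     # {{envID}}
RESOURCE_ID = "RESOURCE-ID-PLACEHOLDER"           # {{resourceID}}
RESOURCE_SECRET = "RESOURCE-SECRET-PLACEHOLDER"   # {{resourceSecret}}
EXPECTED_AUD = "https://api.custom-resource.com"  # audience configured in Resources (assumed)


def build_introspection_request(auth_method, token):
    """Return (url, headers, form) for POST /as/introspect, shaped according to
    the resource's introspectEndpointAuthMethod as the page describes."""
    url = f"{AUTH_PATH}/{ENV_ID}/as/introspect"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"token": token}
    if auth_method == "CLIENT_SECRET_BASIC":
        # Basic auth: Base64 of "client_id:client_secret" in the Authorization header.
        creds = base64.b64encode(f"{RESOURCE_ID}:{RESOURCE_SECRET}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    elif auth_method == "CLIENT_SECRET_POST":
        # Credentials travel in the form body instead of a header.
        form["client_id"] = RESOURCE_ID
        form["client_secret"] = RESOURCE_SECRET
    elif auth_method == "NONE":
        form["client_id"] = RESOURCE_ID
    else:
        raise ValueError(f"unsupported introspectEndpointAuthMethod: {auth_method}")
    return url, headers, form


def accept_token(introspection_json, expected_aud, now=None):
    """Decide whether the resource server should accept the token: active must be
    true, token_type must be Bearer, aud must contain the configured audience and
    exp must lie in the future. Anything missing or malformed is rejected."""
    now = time.time() if now is None else now
    resp = json.loads(introspection_json)
    if resp.get("active") is not True or resp.get("token_type") != "Bearer":
        return False
    aud = resp.get("aud", [])
    if isinstance(aud, str):  # RFC 7662 allows aud as a single string or a list
        aud = [aud]
    if expected_aud not in aud:
        return False
    exp = resp.get("exp")
    return isinstance(exp, (int, float)) and exp > now
```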

For more information about token claims, see Token claims.

Prerequisites

Property        Type    Required?
client_id       String  Required
client_secret   String  Required
token           String  Required

See the OpenID Connect/OAuth2 data model for full property descriptions.

Request Body

Form parameters (application/x-www-form-urlencoded):

token={{accessToken}}          (string)
client_id={{resourceID}}       (string)
client_secret={{resourceSecret}} (string)

RESPONSES

status: OK

{
  "active": true,
  "scope": "CustomScope_1666376234",
  "client_id": "9bd74a2e-4ecd-44cd-abe7-62b288a9a8c9",
  "token_type": "Bearer",
  "exp": 1666383500,
  "iat": 1666376300,
  "sub": "13e04105-df5f-47e7-ada7-62af8701bad8",
  "aud": ["https://api.custom-resource.com"],
  "iss": "https://auth.pingone.com/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/as",
  "sid": "3aa55365-7677-4a14-90d5-b34f5297618d"
}