Token Introspection
The OAuth 2.0 Authorization Framework extends its scope with many other specifications. One of these is OAuth 2.0 Token Introspection (RFC 7662), which defines a protocol that allows authorized protected resources to query the authorization server to determine the set of metadata for a given token that was presented to them by an OAuth 2.0 client.
Client Setup
In order to enable this feature, some configurations must be performed in the Client.
The scope key token_introspection must be added to the client's scope.
If OIDC_INTROSPECTION_VALIDATE_AUDIENCE_SCOPE is set to True, then the client_id must also be added to the client's scope.
Introspection Endpoint
The introspection endpoint (/introspect) is an OAuth 2.0 endpoint that takes a parameter representing an OAuth 2.0 token and returns a JSON document representing the meta information surrounding the token.
The introspection endpoint is called using an HTTP POST request with parameters sent as "application/x-www-form-urlencoded" and HTTP Basic authentication, where the credential is base64(client_id:client_secret).
Parameters:
token REQUIRED. The string value of an access_token previously issued.
Example request:
curl -X POST \
http://localhost:8000/introspect \
-H 'Authorization: Basic NDgwNTQ2OmIxOGIyODVmY2E5N2Fm' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d token=6dd4b859706944848183d26f2fcb99c6
Example Response:
{
"aud": "480546",
"sub": "1",
"exp": 1538971676,
"iat": 1538971076,
"iss": "http://localhost:8000",
"active": true,
"client_id": "480546"
}
Introspection Endpoint Errors
In case of error, the Introspection Endpoint returns a JSON document with the key active set to false.
Example Error Response:
{
"active": false
}