Introspect
- Frode Nilsen (Unlicensed)
Owned by Frode Nilsen (Unlicensed)
31 Jan 2018
3 min read
Loading data...
| URL | https://<oidc-baseurl>/protocol/openid-connect/token/introspect |
|---|---|
| Request method |
|
| Client authentication | See supported methods |
| Request parameters | See below |
| Response elements | See below |
| Example | See below |
Introspect is a standard endpoint used by Resource Servers to determine the particuar Authentication Context for a by-reference Access Token. A Resource Server needs such information to validate incomming tokens before granting access to Proteted Resources it hosts. Note in contrast that self-contained Access Tokens can be validated by a Resource Server without calling the Introspection endpoint. Each of the particular types of by-reference tokens supported by the OIDC Provider from BankID have corresponding support in the Introspect endpoint.
Request parameters
In addition to the parameters shown below comes parameters related to Client authentication.
= According to standard. 
= Feature restriction.
| Parameter | Support | Description |
|---|---|---|
token | | String value of the by-reference token |
token_hint | | Not supported |
Response parameters
JSON structure containing relevant attributes for the Access Token in question. The following attributes are supported
= According to standard. = Feature restriction. 
= In progress / future support. 
= Custom additions
| Parameter | Support | Description |
|---|---|---|
| | Indicator of whether or not the presented token is currently active |
scope | | Scopes associated with the access token in question |
client_id | | Identifier of the OIDC client that requested the token |
username | ??? | TBD |
token_type | | Type of token |
exp | | Expiration time for the token |
iat | | Issuing time for the token |
nbf | | |
sub | | Subject identifier of the end-user with which the token is associated |
aud | | |
iss | | Identifier for the issuer of the token |
jti | | |
nnin_altsub | | Norwegian National Identity Number of the end-user with which the token is associated (corresponds to nnin_altsub in IDToken). Only available for eligible OAuth Resource Servers. Note: an eligible Resource Server may get access to nnin even of the OIDC Client that received the access token in question is not eligible. |
Example
Introspection
POST /auth/realms/preprod/protocol/openid-connect/token/introspect HTTP/1.1
Host: oidc-preprod.bankidapis.no
Connection: close
Content-Length: 1321
Authorization: Basic UG9zdG1hbjo5YWE3NDBhZi03NGIxLTQ2ODMtOWFhNi02NWJiNDBmYmY1Zjk=
Postman-Token: 00976d86-f2ab-73ca-b0c4-78570bb367bd
Cache-Control: no-cache
Origin: chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3VkZaSVp2UlBOY1lSUUZUcEQ4MHVJaElpVVB4WUNkaEtoUjZudjJDQnJnIn0.eyJqdGkiOiI0NTIyNGYyYS02MmQwLTRlNTgtODY1Yi1iODA2NjZlMjM3NzEiLCJleHAiOjE1MTA4MzgzNzYsIm5iZiI6MCwiaWF0IjoxNTEwODM4MDc2LCJpc3MiOiJodHRwczovL29pZGMtcHJlcHJvZC5iYW5raWRhcGlzLm5vL2F1dGgvcmVhbG1zL3ByZXByb2QiLCJhdWQiOiJ0aW5mbyIsInN1YiI6ImIzZjRkOTE5LThjYzUtNDEzYy05ZTExLTNjMmM2NzViMmY4ZiIsInR5cCI6IkJlYXJlciIsImF6cCI6IlBvc3RtYW4iLCJhdXRoX3RpbWUiOjE1MTA4MzgwNTAsInNlc3Npb25fc3RhdGUiOiJiZjBhNGM5Zi0yZDAwLTQzZDgtODI4OC0wMWI4M2FiMWU1ODAiLCJuYW1lIjoiRnJvZGUgQmVja21hbm4gTmlsc2VuIiwiZ2l2ZW5fbmFtZSI6IkZyb2RlIEJlY2ttYW5uIiwiZmFtaWx5X25hbWUiOiJOaWxzZW4iLCJhY3IiOiI0IiwiYWxsb3dlZC1vcmlnaW5zIjpbXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm5uaW5fYWx0c3ViIiwicHJvZmlsZSJdfSwicmVzb3VyY2VfYWNjZXNzIjp7InRpbmZvIjp7InJvbGVzIjpbImFkZHJlc3MiLCJwaG9uZSIsImVtYWlsIl19fSwiYW1yIjoiQklEIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiTmlsc2VuLCBGcm9kZSBCZWNrbWFubiIsImJhbmtpZF9hbHRzdWIiOiI5NTc4LTYwMDAtNC0zMDc5OSJ9.EWLAWLfy4FFGa4UACJfLfCBiPKyNOoLJxUoEirrcR3JR81ruJW3T3SyTP4iMZ74nFbHclS9z4j8AhzBYfhdj9ZpCqAnYiJUGdwyMLPTRMoY_qW57qd1ZXoP93nAK9yhByLEI-N4U6wsC_FJado2EfyT_9oyKFx5YGa9Rg4wldbyt9EcUXsl-AuoLEhDbNjr3O-O9eixCXkyCj_sSptOlu4bdzTDpkYaAenXahncST6H_-n7Pe1Q1eZJuDjx2ofLsn3TGXlAb5zuOdiNUdmBk9jkUZiTz-5CxR-z9JQDZPfwJYSuC-z4X-rnknfDw06OnlbY7zGYPL827Nzw74snnRg
HTTP/1.1 200 OK
Date: Thu, 16 Nov 2017 13:15:21 GMT
Server: WildFly/10
X-Powered-By: Undertow/1
Content-Type: application/json
Content-Length: 717
Via: 1.1 oidc-preprod.bankidapis.no
Connection: close
{
"jti": "45224f2a-62d0-4e58-865b-b80666e23771",
"exp": 1510838376,
"nbf": 0,
"iat": 1510838076,
"iss": "https://oidc-preprod.bankidapis.no/auth/realms/preprod",
"aud": "tinfo",
"sub": "b3f4d919-8cc5-413c-9e11-3c2c675b2f8f",
"typ": "Bearer",
"azp": "Postman",
"auth_time": 1510838050,
"session_state": "bf0a4c9f-2d00-43d8-8288-01b83ab1e580",
"name": "Frode Beckmann Nilsen",
"given_name": "Frode Beckmann",
"family_name": "Nilsen",
"preferred_username": "Nilsen, Frode Beckmann",
"acr": "4",
"allowed-origins": [],
"realm_access": {
"roles": [
"nnin_altsub",
"profile"
]
},
"resource_access": {
"tinfo": {
"roles": [
"address",
"phone",
"email"
]
}
},
"amr": "BID",
"bankid_altsub": "9578-6000-4-30799",
"client_id": "Postman",
"username": "Nilsen, Frode Beckmann",
"active": true
}