OAuth2 Token introspection - integration guide for developers
Overview
This API is used to introspect an access token, that is, to check whether the token is active and which user it was issued to.
Prerequisites
- PhenixID Authentication Services HTTP API configured for OAuth2 token introspection use case
- OAuth/OIDC OP Discovery URL
Token introspection - data to be fetched before api call
The API client must fetch this value:
- access_token, returned from previous authentication (this might be returned through API, OIDC or SAML2)
How this parameter is fetched may differ depending on the use case.
Token introspection - api call
Request
Method: HTTP POST
Endpoint: <This value is fetched from the OAuth/OIDC discovery URL>
Example: /api/authentication/introspect?tenant=t1
Headers:
Name | Value | Mandatory | Comment |
---|---|---|---|
Content-Type | application/x-www-form-urlencoded | Yes | |
Authorization | Basic <b64(client_id:client_secret)> | Yes | HTTP Basic authentication will be used by default. |
Body:
token=<access_token>
Example request
POST /api/authentication/introspect?tenant=t1 HTTP/1.1
Host: integration.phenixid.se
Content-Type: application/x-www-form-urlencoded
Authorization: Basic ZG9uYWxkOnRydW1wZQ==
cache-control: no-cache

token=21e0d582-f1b9-4747-95ad-f16ca7ef2a9c
Response
The HTTP Response status code may have one of these values:
- 200 if ok.
- 403 if authentication failed or any error occurred.
Response body:
Key | Type | Example | Comment |
---|---|---|---|
Active | Boolean | true | Whether the access_token is currently active |
username | String | abj | username bound to access_token (if the subject is a user) |
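The request and response handling described above, as an added client example (not PhenixID's own code). It assumes the introspection endpoint is read from the `introspection_endpoint` key of the OP discovery document (the RFC 8414 metadata key; that the PhenixID discovery document exposes it is an assumption), uses placeholder endpoint and client credentials, and normalises response keys to lower case so that both `active` (RFC 7662) and the `Active` spelling in the table above are handled. Any status other than 200 is treated as "not active", and a 200 without a boolean active flag is rejected rather than trusted.

```python
import base64
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError


def introspection_endpoint(discovery_doc):
    """Return the introspection endpoint URL from an OP discovery document.

    'introspection_endpoint' is the RFC 8414 metadata key; that the PhenixID
    discovery document carries it is an assumption made for this example.
    """
    try:
        return discovery_doc["introspection_endpoint"]
    except KeyError:
        raise ValueError("discovery document has no introspection_endpoint") from None


def build_introspection_request(endpoint, client_id, client_secret, access_token):
    """Build the POST: form-encoded 'token' body and HTTP Basic client authentication."""
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"token": access_token}).encode()
    return urllib.request.Request(
        endpoint,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": f"Basic {credentials}",
        },
    )


def parse_introspection_response(status, body):
    """Map HTTP status and body to a decision: anything but a well-formed 200 means 'not active'."""
    if status != 200:
        return {"active": False, "error": f"introspection failed with HTTP {status}"}
    try:
        raw = json.loads(body)
    except (ValueError, TypeError):
        return {"active": False, "error": "response body is not JSON"}
    # Lower-case the keys so 'Active' and 'active' are treated the same.
    result = {str(k).lower(): v for k, v in raw.items()}
    if not isinstance(result.get("active"), bool):
        # A 200 without a boolean flag is malformed; fail closed.
        return {"active": False, "error": "malformed introspection response"}
    return result


def introspect(endpoint, client_id, client_secret, access_token, opener=urllib.request.urlopen):
    """Perform the call and return the parsed result. 'opener' is injectable for offline tests."""
    request = build_introspection_request(endpoint, client_id, client_secret, access_token)
    try:
        with opener(request, timeout=10) as response:
            return parse_introspection_response(response.status, response.read())
    except HTTPError as err:
        # urlopen raises on 403; read the body so the caller can log the reason.
        return parse_introspection_response(err.code, err.read())


if __name__ == "__main__":
    # Constructed values: placeholder discovery document, endpoint and credentials.
    discovery = {"introspection_endpoint": "https://op.example.com/api/authentication/introspect?tenant=t1"}
    endpoint = introspection_endpoint(discovery)
    req = build_introspection_request(endpoint, "client_id", "client_secret", "21e0d582-f1b9-4747-95ad-f16ca7ef2a9c")
    print(req.get_method(), req.full_url)
    print("Authorization:", req.get_header("Authorization"))
    print("body:", req.data.decode())
    # Constructed responses, shaped like the table above, instead of a live call.
    print(parse_introspection_response(200, b'{"Active": true, "username": "abj"}'))
    print(parse_introspection_response(403, b""))
```

The `opener` parameter exists so the decision logic can be exercised against constructed responses; in production leave it at the default `urllib.request.urlopen` and only ever act on `result["active"]` being exactly `True`.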