Integration Server 10.15 | Built-In Services Reference Guide | OAuth Folder | Summary of Elements in this Folder | pub.oauth:introspectToken
 
pub.oauth:introspectToken
WmPublic. Checks whether an access token or refresh token generated by an Integration Server used as an authorization server is active.
Input Parameters
token
String The access token or refresh token issued by the authorization server.
token_type_hint
String. Optional. A hint for the token type. Specify:
*access_token if the provided token is an access token.
*refresh_token if the provided token is refresh token.
Output Parameters
active
String Indicates whether or not the token is active.
*true indicates the token was issued by this authorization server, has not expired, and has not been revoked.
*false indicates the token is not active.
token_type
String. Conditional. The type of access token issued by the authorization server. The value is Bearer.
token_type is returned only if active is true and token_type is access_token.
scope
String. Conditional. A space-delimited list of the scope names for which the authorization server issued the token.
scope is returned only if active is true and token_type is access_token.
client_id
String. Conditional. The client identifier for which the authorization server generated the access token. The client_id corresponds to a user account in Integration Server.
client_id is returned only if active is true, token_type is access_token, and the authorization server has a value for client_id.
The authorization server always has a client_id value for confidential clients because a confidential client must supply their client_id and client_secret when requesting a token. The authorization server will have a client_id value for public clients only if the public client has a user account on Integration Server and the client was already logged in at the time it requested an access token.
owner_id
String. Conditional. User ID of the resource owner that approved the client access.
owner_id is returned only if active is true and token_type is access_token.
iat
String. Conditional. Time at which the authorization server issued the token. Per RFC 7662, this is a timestamp, measured in the number of seconds since January 1 1970 UTC.
iat is returned only if active is true.
exp
String. Conditional. Time at which the token expires. Per RFC 7662, this is a timestamp, measured in the number of seconds since January 1 1970 UTC.
exp is returned only if active is true, token_type is access_token, and the token expires. If the token does not expire, exp does not appear in the output.
Usage Notes
The pub.oauth:introspectToken service is the introspection endpoint for the Integration Server authorization server. The URL for the introspection endpoint is:
https://host:port/invoke/pub.oauth/introspectToken
The pub.oauth:introspectToken service supports RFC 7662, OAuth 2.0 Token Introspection.
Supplying token_type_hint may help the Integration Server authorization server look up the token more quickly. If Integration Server does not find the token of the type specified in the provided hint, Integration Server looks for a token of the other type.
This service must be invoked using HTTPS unless the Require HTTPS setting on the Security > OAuth > Edit OAuth Global Settings page is disabled.
Clients must invoke this service via an HTTP POST request unless the watt.server.oauth.requirePost server configuration parameter is set to false. When this parameter is set to false, clients can invoke this service using HTTP GET.
Integration Server includes a server configuration parameter to control whether or not the OAuth introspection endpoint, the pub.oauth:introspectTokenservice, considers whether a client account is disabled or enabled when determining if an access token is active. When watt.server.oauth.disableClient.disableTokens is set to true, the pub.oauth:introspectToken service considers the token to be inactive if the client account to which the token was issued is disabled. The service returns a value of false for the active output parameter. The OAuth resource server, whether it's an Integration Server or another vendor, will not allow access to the requested resource. When watt.server.oauth.disableClient.disableTokens is set to false, the pub.oauth:introspectToken service does not consider the enabled/disabled state of the client account to which the access token was issued when evaluating an access token. The default value watt.server.oauth.disableClient.disableTokens is true.