This section includes information about using API for OAuth and OpenID Connect in the following scenarios:
A client application can use the Access Manager token to access an Access Manager OAuth protected resource. The following is the workflow of accessing a protected resource when the client uses the Access Manager token:
Registration: The client must be registered in Access Manager. For information about registering a client, see Registering Client Applications.
Retrieve a token from Access Manager: The client retrieves the token by selecting any of the following authorization grant flows:
Authorization code flow
Implicit flow
Resource owner credentials flow
Client credential flow
ID token flow
SAML 2 bearer profile for authorization grant flow
NOTE:For information about grants, see OAuth Authorization Grant in the Access Manager 5.0 Administration Guide. For required endpoints, see the respective endpoint sections in OAuth 2.0 Endpoints.
Send the token to resource server: The token is sent as an authorization header bearer token.
A resource server can validate a token that is issued by Access Manager through resource server keys or through Access Manager keys. By default, the token encryption is done by using Access Manager keys. The resource server sends a request to Access Manager to validate the token. If you provide the resource server's key and encryption algorithm details in Access Manager, the resource server does not require to send a request to Access Manager. Instead, the resource server can use its key to validate the token.
Only an Access Manager administrator can register a new resource server. To validate a token, the resource server must know how the token is encrypted.
Encrypted by Access Manager: This is an older way of validating the token. You need to send the token to Access Manager's token info endpoint for validation.
Encrypted using configured resource server keys: No need to validate through Access Manager. The resource server cryptokeys can be configured in Access Manager. Access Manager uses this key to encrypt the access token. This enables a resource server to validate the token itself, without sending it to the Access Manager token verification endpoint.
The following is a sample in Java code about how to validate the token:
//Step1: decrypt the JWT Token (JWE Standard) String jwtAccessToken = "eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwidHlwIjoiSldUIiwia2lkIjoibmFtLTEifQ.ZjE0jRb5oh3suQZHFmaB-m...."; JsonWebEncryption jwe = new JsonWebEncryption(); jwe.setCompactSerialization(jwtAccessToken); JsonWebKeySet jsonWebKeySet = new JsonWebKeySet(jwks); List<JsonWebKey> jsonWebKeys = jsonWebKeySet.getJsonWebKeys(); JsonWebKey jsonWebkey = jsonWebKeys.stream().filter( p -> p.getKeyId().equalsIgnoreCase(jwe.getKeyIdHeaderValue())).findFirst().orElse(jsonWebKeys.get(0)); if(jsonWebkey instanceof RsaJsonWebKey){ RsaJsonWebKey rsa = (RsaJsonWebKey) jsonWebkey; jwe.setKey(rsa.getPrivateKey()); }else { jwe.setKey(jsonWebkey.getKey()); } String decryptedToken = jwe.getPlaintextString(); //Step 2: Verify the JWT Signature (JWS Standard) JsonWebKeySet jsonWebKeySet = new JsonWebKeySet(jwks); JsonWebKey jsonWebkey = jsonWebKeySet.getJsonWebKeys().get(0); JsonWebSignature jws = new JsonWebSignature(); jws.setKey(jsonWebkey.getKey());; jws.setCompactSerialization(decryptedToken); if(true == jws.verifySignature()){ System.out.println("Signature is valid."); String payload = jws.getPayload(); // }
For detailed sample code and tool for validating the JWT access token, see JWT Validation tool.
No encryption: Trust and accept the token. As access token is not encrypted, use the sample in Java code mentioned in the previous step to verify the signature and trust the token. For information about configuring access token encryption keys, see Registering a Resource Server.
Access Manager revokes only the refresh token and its corresponding access token. Only the refresh tokens that are generated by Access Manager Version 4.4 or later can be revoked.
You can perform the following tasks by using Access Manager API:
Revoking refresh token for applications
Revoking tokens that are issued to a device
For example, a user lost the device and wants to revoke all tokens that are issued to that device.
Using Mobile Access SDK: Use the Access Manager user portal for deregistering a device. When device is deregistered, the refresh token and associated access token are revoked.
Not using Mobile Access SDK: If you do not use Mobile Access SDK to revoke a device, you must provide the device ID in the access token request so that the device can be associated with the token. You can use this device ID later for revoking the tokens issued to the device. For more information, see Revoking Token Issued to a Device.