3.5 Validating Tokens

Access Manager issues tokens of variable length. The application must not assume the size of the tokens.

By default, access tokens are signed and encrypted by using Access Manager encrypted keys. You can choose to encrypt the access token by using resource server encrypted keys or disable encryption.

You can verify the access token received in earlier flows based on how the token is encrypted.

Use one of the following ways to verify the token:

  • When an access token is signed and encrypted by using Access Manager encrypted keys, the token can be validated by sending a request to the TokenInfo endpoint of Identity Server. This scenario requires the token to be sent to Identity Server for verification.

  • When access token is encrypted by using resource server encrypted keys, the resource server can validate the token by decrypting the token, verifying the signature, trusting the token that is issued by the trusted Identity Server, or by sending the decrypted token to TokenInfo endpoint of Identity Server. This scenario does not require token to be sent to Identity Server instead the resource server can verify the token by itself. For detailed sample code and tool for validating the JWT access token, see JWT Validation tool. The access token contains a claim called "_pvt" that is an Access Manager encrypted private claim and can be decrypted and used only by Access Manager.

  • When access token is not encrypted, the resource server can verify the signature of the token and trust the token that is issued by trusted Identity Server.

To validate access tokens and refresh token that are signed and encrypted by using Access Manager encrypted keys, send a request to TokenInfo endpoint. Refresh tokens are always encrypted by using Access Manager encryption keys. You can refer to the following sample to send the request:

The URL to invoke is https://idpbaseurl.com/nidp/oauth/nam/tokeninfo.

The TokenInfo endpoint supports both HTTP GET and POST methods.

The request must contain the token in the authorization header as follows:

Authorization: Bearer access_token

Response Values

The response to the TokenInfo endpoint contains the following values in the JSON format:

Parameter

Required

Description

expires_in

Yes

Time in seconds the token is valid from now

user_id

Yes

The user to whom the token was issued

scope

Yes

The list of scope values the token holds

Sample Request and Response
Request:
HTTP/1.1 GET /nidp/oauth/nam/tokeninfo
Host: www.idp.com:8443
Accept: /
Authorization: Bearer /wEBAAMDACAYtKt..............@kBEzw~~
Response:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json
Content-Length: 48
Date: Thu, 19 Mar 2015 15:47:25 GMT
{
"expires_in": 145, "user_id": "alice", "scope": []
}