The `POST /{{envID}}/as/introspect` endpoint returns information about a refresh token.
You need to authenticate using the client credentials of the client to which the token was issued. The application's `tokenEndpointAuthMethod` property value determines how you authenticate. The `tokenEndpointAuthMethod` property supports these options: `CLIENT_SECRET_BASIC`, `CLIENT_SECRET_JWT`, `PRIVATE_KEY_JWT`, `CLIENT_SECRET_POST`, and `NONE`.
If the application's `tokenEndpointAuthMethod` value is `CLIENT_SECRET_BASIC`, the request requires the `Authorization: Basic` HTTP header, whose value is the Base64 encoding of `username:password`, in which the username is the `client_id` and the password is the `client_secret`. With this method the `client_id` and `client_secret` are not sent in the request body.
If the application's `tokenEndpointAuthMethod` value is `CLIENT_SECRET_JWT`, the introspection request is authenticated with a JWT signed using the application's client secret. For information about creating the JWT and the claims in the JWT, see Create a client secret JWT. Introspection requests that use this auth method require the `client_assertion` and `client_assertion_type` OAuth properties to specify the JWT:
curl --location --request POST '{{authPath}}/{{envID}}/as/introspect' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_assertion={{clientSecretJWT}}' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'token={{refreshToken}}'
If the application's `tokenEndpointAuthMethod` value is `PRIVATE_KEY_JWT`, the introspection request is authenticated with a JWT signed using an external private key file. For information about creating the JWT and the claims in the JWT, see Create a private key JWT. Introspection requests that use this auth method require the `client_assertion` and `client_assertion_type` OAuth properties to specify the JWT:
curl --location --request POST '{{authPath}}/{{envID}}/as/introspect' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_assertion={{privateKeyJWT}}' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'token={{refreshToken}}'
If the application's `tokenEndpointAuthMethod` value is `CLIENT_SECRET_POST`, the request does not need an `Authorization` header, and the `client_id` and `client_secret` property values are submitted in the request body:
curl --location --request POST '{{authPath}}/{{envID}}/as/introspect' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={{appID}}' \
--data-urlencode 'client_secret={{appSecret}}' \
--data-urlencode 'token={{refreshToken}}'
If the application's `tokenEndpointAuthMethod` value is `NONE`, the request requires the `client_id` property value in the request body and does not require an `Authorization` header:
curl --location --request POST '{{authPath}}/{{envID}}/as/introspect' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={{appID}}' \
--data-urlencode 'token={{refreshToken}}'
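The five authentication methods above differ only in where the client credential travels (header, body, or a signed assertion). The following Python module is an added example, not code from the PingOne documentation or SDKs: it builds the `(url, headers, body)` for an introspection request under each `tokenEndpointAuthMethod`, and for `CLIENT_SECRET_JWT` mints and verifies an HS256 client assertion so the shape of `client_assertion` is visible. The `AUTH_PATH`, `ENV_ID`, the assertion's claim set and its `aud` of the environment's `/as/token` endpoint are assumptions of this example; the page defers the exact claims to "Create a client secret JWT". A `PRIVATE_KEY_JWT` assertion is signed externally, so it is taken as an opaque string here.

```python
"""Build a PingOne refresh-token introspection request per tokenEndpointAuthMethod (added example)."""
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib.parse import urlencode

# Hypothetical placeholders standing in for {{authPath}} and {{envID}}.
AUTH_PATH = "https://auth.example.com"
ENV_ID = "00000000-0000-0000-0000-000000000000"
INTROSPECT_URL = f"{AUTH_PATH}/{ENV_ID}/as/introspect"
# Assumption: the client assertion's aud is the environment's token endpoint.
TOKEN_ENDPOINT = f"{AUTH_PATH}/{ENV_ID}/as/token"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
SUPPORTED = {"CLIENT_SECRET_BASIC", "CLIENT_SECRET_JWT", "PRIVATE_KEY_JWT",
             "CLIENT_SECRET_POST", "NONE"}
NEEDS_SECRET = {"CLIENT_SECRET_BASIC", "CLIENT_SECRET_JWT", "CLIENT_SECRET_POST"}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS compact serialization requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def client_secret_jwt(client_id, client_secret, audience=TOKEN_ENDPOINT, now=None, ttl=300, jti=None):
    """HS256 client assertion (RFC 7523). Claim set is this example's assumption."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "iat": now, "exp": now + ttl, "jti": jti or str(uuid.uuid4())}

    def compact(obj):
        return json.dumps(obj, separators=(",", ":")).encode()

    signing_input = f"{_b64url(compact(header))}.{_b64url(compact(claims))}"
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_client_secret_jwt(assertion, client_secret, audience=TOKEN_ENDPOINT, now=None):
    """What the authorization server checks: HS256 signature first, then aud and exp."""
    try:
        head, body, sig = assertion.split(".")
    except ValueError:
        return False
    expected = hmac.new(client_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return False  # never trust claims from an unsigned or mis-signed payload
    claims = json.loads(_b64url_decode(body))
    now = int(time.time()) if now is None else now
    return claims.get("aud") == audience and claims.get("exp", 0) > now


def build_introspect_request(auth_method, token, client_id, client_secret=None,
                             client_assertion=None, now=None):
    """Return (url, headers, body) for POST /{{envID}}/as/introspect.
    urlencode(body) is the form payload, one pair per curl --data-urlencode line."""
    if auth_method not in SUPPORTED:
        raise ValueError(f"unsupported tokenEndpointAuthMethod: {auth_method}")
    if auth_method in NEEDS_SECRET and not client_secret:
        raise ValueError(f"{auth_method} requires client_secret")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"token": token}
    if auth_method == "CLIENT_SECRET_BASIC":
        # Authorization: Basic base64("client_id:client_secret"); nothing in the body.
        creds = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode("ascii")
    elif auth_method == "CLIENT_SECRET_JWT":
        body["client_assertion"] = client_secret_jwt(client_id, client_secret, now=now)
        body["client_assertion_type"] = JWT_BEARER
    elif auth_method == "PRIVATE_KEY_JWT":
        # Signed outside this module with the application's private key.
        if not client_assertion:
            raise ValueError("PRIVATE_KEY_JWT requires a pre-signed client_assertion")
        body["client_assertion"] = client_assertion
        body["client_assertion_type"] = JWT_BEARER
    elif auth_method == "CLIENT_SECRET_POST":
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    else:  # NONE: public client, identified by client_id only
        body["client_id"] = client_id
    return INTROSPECT_URL, headers, body


def form_payload(body):
    """The application/x-www-form-urlencoded string the request carries."""
    return urlencode(body)


if __name__ == "__main__":
    # Constructed demo credentials, not real ones.
    for method in sorted(SUPPORTED):
        url, hdrs, body = build_introspect_request(method, "rt-demo", "abc", client_secret="xyz",
                                                  client_assertion="<externally-signed-jwt>")
        print(method, hdrs.get("Authorization"), form_payload(body))
```

For `CLIENT_SECRET_BASIC`, `curl --user '{{appID}}:{{appSecret}}'` produces the same `Authorization: Basic` header as the builder. Note that the `verify_client_secret_jwt` check enforces the signature before reading any claim, which is the order a resource server must keep if it validates assertions itself.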
The `exp` claim in a refresh token is expressed in epoch seconds (time in seconds since January 01, 1970) and resolves to a specific date and time. Its value is the lesser of (current time + `refreshTokenDuration`) and (original token minting time + `refreshTokenRollingDuration`). The "original token minting time" is the time the user last authenticated using an `authorization_code` grant type on the `/token` endpoint and received the initial refresh token; rotating the refresh token does not reset it.
For more information about the `refreshTokenDuration` and `refreshTokenRollingDuration` OpenID Connect application properties, see the Applications OIDC settings data model.
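To make the two-term minimum concrete, here is an added example (not PingOne code) that computes `exp` from the formula above and walks a chain of refresh grants: each refresh extends `exp` by `refreshTokenDuration` until the chain hits the cap set by the original minting time plus `refreshTokenRollingDuration`, after which the refresh token expires and the next refresh fails. The durations and timestamps are constructed values chosen to be small; real deployments use the application's configured property values.

```python
"""Refresh-token exp under refreshTokenDuration and refreshTokenRollingDuration (added example)."""


def refresh_token_exp(now, minted_at, refresh_token_duration, refresh_token_rolling_duration):
    """exp (epoch seconds) of a refresh token issued or rotated at `now`.
    `minted_at` is the original minting time: the last authorization_code grant
    on /token that produced the first refresh token of this chain."""
    return min(now + refresh_token_duration, minted_at + refresh_token_rolling_duration)


def simulate_refresh_chain(minted_at, refresh_times, refresh_token_duration,
                           refresh_token_rolling_duration):
    """Walk a sequence of refresh_token grants. Returns (grant_time, exp) for each grant
    that succeeds and stops at the first refresh attempted at or after the current exp,
    because an expired refresh token is rejected and the user must re-authenticate."""
    exp = refresh_token_exp(minted_at, minted_at, refresh_token_duration,
                            refresh_token_rolling_duration)
    chain = [(minted_at, exp)]
    for t in refresh_times:
        if t >= exp:
            break  # refresh token already expired: this grant fails
        exp = refresh_token_exp(t, minted_at, refresh_token_duration,
                                refresh_token_rolling_duration)
        chain.append((t, exp))
    return chain


def seconds_remaining(exp, now):
    """Remaining lifetime given an introspection response's exp; 0 once expired."""
    return max(exp - now, 0)


if __name__ == "__main__":
    # Constructed values: a 1-hour sliding window inside a 90-minute rolling cap.
    for t, exp in simulate_refresh_chain(0, [3000, 5000, 5500], 3600, 5400):
        print(f"refreshed at {t:>5}s -> exp {exp:>5}s")
```

In the demo the second and third refreshes both yield `exp = 5400`: once the rolling cap binds, further refreshes stop extending the lifetime, which is the behaviour to expect when `refreshTokenRollingDuration` is smaller than the sum of successive `refreshTokenDuration` windows.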
Property | Type | Required? |
---|---|---|
client_id | String | Optional |
client_secret | String | Optional |
client_assertion | String | Optional |
client_assertion_type | String | Optional |
token | String | Required |
See the OpenID Connect/OAuth2 data model for full property descriptions.