Token Introspection

As a resource server publishing APIs protected by OAuth, you need to verify the tokens received from clients. For JWT access tokens issued by SPiD, this can be done in two ways:

  1. By a request to SPiD's introspection endpoint /oauth/introspect.
  2. By verifying the token signature and content locally.

Note: Non-JWT tokens cannot be introspected. Make sure JWT tokens are enabled for the client in Self Service.

Note: User tokens cannot be introspected locally. Only remote introspection via a token introspection request to SPiD is currently supported.

Token introspection request

The introspection endpoint is protected by the same client authentication as the token endpoint. A resource server is only allowed to introspect tokens which are intended for itself, or for another client belonging to the same merchant.

To allow a resource server to introspect a token issued to a client not belonging to the same merchant as the resource server, the client must make sure to specify a "resource indicator" in the token request.

curl -X POST -H "Authorization: Basic NGU4NDYzNTY5Y2FmN2NhMDE5MDAwMDA3OmZvb2Jhcg" \
     -d token=<access token> \
     https://identity-pre.schibsted.com/oauth/introspect

When successful, this request will return a JSON object:

{
  "active": true,
  "scope": "profile email",
  "client_id": "4e8463569caf7ca019000007",
  "token_type": "Bearer",
  "exp": 1487169930,
  "now": 1487166577
}

For further details refer to OAuth 2.0 Token Introspection.
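The Go program below is an added example, not SPiD's own code and not part of this page. It builds the same request the curl command sends (client credentials in an HTTP Basic header, the token in the form body) and then checks an introspection response the way a resource server should: an "active": false answer, an expiry at or before the server's own clock, a token issued to a client the server does not expect, or a missing scope all reject the token. The client id and secret are the pair the page's example Basic header encodes, the endpoint is the pre-production URL shown above, and the required scope and allowed-client list are constructed values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// IntrospectionResponse mirrors the JSON object /oauth/introspect returns.
type IntrospectionResponse struct {
	Active    bool   `json:"active"`
	Scope     string `json:"scope"`
	ClientID  string `json:"client_id"`
	TokenType string `json:"token_type"`
	Exp       int64  `json:"exp"`
	Now       int64  `json:"now"`
}

// NewIntrospectionRequest builds the same POST as the curl command above:
// client credentials in an HTTP Basic header, the token in a form body.
func NewIntrospectionRequest(endpoint, clientID, clientSecret, token string) (*http.Request, error) {
	form := url.Values{"token": {token}}
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(clientID, clientSecret)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

// CheckIntrospection decides whether the resource server accepts the token.
// The server compares exp with its own clock (now) rather than trusting the
// token, and only accepts tokens issued to clients it expects to serve.
func CheckIntrospection(body []byte, requiredScopes []string, allowedClientIDs map[string]bool, now int64) (*IntrospectionResponse, error) {
	var resp IntrospectionResponse
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("malformed introspection response: %w", err)
	}
	if !resp.Active {
		return nil, fmt.Errorf("token is not active")
	}
	if resp.Exp <= now {
		return nil, fmt.Errorf("token expired at %d (now %d)", resp.Exp, now)
	}
	if !allowedClientIDs[resp.ClientID] {
		return nil, fmt.Errorf("token issued to unexpected client %q", resp.ClientID)
	}
	granted := map[string]bool{}
	for _, s := range strings.Fields(resp.Scope) { // scope is a space-delimited list
		granted[s] = true
	}
	for _, s := range requiredScopes {
		if !granted[s] {
			return nil, fmt.Errorf("token lacks required scope %q", s)
		}
	}
	return &resp, nil
}

func main() {
	// Constructed input: the response body shown on this page.
	body := []byte(`{"active": true, "scope": "profile email", "client_id": "4e8463569caf7ca019000007",
	  "token_type": "Bearer", "exp": 1487169930, "now": 1487166577}`)
	allowed := map[string]bool{"4e8463569caf7ca019000007": true}
	if resp, err := CheckIntrospection(body, []string{"email"}, allowed, 1487166577); err != nil {
		fmt.Println("reject:", err)
	} else {
		fmt.Printf("accept: client %s, scope %q\n", resp.ClientID, resp.Scope)
	}
	req, _ := NewIntrospectionRequest("https://identity-pre.schibsted.com/oauth/introspect",
		"4e8463569caf7ca019000007", "foobar", "<access token>")
	// Same value the curl example sends (Go adds the base64 padding the page omits).
	fmt.Println(req.Header.Get("Authorization"))
}
```

The Basic header in the curl command is nothing more than base64(client_id:client_secret), which is why the client id it encodes matches the client_id in the example response. Keep the `now` passed to CheckIntrospection as your own clock; the `now` field in the response only tells you what SPiD's clock read when it answered.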

Local token introspection

The JWT access token is signed asymmetrically, and SPiD publishes the set of valid public keys at the endpoint /oauth/jwks, e.g. https://identity-pre.schibsted.com/oauth/jwks.

To verify the token locally, follow these steps:

  1. Fetch the JSON Web Key Set (JWKS) containing all valid keys from SPiD /oauth/jwks.
  2. Look at the JWS header to find the key id in the kid parameter.
  3. Find the key with the matching key id in the JWKS, and use it to verify the signature of the JWT token.
  4. Verify that the claims in the payload match what you expect (the correct scope, audience, etc.).

A list of libraries in different programming languages that implement JWS can be found on https://jwt.io.
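To show what the four steps look like in code, here is an added Go example; it is not SPiD's code and not part of this page. VerifyRS256 takes the raw JWKS document a resource server would have fetched from /oauth/jwks (step 1), reads kid from the JWS header (step 2), selects the matching RSA key from the JWKS and checks the signature (step 3), and only then checks exp, aud and scope against what the server expects (step 4). IssueTestToken stands in for SPiD so the example runs offline: it generates a throwaway key, publishes it as a JWKS document and signs a token with it. The following are assumptions, not statements about SPiD: that the signature algorithm is RS256 (the page only says the token is signed asymmetrically; check the alg in the keys SPiD actually publishes), that aud is a plain string (RFC 7519 also allows an array), and the constructed values "key-1", "my-api", the scopes and the timestamps.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS segments are base64url without padding

// JWK and JWKS model the document served at /oauth/jwks (fetched in step 1); encoding/json maps its
// lowercase keys ("keys", "kty", "kid", "n", "e") to these fields case-insensitively.
type JWK struct{ Kty, Kid, N, E string }
type JWKS struct{ Keys []JWK }

// Claims is the part of the payload checked in step 4 (aud as a string; RFC 7519 also allows an array).
type Claims struct {
	Aud   string `json:"aud"`
	Scope string `json:"scope"`
	Exp   int64  `json:"exp"`
}

// rsaKeyFor parses the JWKS document and returns the RSA public key published under kid.
func rsaKeyFor(jwksJSON []byte, kid string) (*rsa.PublicKey, error) {
	var jwks JWKS
	if err := json.Unmarshal(jwksJSON, &jwks); err != nil {
		return nil, err
	}
	for _, k := range jwks.Keys {
		if k.Kid == kid && k.Kty == "RSA" {
			n, errN := b64.DecodeString(k.N)
			e, errE := b64.DecodeString(k.E)
			if errN != nil || errE != nil {
				return nil, fmt.Errorf("malformed JWK %q", kid)
			}
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no RSA key with kid %q in JWKS", kid)
}

// VerifyRS256 carries out steps 2 to 4 against the JWKS document fetched in step 1.
func VerifyRS256(token string, jwksJSON []byte, wantAud, requiredScope string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWS")
	}
	hdrJSON, errH := b64.DecodeString(parts[0])
	payload, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, fmt.Errorf("malformed base64url segment")
	}
	// Step 2: read alg and kid. The header is untrusted until the signature has been checked,
	// so the algorithm is pinned to RS256 rather than taken from the token.
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unusable header or unexpected alg %q", hdr.Alg)
	}
	// Step 3: select the key by kid and verify the signature over "header.payload".
	pub, err := rsaKeyFor(jwksJSON, hdr.Kid)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("invalid signature")
	}
	// Step 4: only now trust the payload, and compare it with what this resource server expects.
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if c.Exp <= now {
		return nil, fmt.Errorf("token expired at %d", c.Exp)
	}
	if c.Aud != wantAud {
		return nil, fmt.Errorf("token intended for %q, not %q", c.Aud, wantAud)
	}
	if !strings.Contains(" "+c.Scope+" ", " "+requiredScope+" ") { // scope is space-delimited (RFC 6749)
		return nil, fmt.Errorf("missing scope %q", requiredScope)
	}
	return &c, nil
}

// IssueTestToken stands in for SPiD so the example runs offline: a throwaway key, the JWKS document
// that publishes it under jwksKid, and a token whose header names tokenKid. A resource server never
// holds the private key; only the issuer does.
func IssueTestToken(jwksKid, tokenKid string, claims Claims) (string, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	jwksJSON := fmt.Sprintf(`{"keys":[{"kty":"RSA","kid":%q,"n":%q,"e":%q}]}`, jwksKid,
		b64.EncodeToString(priv.N.Bytes()), b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes()))
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": tokenKid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", nil, err
	}
	return input + "." + b64.EncodeToString(sig), []byte(jwksJSON), nil
}

func main() {
	tok, jwks, _ := IssueTestToken("key-1", "key-1", Claims{Aud: "my-api", Scope: "profile email", Exp: 2000000000})
	_, err := VerifyRS256(tok, jwks, "my-api", "email", 1900000000)
	fmt.Println("verified:", err == nil) // true
}
```

Two details matter more than the rest: the algorithm comes from the verifier's configuration, never from the token header, and the payload is not parsed until the signature has been checked. A kid that is missing from a cached JWKS usually means the key set has rotated, so a resource server will normally re-fetch /oauth/jwks once before rejecting the token.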


Prerequisites

In order to make use of this information, you need to know your:

  • client ID
  • client secret
