The token introspection endpoint lets clients validate long-expiring refresh tokens, opaque access tokens, and ID tokens in JWT format.
The token introspection endpoint is implemented according to RFC 7662 OAuth 2.0 Token Introspection.
URI: `https://<Cloud Identity Services domain>/oauth2/introspect`

The domain part has the following pattern: `<tenant ID>.accounts.ondemand.com` or `<tenant ID>.accounts.cloud.sap`. If you have a configured custom domain, the domain has the following pattern: `<your custom domain>`.

The tenant ID is generated automatically by the system. The first administrator created for the tenant receives an activation email with a URL in it. This URL contains the tenant ID. For more information about your tenants, see View Assigned Tenants and Admins.
**HTTP Method:** POST

| Header | Required | Values |
|---|---|---|
| | Yes | application/x-www-form-urlencoded |
| | Yes | |

| Parameter | Required | Data Type | Description | Parameter Type |
|---|---|---|---|---|
| | Yes | string | Must contain the JWT or opaque token from the issuer. | Request body |
| | No | string | | Request body |
| | No | string | Used to identify the corresponding Identity Authentication application. | Request body |

```
token=0ab82505123c12ffe7c4e9a2b0158cn7
```

If the token is valid:

```
Content-Type: application/json

{
  "active": true,
  "aud": "a123456e-314a-4923-899c-05c535c3d7f9",
  "username": "P12345",
  "sub": "P12345",
  "user_uuid": "158a1b2c7-981az-69ab9-8079-d824da69c681",
  "mail": "[email protected]",
  "iss": "https://my-_tenant.accounts.ondemand.com",
  "last_name": "Moore",
  "exp": 1588019044,
  "iat": 158801376,
  "first_name": "Dona",
  "jti": "38e42330-de7a-4130-a3a1-b582b528da98"
}
```

If the token is invalid, expired, or unknown, or there is any other token-related issue:

```
Content-Type: application/json

{
  "active": false
}
```

| Code | Reason |
|---|---|
| 200 OK | Successful operation. |
| 401 Unauthorized | The client is not authenticated. |
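
The following added example (not part of the original documentation or of SAP's code) shows how a resource server might build the introspection request and evaluate the response so that it fails closed. The function names, the `Authorization` header, the tenant domain, and the sample response are assumptions or constructed values; the issuer, audience, and expiry checks are extra client-side checks on the returned claims, not something the page requires.

```python
import json
import time
import urllib.parse
import urllib.request

# Constructed sample modeled on the page's "token is valid" response.
SAMPLE = json.dumps({"active": True, "iss": "https://tenant.accounts.ondemand.com",
                     "aud": "a123456e-314a-4923-899c-05c535c3d7f9",
                     "sub": "P12345", "exp": 1588019044})


def build_introspect_request(domain, token, authorization):
    """POST to /oauth2/introspect; the token goes in the form body, not the URL."""
    return urllib.request.Request(
        f"https://{domain}/oauth2/introspect",
        data=urllib.parse.urlencode({"token": token}).encode("ascii"),
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            # Assumption: client authentication is sent in an Authorization
            # header; the page does not show the scheme.
            "Authorization": authorization,
        },
    )


def evaluate_introspection(status, raw_body, expected_iss, expected_aud, now=None):
    """Return (accepted, reason); anything but a clean active=true is rejected."""
    now = time.time() if now is None else now
    if status != 200:  # e.g. 401: the client itself was not authenticated
        return False, f"http {status}"
    try:
        claims = json.loads(raw_body)
    except ValueError:
        return False, "unparseable body"
    # Require the JSON boolean true; the string "true" must not pass.
    if not isinstance(claims, dict) or claims.get("active") is not True:
        return False, "inactive"
    if claims.get("iss") != expected_iss:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    exp = claims.get("exp")
    # Defensive local expiry check, useful if responses are cached.
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    return True, "ok"
```

Pass the request to `urllib.request.urlopen` to send it, then hand the status code and body to `evaluate_introspection`; a 401 means the calling client failed authentication and says nothing about the token itself.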