How to check the validity of OIDC refresh and Access Token


Article ID: 235049


Updated On:


CA Single Sign On Agents (SiteMinder) SITEMINDER


Is there any way to check the validity of the OIDC refresh and access tokens in the SiteMinder OIDC flow?



Release: 12.8



Access Gateway publishes an ‘Introspection Endpoint’ to which the OIDC client can send a token to learn its current validity and expiry. The introspection endpoint response includes the claims ‘active’, which indicates the current validity of the token, and ‘exp’, which denotes the expiry time of the token.

Both refresh_token and access_token are supported on an introspection endpoint.

SiteMinder Introspection Endpoint:

The introspection endpoint URL can be read from the OIDC client page on AdminUI or dynamically from a well-known endpoint response.

https://<AG_FQDN>/affwebservices/CASSO/oidc/<client_name>/introspect

https://<AG_FQDN>/affwebservices/CASSO/oidc/introspect

Sample response:

{
  "active": true,
  "client_id": "clientid",
  "token_type": "access_token",
  "scope": "openid email",
  "sub": "uid=user1,ou=People,",
  "exp": "1587641569",
  "iat": "1587637669",
  "iss": "https://<AG_FQDN>/affwebservices/CASSO/oidc/<client_name>"
}
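The following is an added example, not code from this article or from the product, showing how a client could build the introspection call and decide from ‘active’ and ‘exp’ whether a token is still usable. It assumes HTTP Basic client authentication as in RFC 7662, which the article does not specify; the host name, credentials and function names are hypothetical, and the sample response is constructed from the one above.

```python
import base64
import time
import urllib.parse
import urllib.request

# Constructed sample, modelled on the article's sample response; "exp" is a string there.
SAMPLE = {"active": True, "client_id": "clientid", "token_type": "access_token",
          "scope": "openid email", "exp": "1587641569", "iat": "1587637669"}


def build_introspection_request(endpoint, token, client_id, client_secret, hint=None):
    """Build (not send) an RFC 7662 POST; HTTP Basic client auth is an assumption."""
    form = {"token": token}
    if hint:  # "access_token" or "refresh_token"
        form["token_type_hint"] = hint
    creds = f"{urllib.parse.quote(client_id, safe='')}:{urllib.parse.quote(client_secret, safe='')}"
    return urllib.request.Request(
        endpoint,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
                 "Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
        method="POST",
    )


def token_status(resp, expected_client_id=None, now=None, skew=30):
    """Return (usable, reason, seconds_left) for a parsed introspection response."""
    now = time.time() if now is None else now
    if resp.get("active") is not True:  # fail closed: missing, false, or the text "true"
        return (False, "inactive", 0)
    if expected_client_id is not None and resp.get("client_id") != expected_client_id:
        return (False, "client_id mismatch", 0)
    try:
        exp = int(resp["exp"])  # accepts both 1587641569 and "1587641569"
    except (KeyError, TypeError, ValueError):
        return (False, "missing or malformed exp", 0)
    left = exp - int(now)
    if left <= skew:  # treat tokens inside the skew window as already expired
        return (False, "expired or about to expire", max(left, 0))
    return (True, "active", left)


if __name__ == "__main__":
    req = build_introspection_request(
        "https://ag.example.test/affwebservices/CASSO/oidc/introspect",
        "opaque-token-value", "clientid", "placeholder-secret", hint="refresh_token")
    print(req.get_method(), req.full_url, req.data.decode())
    print(token_status(SAMPLE, expected_client_id="clientid", now=1587637769))
```

Pass the request to `urllib.request.urlopen` and feed the decoded JSON body to `token_status`; a response without a boolean `active` of true is treated as an invalid token.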





Access tokens are also supported in JWT format from 12.8.05. If this is enabled, an OIDC client can parse the JWT access token directly to learn its expiry time without contacting the OIDC provider again.

JWT format is supported only for access_token. The refresh token is still in opaque bearer format.

Technical documentation:

Title: Support for Generating Access Token in JWT Format in SiteMinder OpenID Connect Provider