How to check the validity of OIDC refresh and Access Token
Article ID: 235049

Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction

Is there any way to check the validity of the OIDC refresh token and access token in the SiteMinder OIDC flow?

Environment

Release : 12.8

Component : SITEMINDER -SMPLC

Resolution

Access Gateway publishes an 'Introspection Endpoint' to which the OIDC client can send a token to learn its current validity and expiry. The introspection endpoint response includes the claim 'active', which indicates whether the token is currently valid, and the claim 'exp', which gives the token's expiry time.

Both refresh_token and access_token are supported on the introspection endpoint.

SiteMinder Introspection Endpoint:

The introspection endpoint URL can be read from the OIDC client page on AdminUI or dynamically from a well-known endpoint response.

https://<AG_FQDN>/affwebservices/CASSO/oidc/<client_name>/introspect

https://<AG_FQDN>/affwebservices/CASSO/oidc/introspect

Sample response:

    {
      "active": true,
      "client_id": "clientid",
      "token_type": "access_token",
      "scope": "openid email",
      "sub": "uid=user1,ou=People,o=security.com",
      "exp": "1587641569",
      "iat": "1587637669",
      "iss": "https://<AG_FQDN>/affwebservices/CASSO/oidc/<client_name>"
    }

Technical documentation:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/use-siteminder-as-openid-connect-provider/authentication-using-authorization-code-flow.html#concept.dita_00b756e30ce1599f89d9e9fb3e45f0491a4234e4_IntrospectionTokenEndpoint

Access tokens can also be issued in JWT format from release 12.8.05. When this is enabled, an OIDC client can parse the JWT access token directly to read its expiry time without contacting the OIDC provider again.

The JWT format is supported only for the access_token; the refresh token remains an opaque bearer token.
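The two checks described above, the introspection response and local parsing of a JWT-format access token, as an added example (not SiteMinder's own code). The introspection response is constructed from the article's sample; the JWT is a constructed sample with a placeholder signature, and its 'exp' is read without verifying the signature, so that value is only an expiry hint.

```python
import base64
import json

# Constructed from the KB article's sample introspection response (added example).
INTROSPECTION_RESPONSE = {
    "active": True,
    "client_id": "clientid",
    "token_type": "access_token",
    "scope": "openid email",
    "sub": "uid=user1,ou=People,o=security.com",
    "exp": "1587641569",  # SiteMinder returns exp/iat as strings, not ints
    "iat": "1587637669",
    "iss": "https://<AG_FQDN>/affwebservices/CASSO/oidc/<client_name>",
}

def introspection_valid(response: dict, now: int) -> bool:
    """True only if the provider reports the token active AND its 'exp'
    (seconds since epoch, string or int) is still in the future."""
    if response.get("active") is not True:
        return False
    exp = response.get("exp")
    if exp is None:
        return False  # active but no expiry we can check: do not trust it
    return int(exp) > now

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_exp(token: str) -> int:
    """Read 'exp' from a JWT-format access token locally (12.8.05+).
    Parses the payload only; the signature is NOT verified, so treat the
    result as an expiry hint, not as proof the token is genuine."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization (header.payload.signature)")
    payload = json.loads(_b64url_decode(parts[1]))
    return int(payload["exp"])

def make_sample_jwt(exp: int) -> str:
    """Constructed sample token with a placeholder signature, for the demo only."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc({'sub': 'user1', 'exp': exp})}.sig"
```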

Technical documentation:

Title: Support for Generating Access Token in JWT Format in SiteMinder OpenID Connect Provider

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/release-notes/New-Features/New-Features-in-12-8-05.html#concept.dita_d393827c-a066-4ac5-b978-935984923f9f_oidcenhancements