Is there any way to check the validity of the OIDC refresh and access token in the SiteMinder OIDC flow?
Release : 12.8
Component : SITEMINDER -SMPLC
Access Gateway publishes ‘Introspection Endpoint’ where the OIDC client can send the token to know its current validity and expiry. Introspection endpoint response includes claims ‘active’ to indicate the current validity of the token and ‘exp’ to denote the expiry time of the token.
Both refresh_token and access_token are supported on an introspection endpoint.
SiteMinder Introspection Endpoint:
The introspection endpoint URL can be read from the OIDC client page on AdminUI or dynamically from a well-known endpoint response.
https://<AG_FQDN>/affwebservices/CASSO/oidc/<client_name>/introspect
https://<AG_FQDN>/affwebservices/CASSO/oidc/introspect
Sample response:
{
"active": true,
"client_id": "clientid",
"token_type": "access_token",
"scope": "openid email",
"sub": "uid=user1,ou=People,o=security.com",
"exp": "1587641569",
"iat": "1587637669",
"iss": "https://<AG_FQDN>/affwebservices/CASSO/oidc/<client_name>"
}
Technical documentation:
Access token is also supported in JWT format from 12.8.05. If this is enabled, an OIDC client can directly parse the access token JWT format to know its expiry time without further contacting the OIDC provider.
JWT format is only supported for access_token. Refresh token is still in opaque bearer format.
Technical documentation:
Title: Support for Generating Access Token in JWT Format in SiteMinder OpenID Connect Provider
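As an added example (not SiteMinder's own code), the Python below checks a token the two ways this article describes: by posting it to the Access Gateway introspection endpoint and reading "active" and "exp", and, for a 12.8.05+ JWT-format access token, by reading "exp" locally without a round trip. The introspection request assumes form-encoded parameters with HTTP Basic client authentication as in RFC 7662 (adjust to your client's configured auth method); the sample response and sample JWT are constructed for illustration.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Constructed introspection response modelled on the sample in the article.
SAMPLE_INTROSPECTION = {
    "active": True, "client_id": "clientid", "token_type": "access_token",
    "scope": "openid email", "exp": "1587641569", "iat": "1587637669",
}
# Constructed JWT: header {"alg":"RS256"}, payload {"exp":1587641569}, dummy signature.
SAMPLE_JWT = "eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE1ODc2NDE1Njl9.c2ln"


def introspect(introspect_url, token, client_id, client_secret, hint="access_token"):
    """POST the token to the AG introspection endpoint (assumed: form body + Basic auth).
    Works for both access_token and refresh_token; set hint accordingly."""
    body = urllib.parse.urlencode({"token": token, "token_type_hint": hint}).encode()
    req = urllib.request.Request(introspect_url, data=body, method="POST")
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def token_status(introspection, now=None):
    """Reduce an introspection response to (is_valid, seconds_remaining).
    'active' is authoritative; 'exp' (a string in the sample response) only refines it."""
    now = int(time.time()) if now is None else now
    if not introspection.get("active"):
        return False, 0
    exp = introspection.get("exp")
    if exp is None:
        return True, None
    remaining = int(exp) - now
    return remaining > 0, max(remaining, 0)


def jwt_expiry(access_token):
    """Read 'exp' from a JWT-format access token without contacting the provider.
    The payload is not signature-verified here, so this answers 'when does it expire',
    not 'is it trusted'; use introspection (or full JWS verification) for the latter."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: opaque tokens (e.g. refresh_token) must be introspected")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])
```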