Validate an Access Token
Deprecation Notice
There is a more recent version of this OpenId Connect API available. Learn more.
This endpoint will be removed from service on April 20th 2021.
Use this API to check the status of a session that was started via either the Authentication or Username/Password flow.
Note that a successful request to this API returns an HTTP 200 - Success, but this does not indicate that the session is still valid. You need to check the boolean active attribute, which is returned in the payload body.
Resource URL
https://<region>.onelogin.com/oidc/token/introspection
Header Parameter
Authorization string | Required if Token Endpoint Authentication Method is set to Basic. Set to Basic <base64 encoded client_id:client_secret>.
Content-Type string | application/x-www-form-urlencoded
Resource Parameter
region required string |
Set to the
https://openid-connect-eu.onelogin.com/oidc
|
Request Parameter
token required string | Set to the access token that you want to validate.
token_type_hint string | Set to “access_token”.
client_id string | The OneLogin generated Client ID for your OpenID Connect app. Required if Token Endpoint Authentication Method is set to POST.
client_secret string | The OneLogin generated Client Secret for your OpenID Connect app. Required if Token Endpoint Authentication Method is set to POST.
Sample Request Body
token=MmVkMTIyNGUtODI5MC00YzQ4LThkZmQtYzUzYmMzODBkYjY3UV4nmxKh4z....&token_type_hint=access_token
Sample Response
200 OK
The session is valid
{
  "active": true,
  "token_type": "access_token",
  "sub": "32916209",
  "client_id": "cc0e6bc0-644a-0135-fd0d-02d3582f0df061892",
  "exp": 1507952334,
  "iat": 1507948734,
  "iss": "https://openid-connect.onelogin.com/oidc",
  "jti": "OTY3MjhlZGMtNmVlMS00N2ZjLTk4OGItM2RhODgyYWExODNk"
}
The session has expired or been revoked
{
  "active": false
}
400 Bad Request
{
  "error": "invalid_request",
  "error_description": "missing required parameter(s). (token)"
}
Response Elements
active | Indicates if the current session is valid
token_type | The type of token that was validated
sub | The OneLogin ID for the user that started the session
client_id | The OneLogin generated Client ID for the OpenID Connect app that started the session
exp | A UNIX epoch time representing the expiry date/time of the token
iat | A UNIX epoch time representing the issue date/time of the token
iss | The issuing authority of the token
jti | A unique identifier for the token
Sample Code
cURL
Replace sample values indicated by < > with your actual values.
curl -XPOST "https://<region>.onelogin.com/oidc/token/introspection" \
  -H "Authorization: Basic <base64 encoded client_id:client_secret>" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "token=<access_token>&token_type_hint=access_token"
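The same request from Node.js, as an added example that is not part of the original OneLogin documentation: it builds the Basic header and form body shown in the cURL sample and accepts the session only when the response is HTTP 200 with active set to the boolean true. The function names, the cfg object, and the extra token_type, client_id, iss and exp cross-checks are assumptions of this example.

```javascript
// Added example (not OneLogin code); function names and the cfg shape are hypothetical.
// Builds the POST described above, using Basic client authentication.
function buildIntrospectionRequest(region, clientId, clientSecret, token) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  return {
    url: `https://${region}.onelogin.com/oidc/token/introspection`,
    options: {
      method: 'POST',
      headers: {
        Authorization: `Basic ${basic}`,
        'Content-Type': 'application/x-www-form-urlencoded',
      },
      // URLSearchParams percent-encodes the token, so it cannot inject extra form fields.
      body: new URLSearchParams({ token, token_type_hint: 'access_token' }).toString(),
    },
  };
}

// Turns an HTTP status plus parsed JSON body into an accept/reject decision.
// A 200 alone proves nothing: only a boolean `active: true` counts as a live session.
function evaluateIntrospection(status, body, expected, nowSeconds = Math.floor(Date.now() / 1000)) {
  const reject = (reason) => ({ valid: false, reason });
  if (status !== 200) return reject(`http_${status}:${(body && body.error) || 'unknown'}`);
  if (!body || body.active !== true) return reject('inactive');
  // Assumption: the checks below are extra defence in depth, not required by the page.
  if (body.token_type !== 'access_token') return reject('wrong_token_type');
  if (body.client_id !== expected.clientId) return reject('client_id_mismatch');
  if (body.iss !== expected.issuer) return reject('issuer_mismatch');
  if (typeof body.exp !== 'number' || body.exp <= nowSeconds) return reject('expired');
  return { valid: true, sub: body.sub };
}

// Network wrapper (needs Node.js 18+ for global fetch); fails closed on any error.
async function validateAccessToken(cfg, token) {
  try {
    const { url, options } = buildIntrospectionRequest(cfg.region, cfg.clientId, cfg.clientSecret, token);
    const res = await fetch(url, options);
    const body = await res.json().catch(() => null);
    return evaluateIntrospection(res.status, body, cfg);
  } catch (err) {
    return { valid: false, reason: 'introspection_unavailable' };
  }
}
```

Here cfg carries region, clientId, clientSecret and issuer; a string such as "true" in the active field is rejected because the comparison is strict.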
Postman Collection
Replace sample variables indicated by {{ }} with your actual values.
Download for the OpenId Connect API