Validate an Access Token
Deprecation Notice
There is a more recent version of this OpenId Connect API available. Learn more.
This endpoint will be deprecated on November 2nd 2020.
Use this API to check the status of a session that was started via either the Authentication or Username/Password flow.
Note that a successful request to this API will return a HTTP 200 - Success but this does not indicate the session is still valid. You need to check the boolean active attribute which is returned in the payload body.
Resource URL
https://<region>.onelogin.com/oidc/token/introspectionHeader Parameter
Authorization string |
Required if Token Endpoint Authentication Method is set to Basic Set to The e.g. Using Node.js this would be |
Content-Type string | application/x-www-form-urlencoded |
Resource Parameter
region required string |
Set to the
https://openid-connect-eu.onelogin.com/oidc
|
Request Parameter
token required string |
Set to |
token_type_hint string |
Set to “access_token” |
client_id string |
The OneLogin generated Client ID for your OpenID Connect app. Required if Token Endpoint Authentication method is set to POST. |
client_secret string |
The OneLogin generated Client Secret for your OpenID Connect app. Required if Token Endpoint Authentication method is set to POST. |
Sample Request Body
token=MmVkMTIyNGUtODI5MC00YzQ4LThkZmQtYzUzYmMzODBkYjY3UV4nmxKh4z....&token_type_hint=access_tokenSample Response
- 200 OK
- 400 Bad Request
The session is valid
{
"active": true,
"token_type": "access_token",
"sub": "32916209",
"client_id": "cc0e6bc0-644a-0135-fd0d-02d3582f0df061892",
"exp": 1507952334,
"iat": 1507948734,
"iss": "https://openid-connect.onelogin.com/oidc",
"jti": "OTY3MjhlZGMtNmVlMS00N2ZjLTk4OGItM2RhODgyYWExODNk"
}The session has expired or been revoked
{
"active": false
}{
"error": "invalid_request",
"error_description": "missing required parameter(s). (token)"
}Response Elements
active |
Indicates if the current session is valid |
token_type |
The type of token that was validated |
sub |
The OneLogin ID for the user that started the session |
client_id |
The OneLogin generated Client ID for the OpenID Connect app that started the session. |
exp |
A UNIX epoch time representing the expiry date/time of the token |
iat |
A UNIX epoch time representing the issue date/time of the token |
iss |
The issuing authority of the token |
jti |
A unique identifier for the token |
Sample Code
cURL
Replace sample values indicated by < > with your actual values.
curl -XPOST "https://<region>.onelogin.com/oidc/token/introspection" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "token=<access_token>&token_type_hint=access_token"
Postman Collection
Replace sample variables indicated by {{ }} with your actual values.
Download for the OpenId Connect API
Have a Question?
Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.
Found a bug? Submit a support ticket.
Have a product idea or request? Share it with us in our Ideas Portal.
StackOverflow discussions about "[onelogin] openid connect"
-
A: SAML for Native Mobile Apps(Android and IOS)
Answered Apr 02 2018session you've established with an SSO provider) between native apps that also support SAML the same way. https://spin.atomicobject.com/2016/09/01/sharing-web-data-wkwebview/ Basically, if you do this, you'll also be supporting SSO on mobile via SAML (or OpenID Connect, if you go that route) …
-
Q: How to use onelogin SSO with AngularJS?
Asked Jun 20 2016questions: 1> Onelogin is using SAML instead of OpenID Connect. I am not asking what's the difference between these two, but what is recommended since everyone is moving towards OpenID Connect? 2> Does Onelogin supports AngularJS? I don't see any documentation for onelogin API with AngularJS & Node See Here … I was looking into Onelogin for SSO. We have applications written in .NET, AngularJS + Node. None of these applications are mobile applications. After going through their documentation I have few …
-
A: Does OneLogin support client session management via OIDC?
Answered Nov 16 2018https://openid.net/specs/openid-connect-session-1_0.html: 2.1. OpenID Provider Discovery Metadata These OpenID Provider Metadata parameters MUST be included in the Server's discovery … responses when Session Management and Discovery are supported: check_session_iframe ... end_session_endpoint ... I don't see these metadata parameters in the OneLogin discovery metadata, so it looks like Session Management is not supported. …
-
A: How to Validate an Access Token for OAuth2 + PCKE flow
Answered Apr 25 2019returned from the auth code flow https://developers.onelogin.com/openid-connect/api/authorization-code-grant worked, and the access_token only returned {"active":false} after it expired. Make sure you are not setting the Authorization header, and only set your client_id in the payload. … I'm using OIDC with PKCE, and I managed to call the https://openid-connect.onelogin.com/oidc/token/introspection endpoint with a token retrieved via the authorization code flow: $ curl -i -d "token …
-
A: XMLHttpRequest has been blocked by CORS policy - https://openid-connect-eu.onelogin.com/oidc/token
Answered May 23 2019, which is documented here: https://developers.onelogin.com/openid-connect/api/id-token OneLogin also has sample code for this: https://github.com/onelogin/onelogin-oidc-node/tree/master/2.%20Implicit%20Flow … Javascript prevents POST calls to other domains at the browser level unless they are expressly permitted by the service (and OneLogin doesn't permit this, for security reasons) I'll add that doing …
Loading...