Validate an Access Token
Deprecation Notice
There is a more recent version of this OpenId Connect API available. Learn more.
This endpoint will be deprecated on November 2nd 2020.
Use this API to check the status of a session that was started via either the Authentication or Username/Password flow.
Note that a successful request to this API will return a HTTP 200 - Success but this does not indicate the session is still valid. You need to check the boolean active attribute which is returned in the payload body.
Resource URL
https://<region>.onelogin.com/oidc/token/introspectionHeader Parameter
Authorization string |
Required if Token Endpoint Authentication Method is set to Basic Set to The e.g. Using Node.js this would be |
Content-Type string | application/x-www-form-urlencoded |
Resource Parameter
region required string |
Set to the
https://openid-connect-eu.onelogin.com/oidc
|
Request Parameter
token required string |
Set to |
token_type_hint string |
Set to “access_token” |
client_id string |
The OneLogin generated Client ID for your OpenID Connect app. Required if Token Endpoint Authentication method is set to POST. |
client_secret string |
The OneLogin generated Client Secret for your OpenID Connect app. Required if Token Endpoint Authentication method is set to POST. |
Sample Request Body
token=MmVkMTIyNGUtODI5MC00YzQ4LThkZmQtYzUzYmMzODBkYjY3UV4nmxKh4z....&token_type_hint=access_tokenSample Response
- 200 OK
- 400 Bad Request
The session is valid
{
"active": true,
"token_type": "access_token",
"sub": "32916209",
"client_id": "cc0e6bc0-644a-0135-fd0d-02d3582f0df061892",
"exp": 1507952334,
"iat": 1507948734,
"iss": "https://openid-connect.onelogin.com/oidc",
"jti": "OTY3MjhlZGMtNmVlMS00N2ZjLTk4OGItM2RhODgyYWExODNk"
}The session has expired or been revoked
{
"active": false
}{
"error": "invalid_request",
"error_description": "missing required parameter(s). (token)"
}Response Elements
active |
Indicates if the current session is valid |
token_type |
The type of token that was validated |
sub |
The OneLogin ID for the user that started the session |
client_id |
The OneLogin generated Client ID for the OpenID Connect app that started the session. |
exp |
A UNIX epoch time representing the expiry date/time of the token |
iat |
A UNIX epoch time representing the issue date/time of the token |
iss |
The issuing authority of the token |
jti |
A unique identifier for the token |
Sample Code
cURL
Replace sample values indicated by < > with your actual values.
curl -XPOST "https://<region>.onelogin.com/oidc/token/introspection" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "token=<access_token>&token_type_hint=access_token"
Postman Collection
Replace sample variables indicated by {{ }} with your actual values.
Download for the OpenId Connect API
Have a Question?
Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.
Found a bug? Submit a support ticket.
Have a product idea or request? Share it with us in our Ideas Portal.
StackOverflow discussions about "[onelogin] openid connect"
-
A: SAML for Native Mobile Apps(Android and IOS)
Answered Apr 02 2018session you've established with an SSO provider) between native apps that also support SAML the same way. https://spin.atomicobject.com/2016/09/01/sharing-web-data-wkwebview/ Basically, if you do this, you'll also be supporting SSO on mobile via SAML (or OpenID Connect, if you go that route) …
-
Q: How to use onelogin SSO with AngularJS?
Asked Jun 20 2016questions: 1> Onelogin is using SAML instead of OpenID Connect. I am not asking what's the difference between these two, but what is recommended since everyone is moving towards OpenID Connect? 2> Does Onelogin supports AngularJS? I don't see any documentation for onelogin API with AngularJS & Node See Here … I was looking into Onelogin for SSO. We have applications written in .NET, AngularJS + Node. None of these applications are mobile applications. After going through their documentation I have few …
-
A: Does OneLogin support client session management via OIDC?
Answered Nov 16 2018https://openid.net/specs/openid-connect-session-1_0.html: 2.1. OpenID Provider Discovery Metadata These OpenID Provider Metadata parameters MUST be included in the Server's discovery … responses when Session Management and Discovery are supported: check_session_iframe ... end_session_endpoint ... I don't see these metadata parameters in the OneLogin discovery metadata, so it looks like Session Management is not supported. …
-
A: How to Validate an Access Token for OAuth2 + PCKE flow
Answered Apr 25 2019returned from the auth code flow https://developers.onelogin.com/openid-connect/api/authorization-code-grant worked, and the access_token only returned {"active":false} after it expired. Make sure you are not setting the Authorization header, and only set your client_id in the payload. … I'm using OIDC with PKCE, and I managed to call the https://openid-connect.onelogin.com/oidc/token/introspection endpoint with a token retrieved via the authorization code flow: $ curl -i -d "token …
-
Q: Python/Django library for registering multiple SSO Identity Providers(OpenID Connect)
Asked Nov 08 2019I'm working on a project written in Python(Django) and i recently added an SSO option for logging in with OneLogin accounts. There's already support for Microsofts Azure SSO from an earlier feature … . I'm looking for a library which can somehow register different identity providers(Microsoft, OneLogin, Facebook, etc...) and then wrap the similar login logic into a single class, which would handle …
Loading...