See openid-connect Menu

Validate an Access Token


Deprecation Notice

There is a more recent version of this OpenId Connect API available. Learn more.

This endpoint will be deprecated on November 2nd 2020.

Use this API to check the status of a session that was started via either the Authentication or Username/Password flow.

Note that a successful request to this API will return a HTTP 200 - Success but this does not indicate the session is still valid. You need to check the boolean active attribute which is returned in the payload body.


Resource URL

https://<region>.onelogin.com/oidc/token/introspection

Header Parameter

Authorization

string

Required if Token Endpoint Authentication Method is set to Basic

Set to Basic <base64 encoded "clientId:clientSecret">.

The client_id and client_secret are generated when you configure your OpenId Connect app in OneLogin.

e.g. Using Node.js this would be

new Buffer(`${this.client_id}:${this.client_secret}`).toString('base64');

Content-Type

string

application/x-www-form-urlencoded

Resource Parameter

region

required

string

Set to the region of your OneLogin instance.

  • openid-connect
  • openid-connect-eu
e.g. If your OneLogin instance is located in Europe then use https://openid-connect-eu.onelogin.com/oidc

Request Parameter

token

required

string

Set to access_token that will be validated

token_type_hint

string

Set to “access_token”

client_id

string

The OneLogin generated Client ID for your OpenID Connect app.

Required if Token Endpoint Authentication method is set to POST.

client_secret

string

The OneLogin generated Client Secret for your OpenID Connect app.

Required if Token Endpoint Authentication method is set to POST.

Sample Request Body

token=MmVkMTIyNGUtODI5MC00YzQ4LThkZmQtYzUzYmMzODBkYjY3UV4nmxKh4z....&token_type_hint=access_token

Sample Response

The session is valid

{
    "active": true,
    "token_type": "access_token",
    "sub": "32916209",
    "client_id": "cc0e6bc0-644a-0135-fd0d-02d3582f0df061892",
    "exp": 1507952334,
    "iat": 1507948734,
    "iss": "https://openid-connect.onelogin.com/oidc",
    "jti": "OTY3MjhlZGMtNmVlMS00N2ZjLTk4OGItM2RhODgyYWExODNk"
}

The session has expired or been revoked

{
    "active": false
}
{
    "error": "invalid_request",
    "error_description": "missing required parameter(s). (token)"
}

Response Elements

active Indicates if the current session is valid
token_type The type of token that was validated
sub The OneLogin ID for the user that started the session
client_id The OneLogin generated Client ID for the OpenID Connect app that started the session.
exp A UNIX epoch time representing the expiry date/time of the token
iat A UNIX epoch time representing the issue date/time of the token
iss The issuing authority of the token
jti A unique identifier for the token

Sample Code

cURL

Replace sample values indicated by < > with your actual values.

curl -XPOST "https://<region>.onelogin.com/oidc/token/introspection" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "token=<access_token>&token_type_hint=access_token"

Postman Collection

Replace sample variables indicated by {{ }} with your actual values.

Download for the OpenId Connect API


Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.

StackOverflow discussions about "[onelogin] openid connect"

  • 6
    Votes

    A: SAML for Native Mobile Apps(Android and IOS)

    Answered Apr 02 2018

    session you've established with an SSO provider) between native apps that also support SAML the same way. https://spin.atomicobject.com/2016/09/01/sharing-web-data-wkwebview/ Basically, if you do this, you'll also be supporting SSO on mobile via SAML (or OpenID Connect, if you go that route) …

  • 5
    Votes
    1
    Answers

    Q: How to use onelogin SSO with AngularJS?

    Asked Jun 20 2016

    questions: 1> Onelogin is using SAML instead of OpenID Connect. I am not asking what's the difference between these two, but what is recommended since everyone is moving towards OpenID Connect? 2> Does Onelogin supports AngularJS? I don't see any documentation for onelogin API with AngularJS & Node See Here … I was looking into Onelogin for SSO. We have applications written in .NET, AngularJS + Node. None of these applications are mobile applications. After going through their documentation I have few …

  • 3
    Votes

    A: Does OneLogin support client session management via OIDC?

    Answered Nov 16 2018

    https://openid.net/specs/openid-connect-session-1_0.html: 2.1. OpenID Provider Discovery Metadata These OpenID Provider Metadata parameters MUST be included in the Server's discovery … responses when Session Management and Discovery are supported: check_session_iframe ... end_session_endpoint ... I don't see these metadata parameters in the OneLogin discovery metadata, so it looks like Session Management is not supported. …

  • 2
    Votes

    A: How to Validate an Access Token for OAuth2 + PCKE flow

    Answered Apr 25 2019

    returned from the auth code flow https://developers.onelogin.com/openid-connect/api/authorization-code-grant worked, and the access_token only returned {"active":false} after it expired. Make sure you are not setting the Authorization header, and only set your client_id in the payload. … I'm using OIDC with PKCE, and I managed to call the https://openid-connect.onelogin.com/oidc/token/introspection endpoint with a token retrieved via the authorization code flow: $ curl -i -d "token …

  • 2
    Votes

    Q: Python/Django library for registering multiple SSO Identity Providers(OpenID Connect)

    Asked Nov 08 2019

    I'm working on a project written in Python(Django) and i recently added an SSO option for logging in with OneLogin accounts. There's already support for Microsofts Azure SSO from an earlier feature … . I'm looking for a library which can somehow register different identity providers(Microsoft, OneLogin, Facebook, etc...) and then wrap the similar login logic into a single class, which would handle …

Loading...