See openid-connect Menu

Validate a Session


Use this API to check the status of a session that was started via either the Authentication or Username/Password flow.

Note that a successful request to this API will return a HTTP 200 - Success but this does not indicate the session is still valid. You need to check the boolean active attribute which is returned in the payload body.

Resource URL

https://<subdomain>.onelogin.com/oidc/token/introspection

Header Parameter

Authorization

required

string

Set to Basic <base64 encoded "clientId:clientSecret">.

The client_id and client_secret are generated when you configure your OpenId Connect app in OneLogin.

e.g. Using Node.js this would be

new Buffer(`${this.client_id}:${this.client_secret}`).toString('base64');

Content-Type

string

application/x-www-form-urlencoded

Resource Parameter

subdomain

required

integer

Set to the subdomain of your OneLogin instance.

e.g. oidc-sample where the instance is https://oidc-sample.onelogin.com

Request Parameter

token

required

string

Set to access_token that will be validated

token_type_hint

string

Set to “access_token”

Sample Request Body

token=MmVkMTIyNGUtODI5MC00YzQ4LThkZmQtYzUzYmMzODBkYjY3UV4nmxKh4z....&token_type_hint=access_token

Sample Response

The session is valid

{
    "active": true,
    "token_type": "access_token",
    "sub": "32916209",
    "client_id": "cc0e6bc0-644a-0135-fd0d-02d3582f0df061892",
    "exp": 1507952334,
    "iat": 1507948734,
    "iss": "https://openid-connect.onelogin.com/oidc",
    "jti": "OTY3MjhlZGMtNmVlMS00N2ZjLTk4OGItM2RhODgyYWExODNk"
}

The session has expired or been revoked

{
    "active": false
}
{
    "error": "invalid_request",
    "error_description": "missing required parameter(s). (token)"
}

Response Elements

active Indicates if the current session is valid
token_type The type of token that was validated
sub The OneLogin ID for the user that started the session
client_id The OneLogin generated Client ID for the OpenID Connect app that started the session.
exp A UNIX epoch time representing the expiry date/time of the token
iat A UNIX epoch time representing the issue date/time of the token
iss The issuing authority of the token
jti A unique identifier for the token

Sample Code

cURL

Replace sample values indicated by < > with your actual values.

curl -XPOST "https://<subdomain>.onelogin.com/oidc/token/introspection" \
-H "Authorization: Basic <base64 encoded client_id:client_secret>" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "token=<access_token>&token_type_hint=access_token"


Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.