Introspect

URL https://<baseurl>/protocol/openid-connect/token/introspect
Request method

POST with parameters as application/x-www-form-urlencoded data

Client authentication See supported methods
Request parameters See below
Response elements See below
Example See below

Introspect is a standard endpoint used by Resource Servers to determine the particuar Authentication Context for a by-reference Access Token. A Resource Server needs such information to validate incomming tokens before granting access to Proteted Resources it hosts. Note in contrast that  self-contained Access Tokens can be validated by a Resource Server without calling the Introspection endpoint. Each of the particular types of by-reference tokens  supported by the OIDC Provider from BankID have corresponding support in the Introspect endpoint.

Request parameters

 In addition to the parameters shown below comes parameters related to Client authentication.

(tick) = According to standard. (error) = Feature restriction. 

Parameter Support Description
token (tick) String value of the by-reference token
token_hint (error) Not supported

Response parameters

JSON structure containing relevant attributes for the Access Token in question. The following attributes are supported

(tick) = According to standard. (error) = Feature restriction. (warning) = In progress / future support. (info) = Custom additions

Parameter Support Description
active
(tick) Indicator of whether or not the presented token is currently active 
scope (tick) Scopes associated with the access token in question 
client_id (tick) Identifier of the OIDC client that requested the token
username ??? TBD
token_type (tick) Type of token
exp (tick) Expiration time for the token
iat (tick) Issuing time for the token
nbf (error)   
sub (warning) Subject identifier of the end-user with which the token is associated
aud (error)   
iss (tick) Identifier for the issuer of the token
jti (error)   
nnin_altsub (info)(warning) Norwegian National Identity Number of the end-user with which the token is associated (corresponds to nnin_altsub in IDToken). Only available for eligible OAuth Resource Servers. Note: an eligible Resource Server may get access to nnin even of the OIDC Client that received the access token in question is not eligible.

Example

Introspection
POST /auth/realms/preprod/protocol/openid-connect/token/introspect HTTP/1.1
Host: oidc-preprod.bankidapis.no
Connection: close
Content-Length: 1321
Authorization: Basic UG9zdG1hbjo5YWE3NDBhZi03NGIxLTQ2ODMtOWFhNi02NWJiNDBmYmY1Zjk=
Postman-Token: 00976d86-f2ab-73ca-b0c4-78570bb367bd
Cache-Control: no-cache
Origin: chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8


token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3VkZaSVp2UlBOY1lSUUZUcEQ4MHVJaElpVVB4WUNkaEtoUjZudjJDQnJnIn0.eyJqdGkiOiI0NTIyNGYyYS02MmQwLTRlNTgtODY1Yi1iODA2NjZlMjM3NzEiLCJleHAiOjE1MTA4MzgzNzYsIm5iZiI6MCwiaWF0IjoxNTEwODM4MDc2LCJpc3MiOiJodHRwczovL29pZGMtcHJlcHJvZC5iYW5raWRhcGlzLm5vL2F1dGgvcmVhbG1zL3ByZXByb2QiLCJhdWQiOiJ0aW5mbyIsInN1YiI6ImIzZjRkOTE5LThjYzUtNDEzYy05ZTExLTNjMmM2NzViMmY4ZiIsInR5cCI6IkJlYXJlciIsImF6cCI6IlBvc3RtYW4iLCJhdXRoX3RpbWUiOjE1MTA4MzgwNTAsInNlc3Npb25fc3RhdGUiOiJiZjBhNGM5Zi0yZDAwLTQzZDgtODI4OC0wMWI4M2FiMWU1ODAiLCJuYW1lIjoiRnJvZGUgQmVja21hbm4gTmlsc2VuIiwiZ2l2ZW5fbmFtZSI6IkZyb2RlIEJlY2ttYW5uIiwiZmFtaWx5X25hbWUiOiJOaWxzZW4iLCJhY3IiOiI0IiwiYWxsb3dlZC1vcmlnaW5zIjpbXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm5uaW5fYWx0c3ViIiwicHJvZmlsZSJdfSwicmVzb3VyY2VfYWNjZXNzIjp7InRpbmZvIjp7InJvbGVzIjpbImFkZHJlc3MiLCJwaG9uZSIsImVtYWlsIl19fSwiYW1yIjoiQklEIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiTmlsc2VuLCBGcm9kZSBCZWNrbWFubiIsImJhbmtpZF9hbHRzdWIiOiI5NTc4LTYwMDAtNC0zMDc5OSJ9.EWLAWLfy4FFGa4UACJfLfCBiPKyNOoLJxUoEirrcR3JR81ruJW3T3SyTP4iMZ74nFbHclS9z4j8AhzBYfhdj9ZpCqAnYiJUGdwyMLPTRMoY_qW57qd1ZXoP93nAK9yhByLEI-N4U6wsC_FJado2EfyT_9oyKFx5YGa9Rg4wldbyt9EcUXsl-AuoLEhDbNjr3O-O9eixCXkyCj_sSptOlu4bdzTDpkYaAenXahncST6H_-n7Pe1Q1eZJuDjx2ofLsn3TGXlAb5zuOdiNUdmBk9jkUZiTz-5CxR-z9JQDZPfwJYSuC-z4X-rnknfDw06OnlbY7zGYPL827Nzw74snnRg


HTTP/1.1 200 OK
Date: Thu, 16 Nov 2017 13:15:21 GMT
Server: WildFly/10
X-Powered-By: Undertow/1
Content-Type: application/json
Content-Length: 717
Via: 1.1 oidc-preprod.bankidapis.no
Connection: close

{
    "jti": "45224f2a-62d0-4e58-865b-b80666e23771",
    "exp": 1510838376,
    "nbf": 0,
    "iat": 1510838076,
    "iss": "https://oidc-preprod.bankidapis.no/auth/realms/preprod",
    "aud": "tinfo",
    "sub": "b3f4d919-8cc5-413c-9e11-3c2c675b2f8f",
    "typ": "Bearer",
    "azp": "Postman",
    "auth_time": 1510838050,
    "session_state": "bf0a4c9f-2d00-43d8-8288-01b83ab1e580",
    "name": "Frode Beckmann Nilsen",
    "given_name": "Frode Beckmann",
    "family_name": "Nilsen",
    "preferred_username": "Nilsen, Frode Beckmann",
    "acr": "4",
    "allowed-origins": [],
    "realm_access": {
        "roles": [
            "nnin_altsub",
            "profile"
        ]
    },
    "resource_access": {
        "tinfo": {
            "roles": [
                "address",
                "phone",
                "email"
            ]
        }
    },
    "amr": "BID",
    "bankid_altsub": "9578-6000-4-30799",
    "client_id": "Postman",
    "username": "Nilsen, Frode Beckmann",
    "active": true
}