By: Paul Haggerty user 09 Dec 2016 at 2:32 p.m. CST

10 Responses
Paul Haggerty gravatar
Hi, I'm looking to do access token validation from resource server. Specifically I'm looking to do the RFC7662 introspection. I see there are 2 different endpoints on the gluu server one is called introspection "hostx/oxauth/seam/resource/restv1/introspection" and the other is called validate "Hostx/oxauth/seam/resource/restv1/oxauth/validate". So I have a couple of questions. Which of these does the RFC7662 introspection? The second question do the endpoints require a specific type of oauth authorization. I'm using basic client secret and I'm getting access denied.

By Michael Schwartz Account Admin 09 Dec 2016 at 2:46 p.m. CST

Michael Schwartz gravatar
The introspection endpoint... See []( Although I just noticed the response docs are not being rendered. I just opened a bug on that: [](

By Paul Haggerty user 09 Dec 2016 at 4:23 p.m. CST

Paul Haggerty gravatar
I've seen this document, thanks. Is that endpoint in the document correct? "/rpt/status" For instance would I post to /my_Gluu_server_host/**rpt/status** ? I see the endpoint called "introspection" and thought would be the one to use. The only issue is I get an access error. So that's why I'm wondering if only certain types of oauth2 authorizations are accepted.

By Yuriy Zabrovarnyy staff 09 Dec 2016 at 5:27 p.m. CST

Yuriy Zabrovarnyy gravatar
Documentation is updated (it may take some time to be live). Sample response of RPT introspection endpoint is: ``` HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store { "active": true, "exp": 1256953732, "iat": 1256912345, "permissions": [ { "resource_set_id": "112210f47de98100", "scopes": [ "view", "" ], "exp" : 1256953732 } ] } ``` The best way to know exact endpoint path is to call UMA discovery, usually `https://<gluu server>/.well-known/uma-configuration` In response of discovery request one of the json keys is: ``` "introspection_endpoint" : "https://<gluu server>/oxauth/seam/resource/restv1/rpt/status", ``` About authorization, Gluu Server sticks to UMA 1.0.1 and requires token to have `uma_protection` scope. Make sure that during token creation you requested scope=uma_protection. Here is sample of token creation in Java: `` Full UMA Flow test ``

By Paul Haggerty user 12 Dec 2016 at 9:14 a.m. CST

Paul Haggerty gravatar
Thanks Yuriy, It looks like this is for UMA token introspection. Does this mean I have to use the complete UMA flow? I was hoping to just do simple access token introspection using the RFC7662 flow without extra UMA message flow. My server just needs to validate that the (OpenId connect) access token is active and validate the scopes that the user has. Paul

By Paul Haggerty user 12 Dec 2016 at 9:34 a.m. CST

Paul Haggerty gravatar
I have one other quick question. On my Gluu server there are a couple of other endpoints that seem to be related to access token validation. What are these endpoints for? "validate_token_endpoint":"https://my_gluu_server/oxauth/seam/resource/restv1/oxauth/validate" "introspection_endpoint":"https://my_gluu_server/oxauth/seam/resource/restv1/introspection"

By Yuriy Zabrovarnyy staff 12 Dec 2016 at 9:48 a.m. CST

Yuriy Zabrovarnyy gravatar
Ok, those are two different introspection. 1. access_token introspection, usually located here: ``` "introspection_endpoint": "", ``` This endpoint is protected by access_token. See `` 2. UMA Introspection endpoint. If your goal is just to introspect access_token then you don't need RPT introspection of course.

By Paul Haggerty user 12 Dec 2016 at 10:07 a.m. CST

Paul Haggerty gravatar
Thanks, this is very helpful.

By Yuriy Zabrovarnyy staff 13 Dec 2016 at 2:55 a.m. CST

Yuriy Zabrovarnyy gravatar
Should we close this ticket or there is anything open regarding access_token introspection?

By Paul Haggerty user 13 Dec 2016 at 8:07 a.m. CST

Paul Haggerty gravatar
Yes, the access token introspection endpoint is working for me. thanks

By Yuriy Zabrovarnyy staff 13 Dec 2016 at 11:50 a.m. CST

Yuriy Zabrovarnyy gravatar
Great, closing it.