By: valsaraj viswanathan user 22 Jan 2018 at 6:29 a.m. CST

10 Responses
I followed the auth code flow and retrieved a token from the Gluu OpenID provider. Is there any way to check that the access token is valid? https://gluu.org/docs/ce/3.1.0/api-guide/openid-connect-api/ I checked here and did not find any API for token validation. I see additional APIs in the Gluu server oxAuth conf but not in the API docs:

- https://glue-37.lychee.com/oxauth/restv1/id
- https://glue-37.lychee.com/oxauth/restv1/introspection
- https://glue-37.lychee.com/oxauth/restv1/uma2-configuration

I would also like to know about the use of these endpoints.
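Added example, not part of the thread and not Gluu's or oxd's code: the `/restv1/introspection` path listed in the question is the kind of endpoint RFC 7662 (OAuth 2.0 Token Introspection) defines for asking the provider whether an access token is still valid. The sketch below assumes that endpoint follows RFC 7662 and accepts HTTP Basic client authentication; the host, client id, secret and sample responses are constructed placeholders.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Constructed sample response bodies (not captured from a real server).
SAMPLE_ACTIVE = '{"active": true, "scope": "openid profile", "client_id": "app-1", "exp": 1516627800}'
SAMPLE_REVOKED = '{"active": false}'

def build_introspection_request(endpoint, token, client_id, client_secret):
    """RFC 7662 request. HTTP Basic client authentication is an assumption;
    the server may require a different credential (for example a bearer token)."""
    quote = lambda s: urllib.parse.quote(s, safe="")
    creds = base64.b64encode(f"{quote(client_id)}:{quote(client_secret)}".encode()).decode()
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"})
    return urllib.request.Request(
        endpoint, data=body.encode(), method="POST",
        headers={"Authorization": "Basic " + creds, "Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"})

def check_introspection(raw_json, required_scope, expected_client_id=None, now=None):
    """Return (ok, reason). Fails closed on anything unexpected."""
    now = time.time() if now is None else now
    try:
        resp = json.loads(raw_json)
    except ValueError:
        return False, "response is not JSON"
    # "active" is the only required member; it must be the boolean true.
    if not isinstance(resp, dict) or resp.get("active") is not True:
        return False, "token is not active"
    exp = resp.get("exp")
    if exp is not None and (isinstance(exp, bool) or not isinstance(exp, (int, float)) or now >= exp):
        return False, "token is expired or exp is malformed"
    scope = resp.get("scope", "")
    granted = scope.split() if isinstance(scope, str) else []
    if required_scope not in granted:
        return False, "required scope not granted"
    if expected_client_id is not None and resp.get("client_id") != expected_client_id:
        return False, "token was issued to a different client"
    return True, "ok"

if __name__ == "__main__":
    # Placeholder host; the path is the one listed in the question.
    req = build_introspection_request(
        "https://idp.example/oxauth/restv1/introspection", "<access_token>", "app-1", "<secret>")
    print(req.get_method(), req.full_url)
    print(check_introspection(SAMPLE_ACTIVE, "openid", "app-1", now=1516624200))
    print(check_introspection(SAMPLE_REVOKED, "openid"))
```

Send the request with `urllib.request.urlopen(req)` over TLS and pass the response body to `check_introspection`; treat any HTTP error or non-JSON body as an invalid token.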

By William Lowe user 22 Jan 2018 at 8:27 a.m. CST

[OpenID Connect API docs](https://gluu.org/docs/ce/api-guide/openid-connect-api/).

By valsaraj viswanathan user 22 Jan 2018 at 8:56 a.m. CST

A similar link is already specified in the question. Can you answer how an access token can be validated?

By William Lowe user 26 Jan 2018 at 9:04 a.m. CST

What client software are you using?

By valsaraj viswanathan user 26 Jan 2018 at 9:17 a.m. CST

I am calling the Gluu OpenID Connect API from a Java application, using the oxAuth client API.

By William Lowe user 26 Jan 2018 at 9:19 a.m. CST

You should use one of the existing client software projects listed on our [integration guide](https://gluu.org/docs/ce/integration/). We are unable to support custom OAuth/OpenID client development. Thanks, Will

By valsaraj viswanathan user 26 Jan 2018 at 9:31 a.m. CST

We are using the existing one. Followed the same guide:

> Client Software
>
> Client software performs some of the heavy lifting for developers around leveraging OAuth 2.0 directly in their applications. Calling the APIs directly will enable “smarter” handling of authentication in your applications. For example, transaction level security can be more easily implemented by calling the OAuth 2.0 APIs directly. This can have a positive impact on usability. Also, giving developers more ability to leverage centralized policies increases re-use of policies, and ultimately results in better security. We recommend the following client software to implement OpenID Connect in server-side web applications: oxd

Not using oxd since it is paid. The same can be done by calling the APIs in the Gluu API section. But I am not seeing much detail documented regarding validation of an access token by calling the Gluu API. I have checked the oxd APIs also; they also lack this API information. I wonder whether it needs validation.

By William Lowe user 26 Jan 2018 at 9:33 a.m. CST

> We are using the existing one.

No, you aren't. If you were using one of the recommended client software projects, you would actually be using it. By your own admission, you are not using it:

> Not using oxd since it is paid.

That's my point. You need to use one of the recommended software projects. Try mod_auth_openidc if you want a free open source client. As mentioned, we do not support custom client development, which is what you are trying to do.

By valsaraj viswanathan user 26 Jan 2018 at 9:37 a.m. CST

We need it at the application level, not from the Apache server. Can you tell me what to do to validate an access token if I am using oxd?

By William Lowe user 26 Jan 2018 at 9:39 a.m. CST

oxd does all the validation for you. That's why we wrote oxd--it handles much of the protocol implementation for you. It's taken us many years to write a good client. It's not a trivial undertaking.

By Venkat bandlamudi user 12 Nov 2018 at 12:34 a.m. CST

Hi valsaraj viswanathan, can you please give me your phone number? I am also trying to write a client for OAuth, SAML and LDAP. I need some clarifications. Please give me a reply. You can WhatsApp your number to 7411417149