There are two ways to validate an access token depending on the type:
- A JWT is validated by checking its signature, using the public key from the tenant certificate.
- An opaque token is validated using the /oauth2//introspect/ endpoint and passing the access token or refresh token via the `token` body parameter:

```http
POST https://tenant.my.centrify.net/oauth2/introspect/jamestest1234 HTTP/1.1
Authorization: Basic amFtZ...
Content-Type: application/x-www-form-urlencoded

token=eyJhbGci...
```

The `active` field in the response indicates if the token is currently active:

```json
{
  "active": false
}
```
Validating ID Tokens
There are two ways to validate an ID token:
- Use the /oauth2//introspect/ endpoint to get the token's `active` status (see example above).
- Use the /Security/whoami endpoint passing the token as a `Bearer` value in the `Authorization` header:

```http
POST https://tenant.my.centrify.net/security/whoami
Authorization: Bearer eyJhbGci...
Content-Type: application/json
```

The `Result` field in the response contains information about the user who was authorized on the tenant using the specified token, which implies that the token is valid.

```json
{
  "success": true,
  "Result": {
    "TenantId": "mytenant",
    "User": "[emailprotected]",
    "UserUuid": "c2c7..."
  },
  "Message": null,
  "MessageID": null,
  "Exception": null,
  "ErrorID": null,
  "ErrorCode": null,
  "InnerExceptions": null
}
```