Connect2id server 3.6 adds standard token introspection

We are delighted to announce the release of Connect2id server 3.6, which implements the latest standard to come out of the OAuth working group: an endpoint for token introspection.

Token introspection

The token introspection spec (RFC 7662) defines a simple protocol and endpoint to let OAuth 2.0 secured resource servers check identifier-based tokens. Self-contained (JWT-encoded) tokens, which carry a signed authorisation in their payload, and as such are intended to be checked on the spot, can also be examined at this new endpoint.

The use of the introspection endpoint is explained in the Connect2id server docs.

Example token introspection request, where the resource server authenticates as a registered OAuth client:

POST /token/introspect HTTP/1.1
Host: c2id.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

token=45ghiukldjahdnhzdauz

Example response for a valid token:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8

{
  "active"     : true,
  "scope"      : "https://example.com/accounts https://example.com/groups",
  "client_id"  : "izad7cqy34bg4",
  "token_type" : "Bearer",
  "exp"        : 1448367412,
  "sub"        : "izad7cqy34bg4",
  "iss"        : "https://c2id.com"
}
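The exchange above, worked through as an added example in Python (this is not Connect2id server or Nimbus SDK code). The resource server builds the form-encoded, Basic-authenticated request, then decides from the JSON response whether the token authorises a given scope. Because the example must run offline, the introspection endpoint is a constructed in-memory stand-in; the token, response claims and the client credentials (s6BhdRkqt3:gX1fBat3bV, which is what the Basic header above decodes to) are taken from the request and response shown. The `now` argument stands in for the clock, since the `exp` in the sample response is in the past.

```python
# Added example (not Connect2id or Nimbus SDK code): a resource server checking an
# identifier-based access token via RFC 7662 introspection against a constructed,
# in-memory stand-in for the introspection endpoint.
import base64
import hmac
import json
from urllib.parse import parse_qs, urlencode

ISSUER = "https://c2id.com"

# Client credentials of the resource server (the decoded Basic header above).
RS_CLIENT_ID = "s6BhdRkqt3"
RS_CLIENT_SECRET = "gX1fBat3bV"

# Constructed token store for the stand-in endpoint, keyed by token value.
_TOKENS = {
    "45ghiukldjahdnhzdauz": {
        "active": True,
        "scope": "https://example.com/accounts https://example.com/groups",
        "client_id": "izad7cqy34bg4",
        "token_type": "Bearer",
        "exp": 1448367412,
        "sub": "izad7cqy34bg4",
        "iss": ISSUER,
    },
}


def introspect_endpoint(headers, body, now):
    """Stand-in for POST /token/introspect. Returns (HTTP status, JSON body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, json.dumps({"error": "invalid_client"})
    try:
        creds = base64.b64decode(auth[len("Basic "):], validate=True).decode()
    except ValueError:
        return 401, json.dumps({"error": "invalid_client"})
    client_id, _, secret = creds.partition(":")
    # Constant-time comparison of both parts; only a registered client may introspect.
    ok = hmac.compare_digest(client_id.encode(), RS_CLIENT_ID.encode()) & \
        hmac.compare_digest(secret.encode(), RS_CLIENT_SECRET.encode())
    if not ok:
        return 401, json.dumps({"error": "invalid_client"})
    token = parse_qs(body).get("token", [""])[0]
    rec = _TOKENS.get(token)
    if rec is None or rec["exp"] <= now:
        # RFC 7662 section 2.2: unknown, expired and revoked tokens all get the same
        # minimal answer, so the endpoint does not reveal why a token is unusable.
        return 200, json.dumps({"active": False})
    return 200, json.dumps(rec)


def build_introspection_request(token, client_id=RS_CLIENT_ID, client_secret=RS_CLIENT_SECRET):
    """Headers and form-encoded body for the introspection call."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic " + creds,
    }
    return headers, urlencode({"token": token})


def check_access(token, required_scope, now, client_secret=RS_CLIENT_SECRET):
    """Introspect `token` and decide whether it authorises `required_scope`.

    Returns (allowed, detail): detail is the subject on success, else the reason.
    """
    headers, body = build_introspection_request(token, client_secret=client_secret)
    status, payload = introspect_endpoint(headers, body, now)
    if status != 200:
        return False, f"introspection call failed: HTTP {status}"
    resp = json.loads(payload)
    # "active" is the only required member; anything but a literal true is a reject.
    if resp.get("active") is not True:
        return False, "token inactive"
    # Belt-and-braces checks on the optional members the server does return.
    if resp.get("iss", ISSUER) != ISSUER:
        return False, "token issued by an unexpected issuer"
    if resp.get("token_type", "Bearer").lower() != "bearer":
        return False, "unexpected token type"
    if "exp" in resp and resp["exp"] <= now:
        return False, "token expired"
    granted = set(resp.get("scope", "").split())
    missing = set(required_scope) - granted
    if missing:
        return False, "insufficient_scope: " + " ".join(sorted(missing))
    return True, resp.get("sub", "")


if __name__ == "__main__":
    print(check_access("45ghiukldjahdnhzdauz", {"https://example.com/accounts"}, now=1448367000))
    print(check_access("45ghiukldjahdnhzdauz", {"https://example.com/admin"}, now=1448367000))
```

The point worth noticing on the server side is that an unknown, expired and revoked token all produce the same `{"active": false}` answer, and that an unauthenticated or wrongly authenticated caller gets no token information at all; on the client side, only a literal `"active": true` is accepted, and the scope check is a set difference, so a token covering more scopes than required still passes while one missing any required scope is refused.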

We would like to thank Justin Richer (editor) and Hannes Tschofenig for their help in interpreting some edge cases around the spec.

Note that support for this endpoint is also added to the OAuth 2.0 / OpenID Connect SDK that is maintained by Connect2id.

Download

To download a ZIP package of Connect2id server 3.6:

https://connect2id.com/assets/products/server/download/3.6/Connect2id-server.zip

As WAR package only:

https://connect2id.com/assets/products/server/download/3.6/c2id.war

https://connect2id.com/assets/products/server/download/3.6/c2id-3.6.war

Questions?

Please contact Connect2id support.

Connect2id Server 3.6 release notes

Configuration

  • /WEB-INF/clientGrantHandler.properties

    • Reduces default access token lifetime for client credentials grant to 10 minutes.

Web API

  • Adds /token/introspect endpoint for access tokens (RFC 7662).

Bug fixes

  • Fixes inspection of expired JWT-encoded access tokens at the authz-store/rest/v2/inspection endpoint (issue authz-store/106).

  • Fixes OP6000 client authentication log message (issue server/168).

Dependencies

  • Upgrades to com.nimbusds:oauth2-authz-store:3.1.4

  • Upgrades to com.nimbusds:oauth2-oidc-sdk:5.0-alpha12

  • Upgrades to com.nimbusds:nimbus-jose-jwt:4.7

  • Upgrades to com.thetransactioncompany:cors-filter:2.5

Other

  • Writes direct authorisation messages to the Log4j "DIRECT-AUTHZ" logger.

  • Writes token introspection messages to the Log4j "TOKEN-INTROSPECT" logger.

  • Writes token revocation messages to the Log4j "TOKEN-REVOKE" logger.