APIs#
Token Introspection#
This API defines a method for a protected resource to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token.
Configuration properties:
introspectionAccessTokenMustHaveUmaProtectionScope- oxauth configuration which defines whetheraccess_tokenused in Authorization header must haveuma_protectionscope or not. If set to true andaccess_tokenin Authorization header does not haveuma_protectionscope then request is rejected with 403 forbidden HTTP code with appropriate log message in oxauth.log file.
Path#
/restv1/introspection
introspect#
GET or POST
/restv1/introspection
Client introspects OAuth 2 token.
URL http://sample.com/restv1/introspection
Parameters
- token - REQUIRED. The string value of the token. For access tokens, this is the "access_token" value returned from the token endpoint.
- response_as_jwt - OPTIONAL. Boolean value with default value false. If true, returns introspection response as JWT (signed based on client configuration used for authentication to Introspection Endpoint).
Response
Sample request/response
POST /introspect HTTP/1.1
Host: sample.com
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer 23410913-abewfq.123483
token=2YotnFZFEjr1zCsicMWpAA
response_as_jwt=false
HTTP/1.1 200 OK
Content-Type: application/json
{
"active": true,
"client_id": "l238j323ds-23ij4",
"username": "jdoe",
"scope": "read write dolphin",
"sub": "Z5O3upPC88QrAjx00dis",
"aud": "https://protected.example.net/resource",
"iss": "https://server.example.com/",
"exp": 1419356238,
"iat": 1419350238,
"extension_field": "twenty-seven"
}
Errors
| Status Code | Reason |
|---|---|
| 401 | Unauthorized if access_token in Authorization header is not valid |
| 400 | Bad request if request is malformed. |
Token Revocation#
This API defines a method for a client to notify an OAuth 2.0 authorization server that a previously obtained refresh or access token is no longer needed, allowing the server to clean up security credentials.
When a token is revoked, all related tokens and the underlying authorization grant are also revoked. If the revoked token is a refresh token, the authorization server will also invalidate all access tokens based on the same authorization grant. If the revoked token is an access token, the server will also revoke the respective refresh token.
Path#
oxauth/restv1/revoke
revoke#
POST
oxauth/restv1/revoke
Client introspects OAuth 2 token.
URL
http://sample.com/oxauth/restv1/revoke
Parameters
- token - REQUIRED - The token that the client wants to get revoked
- token_type_hint - OPTIONAL - A hint about the type of the token submitted for revocation. Passing this parameter can help the authorization server optimize the token lookup. May be one of the following:
- access_token
- refresh_token
Response
Sample Request
POST /restv1/revoke HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: ce.gluu.info
Authorization: Basic JTQwJTIxOTBDQy4yRTM4Ljc3NEMuNjEwQiUyMTAwMDElMjFGRDNCLkIwQTAlMjEwMDA4JTIxMjc5MC40NzIwLjU3NUQuQTRBRjpjNzJiMjNiZC1lMjQ5LTRkZTktODBlMS02YTk1NGY1MTBiOGM=
token=0e175b7e-3ee8-4981-b32d-427f11f3d0d9&token_type_hint=access_token
Sample Response
HTTP/1.1 200
Cache-Control: no-store
Content-Length: 0
Pragma: no-cache
Server: Jetty(9.4.11.v20180605)
Errors
| Status Code | Reason |
|---|---|
| 400 | Bad request if request is malformed |
| 401 | Client authentication fails if client is invalid |
ID Generation API#
This section will discuss a few APIs used in the Gluu Server for ID generation.
Path#
/restv1/id
Overview#
The API convention is set as id followed by prefix and type or /id/{prefix}/{type}/.
Please see the following table to specify what type you are generating. The prefix is used in the
inum to make it possible to know the type of object just by looking at the identifier.
prefix |
type |
description |
|---|---|---|
| 0000 | people | Person object |
| 0001 | organization | Organization object |
| 0002 | appliance | Appliance object |
| 0003 | group | Group object |
| 0004 | server | Server object |
| 0005 | attribute | User attribute (claim) object |
| 0006 | tRelationship | SAML Trust Relationship object |
| 0008 | client | OAuth2 Client object |
| 0009 | scope | OAuth2 Scope Object |
| 0010 | uma-resource-set | UMA Resource Set Object |
| 0011 | interception-script | Gluu Server interception script object |
| 0012 | sector-identifier | Managed Sector Identifier URI |
generateJsonInum
GET/id/{prefix}/{type}/
Generates ID for given prefix and type.
URL
http://gluu.org/id/{prefix}/{type}/
Parameters
- path
| Parameter | Required | Description | Data Type |
|---|---|---|---|
| prefix | true | Prefix for id. E.g. if prefix is @!1111 and server will generate id: !0000 then ID returned by service would be: @!1111!0000 | string |
| type | true | Type of id | string |
- header
|Parameter|Required|Description|Data Type| |Authorization|false||string|
Response
String[Response]
generateHtmlInum
GET**/id/{prefix}/{type}/
Generates ID for given prefix and type.
URL
http://gluu.org/id/{prefix}/{type}/
Parameters
- path
| Parameter | Required | Description | Data Type |
|---|---|---|---|
| prefix | true | Prefix for id. E.g. if prefix is @!1111 and server will generate id: !0000 then ID returned by service would be: @!1111!0000 | string |
| type | true | Type of id | string |
| - header |
| Parameter | Required | Description | Data Type |
|---|---|---|---|
| Authorization | false | The authorization sent as a String | string |
Response
String[Response]
Errors
generateTextInum
GET/id/{prefix}/{type}/
Generates ID for given prefix and type.
URL
http://gluu.org/id/{prefix}/{type}/
Parameters
- path
| Parameter | Required | Description | Data Type |
|---|---|---|---|
| prefix | true | string | |
| type | true | string |
- header
| Parameter | Required | Description | Data Type |
|---|---|---|---|
| Authorization | false | string |
Response
String[Response]
Errors
generateXmlInum
GET/id/{prefix}/{type}/
Generates ID for given prefix and type.
URL
http://gluu.org/id/{prefix}/{type}/
Parameters
- path
| Parameter | Required | Description | Data Type |
|---|---|---|---|
| prefix | true | Prefix for id. E.g. if prefix is @!1111 and server will generate id: !0000 then ID returned by service would be: @!1111!0000 | string |
| type | true | Type of id | string |
| - header |
| Parameter | Required | Description | Data Type |
|---|---|---|---|
| Authorization | false | string |
Response
String[Response]
Errors
| Status Code| | Reason| |
|---|
generateHtmlInum
GET/id/{prefix}/{type}/
Generates ID for given prefix and type.
URL
http://gluu.org/id/{prefix}/{type}/
Parameters
- path
| Parameter | Required | Description | Data Type |
|---|---|---|---|
| prefix | true | Prefix for id. E.g. if prefix is @!1111 and server will generate id: !0000 then ID returned by service would be: @!1111!0000 | string |
| type | true | Type of id | string |
| - header |
| Parameter | Required | Description | Data Type |
|---|---|---|---|
| Authorization | false | string |
Response
String[Response]
Errors
| Status Code| | Reason| |
|---|