
Verify IAM Access Token

The Verify IAM Access Token policy verifies an access token issued by a third-party IAM service such as Gluu. Out of the box, it invokes the token verification (introspection) endpoint of the IAM service that issued the token and allows or rejects the request based on the response received from that endpoint.

Configuration

The properties that have to be configured to use the policy are described below.

Access Token

Configure the Message Part Identifier with the source (header, query parameter, context variable or constant) through which the access token is passed.

Target(s) Configuration

Refer to the Service Callout section to understand the configuration.

This endpoint config is intended to specify the verification endpoints of the IAM service.

Additional parameters

Specify any parameters other than the access token that are understood by the configured endpoint; they are sent along with the token.

Variable prefix

This prefix is used at two junctures:

  1. To filter the context variables/headers that are sent to the specified target.
  2. To populate the attributes of the JSON response into context variables.

    Example

    The value of the token's subject (sub) claim is populated into a context variable with the following name:

    CODE
    <prefix>.body.sub

Example

  1. Install the Gluu server and configure its hostname as fioiam.gluu.org.
  2. Configure the introspection endpoint https://fioiam.gluu.org/oxauth/restv1/introspection under Targets, with target id t1.
  3. Set the access token's source as parameter and add t1 under the selected targets.

Request

Below is a sample request with a valid Authorization header (carrying the credentials of the OpenID client created in the Gluu dashboard: https://fioiam.gluu.org/identity/home.htm) and Content Type application/x-www-form-urlencoded:

For the above request, make sure that the Body type is not left empty. Set it as below:

CODE
x-www-form-urlencoded

Response

For a valid access token, the introspection endpoint returns a response such as the following (note "active": true); each attribute is also exposed as a <prefix>.body.<attribute> context variable:

CODE
{
	"sub": "PyCkQLfQpBlz77YuE_hdFTV5VKWhPm1JGboxVMRu1gg",
	"aud": "c44ab377-8a7e-4d4a-92af-030880883eab",
	"scope": "",
	"acr_values": "simple_password_auth",
	"iss": "https://fioiam.gluu.org",
	"active": true,
	"token_type": "bearer",
	"exp": 1612874392,
	"iat": 1612874092,
	"client_id": "c44ab377-8a7e-4d4a-92af-030880883eab",
	"jti": null,
	"username": "sampleuser"
}

For an expired access token, the introspection endpoint reports the token as inactive ("active": false) and the policy rejects the request with:

CODE
{
	"ErrorMessage": "Invalid Access Token",
	"ErrorCode": "Not Authorized",
	"MoreInfo": "Policy Name - iam, Type - VERIFY_IAM_TOKEN"
}
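The following is an added example, not the gateway's or Gluu's own code: an offline Python model of what the policy does around the introspection call described in the Variable prefix and Example sections above. It extracts the token from the configured source, forwards only <prefix>.* context variables, builds the form-encoded introspection request, checks the response (active, exp, iss, aud) and flattens the JSON into <prefix>.body.* variables. Assumed rather than taken from the page: HTTP Basic client authentication against the introspection endpoint, the issuer/audience checks, the prefix name "iam", and the constructed sample inputs (the page's own example responses).

```python
# Added example (not the gateway's or Gluu's code): an offline model of the
# Verify IAM Access Token policy around an RFC 7662 introspection call.
# Assumed, not from the page: HTTP Basic client authentication, the iss/aud
# checks, and the "iam" prefix.
import base64
import time
from urllib.parse import urlencode

# Constructed sample input: the page's example introspection result for a
# valid token, and the minimal body RFC 7662 allows for an invalid one.
ACTIVE_RESPONSE = {
    "sub": "PyCkQLfQpBlz77YuE_hdFTV5VKWhPm1JGboxVMRu1gg",
    "aud": "c44ab377-8a7e-4d4a-92af-030880883eab",
    "scope": "",
    "acr_values": "simple_password_auth",
    "iss": "https://fioiam.gluu.org",
    "active": True,
    "token_type": "bearer",
    "exp": 1612874392,
    "iat": 1612874092,
    "client_id": "c44ab377-8a7e-4d4a-92af-030880883eab",
    "jti": None,
    "username": "sampleuser",
}
INACTIVE_RESPONSE = {"active": False}
# The page's error envelope for a rejected request.
POLICY_ERROR = {
    "ErrorMessage": "Invalid Access Token",
    "ErrorCode": "Not Authorized",
    "MoreInfo": "Policy Name - iam, Type - VERIFY_IAM_TOKEN",
}

def extract_token(request, source, name):
    """Read the token from the configured Message Part Identifier source."""
    if source == "header":
        value = request["headers"].get(name, "")
        # Accept both a bare token and a "Bearer <token>" credential.
        return value.split(" ", 1)[1] if value.lower().startswith("bearer ") else value
    if source == "query":
        return request["query"].get(name)
    if source == "context":
        return request["context"].get(name)
    if source == "constant":
        return name
    raise ValueError(f"unknown token source: {source}")

def forwarded_parameters(prefix, context):
    """Prefix juncture 1: only <prefix>.* context variables go to the target."""
    tag = prefix + "."
    return {k[len(tag):]: v for k, v in context.items() if k.startswith(tag)}

def build_introspection_request(token, client_id, client_secret, extra=None):
    """Headers and form body for the POST to the introspection endpoint.

    The body is application/x-www-form-urlencoded (the page insists it is not
    left empty) with the mandatory ``token`` field plus any additional
    parameters; the client authenticates with HTTP Basic (assumption).
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, urlencode({"token": token, **(extra or {})})

def to_context_variables(prefix, body):
    """Prefix juncture 2: expose each JSON attribute as <prefix>.body.<key>."""
    return {f"{prefix}.body.{k}": v for k, v in body.items()}

def verify_introspection(body, now, expected_iss=None, expected_aud=None):
    """Decide whether an introspection result authorises the request.

    ``active`` is the only field RFC 7662 guarantees, so the rest is checked
    only when present. ``exp`` is re-checked locally because a cached or
    delayed answer can still say active:true for a token that has expired.
    """
    if body.get("active") is not True:
        return False, "token inactive"
    exp = body.get("exp")
    if exp is not None and now >= exp:
        return False, "token expired"
    if expected_iss is not None and body.get("iss") != expected_iss:
        return False, "issuer mismatch"
    if expected_aud is not None and body.get("aud") != expected_aud:
        return False, "audience mismatch"
    return True, "ok"

def run_policy(introspection_body, now=None, prefix="iam"):
    """Glue: expose the claims as context variables, or reject the request."""
    now = time.time() if now is None else now
    ok, reason = verify_introspection(
        introspection_body, now,
        expected_iss="https://fioiam.gluu.org",
        expected_aud="c44ab377-8a7e-4d4a-92af-030880883eab",
    )
    if not ok:
        return {"allowed": False, "reason": reason, "response": POLICY_ERROR}
    return {"allowed": True, "variables": to_context_variables(prefix, introspection_body)}
```

Running run_policy(ACTIVE_RESPONSE, now=1612874100) allows the request and yields iam.body.sub, iam.body.username and the other claims as variables; running it against the real clock rejects the same body as expired even though it says "active": true, which is why the local exp check is kept alongside the endpoint's verdict.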

