Token management is a necessity. OA4MP allows an admin to query which tokens are currently in use by a user. This is done at the token endpoint using a specific grant, and the response includes every outstanding token of that user for every client the admin administers.
An admin client makes a request to the authorization server's token endpoint using the extension grant type mechanism defined in Section 4.5 of RFC 6749. Client authentication is done using HTTP Basic authorization. The request is made using either HTTP GET (preferred on philosophical grounds) or HTTP POST. The parameters are
If the request is valid and meets all policy and other criteria of the authorization server, the successful token response has a character set of "UTF-8", a media type of "application/json" and an HTTP 200 status code.
The structure of the clients array is best described as follows.

{"clients":[CLIENT+], "user_uid":USER_UID}

CLIENT:      {"client_id":CLIENT_ID, "transactions":[TRANSACTION+]}
TRANSACTION: {"code":AUTH_GRANT, "tokens":[{"access_token"|"refresh_token":TOKEN}+]}
TOKEN:       {"is_valid":BOOLEAN, "lifetime":LONG, "issued_at":LONG, "jti":TOKEN_ID, "token":JWT}

USER_UID:    String
CLIENT_ID:   String
AUTH_GRANT:  String
TOKEN_ID:    String
JWT:         JSON Web Token
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache, no-store

{
  "clients": [
    {
      "transactions": [
        {
          "code": "https://localhost:9443/oauth2/262005d0f72e0803828c0a098e87d1b1?type=authzGrant&ts=1654791488268&version=v2.0&lifetime=750000",
          "tokens": [
            {
              "access_token": {
                "is_valid": true,
                "lifetime": 300000,
                "issued_at": 1654791499644,
                "jti": "https://localhost:9443/oauth2/468cfbff8cbe412393dd34d62ca2dc28?type=accessToken&ts=1654791499644&version=v2.0&lifetime=300000",
                "token": "eyJ0eXAiOiJKV1QiLCJraWQiOiIyOTc4RkY1NDhBNTVBNzM5NTAyRTNCQzY0QTU4RTJCMiIsImFsZyI6IlJTMjU2In0.eyJ3bGNnLnZlciI6IjEuMCIsImF1ZCI6Imh0dHBzOi8vbG9jYWxob3N0L2Zlcm1pbGFiIiwibXlfYXRfY2xhaW0iOiJteV9hdF9jbGFpbSIsIm5iZiI6MTY1NDc5MTQ4NywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo5NDQzL2N1c3RvbS9pc3N1ZXIiLCJleHAiOjE2NTQ3OTE3OTIsImlhdCI6MTY1NDc5MTQ5MiwianRpIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6OTQ0My9vYXV0aDIvNDY4Y2ZiZmY4Y2JlNDEyMzkzZGQzNGQ2MmNhMmRjMjg_dHlwZT1hY2Nlc3NUb2tlbiZ0cz0xNjU0NzkxNDk5NjQ0JnZlcnNpb249djIuMCZsaWZldGltZT0zMDAwMDAiLCJzY29wZSI6InJlYWQ6L2hvbWUvaHR0cDovL2NpbG9nb24ub3JnL3NlcnZlclQvdXNlcnMvMjEzNDAzNjMgd3JpdGU6L2RhdGEvaHR0cDovL2NpbG9nb24ub3JnL3NlcnZlclQvdXNlcnMvMjEzNDAzNjMvY2x1c3RlciB4Lnk6L2FiYy9kZWYiLCJzdWIiOiJodHRwOi8vY2lsb2dvbi5vcmcvc2VydmVyVC91c2Vycy8yMTM0MDM2MyJ9.j9wK9EkNy19oKNKPqP0uGxuFB7il4Ddoq2gWlrt1Mk_oISDMOnVnzGn35HjGP2XuNDIjrVIRE3D5JyylEw_CL19_sXlNqEmNnyCq4Um4fuGZ5d0evpA0n_G2v8U59fEZf98I1WJ0KsMB2L5SJOXJzMce9Pvt5DC56He8GruFt3IkSEq6d1J1kwCGymyul_izmXUlQ5XMs2r5EeinERElkmPaB2jsj56H5TLrbet_7Z8nk5Ds3DGT59OtfhRGc_HRaRGG6x2J0imHgn4JvyPPgR80nX3yoGmmw5gU3HvEbrqG39XjFzSwnWqQv-XiaRZspjzy5Ns7_-v5oeczXZYAsA"
              },
              "refresh_token": {
                "is_valid": true,
                "lifetime": 900000,
                "issued_at": 1654791499644,
                "jti": "https://localhost:9443/oauth2/5040b30aaa66b0889284738917de4ae?type=refreshToken&ts=1654791499644&version=v2.0&lifetime=900000",
                "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiJodHRwczovL2xvY2FsaG9zdC90ZXN0IiwibmJmIjoxNjU0NzkxNDg3LCJteV9ydF9jbGFpbSI6Im15X3J0X2NsYWltIiwiZXhwIjoxNjU0NzkyMzkyLCJpYXQiOjE2NTQ3OTE0OTIsImp0aSI6Imh0dHBzOi8vbG9jYWxob3N0Ojk0NDMvb2F1dGgyLzUwNDBiMzBhYWE2NmIwODg5Mjg0NzM4OTE3ZGU0YWU_dHlwZT1yZWZyZXNoVG9rZW4mdHM9MTY1NDc5MTQ5OTY0NCZ2ZXJzaW9uPXYyLjAmbGlmZXRpbWU9OTAwMDAwIn0."
              }
            }
          ]
        }
      ]
    }
  ],
  "user_uid": "http://cilogon.org/serverT/users/21340363"
}
If the user has been extremely active and has a lot of tokens, this may be a truly massive listing. It is best to assume that and pipe the output someplace safe. It is also possible to get transactions with missing tokens. This means that the user started a flow and either abandoned it or has not yet come back to finish it.
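Since the listing can be very large and can contain transactions that never produced tokens, an admin will usually want to process the saved JSON rather than read it. The following is an added example, not OA4MP's own code, that walks the clients/transactions/tokens structure described above, computes each token's expiry from issued_at + lifetime (taken to be milliseconds, as the example values imply), decodes each JWT header to report its alg, and separates out abandoned flows. The client_id value and the sample tokens are constructed for the example; nothing here verifies signatures, since the listing already comes from the authorization server over an authenticated channel.

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    """base64url without padding, the encoding used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url; restores the padding the JWT format strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(token: str) -> dict:
    """Decode the JWT header for inspection only (no signature check).
    Used to surface 'alg' and 'kid' so an admin can review what was issued."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def _sample_jwt(header: dict, claims: dict) -> str:
    """Build a constructed JWT with an empty signature segment (test data only)."""
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), ""])


# Constructed sample in the documented shape; client_id is an assumed value.
SAMPLE_RESPONSE = {
    "user_uid": "http://cilogon.org/serverT/users/21340363",
    "clients": [{
        "client_id": "example:client/portal",
        "transactions": [
            {   # completed flow: both tokens were issued
                "code": "https://localhost:9443/oauth2/aaa?type=authzGrant",
                "tokens": [{
                    "access_token": {
                        "is_valid": True, "lifetime": 300000, "issued_at": 1654791499644,
                        "jti": "https://localhost:9443/oauth2/at1?type=accessToken",
                        "token": _sample_jwt({"typ": "JWT", "alg": "RS256", "kid": "k1"}, {"sub": "u"}),
                    },
                    "refresh_token": {
                        "is_valid": True, "lifetime": 900000, "issued_at": 1654791499644,
                        "jti": "https://localhost:9443/oauth2/rt1?type=refreshToken",
                        "token": _sample_jwt({"typ": "JWT", "alg": "none"}, {"sub": "u"}),
                    },
                }],
            },
            {   # abandoned flow: grant issued, user never came back, no tokens yet
                "code": "https://localhost:9443/oauth2/bbb?type=authzGrant",
                "tokens": [],
            },
        ],
    }],
}


def summarize(response: dict, now_ms: int) -> dict:
    """Walk clients -> transactions -> tokens.
    Returns {'tokens': [row, ...], 'pending_codes': [code, ...]} where a row
    carries the computed expiry (issued_at + lifetime, both in ms) and the alg
    from the JWT header, and pending_codes lists flows with no tokens yet."""
    rows, pending = [], []
    for client in response.get("clients", []):
        cid = client.get("client_id", "<no client_id>")
        for tx in client.get("transactions", []):
            entries = tx.get("tokens") or []
            if not any(entries):  # [] or [{}]: nothing issued for this grant
                pending.append(tx["code"])
                continue
            for entry in entries:
                for kind, tok in entry.items():  # "access_token" / "refresh_token"
                    expires_at = tok["issued_at"] + tok["lifetime"]
                    rows.append({
                        "client_id": cid, "code": tx["code"], "kind": kind,
                        "jti": tok["jti"], "is_valid": tok["is_valid"],
                        "expires_at": expires_at, "expired": now_ms >= expires_at,
                        "alg": jwt_header(tok["token"]).get("alg"),
                    })
    return {"tokens": rows, "pending_codes": pending}


def live_tokens(response: dict, now_ms: int) -> list:
    """Tokens still usable: flagged valid by the server and not past expiry."""
    return [r for r in summarize(response, now_ms)["tokens"]
            if r["is_valid"] and not r["expired"]]


if __name__ == "__main__":
    # Read a saved listing from stdin (python3 report.py < listing.json),
    # or fall back to the constructed sample when run interactively.
    import sys
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RESPONSE
    report = summarize(data, int(time.time() * 1000))
    for r in report["tokens"]:
        print(r["client_id"], r["kind"], "alg=%s" % r["alg"],
              "expired" if r["expired"] else "live", r["jti"])
    for code in report["pending_codes"]:
        print("pending (no tokens yet):", code)
```

The alg column is worth keeping in such a report: the refresh token in the example response above decodes to a header of {"typ":"JWT","alg":"none"}, and a per-token view of the algorithm and kid is the quickest way for an admin to notice which token types are signed and which are not.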
Admin clients may be granted the privilege to list the user's tokens across other clients; if so, this call returns every token for this user regardless of which clients the user has used. The default is to restrict the tokens to those clients that the admin owns.