IAM Token management API

The IAM server has a RESTful API used to list and revoke active access and refresh tokens.

Access to the API is limited to users with administrator privileges (either authenticated via a web session or through OAuth). All examples assume authorization via OAuth2 bearer token; e.g.

GET /access-tokens/13 HTTP/1.1
Host: example.com
Authorization: Bearer h480djs93hd8

These are the tokens REST API endpoints:

Accessing tokens:

Deleting tokens:

GET /access-tokens

Retrieves the paginated list of all the active access tokens. Returns results in application/json.

Requires ROLE_ADMIN.

Parameters:

Name Description
count
integer
Specifies the desired maximum number of query results per page.
startIndex
integer
The 1-based index of the first query result.
userId
string
Filters by userId.
clientId
string
Filters by clientId.

Example:

GET http://example.com:8080/access-tokens
{
  "totalResults": 1,
  "itemsPerPage": 1,
  "startIndex": 1,
  "resources": [
    {
      "id": 6,
      "value": "eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0MDEzMTQ1MjksImF1ZCI6WyJhOGFmNzUzYy1mMzI0LTRlNDAtYTE3Ny04N2RmYzA2MjQ5YjciXSwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODBcL29wZW5pZC1jb25uZWN0LXNlcnZlci13ZWJhcHBcLyIsImp0aSI6Ijg4ZjM4OGE4LTk1NzctNGQyMC1hZTZjLWMyMDMxOGQ1OWJjNiIsImlhdCI6MTQwMTMxMDkyOX0.HYnNxRvGRdKFykVChL-hdxszcFBvygkeUmc8_iv2Jl4MU-jPJVzMnTwKJbCMWBjeBp8hrb0Dgd9XbnHUDyXxwj8MDrWQEH3QnwYJGRW9JFWjHMGfKDQDFY6Ffl3OFERVbyoB2ObiGTUgbw4Nkl1L1ihuMpMAc5nKi0rk3QXcS1M",
      "scopes": [
        "openid",
        "phone",
        "email",
        "address",
        "profile"
      ],
      "expiration": "2014-05-28T18:02:09-0400",
      "client": {
        "id": 2,
        "clientId": "iam-test-client",
        "contacts": [
          "andrea.ceccanti@cnaf.infn.it"
        ],
        "ref": "https://iam-test.indigo-datacloud.eu/api/clients/2"
      },
      "user": {
        "id": "e1eb758b-b73c-4761-bfff-adc793da409c",
        "userName": "andrea",
        "ref": "https://iam-test.indigo-datacloud.eu/scim/Users/e1eb758b-b73c-4761-bfff-adc793da409c"
      },
      "idToken": {
        "id": 5,
        "ref": "https://iam-test.indigo-datacloud.eu/access-tokens/5"
      }
    }
  ]
}

GET /access-tokens/:id

Retrieves all the information about the access token identified by id and returns results in application/json.

Requires ROLE_ADMIN.

GET http://example.com:8080/access-tokens/6
{
  "id": 6,
  "value": "eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0MDEzMTQ1MjksImF1ZCI6WyJhOGFmNzUzYy1mMzI0LTRlNDAtYTE3Ny04N2RmYzA2MjQ5YjciXSwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODBcL29wZW5pZC1jb25uZWN0LXNlcnZlci13ZWJhcHBcLyIsImp0aSI6Ijg4ZjM4OGE4LTk1NzctNGQyMC1hZTZjLWMyMDMxOGQ1OWJjNiIsImlhdCI6MTQwMTMxMDkyOX0.HYnNxRvGRdKFykVChL-hdxszcFBvygkeUmc8_iv2Jl4MU-jPJVzMnTwKJbCMWBjeBp8hrb0Dgd9XbnHUDyXxwj8MDrWQEH3QnwYJGRW9JFWjHMGfKDQDFY6Ffl3OFERVbyoB2ObiGTUgbw4Nkl1L1ihuMpMAc5nKi0rk3QXcS1M",
  "scopes": [
    "openid",
    "phone",
    "email",
    "address",
    "profile"
  ],
  "expiration": "2014-05-28T18:02:09-0400",
  "client": {
    "id": 2,
    "clientId": "iam-test-client",
    "contacts": [
      "andrea.ceccanti@cnaf.infn.it"
    ],
    "ref": "https://iam-test.indigo-datacloud.eu/api/clients/2"
  },
  "user": {
    "id": "e1eb758b-b73c-4761-bfff-adc793da409c",
    "userName": "andrea",
    "ref": "https://iam-test.indigo-datacloud.eu/scim/Users/e1eb758b-b73c-4761-bfff-adc793da409c"
  },
  "idToken": {
    "id": 5,
    "ref": "https://iam-test.indigo-datacloud.eu/access-tokens/5"
  }
}

GET /refresh-tokens

Retrieves the paginated list of all the active refresh tokens. Returns results in application/json.

Requires ROLE_ADMIN.

Parameters:

Name Description
count
integer
Specifies the desired maximum number of query results per page.
startIndex
integer
The 1-based index of the first query result.
userId
string
Filters by userId.
clientId
string
Filters by clientId.

Example:

GET http://example.com:8080/refresh-tokens
{
  "totalResults": 1,
  "itemsPerPage": 1,
  "startIndex": 1,
  "resources": [
  	 {
	  "id": 1083,
	  "value": "eyJhbGciOiJub25lIn0.eyJqdGkiOiIxMTdmMWRkOS1iOWViLTQ5MjctYThkMS1hYzQ4NjIwYWQzOWYifQ.",
	  "scopes": [
	    "openid",
	    "phone",
	    "email",
	    "address",
	    "profile"
	  ],
	  "expiration": "2014-05-28T18:02:09-0400",
	  "client": {
	    "id": 2,
	    "clientId": "iam-test-client",
	    "contacts": [
	      "andrea.ceccanti@cnaf.infn.it"
	    ],
	    "ref": "https://iam-test.indigo-datacloud.eu/api/clients/2"
	  },
	  "user": {
	    "id": "e1eb758b-b73c-4761-bfff-adc793da409c",
	    "userName": "andrea",
	    "ref": "https://iam-test.indigo-datacloud.eu/scim/Users/e1eb758b-b73c-4761-bfff-adc793da409c"
	  }
	}
  ]
}

GET /refresh-tokens/:id

Retrieves all the information about the refresh token identified by id and returns results in application/json.

Requires ROLE_ADMIN.

GET http://example.com:8080/refresh-tokens/1083
{
  "id": 1083,
  "value": "eyJhbGciOiJub25lIn0.eyJqdGkiOiIxMTdmMWRkOS1iOWViLTQ5MjctYThkMS1hYzQ4NjIwYWQzOWYifQ.",
  "scopes": [
    "openid",
    "phone",
    "email",
    "address",
    "profile"
  ],
  "expiration": "2014-05-28T18:02:09-0400",
  "client": {
    "id": 2,
    "clientId": "iam-test-client",
    "contacts": [
      "andrea.ceccanti@cnaf.infn.it"
    ],
    "ref": "https://iam-test.indigo-datacloud.eu/api/clients/2"
  },
  "user": {
    "id": "e1eb758b-b73c-4761-bfff-adc793da409c",
    "userName": "andrea",
    "ref": "https://iam-test.indigo-datacloud.eu/scim/Users/e1eb758b-b73c-4761-bfff-adc793da409c"
  }
}

DELETE /access-tokens/:id

Revoke the access token identified by id.

Requires ROLE_ADMIN.

DELETE http://example.com:8080/access-tokens/6
204  AccessToken revoked

DELETE /refresh-tokens/:id

Revoke the access token identified by id.

Requires ROLE_ADMIN.

DELETE http://example.com:8080/refresh-tokens/1083
204  RefreshToken revoked

More details can be read at the complete API Reference.


Last modified September 9, 2021: Massive renaming (6830714)