3.1 Example Scenarios

A client application can use the Access Manager token to access an Access Manager OAuth protected resource. The following is the workflow of accessing a protected resource when the client uses the Access Manager token:

A resource server can validate a token that is issued by Access Manager through resource server keys or through Access Manager keys. By default, the token encryption is done by using Access Manager keys. The resource server sends a request to Access Manager to validate the token. If you provide the resource server's key and encryption algorithm details in Access Manager, the resource server does not require to send a request to Access Manager. Instead, the resource server can use its key to validate the token.

Only an Access Manager administrator can register a new resource server. To validate a token, the resource server must know how the token is encrypted.

Encrypted by Access Manager: This is an older way of validating the token. You need to send the token to Access Manager's token info endpoint for validation.

Encrypted using configured resource server keys: No need to validate through Access Manager. The resource server cryptokeys can be configured in Access Manager. Access Manager uses this key to encrypt the access token. This enables a resource server to validate the token itself, without sending it to the Access Manager token verification endpoint.

The following is a sample in Java code about how to validate the token:

//Step1: decrypt the JWT Token (JWE Standard)
String jwtAccessToken = "eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwidHlwIjoiSldUIiwia2lkIjoibmFtLTEifQ.ZjE0jRb5oh3suQZHFmaB-m....";

JsonWebEncryption jwe = new JsonWebEncryption();
jwe.setCompactSerialization(jwtAccessToken);
JsonWebKeySet jsonWebKeySet = new JsonWebKeySet(jwks);
List<JsonWebKey> jsonWebKeys = jsonWebKeySet.getJsonWebKeys();
JsonWebKey jsonWebkey = jsonWebKeys.stream().filter( p ->
p.getKeyId().equalsIgnoreCase(jwe.getKeyIdHeaderValue())).findFirst().orElse(jsonWebKeys.get(0));
if(jsonWebkey instanceof RsaJsonWebKey){
RsaJsonWebKey rsa = (RsaJsonWebKey) jsonWebkey;
jwe.setKey(rsa.getPrivateKey());
}else
{
jwe.setKey(jsonWebkey.getKey());
}
String decryptedToken = jwe.getPlaintextString(); 

//Step 2: Verify the JWT Signature (JWS Standard) 
JsonWebKeySet jsonWebKeySet = new JsonWebKeySet(jwks);

JsonWebKey jsonWebkey = jsonWebKeySet.getJsonWebKeys().get(0);
JsonWebSignature jws = new JsonWebSignature();
jws.setKey(jsonWebkey.getKey());;
jws.setCompactSerialization(decryptedToken);
if(true == jws.verifySignature()){
System.out.println("Signature is valid.");
String payload = jws.getPayload(); //
}

For detailed sample code and tool for validating the JWT access token, see JWT Validation tool under Additional Resources on the Access Manager documentation page.

No encryption: Trust and accept the token. As access token is not encrypted, use the sample in Java code mentioned in the previous step to verify the signature and trust the token.

For information about configuring access token encryption keys, see Section 3.2.3, Registering a Resource Server.

Access Manager revokes only the refresh token and its corresponding Access token. Only the refresh tokens that are generated by Access Manager Version 4.4 or later can be revoked.

You can perform the following tasks by using Access Manager API:

For example, a user lost his device and wants to revoke all tokens that are issued to that device.

Using Mobile Access SDK: Use the Access Manager user portal for deregistering a device. When device is deregistered, the refresh token and associated access token are revoked.

Not using Mobile Access SDK: If you are not using Mobile Access SDK to revoke a device, you must provide the device ID in the access token request so that the device can be associated with the token. You can use this device ID later for revoking the tokens issued to the device. For more information, see Revoking Token Issued to a Device.