Skip to content

/AWS1/IF_SIS=>INTROSPECTOAUTH2TOKENWITHIAM()

About IntrospectOAuth2TokenWithIAM

Grants permission to inspect the metadata and state of an OAuth 2.0 access token or refresh token

Implements RFC 7662 OAuth 2.0 Token Introspection over a SigV4-authenticated endpoint. Inspects the metadata of an access_token or refresh_token issued by AWS Sign-In and returns the claims associated with it.

Inactive token semantics (RFC 7662 §2.2): when the supplied token is unknown, expired, revoked, malformed, or owned by a different account, the response body is exactly { "active": false } with all other claims omitted.

Method Signature

METHODS /AWS1/IF_SIS~INTROSPECTOAUTH2TOKENWITHIAM
  IMPORTING
    !IV_TOKEN TYPE /AWS1/SISINTROSPECTIONTOKEN OPTIONAL
    !IV_TOKENTYPEHINT TYPE /AWS1/SISTOKENTYPEHINT OPTIONAL
  RETURNING
    VALUE(OO_OUTPUT) TYPE REF TO /aws1/cl_sisintrospecto2tokw01
  RAISING
    /AWS1/CX_SISACCESSDENIEDEX
    /AWS1/CX_SISINTERNALSERVEREX
    /AWS1/CX_SISTOOMANYREQSERROR
    /AWS1/CX_SISVLDTNEXCEPTION
    /AWS1/CX_SISCLIENTEXC
    /AWS1/CX_SISSERVEREXC
    /AWS1/CX_RT_TECHNICAL_GENERIC
    /AWS1/CX_RT_SERVICE_GENERIC.

IMPORTING

Required arguments:

iv_token TYPE /AWS1/SISINTROSPECTIONTOKEN /AWS1/SISINTROSPECTIONTOKEN

The string value of the token to introspect. May be either an access_token or a refresh_token issued by AWS Sign-In.

Optional arguments:

iv_tokentypehint TYPE /AWS1/SISTOKENTYPEHINT /AWS1/SISTOKENTYPEHINT

Optional hint about the type of the token submitted for introspection. The server uses this hint to optimize lookup, but still falls back to the other token type on miss. Allowed values: access_token, refresh_token.

RETURNING

oo_output TYPE REF TO /aws1/cl_sisintrospecto2tokw01 /AWS1/CL_SISINTROSPECTO2TOKW01

Examples

Syntax Example

This is an example of the syntax for calling the method. It includes every possible argument and initializes every possible value. The data provided is not necessarily semantically accurate (for example the value "string" may be provided for something that is intended to be an instance ID, or in some cases two arguments may be mutually exclusive). The syntax shows the ABAP syntax for creating the various data structures.

DATA(lo_result) = lo_client->introspectoauth2tokenwithiam(
  iv_token = |string|
  iv_tokentypehint = |string|
).

This is an example of reading all possible response values

lo_result = lo_result.
IF lo_result IS NOT INITIAL.
  lv_boolean = lo_result->get_active( ).
  lv_string = lo_result->get_clientid( ).
  lv_string = lo_result->get_userid( ).
  lv_introspectedtokentype = lo_result->get_tokentype( ).
  lv_long = lo_result->get_exp( ).
  lv_long = lo_result->get_iat( ).
  lv_long = lo_result->get_nbf( ).
  lv_string = lo_result->get_sub( ).
  lv_string = lo_result->get_aud( ).
  lv_string = lo_result->get_iss( ).
  lv_string = lo_result->get_jti( ).
  lv_accountid = lo_result->get_accountid( ).
  lv_string = lo_result->get_signinsession( ).
  lv_string = lo_result->get_resource( ).
ENDIF.