Manage sessions over REST

AM provides REST APIs under /json/sessions for the following use cases:

Get information about sessions over REST

To get information about a session, send an HTTP POST request to the /json/sessions/ endpoint, using the getSessionInfo action. This endpoint returns information about the session token provided in the iPlanetDirectoryPro header by default. To get information about a different session token, include it in the POST body as the value of the tokenId parameter.

For information about how to retrieve custom session properties:

If you are using authentication modules, see How do I retrieve user attributes from a session using the REST API? in the ForgeRock Knowledge Base.
For authentication trees, use the Scripted Decision node to retrieve user attributes and session properties, or the Set Session Properties node for session properties only.

The following example shows an administrative user passing their session token in the iPlanetDirectoryPro header, and the session token of the demo user as the tokenId parameter:

$ curl \
--request POST \
--header "iPlanetDirectoryPro: AQICS…NzEz*" \
--header "Accept-API-Version: resource=4.0" \
--header "Content-type: application/json" \
--data '{ "tokenId": "BXCCq…NX*1*" }' \
https://openam.example.com:8443/openam/json/realms/root/sessions/?_action=getSessionInfo
{
    "username": "demo",
    "universalId": "id=demo,ou=user,dc=openam,dc=forgerock,dc=org",
    "realm": "/",
    "latestAccessTime": "2020-02-21T14:31:18Z",
    "maxIdleExpirationTime": "2020-02-21T15:01:18Z",
    "maxSessionExpirationTime": "2020-02-21T16:29:56Z",
    "properties": {
        "AMCtxId": "aba7b4f3-16ff-4680-b06a-d7ba237d3730-91932"
    }
}

The getSessionInfo action does not refresh the session idle timeout. To obtain session information about a server-side session and also reset the idle timeout, use the getSessionInfoAndResetIdleTime endpoint, as follows. You cannot reset the idle timeout of client-side sessions.

$ curl \
--request POST \
--header "iPlanetDirectoryPro: AQICS…NzEz*" \
--header "Accept-API-Version: resource=4.0, protocol=1.0" \
--header "Content-type: application/json" \
--data '{ "tokenId": "BXCCq…NX*1*" }' \
https://openam.example.com:8443/openam/json/realms/root/sessions/?_action=getSessionInfoAndResetIdleTime
{
    "username": "demo",
    "universalId": "id=demo,ou=user,dc=openam,dc=forgerock,dc=org",
    "realm": "/",
    "latestAccessTime": "2020-02-21T14:32:49Z",
    "maxIdleExpirationTime": "2020-02-21T15:02:49Z",
    "maxSessionExpirationTime": "2020-02-21T16:29:56Z",
    "properties": {
        "AMCtxId": "aba7b4f3-16ff-4680-b06a-d7ba237d3730-91932"
    }
}

To return the AMCtxId property in the session query response as in this example, you must set AMCtxId in the Session Properties to return for session queries setting, under Realms > Realm Name > Services > Session Property Whitelist Service.

Validate sessions over REST

To check over REST whether a session token is valid, perform an HTTP POST to the /json/sessions/ endpoint using the validate action. Provide the session token in the POST data as the value of the tokenId parameter. You must also provide the session token of an administrative user in the iPlanetDirectoryPro header.

If you don’t specify the tokenId parameter, the session in the iPlanetDirectoryPro header is validated instead.

The following example shows an administrative user, such as amAdmin, validating a session token for the demo user:

$ curl \
--request POST \
--header "Content-type: application/json" \
--header "iPlanetDirectoryPro: AQICS…NzEz*" \
--header "Accept-API-Version: resource=2.1, protocol=1.0" \
--data '{ "tokenId": "BXCCq…NX*1*" }' \
https://openam.example.com:8443/openam/json/realms/root/sessions?_action=validate

If the session token is valid, the user ID and its realm is returned:

{
  "valid":true,
  "sessionUid":"209331b0-6d31-4740-8d5f-740286f6e69f-326295",
  "uid":"demo",
  "realm":"/"
}

By default, validating a session resets the session’s idle time, which triggers a write operation to the Core Token Service token store. To avoid this, perform a call using the validate&refresh=false action.

Refresh server-side sessions over REST

To reset the idle time of a server-side session using REST, perform an HTTP POST to the /json/sessions/ endpoint, using the refresh action. The endpoint will refresh the session token provided in the iPlanetDirectoryPro header by default. To refresh a different session token, include it in the POST body as the value of the tokenId query parameter.

The following example shows an administrative user passing their session token in the iPlanetDirectoryPro header, and the session token of the demo user as the tokenId parameter:

$ curl \
--request POST \
--header 'Content-Type: application/json' \
--header "iPlanetDirectoryPro: AQICS…NzEz*" \
--header "Accept-API-Version: resource=3.1, protocol=1.0" \
--data '{ "tokenId": "BXCCq…NX*1*" }' \
https://openam.example.com:8443/openam/json/realms/root/sessions/?_action=refresh
{
  "uid": "demo",
  "realm": "/",
  "idletime": 17,
  "maxidletime": 30,
  "maxsessiontime": 120,
  "maxtime": 7106
}

On success, AM resets the idle time for the server-side session, and returns timeout details of the session.

Resetting a server-side session’s idle time triggers a write operation to the Core Token Service token store. Therefore, to avoid the overhead of write operations to the token store, be careful to use the refresh action only if you want to reset a server-side session’s idle time. Because AM does not monitor idle time for client-side sessions, do not use the tokenId of a client-side session when refreshing a session’s idle time.

Invalidate sessions over REST

To invalidate a session, perform an HTTP POST to the /json/sessions/ endpoint using the logout action. The endpoint will invalidate the session token provided in the iPlanetDirectoryPro header:

$ curl \
--request POST \
--header "Content-type: application/json" \
--header "iPlanetDirectoryPro: AQICS…NzEz*" \
--header "Accept-API-Version: resource=3.1, protocol=1.0" \
https://openam.example.com:8443/openam/json/realms/root/sessions/?_action=logout
{
    "result": "Successfully logged out"
}

On success, AM invalidates the session and returns a success message.

If the token is not valid and cannot be invalidated an error message is returned:

{
  "result": "Token has expired"
}

To invalidate a different session token, include it in the POST body as the value of the tokenId parameter.

For example, the following command shows an administrative user passing their session token in the iPlanetDirectoryPro header, and the session token of the demo user as the tokenId parameter:

$ curl \
--request POST \
--header "Content-type: application/json" \
--header "iPlanetDirectoryPro: AQICS…NzEz*" \
--header "Accept-API-Version: resource=3.1, protocol=1.0" \
--data '{ "tokenId": "BXCCq…NX*1*" }' \
"https://openam.example.com:8443/openam/json/realms/root/sessions/?_action=logout"
{
    "result": "Successfully logged out"
}

Get and set session properties using REST

AM lets you read and update properties on users' sessions using REST API calls.

Before you can perform operations on session properties using the REST API, you must first define the properties you want to set in the session property allowlist service configuration. For information on allowlisting session properties, see Session Property Whitelist service.

You can use REST API calls for the following purposes:

To retrieve the names of the properties that you can read or update. This is the same set of properties configured in the Session Property Whitelist Service.
To read property values.
To update property values.

Session state affects the ability to set and delete properties as follows:

You can set and delete properties on a server-side session at any time during the session’s lifetime.
You can only set and update properties on a client-side session during the authentication process, before the user receives the session token from AM. For example, you could set or delete properties on a client-side session from within a post-authentication plugin.

Differentiate the user who performs the operation on session properties from the session affected by the operation as follows:

Specify the session token of the user performing the operation on session properties in the iPlanetDirectoryPro header.
Specify the session token of the user whose session is to be read or modified as the tokenId parameter in the body of the REST API call.
Omit the tokenId parameter from the body of the REST API call if the session of the user performing the operation is the same session that you want to read or modify.

The following examples assume that you configured a property named LoginLocation in the Session Property Whitelist Service configuration.

To retrieve the names of the properties you can get or set, and their values, perform an an HTTP POST to the sessions endpoint, /json/sessions/, using the getSessionProperties action:

$ curl \
--request POST \
--header "Content-type: application/json" \
--header "iPlanetDirectoryPro: AQICS…NzEz*" \
--header "Accept-API-Version: resource=3.1, protocol=1.0" \
--data '{ "tokenId": "BXCCq…NX*1*" }' \
https://openam.example.com:8443/openam/json/realms/root/sessions/?_action=getSessionProperties
{
    "LoginLocation": ""
}

To set the value of a session property, perform an HTTP POST to the sessions endpoint, /json/sessions/, using the updateSessionProperties action. If no tokenId parameter is present in the body of the REST API call, the session affected by the operation is the session specified in the iPlanetDirectoryPro header:

$ curl \
--request POST \
--header "Content-Type: application/json" \
--header "iPlanetDirectoryPro: AQICS…NzEz*" \
--header "Accept-API-Version: resource=3.1, protocol=1.0" \
--data '{"LoginLocation":"40.748440, -73.984559"}' \
https://openam.example.com:8443/openam/json/realms/root/sessions/?_action=updateSessionProperties
{
    "LoginLocation": "40.748440, -73.984559"
}

You can set multiple properties in a single REST API call by specifying a set of fields and their values in the JSON data. For example:

--data '{"property1":"value1", "property2":"value2"}'

To set the value of a session property on another user’s session, specify the session token of the user performing the updateSessionProperties action in iPlanetDirectoryPro, and specify the session token to be modified in the POST body as the value of the tokenId parameter:

$ curl \
--request POST \
--header "Content-Type: application/json" \
--header "iPlanetDirectoryPro: AQICS…NzEz*" \
--header "Accept-API-Version: resource=3.1, protocol=1.0" \
--data '{"LoginLocation": "40.748440, -73.984559", "tokenId": "BXCCq…NX*1*"}' \
https://openam.example.com:8443/openam/json/realms/root/sessions/?_action=updateSessionProperties
{
    "LoginLocation": "40.748440, -73.984559"
}

If the user attempting to modify the session does not have sufficient access privileges, the preceding examples result in a 403 Forbidden error.

You cannot set properties internal to AM sessions. If you try to modify an internal property in a REST API call, a 403 Forbidden error is returned. For example:

$ curl \
--request POST \
--header "Content-Type: application/json" \
--header "iPlanetDirectoryPro: AQICS…NzEz*" \
--header "Accept-API-Version: resource=3.1, protocol=1.0" \
--data '{"AuthLevel":"5", "tokenId": "BXCCq…NX*1*"}' \
https://openam.example.com:8443/openam/json/realms/root/sessions/?_action=updateSessionProperties
{
    "code": 403,
    "reason": "Forbidden",
    "message": "Forbidden"
}

For a list of the default session properties, see Session properties.

Access Management 7.2.2