/json/token/macaroon
The /json/token/macaroon endpoint lets you inspect and manipulate macaroon tokens.
Specify the realm in the request URL; for example:

https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/token/macaroon
This endpoint supports these _action parameters:

| Field | Description |
|---|---|
| _action=inspect | Return details about the macaroon: its identifier, location, caveats, and signature. |
| _action=restrict | Add a caveat to the macaroon, returning a new macaroon. |
You can also manipulate macaroons locally using a macaroon library instead of calling this endpoint. Macaroons are designed so that anyone in possession of a token can inspect it (caveats are stored in plaintext) and restrict it by appending caveats, without knowing the root key: each caveat is chained into the HMAC signature, so appended caveats can only narrow what the token authorizes. Removing a caveat or altering an existing one changes the signature, and the token then fails verification. Because the holder of a token also holds its full, unrestricted authority, restrict a macaroon before handing it to a less trusted party, not afterwards.
The following example restricts the scope of a macaroon token and then inspects the result. The original scope of the unrestricted token is openid profile:
```bash
# Restrict: append a first-party caveat limiting the scope to "profile".
$ curl \
--request POST \
--header "Content-Type: application/json" \
--header "cache-control: no-cache" \
--data '{
"macaroon": "<macaroon-token>",
"caveat": {"type": "first-party", "identifier": {"scope": "profile"}}
}' \
'https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/token/macaroon?_action=restrict'
```

```json
{
"macaroon": "<restricted-macaroon-token>"
}
```

```bash
# Inspect the restricted token returned above.
$ curl \
--request POST \
--header "Content-Type: application/json" \
--header "cache-control: no-cache" \
--data '{"macaroon": "<restricted-macaroon-token>"}' \
'https://<tenant-env-fqdn>/am/json/realms/root/realms/alpha/token/macaroon?_action=inspect'
```

```json
{
"identifier": "<identifier>",
"location": "",
"caveats": [{
"type": "first-party",
"identifier": {
"scope": "profile"
}
}],
"signature": "<signature>"
}
```
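As an added illustration of the restrict and inspect actions above and of why a token holder can narrow a macaroon but not widen it (example code, not AM's own implementation or wire format): the Python below builds a minimal macaroon with the standard HMAC-chaining construction, mirrors the two actions, and shows that stripping the scope caveat or widening it leaves the holder with nothing usable. The base64-JSON token encoding, the root key, the identifier, and all function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json

# Illustrative macaroon implementation (added example; not AM's code or token format).
# Signature chaining follows the macaroon construction:
#   sig_0 = HMAC(root_key, identifier)
#   sig_n = HMAC(sig_{n-1}, caveat_n)
# The root key never appears in the token, so only the issuer/verifier holds it.

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _canon(caveat: dict) -> bytes:
    # Canonical encoding so issuer and verifier hash identical bytes.
    return json.dumps(caveat, sort_keys=True, separators=(",", ":")).encode()

def mint(root_key: bytes, identifier: str, location: str = "") -> dict:
    """Issuer side: create an unrestricted macaroon. Requires the root key."""
    return {
        "identifier": identifier,
        "location": location,
        "caveats": [],
        "signature": _hmac(root_key, identifier.encode()).hex(),
    }

def encode(m: dict) -> str:
    """Serialise to a URL-safe token string (simplified encoding, an assumption)."""
    return base64.urlsafe_b64encode(json.dumps(m, sort_keys=True).encode()).decode()

def inspect(token: str) -> dict:
    """Like _action=inspect: caveats are plaintext, so no key is needed to read them."""
    return json.loads(base64.urlsafe_b64decode(token.encode()))

def restrict(token: str, caveat: dict) -> str:
    """Like _action=restrict: append a first-party caveat and re-chain the signature.
    Any holder of the token can do this; the root key is not required."""
    m = inspect(token)
    m["signature"] = _hmac(bytes.fromhex(m["signature"]), _canon(caveat)).hex()
    m["caveats"].append(caveat)
    return encode(m)

def verify(root_key: bytes, token: str) -> bool:
    """Verifier side: recompute the whole chain from the root key and compare."""
    m = inspect(token)
    sig = _hmac(root_key, m["identifier"].encode())
    for c in m["caveats"]:
        sig = _hmac(sig, _canon(c))
    return hmac.compare_digest(sig.hex(), m["signature"])

def effective_scope(token: str, original_scope: str) -> set:
    """Intersect the token's original scope with every first-party scope caveat.
    Caveats can only remove scopes, never add them."""
    scope = set(original_scope.split())
    for c in inspect(token)["caveats"]:
        ident = c.get("identifier", {})
        if c.get("type") == "first-party" and "scope" in ident:
            scope &= set(ident["scope"].split())
    return scope

def strip_last_caveat(token: str) -> str:
    """Attacker attempt: drop the last caveat but keep the current signature."""
    m = inspect(token)
    m["caveats"].pop()
    return encode(m)

if __name__ == "__main__":
    ROOT = b"constructed-root-key"  # constructed sample key for the demo
    t0 = encode(mint(ROOT, "access-token-id-1"))
    t1 = restrict(t0, {"type": "first-party", "identifier": {"scope": "profile"}})
    print("restricted verifies:", verify(ROOT, t1))
    print("effective scope:", effective_scope(t1, "openid profile"))
    print("stripped caveat verifies:", verify(ROOT, strip_last_caveat(t1)))
```

The last two lines of the demo are the point: a token with the caveat removed carries a signature that no longer matches the recomputed chain, and a further caveat naming a wider scope cannot undo the intersection already applied by the first one.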
OpenID Connect clients must ensure the following information is present in the JSON: