
How do I know what token types are stored in the CTS in AM (All versions) and OpenAM 13.x?

Last updated Jan 31, 2019

The purpose of this article is to provide information on the OAuth2 and session token types stored in the CTS in AM/OpenAM with example token formats included. With this information, you can perform LDAP searches to retrieve token details from the CTS.



Overview

This is the second article in a two-part series, which is designed to help you understand CTS token types (OAuth2 and session) in AM/OpenAM.

See How do I know what LDAP attributes are used by CTS tokens in AM (All versions) and OpenAM 13.x? for the first part.

LDAP searches

You can use the information in these articles to query the CTS using ldapsearch: the other article lists the LDAP attributes and this article provides the data format. For example, to list a user's OAuth2 refresh tokens, filter on coreTokenString03=<user> and coreTokenString10=refresh_token:

$ ./ldapsearch --hostname ds1.example.com --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN "ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org" "(&(coreTokenString03=demo)(coreTokenString10=refresh_token))"

CTS token types

AM 5.5 introduced a number of improvements to the OAuth2 tokens stored in the CTS. The changes were specifically designed to reduce the number of writes to the CTS, and so improve the performance of the entire system.

This article looks at the following CTS token types in detail (the token details apply to all AM and OpenAM 13.x releases unless otherwise stated):

OAuth2 Grant-Set token (AM 6.5 and later)

The OAuth2 Grant-Set token in AM 6.5 and later:

  • Stores the state of multiple authorizations for a given OAuth2 client and resource owner pair. Previously, this state was stored across multiple OAUTH and OAUTH2_STATELESS_GRANT entries.
  • Grant-Set acts as a container for all authorizations:
    • Stateless access code tokens and grant tokens.
    • Stateful access code tokens, access tokens and refresh tokens.
  • Reduces the amount of data stored in the CTS by removing duplication and reduces the number of operations to the CTS.

Stateless Grant-Set token example

dn: coreTokenId=kOrkxaDZ6fYcUrcE0c3PEMFIGNk,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org
objectClass: frCoreToken
objectClass: top
coreTokenExpirationDate: 20190522143603.155Z
coreTokenId: kOrkxaDZ6fYcUrcE0c3PEMFIGNk
coreTokenMultiString03: {"g":"kOrkxaDZ6fYcUrcE0c3PEMFIGNk.xuPxwKKadXjWvMfKg9WFzvqIOC4","gx":1529062484276,"_s":["openid","profile"],"a":"kOrkxaDZ6fYcUrcE0c3PEMFIGNk.vm6gyeD5t8mF8nTYQ1XQBYTskMo","ax":1528454203638,"aati":"809b87b3-4fad-4ca1-9312-a7f0c669fd6c-34347","ai":true,"au":"https://www.example.com","asi":"UmR8fqI7iG1lmmbQdMBUVXvr2u8.*AAJTSQACMDIAAlNLABxFNXVzNDJlcnZyY1VnV0JQU2ZWbitkbEtiUms9AAR0eXBlAANDVFMAAlMxAAIwMQ..*","ast":"1234","_am":"DataStore","_acr":"0","gt":[]}
coreTokenString03: demo
coreTokenString08: /myRealm
coreTokenString09: OIDCclient1
coreTokenType: OAUTH2_GRANT_SET

Stateful Grant-Set token example

dn: coreTokenId=fx-GTfShtRhmJ89qMNVkxLx339U,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org
objectClass: frCoreToken
objectClass: top
coreTokenExpirationDate: 20181211094355.401Z
coreTokenId: fx-GTfShtRhmJ89qMNVkxLx339U
coreTokenMultiString03: {"g":"fx-GTfShtRhmJ89qMNVkxLx339U.BwOWUGadbho7rKgCYj5Uq1XuRPc","gx":0,"_s":["openid","profile"],"a":"fx-GTfShtRhmJ89qMNVkxLx339U.0g7urZwlwyK_5gUOlC49t4PVUPo","ax":1540546982500,"aati":"fb479915-c2aa-42b3-ad76-b7eb3de950c5-338537161","ai":true,"au":"http://example.com","asi":"xE5imkWhvI66-6gg1lkGjQgmGdU.*AAJTSQACMDIAAlNLABxJNmxnTElxTXFQdEU0b040RUtzN2JUakV6dEk9AAR0eXBlAANDVFMAAlMxAAIwMQ..*","ast":"1234","_am":"DataStore","_acr":"0","r":"fx-GTfShtRhmJ89qMNVkxLx339U.vXS04FRzuWulPMomSoVDnZvj-6s","rx":1541151662549,"rgt":"authorization_code","rtt":"Bearer","rtn":"refresh_token","rati":"fb479915-c2aa-42b3-ad76-b7eb3de950c5-338537554","ro":"jS474J1xvNZwD-uLeJJeTDWjAzI","_at":1540546862,"_al":0,"gt":[{"t":"fx-GTfShtRhmJ89qMNVkxLx339U.SGEDFJ5BkuuKXKHVeV24_IzoHRg","tx":1540550462814,"tgt":"authorization_code","ts":["openid","profile"],"ttn":"access_token","tati":"fb479915-c2aa-42b3-ad76-b7eb3de950c5-338537841","tck":null}]}
coreTokenString03: demo
coreTokenString08: /myRealm
coreTokenString09: OIDCclient1
coreTokenType: OAUTH2_GRANT_SET
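The ldapsearch in the LDAP searches section returns LDIF entries like the ones above; the following added example (not part of the original article or of AM) parses such output, applies the same user/token-name selection as the filter shown there, and expands the compact Grant-Set JSON in coreTokenMultiString03 into readable fields. The meaning of the short JSON keys (g, r, rx, gt) and of the coreTokenStringNN slots is read off the examples in this article and is an assumption, as is the constructed sample LDIF with placeholder ids.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shapes this article shows (ids are placeholders);
# the long JSON value is folded onto a continuation line as ldapsearch does.
SAMPLE_LDIF = """\
dn: coreTokenId=AAAA,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org
coreTokenExpirationDate: 20190522143603.155Z
coreTokenId: AAAA
coreTokenMultiString03: {"g":"AAAA.g1","gx":1529062484276,"_s":["openid","profile"],"r":"AAAA.r1",
 "rx":1541151662549,"rtn":"refresh_token","gt":[{"t":"AAAA.t1","tx":1540550462814,"ttn":"access_token"}]}
coreTokenString03: demo
coreTokenString08: /myRealm
coreTokenString09: OIDCclient1
coreTokenType: OAUTH2_GRANT_SET

dn: coreTokenId=BBBB,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org
coreTokenString10: refresh_token
coreTokenString03: demo
coreTokenExpirationDate: 20170814213929.460Z
coreTokenId: BBBB
coreTokenType: OAUTH
"""

def parse_ldif(text):
    """Split ldapsearch output into entries of {attribute: [values]}."""
    entries, current, lines = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # LDIF folding: rejoin, dropping the space
        else:
            lines.append(raw)
    for line in lines + [""]:
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")   # '::' base64 values are left encoded
            current.setdefault(name.strip(), []).append(value.strip())
        elif not line.strip() and current:          # blank line terminates an entry
            entries.append(current)
            current = {}
    return entries

def parse_generalized_time(value):
    """Accepts the forms seen in this article: 20190522143603.155Z, 20170809003317.863+0200, 20170824171908Z."""
    for fmt in ("%Y%m%d%H%M%S.%f%z", "%Y%m%d%H%M%S%z"):
        try:
            return datetime.strptime(value, fmt).astimezone(timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised GeneralizedTime: {value}")

def epoch_ms(ms):
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)

def decode_grant_set(blob):
    """Expand the compact Grant-Set JSON. Key meanings are inferred from the examples
    in this article (g grant id, r/rx refresh token, gt[] issued access tokens)."""
    data = json.loads(blob)
    return {
        "grant_id": data.get("g"),
        "refresh_token": data.get("r"),
        "refresh_expires": epoch_ms(data["rx"]) if data.get("rx") else None,
        "access_tokens": [(t["t"], epoch_ms(t["tx"])) for t in data.get("gt", [])],
    }

def summarise(entry):
    """Who, which client/realm, when; attribute slots follow the AM 5.5+ examples (assumed)."""
    first = lambda attr: entry.get(attr, [None])[0]
    info = {
        "id": first("coreTokenId"),
        "type": first("coreTokenType"),
        "token_name": first("coreTokenString10"),
        "user": first("coreTokenString03") or first("coreTokenUserId"),
        "realm": first("coreTokenString08"),
        "client": first("coreTokenString09"),
        "expires": parse_generalized_time(first("coreTokenExpirationDate")),
    }
    if info["type"] == "OAUTH2_GRANT_SET":
        info["grant_set"] = decode_grant_set(first("coreTokenMultiString03"))
    return info

def find_tokens(entries, user, token_name):
    """Same selection as (&(coreTokenString03=<user>)(coreTokenString10=<token_name>))."""
    return [e for e in entries if user in e.get("coreTokenString03", [])
            and token_name in e.get("coreTokenString10", [])]
```

To use it against a real deployment, save the ldapsearch output to a file and pass its contents to parse_ldif in place of SAMPLE_LDIF; the pre-5.5 token types in this article store the realm and client in different coreTokenString slots, so summarise would need those mappings added.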

Stateless Access Code token (AM 5.5 and later)

The Stateless Access Code token in AM 5.5 and later:

  • Is used in the OAuth2/OIDC Authorization Code flow and the OIDC Hybrid flow.
  • Provides state for the code that is used by the client to retrieve an access token.
  • Does not contain the session token of the session that generated the request in an indexable attribute, which differs from the equivalent token in previous versions of AM/OpenAM.
  • Uses the value of the access code to form the unique identity of the subsequent grant token.
  • Sets coreTokenString06 to true when the code has been used and consent granted, which differs from the equivalent token in previous versions of AM/OpenAM.

Stateless access code example

dn: coreTokenId=4e915f7a-08ec-4c65-915f-2256d6c3a503,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"redirectURI":["http://example.com"],"clientID":["OIDCclient1"],"ssoTokenId":["mJLebOGs9Y4rAE_JY0uSaS_SVwM.*AAJTSQACMDEAAlNLABwvbWJRSVJ4aGdVcUhHTmNUTkRZVjAxcVl4eFE9AAJTMQAA*"],"auditTrackingId":["a7180708-c39b-4f92-90ea-b2b8bb79ec75-83912"],"tokenName":["access_code"],"authModules":["DataStore"],"code_challenge_method":[],"userName":["demo"],"nonce":["abcdef"],"authGrantId":["f58f19f9-7f3f-43db-be90-466643414143"],"acr":[],"expireTime":["1523281431770"],"scope":["openid","profile"],"claims":[null],"realm":["/myRealm"],"id":["4e915f7a-08ec-4c65-915f-2256d6c3a503"],"state":[],"tokenType":["Bearer"],"code_challenge":[],"issued":["true"]}
coreTokenString11: abcdef
coreTokenString01: openid,profile
coreTokenString10: access_code
coreTokenString04: http://example.com
coreTokenString15: f58f19f9-7f3f-43db-be90-466643414143
coreTokenString03: demo
coreTokenExpirationDate: 20180409134351.770Z
coreTokenString08: /myRealm
coreTokenString09: OIDCclient1
coreTokenId: 4e915f7a-08ec-4c65-915f-2256d6c3a503
coreTokenString06: true
coreTokenString07: Bearer
coreTokenType: OAUTH

Stateless OAuth2 Grant token (AM 5.5 and later)

The Stateless OAuth2 Grant token in AM 5.5 and later:

  • Replaces stateless Access and Refresh tokens in previous versions of AM/OpenAM with a single token indicating that a grant took place.
  • Prevents additional data being written to the CTS if a new access token is issued based on an existing refresh token with an existing grant ID.
  • Uses the grant ID value from the preceding Access code if this token is generated in the OAuth2 Code flow.
  • Has a grant ID in the stateless OAuth2 JWT that matches the DN of the token in the CTS.

Stateless grant token example

dn: coreTokenId=f58f19f9-7f3f-43db-be90-466643414143,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org
objectClass: top
objectClass: frCoreToken
coreTokenObject: {}
coreTokenString11: /myRealm
coreTokenString04: OIDCclient1
coreTokenExpirationDate: 20180416144152.757Z
coreTokenUserId: demo
coreTokenId: f58f19f9-7f3f-43db-be90-466643414143
coreTokenString06: openid,profile
coreTokenType: OAUTH2_STATELESS_GRANT

An access token issued from this CTS grant token may look like this:

{
  "sub": "demo",
  "auth_level": 0,
  "auditTrackingId": "610b705d-51a9-43e1-b59a-47b372b9d3ae",
  "iss": "http://am3.example.com:38080/am0551/oauth2/myRealm",
  "tokenName": "access_token",
  "token_type": "Bearer",
  "authGrantId": "f58f19f9-7f3f-43db-be90-466643414143",
  "nonce": "abcdef",
  "aud": "OIDCclient1",
  "nbf": 1523281312,
  "grant_type": "authorization_code",
  "scope": [
    "openid",
    "profile"
  ],
  "auth_time": 1523281311000,
  "realm": "/myRealm",
  "exp": 1523284912,
  "iat": 1523281312,
  "expires_in": 3600,
  "jti": "c35e5c2a-081b-417f-82c5-2708781816d6"
}

Access Code token (AM 5, 5.1.x and OpenAM 13.x)

The Access Code token in pre-AM 5.5:

  • Is used in the OAuth2/OIDC Authorization Code flow and the OIDC Hybrid flow.
  • Provides state for the code that is used by the client to retrieve an access token.
  • Is short lived - the lifetime is defined by Authorization Code Lifetime in the OAuth2 provider.
  • Has the same format in both stateless and stateful OAuth2 modes.
  • Contains a copy of the user's SSO token, so it is large when used in combination with a realm in client-based sessions mode.

CTS-based session realm token example

dn: coreTokenId=cafdd8cc-b155-464a-a020-15013532578c,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenString11: abcdef
coreTokenObject: {"redirectURI":["http://example.com"],"clientID":["OIDCclient1"],"ssoTokenId":["AQIC5wM2LY4S...kyNgACUzEAAjAx*"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-280"],"tokenName":["access_code"],"authModules":["DataStore"],"code_challenge_method":[],"userName":["demo"],"nonce":["abcdef"],"authGrantId":["6f10ad62-1be7-4ebe-aeea-81b7c9eb3735"],"acr":[],"expireTime":["1502142089100"],"scope":["openid","profile"],"claims":[null],"realm":["/statefulRealm"],"id":["cafdd8cc-b155-464a-a02015013532578c"],"tokenType":["Bearer"],"code_challenge":[],"issued":["true"]}
coreTokenString01: openid,profile
coreTokenString10: access_code
coreTokenString15: 6f10ad62-1be7-4ebe-aeea-81b7c9eb3735
coreTokenString04: http://example.com
coreTokenString13: AQIC5wM2LY4S...kyNgACUzEAAjAx*
coreTokenString03: demo
coreTokenString08: /statefulRealm
coreTokenExpirationDate: 20170807214129.100Z
coreTokenString09: OIDCclient1
coreTokenId: cafdd8cc-b155-464a-a020-15013532578c
coreTokenString06: true
coreTokenString07: Bearer
coreTokenType: OAUTH

Client-based session realm token example

dn: coreTokenId=60742780-8ad6-4091-a277-8d24bd69938d,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenString11: abcdef
coreTokenObject: {"redirectURI":["http://example.com"],"clientID":["OIDCclient2"],"ssoTokenId":["AQIC5wM2LY4SfcyvKEBc-PhbFqsHH5ULidH1FMscUOKScfg.*AAJTSQACMDIAAlNLABQtMTkyNTUxMDA4NzgzNDA2ODIzNwACUzEAAjAx*eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0....2O4EYXM7sPN0YwW78aF2TzjLSEm-NQizNkzOpVCP2mw"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-330"],"tokenName":["access_code"],"authModules":["DataStore"],"code_challenge_method":[],"userName":["demo"],"nonce":["abcdef"],"authGrantId":["1e70b499-2860-4b06-9bd8-3b202197a3a7"],"acr":[],"expireTime":["1502142089432"],"scope":["openid","profile"],"claims":[null],"realm":["/statelessRealm"],"id":["60742780-8ad6-4091-a277-8d24bd69938d"],"tokenType":["Bearer"],"code_challenge":[],"issued":["true"]}
coreTokenString01: openid,profile
coreTokenString10: access_code
coreTokenString15: 1e70b499-2860-4b06-9bd8-3b202197a3a7
coreTokenString04: http://example.com
coreTokenString13: AQIC5wM2LY4SfcyvKEBc-PhbFqsHH5ULidH1FMscUOKScfg.*AAJTSQACMDIAAlNLABQtMTkyNTUxMDA4NzgzNDA2ODIzNwACUzEAAjAx*eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0.eyAic2VyaWFsaXplZF9zZXNzaW9uIjogIntcInNlY3JldFwiOlwiZDk3Y2FhYTktZmU3ZS00MTBlLWEzNzgtM2Q3ZDAyZWMwNzlmXCIsXCJleHBpcnlUaW1lXCI6MTUwMjE0OTE2OTQwNyxcImxhc3RBY3Rpdml0eVRpbWVcIjoxNTAyMTQxOTY5NDA3LFwic3RhdGVcIjpcInZhbGlkXCIsXCJwcm9wZXJ0aWVzXCI6e1wiQ2hhclNldFwiOlwiVVRGLThcIixcIlVzZXJJZFwiOlwiZGVtb1wiLFwiRnVsbExvZ2luVVJMXCI6XCIvYW0xMzUwL1VJL0xvZ2luP3JlYWxtPSUyRnN0YXRlbGVzc1JlYWxtXCIsXCJzdWNjZXNzVVJMXCI6XCIvYW0xMzUwL2NvbnNvbGVcIixcImNvb2tpZVN1cHBvcnRcIjpcInRydWVcIixcIkF1dGhMZXZlbFwiOlwiMFwiLFwiU2Vzc2lvbkhhbmRsZVwiOlwic2hhbmRsZTpBUUlDNXdNMkxZNFNmY3ctY0hYaWZDR1VIdU1Gb3VxMDlkTnIxQVZMc3hGVUVQay4qQUFKVFNRQUNNRElBQWxOTEFCUXROekUwTnpjNE56VXlOalkyTkRjeU1EZ3lOQUFDVXpFQUFqQXgqXCIsXCJVc2VyVG9rZW5cIjpcImRlbW9cIixcImxvZ2luVVJMXCI6XCIvYW0xMzUwL1VJL0xvZ2luXCIsXCJQcmluY2lwYWxzXCI6XCJkZW1vXCIsXCJTZXJ2aWNlXCI6XCJsZGFwU2VydmljZVwiLFwic3VuLmFtLlVuaXZlcnNhbElkZW50aWZpZXJcIjpcImlkPWRlbW8sb3U9dXNlcixvPXN0YXRlbGVzc3JlYWxtLG91PXNlcnZpY2VzLG89b3BlbmFtXCIsXCJhbWxiY29va2llXCI6XCIwMVwiLFwiT3JnYW5pemF0aW9uXCI6XCJvPXN0YXRlbGVzc3JlYWxtLG91PXNlcnZpY2VzLG89b3BlbmFtXCIsXCJMb2NhbGVcIjpcImVuX1VTXCIsXCJIb3N0TmFtZVwiOlwiMTI3LjAuMC4xXCIsXCJBdXRoVHlwZVwiOlwiRGF0YVN0b3JlXCIsXCJIb3N0XCI6XCIxMjcuMC4wLjFcIixcIlVzZXJQcm9maWxlXCI6XCJSZXF1aXJlZFwiLFwiQU1DdHhJZFwiOlwiZTNlZWRmMGRmMTY1Y2M5ZjAxXCIsXCJjbGllbnRUeXBlXCI6XCJnZW5lcmljSFRNTFwiLFwiYXV0aEluc3RhbnRcIjpcIjIwMTctMDgtMDdUMjE6Mzk6MjlaXCIsXCJQcmluY2lwYWxcIjpcImlkPWRlbW8sb3U9dXNlcixvPXN0YXRlbGVzc3JlYWxtLG91PXNlcnZpY2VzLG89b3BlbmFtXCJ9LFwibWF4VGltZVwiOjEyMCxcInNlc3Npb25UeXBlXCI6XCJ1c2VyXCIsXCJtYXhJZGxlXCI6MzAsXCJtYXhDYWNoaW5nXCI6MyxcIm5ldmVyRXhwaXJpbmdcIjpmYWxzZSxcInNlc3Npb25JRFwiOm51bGwsXCJjbGllbnRJRFwiOlwiaWQ9ZGVtbyxvdT11c2VyLG89c3RhdGVsZXNzcmVhbG0sb3U9c2VydmljZXMsbz1vcGVuYW1cIixcImNsaWVudERvbWFpblwiOlwibz1zdGF0ZWxlc3NyZWFsbSxvdT1zZXJ2aWNlcyxvPW9wZW5hbVwifSIgfQ.2O4EYXM7sPN0YwW78aF2TzjLSEm-NQizNkzOpVCP2mw
coreTokenString03: demo
coreTokenString08: /statelessRealm
coreTokenExpirationDate: 20170807214129.432Z
coreTokenString09: OIDCclient2
coreTokenId: 60742780-8ad6-4091-a277-8d24bd69938d
coreTokenString06: true
coreTokenString07: Bearer
coreTokenType: OAUTH

Stateless OAuth2 Access token (AM 5, 5.1.x and OpenAM 13.x)

The Stateless OAuth2 Access token in pre-AM 5.5 is:

  • Issued when the OAuth2 provider is in stateless mode (no relationship to client-based sessions).
  • Used in all OAuth2 and OIDC flows.
  • Usually short lived.
  • A JWT containing the information provided by the relevant scopes. Clients can introspect the token without having to visit an additional endpoint; the stored token contains a reference found in the issued JWT.

Stateless access token example

dn: coreTokenId=7fdce636-eede-4f0a-90d3-34e0ea24374c,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenString12: Bearer
coreTokenString01: openid,profile
coreTokenString10: refresh_token
coreTokenString15: 1e70b499-2860-4b06-9bd8-3b202197a3a7
coreTokenString03: demo
coreTokenString08: /statelessRealm
coreTokenExpirationDate: 20170814213929.460Z
coreTokenUserId: demo
coreTokenString09: OIDCclient2
coreTokenId: 7fdce636-eede-4f0a-90d3-34e0ea24374c
coreTokenType: OAUTH_STATELESS

Stateless OAuth2 Refresh token (AM 5, 5.1.x and OpenAM 13.x)

The Stateless OAuth2 Refresh token in pre-AM 5.5 is:

  • Issued when the OAuth2 provider is in stateless mode (no relationship to client-based sessions).
  • Used in the OAuth2 Code flow and the OIDC Code / Hybrid flow.
  • Usually long lived.
  • Exchanged for access tokens by clients.
  • A JWT containing the information provided by the relevant scopes. Clients can introspect the token without having to visit an additional endpoint; the stored token contains a reference found in the issued JWT.

Stateless refresh token example

dn: coreTokenId=7fdce636-eede-4f0a-90d3-34e0ea24374c,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenString12: Bearer
coreTokenString01: openid,profile
coreTokenString10: refresh_token
coreTokenString15: 1e70b499-2860-4b06-9bd8-3b202197a3a7
coreTokenString03: demo
coreTokenString08: /statelessRealm
coreTokenExpirationDate: 20170814213929.460Z
coreTokenUserId: demo
coreTokenString09: OIDCclient2
coreTokenId: 7fdce636-eede-4f0a-90d3-34e0ea24374c
coreTokenType: OAUTH_STATELESS

Stateful OAuth2 Access token

The Stateful OAuth2 Access token in AM/OpenAM is:

  • Issued when the OAuth2 provider is not in stateless mode (no relationship to client-based sessions).
  • Used in all OAuth2 and OIDC flows.
  • Typically short lived.

Stateful access token example

dn: coreTokenId=daaa2a39-ffe9-40a0-b0df-71dc6e278628,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenString11: abcdef
coreTokenObject: {"redirectURI":["http://example.com"],"parent":["cafdd8cc-b155-464a-a020-15013532578c"],"clientID":["OIDCclient1"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-290"],"tokenName":["access_token"],"userName":["demo"],"authGrantId":["6f10ad62-1be7-4ebe-aeea-81b7c9eb3735"],"nonce":["abcdef"],"expireTime":["1502145569132"],"grant_type":["authorization_code"],"scope":["openid","profile"],"realm":["/statefulRealm"],"id":["daaa2a39-ffe9-40a0-b0df-71dc6e278628"],"tokenType":["Bearer"],"refreshToken":["21f89047-4bcf-4d62-853b-d4fa22d632e5"]}
coreTokenString12: authorization_code
coreTokenString01: openid,profile
coreTokenString10: access_token
coreTokenString15: 6f10ad62-1be7-4ebe-aeea-81b7c9eb3735
coreTokenString04: http://example.com
coreTokenString05: 21f89047-4bcf-4d62-853b-d4fa22d632e5
coreTokenString02: cafdd8cc-b155-464a-a020-15013532578c
coreTokenString03: demo
coreTokenString08: /statefulRealm
coreTokenExpirationDate: 20170807223929.132Z
coreTokenString09: OIDCclient1
coreTokenId: daaa2a39-ffe9-40a0-b0df-71dc6e278628
coreTokenString07: Bearer
coreTokenType: OAUTH

Stateful OAuth2 Refresh token

The Stateful OAuth2 Refresh token in AM/OpenAM is:

  • Issued when the OAuth2 provider is not in stateless mode (no relationship to client-based sessions).
  • Used in the OAuth2 Code Grant flow, the Resource Owner Password flow and the OIDC Code / Hybrid flow.
  • Usually long lived.
  • Exchanged for access tokens by clients.

Stateful refresh token example

dn: coreTokenId=21f89047-4bcf-4d62-853b-d4fa22d632e5,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"redirectURI":["http://example.com"],"clientID":["OIDCclient1"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-289"],"tokenName":["refresh_token"],"authModules":["DataStore"],"userName":["demo"],"authGrantId":["6f10ad62-1be7-4ebe-aeea-81b7c9eb3735"],"acr":[],"expireTime":["1502746769129"],"grant_type":["authorization_code"],"scope":["openid","profile"],"realm":["/statefulRealm"],"id":["21f89047-4bcf-4d62-853b-d4fa22d632e5"],"tokenType":["Bearer"]}
coreTokenString12: authorization_code
coreTokenString01: openid,profile
coreTokenString10: refresh_token
coreTokenString15: 6f10ad62-1be7-4ebe-aeea-81b7c9eb3735
coreTokenString04: http://example.com
coreTokenString03: demo
coreTokenString08: /statefulRealm
coreTokenExpirationDate: 20170814213929.129Z
coreTokenString09: OIDCclient1
coreTokenId: 21f89047-4bcf-4d62-853b-d4fa22d632e5
coreTokenString07: Bearer
coreTokenType: OAUTH

OpenID Connect OPS token

The OpenID Connect OPS token in AM/OpenAM:

  • Provides a link between the OIDC ID token and the user session that generated it.
  • Is required for the endSession and checkSession endpoints to function.
  • Can be disabled in the OAuth2 provider. It is good practice to disable this token if you are not using the endSession and checkSession endpoints; doing so can dramatically reduce the load on the CTS.
  • Is issued in the Code or Implicit flow if the openid scope is requested and it is enabled in the OAuth2 provider.
  • Contains a copy of the user's SSO token (as the access code token does), so again it is large when used in combination with a realm in client-based sessions mode.

CTS-based session realm OPS token example

dn: coreTokenId=c23b5787-ace5-43c4-aeb3-369bbf4e07be,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"id":["c23b5787-ace5-43c4-aeb3-369bbf4e07be"],"ops":["AQIC5wM2LY4S...kyNgACUzEAAjAx*"],"expireTime":["1502145569141"]}
coreTokenExpirationDate: 20170807223929.141Z
coreTokenId: c23b5787-ace5-43c4-aeb3-369bbf4e07be
coreTokenType: OAUTH

Client-based session realm OPS token example

dn: coreTokenId=938fbe6a-cab6-48fc-ba42-3dbe82af61f3,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"id":["938fbe6a-cab6-48fc-ba42-3dbe82af61f3"],"ops":["AQIC5wM2LY4SfcyvKEBc-PhbFqsHH5ULidH1FMscUOKScfg.*AAJTSQACMDIAAlNLABQtMTkyNTUxMDA4NzgzNDA2ODIzNwACUzEAAjAx*eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0....2O4EYXM7sPN0YwW78aF2TzjLSEm-NQizNkzOpVCP2mw"],"expireTime":["1502145569471"]}
coreTokenExpirationDate: 20170807223929.471Z
coreTokenId: 938fbe6a-cab6-48fc-ba42-3dbe82af61f3
coreTokenType: OAUTH

OAuth2 Device Code token

The OAuth2 Device Code token in AM/OpenAM is:

  • Used to persist the code in the Device Code flow.
  • Typically short lived.
  • In the same format in OAuth2 stateless and stateful modes.

Device code token example

dn: coreTokenId=501905e0-b350-47d5-92cc-161a4291116f,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"clientID":["OIDCclient1"],"expireTime":["1502142269359"],"user_code":["PDRxhXht"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-311"],"scope":["profile"],"tokenName":["device_code"],"response_type":["token"],"realm":["/statefulRealm"],"id":["501905e0-b350-47d5-92cc-161a4291116f"],"userName":["demo"],"AUTHORIZED":["true"]}
coreTokenString01: profile
coreTokenString10: device_code
coreTokenString14: PDRxhXht
coreTokenString03: demo
coreTokenString08: /statefulRealm
coreTokenExpirationDate: 20170807214429.359Z
coreTokenString09: OIDCclient1
coreTokenId: 501905e0-b350-47d5-92cc-161a4291116f
coreTokenType: OAUTH

CTS-based Session token (AM 5 and later)

The CTS-based Session token in AM 5 and later:

  • Is created in the CTS when a user authenticates to a realm that is in CTS-based session mode.
  • Allows a user to remain authenticated even when the AM instance they authenticated with has been shut down.
  • Is not compatible with the equivalent token in OpenAM 13.5.x and earlier.

CTS-based Session token example

dn: coreTokenId=-8288022266790569769,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org
objectClass: top
objectClass: frCoreToken
coreTokenString11: /
coreTokenObject: {"clientDomain":"dc=openam,dc=forgerock,dc=org","clientID":"id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org","cookieMode":true,"cookieStr":null,"creationTimeInMillis":1502229535517,"isSessionUpgrade":false,"listeners":{"9d16b2e1-50c2-43f8-86ce-97a67be1661a":true,"4bd2e5b4-22c8-4172-a2a6-b9f028e86dc8":true},"maxCachingTimeInMinutes":3,"maxIdleTimeInMinutes":30,"maxSessionTimeInMinutes":120,"restrictedTokensBySessionID":{},"sessionEventURLs":{},"sessionID":{"comingFromAuth":false,"cookieMode":null,"encryptedString":"AQIC5wM2LY4S...kyNgACUzEAAjAx*","sessionDomain":"dc=openam,dc=forgerock,dc=org","sessionServer":"am3.example.com","sessionServerID":"01","sessionServerPort":"38080","sessionServerProtocol":"http","sessionServerURI":"/am5"},"sessionProperties":{"Locale":"en","authInstant":"2017-08-08T21:58:55Z","Organization":"dc=openam,dc=forgerock,dc=org","UserProfile":"Required","Principals":"amadmin","successURL":"/am5/console","CharSet":"UTF8","Service":"ldapService","Host":"127.0.0.1","cookieSupport":"true","FullLoginURL":"/am5/UI/Login?realm=%2F","AuthLevel":"0","clientType":"genericHTML","AMCtxId":"77a740625b90bc6301","loginURL":"/am5/UI/Login","UserId":"amadmin","AuthType":"DataStore","sun.am.UniversalIdentifier":"id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org","amlbcookie":"01","HostName":"127.0.0.1","Principal":"id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org","UserToken":"amadmin"},"sessionState":"VALID","sessionType":"USER","timedOutTimeInSeconds":0}
coreTokenInteger07: 30
coreTokenString12: 1502229535517
coreTokenInteger06: 120
coreTokenString04: 1502229797863
coreTokenString05: AQIC5wM2LY4S...kyNgACUzEAAjAx*
coreTokenMultiString01: 9d16b2e1-50c2-43f8-86ce-97a67be1661a
coreTokenMultiString01: 4bd2e5b4-22c8-4172-a2a6-b9f028e86dc8
coreTokenExpirationDate: 20170809003317.863+0200
coreTokenUserId: id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org
coreTokenId: -8288022266790569769
coreTokenString06: shandle:AQIC5wM2LY4S...kyNgACUzEAAjAx*
coreTokenType: SESSION

CTS-based Session token (OpenAM 13.x)

The CTS-based Session token in OpenAM 13.x:

  • Is created in the CTS when a user authenticates to a realm that is in CTS-based session mode and the OpenAM deployment has session failover enabled.
  • Allows a user to remain authenticated even when the OpenAM instance they authenticated with has been shut down.
  • Is not compatible with the equivalent token in AM 5 and later.

CTS-based Session token example

dn: coreTokenId=-6412296181144271926,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"clientDomain":"o=statefulrealm,ou=services,o=openam","clientID":"id=demo,ou=user,o=statefulrealm,ou=services,o=openam","cookieMode":null,"cookieStr":null,"creationTime":1502141969,"isISStored":true,"maxCachingTime":3,"maxIdleTime":30,"maxSessionTime":120,"reschedulePossible":false,"restrictedTokensBySid":{},"sessionEventURLs":{"http://am1.example.com:18080/am1350/notificationservice":[{"comingFromAuth":false,"cookieMode":null,"encryptedString":"AQIC5wM2LY4S...kyNgACUzEAAjAx*","sessionDomain":"","sessionServer":"am.example.com","sessionServerID":"02","sessionServerPort":"8000","sessionServerProtocol":"http","sessionServerURI":"/am1350"}]},"sessionID":{"comingFromAuth":false,"cookieMode":null,"encryptedString":"AQIC5wM2LY4S...kyNgACUzEAAjAx*","sessionDomain":"o=statefulrealm,ou=services,o=openam","sessionServer":"am.example.com","sessionServerID":"02","sessionServerPort":"8000","sessionServerProtocol":"http","sessionServerURI":"/am1350"},"sessionProperties":{"CharSet":"UTF-8","UserId":"demo","FullLoginURL":"/am1350/UI/Login?realm=%2FstatefulRealm","successURL":"/am1350/console","cookieSupport":"true","AuthLevel":"0","UserToken":"demo","loginURL":"/am1350/UI/Login","Principals":"demo","Service":"ldapService","sun.am.UniversalIdentifier":"id=demo,ou=user,o=statefulrealm,ou=services,o=openam","amlbcookie":"01","Organization":"o=statefulrealm,ou=services,o=openam","Locale":"en_US","HostName":"127.0.0.1","AuthType":"DataStore","Host":"127.0.0.1","UserProfile":"Required","AMCtxId":"f0444f0bf43ab5d701","clientType":"genericHTML","authInstant":"2017-08-07T21:39:29Z","Principal":"id=demo,ou=user,o=statefulrealm,ou=services,o=openam"},"sessionState":1,"sessionType":0,"timedOutAt":0,"willExpireFlag":true}
coreTokenString01: 1502141969
coreTokenString02: AQIC5wM2LY4S...kyNgACUzEAAjAx*
coreTokenString03: shandle:AQIC5wM2LY4S...kyNgACUzEAAjAx*
coreTokenExpirationDate: 20170808001429.080+0200
coreTokenUserId: id=demo,ou=user,o=statefulrealm,ou=services,o=openam
coreTokenId: -6412296181144271926
coreTokenType: SESSION

Client-based Session Blacklist token

The Client-based Session Blacklist token in AM/OpenAM is:

  • Used to keep a record of client-based sessions that have been ended by logging out.
  • Created only when client-based sessions blacklist is enabled in global session properties.

Client-based session blacklist token example

dn: coreTokenId=7fac1a04-f358-4ed5-958b-48aac6dd5a34,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org
objectClass: top
objectClass: frCoreToken
coreTokenString01: 01
coreTokenDate01: 20170824151809.429Z
coreTokenExpirationDate: 20170824171908Z
coreTokenId: 7fac1a04-f358-4ed5-958b-48aac6dd5a34
coreTokenType: SESSION_BLACKLIST

See Also

Core Token Service (CTS) and sessions in AM/OpenAM

Installation Guide › Implementing the Core Token Service

Installation Guide › Core Token Service (CTS) Object Identifiers

Related Training

N/A

Related Issue Tracker IDs

N/A



Copyright © 2019 ForgeRock, all rights reserved.