How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I know what OAuth 2.0 and session token types are stored in the CTS in AM (All versions)?

Last updated Jan 16, 2023

The purpose of this article is to provide information on the OAuth2 and session token types stored in the CTS in AM with example token formats included. With this information, you can perform LDAP searches to retrieve token details from the CTS.



Overview

This is the second article in a two-part series, which is designed to help you understand CTS token types (OAuth2 and session) in AM. See How do I know what LDAP attributes are used by CTS tokens (OAuth 2.0 and session) in AM (All versions)? for the first part.

For SAML2 tokens, see How are SAML2 tokens stored in the CTS in AM (All versions)?

LDAP searches

You can use the information in these articles to query the CTS using ldapsearch: the other article provides the LDAP attributes and this article provides the data format. For instance, to list a user's OAuth2 refresh tokens, filter on coreTokenString03=<user> and coreTokenString10=refresh_token:

  • DS 7 and later: $ ./ldapsearch --hostname ds.example.com --port 1389 --bindDN uid=admin --bindPassword password --baseDN "ou=famrecords,ou=openam-session,ou=tokens,dc=am,dc=forgerock,dc=org" "(&(coreTokenString03=demo)(coreTokenString10=refresh_token))"
  • Pre-DS 7: $ ./ldapsearch --hostname ds.example.com --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN "ou=famrecords,ou=openam-session,ou=tokens,dc=am,dc=forgerock,dc=org" "(&(coreTokenString03=demo)(coreTokenString10=refresh_token))"

CTS token types

This article looks at the following CTS token types in detail:

OAuth2 Grant-Set token (AM 6.5 and later)

The OAuth2 Grant-Set token in AM 6.5 and later:

  • Stores the state of multiple authorizations for a given OAuth2 client and resource owner pair. Previously, this state was stored across multiple OAUTH and OAUTH2_STATELESS_GRANT entries.
  • Acts as a container for all authorizations:
    • Stateless access code tokens and grant tokens.
    • Stateful access code tokens, access tokens and refresh tokens.
  • Reduces the amount of data stored in the CTS by removing duplication and reduces the number of operations to the CTS.
  • The coreTokenMultiString03 attribute contains a JSON representation of the OAuth2 Grant, where the following abbreviations are used:
    • g = Unique identifier in CTS
    • gx = Issue time
    • _s = Scope
    • a = Authorization code
    • ax = Issue time
    • asi = Authentication session ID token
    • aati = Access token ID
    • au = Authorization audience
    • ast = state
    • _am = Authentication module in AM
    • _acr = Authentication Context Class Reference if applicable
    • gt = grant type if applicable

Stateless Grant-Set token example

dn: coreTokenId=kOrkxaDZ6fYcUrcE0c3PEMFIGNk,ou=famrecords,ou=openam-session,ou=tokens,dc=am,dc=forgerock,dc=org
objectClass: frCoreToken
objectClass: top
coreTokenExpirationDate: 20190522143603.155Z
coreTokenId: kOrkxaDZ6fYcUrcE0c3PEMFIGNk
coreTokenMultiString03: {"g":"kOrkxaDZ6fYcUrcE0c3PEMFIGNk.xuPxwKKadXjWvMfKg9WFzvqIOC4","gx":1529062484276,"_s":["openid","profile"],"a":"kOrkxaDZ6fYcUrcE0c3PEMFIGNk.vm6gyeD5t8mF8nTYQ1XQBYTskMo","ax":1528454203638,"aati":"809b87b3-4fad-4ca1-9312-a7f0c669fd6c-34347","ai":true,"au":"https://www.example.com","asi":"UmR8fqI7iG1lmmbQdMBUVXvr2u8.*AAJTSQACMDIAAlNLABxFNXVzNDJlcnZyY1VnV0JQU2ZWbitkbEtiUms9AAR0eXBlAANDVFMAAlMxAAIwMQ..*","ast":"1234","_am":"DataStore","_acr":"0","gt":[]}
coreTokenMultiString03: {"g":"C7mzozs1XJKVvCT63JwQatoI-og.Xf_gOFNZOeGcY6ZLnGxX11N9NKQ","gx":1579098268014,"_s":["read"],"a":"C7mzozs1XJKVvCT63JwQatoI-og.BXUyATQtb9GoyrFvAacc6b20S4A","ax":1578489985511,"aati":"0e4db3cf-14e5-4d44-9f36-8e2fc6ac78a6-15583","ai":true,"an":"123456","au":"http://localhost","asi":"xHP1CNmGVN--sZceb3nki7-_Pzk.*AAJTSQACMDEAAlNLABxKL3FEeWllelhIZ1pGM1Y1SFg4MUFTL05zdms9AAR0eXBlAANDVFMAAlMxAAA.*","ast":"eHI6","_am":"DataStore","_acr":"0","r":"C7mzozs1XJKVvCT63JwQatoI-og.IbiBbTo1bCKelDu4hj5tb_2qbrk","gt":[]}
coreTokenString03: demo
coreTokenString08: /myRealm
coreTokenString09: OIDCclient1
coreTokenType: OAUTH2_GRANT_SET

Stateful Grant-Set token example

dn: coreTokenId=fx-GTfShtRhmJ89qMNVkxLx339U,ou=famrecords,ou=openam-session,ou=tokens,dc=am,dc=forgerock,dc=org
objectClass: frCoreToken
objectClass: top
coreTokenExpirationDate: 20181211094355.401Z
coreTokenId: fx-GTfShtRhmJ89qMNVkxLx339U
coreTokenMultiString03: {"g":"fx-GTfShtRhmJ89qMNVkxLx339U.BwOWUGadbho7rKgCYj5Uq1XuRPc","gx":0,"_s":["openid","profile"],"a":"fx-GTfShtRhmJ89qMNVkxLx339U.0g7urZwlwyK_5gUOlC49t4PVUPo","ax":1540546982500,"aati":"fb479915-c2aa-42b3-ad76-b7eb3de950c5-338537161","ai":true,"au":"http://example.com","asi":"xE5imkWhvI66-6gg1lkGjQgmGdU.*AAJTSQACMDIAAlNLABxJNmxnTElxTXFQdEU0b040RUtzN2JUakV6dEk9AAR0eXBlAANDVFMAAlMxAAIwMQ..*","ast":"1234","_am":"DataStore","_acr":"0","r":"fx-GTfShtRhmJ89qMNVkxLx339U.vXS04FRzuWulPMomSoVDnZvj-6s","rx":1541151662549,"rgt":"authorization_code","rtt":"Bearer","rtn":"refresh_token","rati":"fb479915-c2aa-42b3-ad76-b7eb3de950c5-338537554","ro":"jS474J1xvNZwD-uLeJJeTDWjAzI","_at":1540546862,"_al":0,"gt":[{"t":"fx-GTfShtRhmJ89qMNVkxLx339U.SGEDFJ5BkuuKXKHVeV24_IzoHRg","tx":1540550462814,"tgt":"authorization_code","ts":["openid","profile"],"ttn":"access_token","tati":"fb479915-c2aa-42b3-ad76-b7eb3de950c5-338537841","tck":null}]}
coreTokenString03: demo
coreTokenString08: /myRealm
coreTokenString09: OIDCclient1
coreTokenType: OAUTH2_GRANT_SET
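The following is an added example, not ForgeRock code: it parses a Grant-Set entry from ldapsearch output and expands each coreTokenMultiString03 value using the abbreviations listed above, so the result can go into an audit report without exposing token values. The long field names, the choice of which keys to redact, the reading of coreTokenString08 and coreTokenString09 as realm and client (taken from the sample values), and the sample entry itself are assumptions made for this example; keys the list above does not describe are reported by name only.

```python
import json
from datetime import datetime, timezone

# Abbreviations as listed in this article; the long names are labels chosen here.
FIELDS = {
    "g": "grant_id", "gx": "grant_issue_time", "_s": "scope",
    "a": "authorization_code", "ax": "code_issue_time",
    "asi": "auth_session_id", "aati": "access_token_id", "au": "audience",
    "ast": "state", "_am": "auth_module", "_acr": "acr", "gt": "grant_type",
}
SECRET = {"g", "a", "asi"}   # assumption: treated as credential material, never printed
TIMES = {"gx", "ax"}         # epoch milliseconds in the article's samples

# Constructed sample entry (shortened, not real token values).
SAMPLE = """\
dn: coreTokenId=EXAMPLEID,ou=famrecords,ou=openam-session,ou=tokens,dc=am,dc=forgerock,dc=org
objectClass: frCoreToken
coreTokenId: EXAMPLEID
coreTokenMultiString03: {"g":"EXAMPLEID.grant1","gx":1529062484276,"_s":["openid","profile"],"a":"EXAMPLEID.code1","ax":1528454203638,"au":"https://www.example.com","asi":"constructed-session-id","_am":"DataStore","_acr":"0","r":"EXAMPLEID.r1","gt":[]}
coreTokenString03: demo
coreTokenString08: /myRealm
coreTokenString09: OIDCclient1
coreTokenType: OAUTH2_GRANT_SET
"""

def parse_ldif_entry(text):
    """Parse one unfolded LDIF entry into {attribute: [values]}."""
    entry = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition(": ")
        entry.setdefault(name, []).append(value)
    return entry

def summarize_grant_set(entry):
    """Expand each grant in an OAUTH2_GRANT_SET entry without exposing token values."""
    if entry.get("coreTokenType") != ["OAUTH2_GRANT_SET"]:
        raise ValueError("not an OAUTH2_GRANT_SET entry")
    grants = []
    for raw in entry.get("coreTokenMultiString03", []):
        out, unknown = {}, []
        for key, value in json.loads(raw).items():
            if key not in FIELDS:
                unknown.append(key)          # report the key name only, drop the value
            elif key in SECRET:
                out[FIELDS[key]] = value[:4] + "...[redacted]"
            elif key in TIMES:
                out[FIELDS[key]] = datetime.fromtimestamp(value // 1000, tz=timezone.utc).isoformat()
            else:
                out[FIELDS[key]] = value
        out["undocumented_keys"] = sorted(unknown)
        grants.append(out)
    return {"user": entry["coreTokenString03"][0], "realm": entry["coreTokenString08"][0],
            "client": entry["coreTokenString09"][0], "grants": grants}

if __name__ == "__main__":
    print(json.dumps(summarize_grant_set(parse_ldif_entry(SAMPLE)), indent=2))
```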

Stateless Access Code token

The Stateless Access Code token in AM:

  • Is used in the OAuth2/OIDC Authorization Code flow and the OIDC Hybrid flow.
  • Provides state for the code that is used by the client to retrieve an access token.
  • Does not contain the session token of the session that generated the request in an indexable attribute, which is different to the equivalent token in previous versions of AM.
  • Uses the value of the access code to form the unique identity of the subsequent grant token.
  • Sets coreTokenString06 to true when the code is used and consent is granted, which is different to the equivalent token in previous versions of AM.

Stateless access code example

dn: coreTokenId=4e915f7a-08ec-4c65-915f-2256d6c3a503,ou=famrecords,ou=openam-session,ou=tokens,dc=am,dc=forgerock,dc=org
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"redirectURI":["http://example.com"],"clientID":["OIDCclient1"],"ssoTokenId":["mJLebOGs9Y4rAE_JY0uSaS_SVwM.*AAJTSQACMDEAAlNLABwvbWJRSVJ4aGdVcUhHTmNUTkRZVjAxcVl4eFE9AAJTMQAA*"],"auditTrackingId":["a7180708-c39b-4f92-90ea-b2b8bb79ec75-83912"],"tokenName":["access_code"],"authModules":["DataStore"],"code_challenge_method":[],"userName":["demo"],"nonce":["abcdef"],"authGrantId":["f58f19f9-7f3f-43db-be90-466643414143"],"acr":[],"expireTime":["1523281431770"],"scope":["openid","profile"],"claims":[null],"realm":["/myRealm"],"id":["4e915f7a-08ec-4c65-915f-2256d6c3a503"],"state":[],"tokenType":["Bearer"],"code_challenge":[],"issued":["true"]}
coreTokenString11: abcdef
coreTokenString01: openid,profile
coreTokenString10: access_code
coreTokenString04: http://example.com
coreTokenString15: f58f19f9-7f3f-43db-be90-466643414143
coreTokenString03: demo
coreTokenExpirationDate: 20180409134351.770Z
coreTokenString08: /myRealm
coreTokenString09: OIDCclient1
coreTokenId: 4e915f7a-08ec-4c65-915f-2256d6c3a503
coreTokenString06: true
coreTokenString07: Bearer
coreTokenType: OAUTH

Stateless OAuth2 Grant token

The Stateless OAuth2 Grant token in AM:

  • Replaces stateless Access and Refresh tokens in previous versions of AM with a single token indicating that a grant took place.
  • Prevents additional data being written to the CTS if a new access token is issued based on an existing refresh token with an existing grant ID.
  • Uses the grant ID value from the preceding Access code if this token is generated in the OAuth2 Code flow.
  • The grant ID in the stateless OAuth2 JWT matches the DN of the token in the CTS.

Stateless grant token example

dn: coreTokenId=f58f19f9-7f3f-43db-be90-466643414143,ou=famrecords,ou=openam-session,ou=tokens,dc=am,dc=forgerock,dc=org
objectClass: top
objectClass: frCoreToken
coreTokenObject: {}
coreTokenString11: /myRealm
coreTokenString04: OIDCclient1
coreTokenExpirationDate: 20180416144152.757Z
coreTokenUserId: demo
coreTokenId: f58f19f9-7f3f-43db-be90-466643414143
coreTokenString06: openid,profile
coreTokenType: OAUTH2_STATELESS_GRANT

An access token issued from this CTS grant token may look like this:

{
  "sub": "demo",
  "auth_level": 0,
  "auditTrackingId": "610b705d-51a9-43e1-b59a-47b372b9d3ae",
  "iss": "http://am3.example.com:38080/am0551/oauth2/myRealm",
  "tokenName": "access_token",
  "token_type": "Bearer",
  "authGrantId": "f58f19f9-7f3f-43db-be90-466643414143",
  "nonce": "abcdef",
  "aud": "OIDCclient1",
  "nbf": 1523281312,
  "grant_type": "authorization_code",
  "scope": [ "openid", "profile" ],
  "auth_time": 1523281311000,
  "realm": "/myRealm",
  "exp": 1523284912,
  "iat": 1523281312,
  "expires_in": 3600,
  "jti": "c35e5c2a-081b-417f-82c5-2708781816d6"
}
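Because the grant ID in the JWT matches the coreTokenId of the grant entry, a stateless access token can be traced back to its CTS record and cross-checked against it. The following is an added example, not ForgeRock code: it decodes the JWT payload, builds an escaped LDAP filter for the lookup, and lists the entry attributes that disagree with the token's claims. The attribute-to-claim mapping is read from the sample entry and sample token above and is an assumption, as are the function names; the token is constructed with a dummy signature.

```python
import base64
import json

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed token: claims copied from the article's sample, signature is a dummy.
CLAIMS = {"sub": "demo", "aud": "OIDCclient1", "realm": "/myRealm",
          "scope": ["openid", "profile"], "tokenName": "access_token",
          "authGrantId": "f58f19f9-7f3f-43db-be90-466643414143"}
SAMPLE_TOKEN = ".".join([b64url(b'{"typ":"JWT","alg":"HS256"}'),
                         b64url(json.dumps(CLAIMS).encode()), "constructed-signature"])

# The article's stateless grant entry, as single-valued attributes.
SAMPLE_ENTRY = {"coreTokenId": "f58f19f9-7f3f-43db-be90-466643414143",
                "coreTokenUserId": "demo", "coreTokenString04": "OIDCclient1",
                "coreTokenString11": "/myRealm", "coreTokenString06": "openid,profile",
                "coreTokenType": "OAUTH2_STATELESS_GRANT"}

def jwt_claims(token):
    """Decode the payload of a compact JWT without verifying the signature."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def ldap_escape(value):
    """Escape a string for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def cts_filter(claims):
    """Filter that finds the grant entry; the claim is untrusted, so it is escaped."""
    return "(coreTokenId=%s)" % ldap_escape(claims["authGrantId"])

def mismatches(claims, entry):
    """Attributes of the grant entry that disagree with the token's claims."""
    expected = {
        "coreTokenId": claims["authGrantId"],
        "coreTokenUserId": claims["sub"],
        "coreTokenString04": claims["aud"],          # client, per the sample entry
        "coreTokenString11": claims["realm"],        # realm, per the sample entry
        "coreTokenString06": ",".join(claims["scope"]),
    }
    return sorted(name for name, value in expected.items() if entry.get(name) != value)

if __name__ == "__main__":
    claims = jwt_claims(SAMPLE_TOKEN)
    print(cts_filter(claims))
    print(mismatches(claims, SAMPLE_ENTRY) or "token and CTS grant agree")
```

The payload is decoded only to locate the record; it says nothing about whether the token's signature is valid.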

Stateful OAuth2 Access token

The Stateful OAuth2 Access token in AM is:

  • Issued when the OAuth2 provider is not in stateless mode (no relationship to client-side sessions).
  • Used in all OAuth2 and OIDC flows.
  • Typically short-lived.

Stateful access token example

dn: coreTokenId=daaa2a39-ffe9-40a0-b0df-71dc6e278628,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenString11: abcdef
coreTokenObject: {"redirectURI":["http://example.com"],"parent":["cafdd8cc-b155-464a-a020-15013532578c"],"clientID":["OIDCclient1"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-290"],"tokenName":["access_token"],"userName":["demo"],"authGrantId":["6f10ad62-1be7-4ebe-aeea-81b7c9eb3735"],"nonce":["abcdef"],"expireTime":["1502145569132"],"grant_type":["authorization_code"],"scope":["openid","profile"],"realm":["/statefulRealm"],"id":["daaa2a39-ffe9-40a0-b0df-71dc6e278628"],"tokenType":["Bearer"],"refreshToken":["21f89047-4bcf-4d62-853b-d4fa22d632e5"]}
coreTokenString12: authorization_code
coreTokenString01: openid,profile
coreTokenString10: access_token
coreTokenString15: 6f10ad62-1be7-4ebe-aeea-81b7c9eb3735
coreTokenString04: http://example.com
coreTokenString05: 21f89047-4bcf-4d62-853b-d4fa22d632e5
coreTokenString02: cafdd8cc-b155-464a-a020-15013532578c
coreTokenString03: demo
coreTokenString08: /statefulRealm
coreTokenExpirationDate: 20170807223929.132Z
coreTokenString09: OIDCclient1
coreTokenId: daaa2a39-ffe9-40a0-b0df-71dc6e278628
coreTokenString07: Bearer
coreTokenType: OAUTH

Stateful OAuth2 Refresh token

The Stateful OAuth2 Refresh token in AM is:

  • Issued when the OAuth2 provider is not in stateless mode (no relationship to client-side sessions).
  • Used in the OAuth2 Code Grant flow, the Resource Owner Password flow and the OIDC Code / Hybrid flow.
  • Usually long-lived.
  • Exchanged for access tokens by clients.

Stateful refresh token example

dn: coreTokenId=21f89047-4bcf-4d62-853b-d4fa22d632e5,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"redirectURI":["http://example.com"],"clientID":["OIDCclient1"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-289"],"tokenName":["refresh_token"],"authModules":["DataStore"],"userName":["demo"],"authGrantId":["6f10ad62-1be7-4ebe-aeea-81b7c9eb3735"],"acr":[],"expireTime":["1502746769129"],"grant_type":["authorization_code"],"scope":["openid","profile"],"realm":["/statefulRealm"],"id":["21f89047-4bcf-4d62-853b-d4fa22d632e5"],"tokenType":["Bearer"]}
coreTokenString12: authorization_code
coreTokenString01: openid,profile
coreTokenString10: refresh_token
coreTokenString15: 6f10ad62-1be7-4ebe-aeea-81b7c9eb3735
coreTokenString04: http://example.com
coreTokenString03: demo
coreTokenString08: /statefulRealm
coreTokenExpirationDate: 20170814213929.129Z
coreTokenString09: OIDCclient1
coreTokenId: 21f89047-4bcf-4d62-853b-d4fa22d632e5
coreTokenString07: Bearer
coreTokenType: OAUTH

OpenID Connect OPS token

The OpenID Connect OPS token in AM:

  • Provides a link between the OIDC ID token and the user session that generated it.
  • Is required for the endSession and checkSession endpoints to function.
  • Can be disabled in the OAuth2 provider. It is good practice to disable this token if you are not using the endSession and checkSession endpoints; doing so can dramatically reduce the load on the CTS.
  • Is issued in the Code or Implicit flow if the openid scope is requested and it is enabled in the OAuth2 provider.
  • Contains a copy of the user SSO token (same as the access code token) - again, it is large when used in combination with a realm in client-side sessions mode.

Server-side session realm OPS token example

dn: coreTokenId=c23b5787-ace5-43c4-aeb3-369bbf4e07be,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"id":["c23b5787-ace5-43c4-aeb3-369bbf4e07be"],"ops":["AQIC5wM2LY4S...kyNgACUzEAAjAx*"],"expireTime":["1502145569141"]}
coreTokenExpirationDate: 20170807223929.141Z
coreTokenId: c23b5787-ace5-43c4-aeb3-369bbf4e07be
coreTokenType: OAUTH

Client-side session realm OPS token example

dn: coreTokenId=938fbe6a-cab6-48fc-ba42-3dbe82af61f3,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"id":["938fbe6a-cab6-48fc-ba42-3dbe82af61f3"],"ops":["AQIC5wM2LY4SfcyvKEBc-PhbFqsHH5ULidH1FMscUOKScfg.*AAJTSQACMDIAAlNLABQtMTkyNTUxMDA4NzgzNDA2ODIzNwACUzEAAjAx*eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0....2O4EYXM7sPN0YwW78aF2TzjLSEm-NQizNkzOpVCP2mw"],"expireTime":["1502145569471"]}
coreTokenExpirationDate: 20170807223929.471Z
coreTokenId: 938fbe6a-cab6-48fc-ba42-3dbe82af61f3
coreTokenType: OAUTH

OAuth2 Device Code token

The OAuth2 Device Code token in AM is:

  • Used to persist the code in the Device Code flow.
  • Typically short-lived.
  • In the same format in OAuth2 stateless and stateful modes.

Device code token example

dn: coreTokenId=501905e0-b350-47d5-92cc-161a4291116f,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"clientID":["OIDCclient1"],"expireTime":["1502142269359"],"user_code":["PDRxhXht"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-311"],"scope":["profile"],"tokenName":["device_code"],"response_type":["token"],"realm":["/statefulRealm"],"id":["501905e0-b350-47d5-92cc-161a4291116f"],"userName":["demo"],"AUTHORIZED":["true"]}
coreTokenString01: profile
coreTokenString10: device_code
coreTokenString14: PDRxhXht
coreTokenString03: demo
coreTokenString08: /statefulRealm
coreTokenExpirationDate: 20170807214429.359Z
coreTokenString09: OIDCclient1
coreTokenId: 501905e0-b350-47d5-92cc-161a4291116f
coreTokenType: OAUTH

Server-side Session token

The server-side Session token in AM:

  • Is created in the CTS when a user authenticates to a realm that is in server-side session mode (called CTS-based session mode in pre-AM 7.2).
  • Allows a user to remain authenticated even when the AM instance they authenticated with has been shut down.

Server-side Session token example

dn: coreTokenId=-8288022266790569769,ou=famrecords,ou=openam-session,ou=tokens,dc=am,dc=forgerock,dc=org
objectClass: top
objectClass: frCoreToken
coreTokenString11: /
coreTokenObject: {"clientDomain":"dc=am,dc=forgerock,dc=org","clientID":"id=amadmin,ou=user,dc=am,dc=forgerock,dc=org","cookieMode":true,"cookieStr":null,"creationTimeInMillis":1502229535517,"isSessionUpgrade":false,"listeners":{"9d16b2e1-50c2-43f8-86ce-97a67be1661a":true,"4bd2e5b4-22c8-4172-a2a6-b9f028e86dc8":true},"maxCachingTimeInMinutes":3,"maxIdleTimeInMinutes":30,"maxSessionTimeInMinutes":120,"restrictedTokensBySessionID":{},"sessionEventURLs":{},"sessionID":{"comingFromAuth":false,"cookieMode":null,"encryptedString":"AQIC5wM2LY4S...kyNgACUzEAAjAx*","sessionDomain":"dc=am,dc=forgerock,dc=org","sessionServer":"am3.example.com","sessionServerID":"01","sessionServerPort":"38080","sessionServerProtocol":"http","sessionServerURI":"/am"},"sessionProperties":{"Locale":"en","authInstant":"2017-08-08T21:58:55Z","Organization":"dc=am,dc=forgerock,dc=org","UserProfile":"Required","Principals":"amadmin","successURL":"/am/console","CharSet":"UTF8","Service":"ldapService","Host":"127.0.0.1","cookieSupport":"true","FullLoginURL":"/am/UI/Login?realm=%2F","AuthLevel":"0","clientType":"genericHTML","AMCtxId":"77a740625b90bc6301","loginURL":"/am/UI/Login","UserId":"amadmin","AuthType":"DataStore","sun.am.UniversalIdentifier":"id=amadmin,ou=user,dc=am,dc=forgerock,dc=org","amlbcookie":"01","HostName":"127.0.0.1","Principal":"id=amadmin,ou=user,dc=am,dc=forgerock,dc=org","UserToken":"amadmin"},"sessionState":"VALID","sessionType":"USER","timedOutTimeInSeconds":0}
coreTokenInteger07: 30
coreTokenString12: 1502229535517
coreTokenInteger06: 120
coreTokenString04: 1502229797863
coreTokenString05: AQIC5wM2LY4S...kyNgACUzEAAjAx*
coreTokenMultiString01: 9d16b2e1-50c2-43f8-86ce-97a67be1661a
coreTokenMultiString01: 4bd2e5b4-22c8-4172-a2a6-b9f028e86dc8
coreTokenExpirationDate: 20170809003317.863+0200
coreTokenUserId: id=amadmin,ou=user,dc=am,dc=forgerock,dc=org
coreTokenId: -8288022266790569769
coreTokenString06: shandle:AQIC5wM2LY4S...kyNgACUzEAAjAx*
coreTokenType: SESSION

Client-side Session Blacklist token

The Client-side Session Blacklist token in AM is:

  • Used to keep a record of client-side sessions that have been ended by logging out.
  • Created only when client-side sessions blacklist is enabled in global session properties.

Client-side session blacklist token example

dn: coreTokenId=7fac1a04-f358-4ed5-958b-48aac6dd5a34,ou=famrecords,ou=openam-session,ou=tokens,dc=am,dc=forgerock,dc=org
objectClass: top
objectClass: frCoreToken
coreTokenString01: 01
coreTokenDate01: 20170824151809.429Z
coreTokenExpirationDate: 20170824171908Z
coreTokenId: 7fac1a04-f358-4ed5-958b-48aac6dd5a34
coreTokenType: SESSION_BLACKLIST

See Also

Core Token Service (CTS) and sessions in AM

Core Token Service (CTS)

SNMP CTS object identifiers



Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.