ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I know what LDAP attributes are used by CTS tokens (OAuth 2.0 and session) in AM (All versions)?

Last updated Jan 16, 2023

The purpose of this article is to provide information on the LDAP attributes used by OAuth2 and session tokens in the CTS in AM. With this information, you can perform LDAP searches to retrieve token details from the CTS.



Overview

This is the first article in a two-part series, which is designed to help you understand CTS token types (OAuth2 and session) in AM. See How do I know what OAuth 2.0 and session token types are stored in the CTS in AM (All versions)? for the second part.

For SAML2 tokens, see How are SAML2 tokens stored in the CTS in AM (All versions)?

LDAP searches

You can use the information in these articles to query the CTS using ldapsearch: this article provides the LDAP attributes and the other article provides the data format. For example, to list a user's OAuth2 refresh tokens, filter on coreTokenString03=<user> and coreTokenString10=refresh_token, substituting your own DS host, port, bind credentials and CTS base DN. The bind DNs shown are the DS directory superuser; in production, prefer an account that only has read access to the CTS base DN, because these entries contain live session and OAuth2 tokens. For example:

  • DS 7 and later: $ ./ldapsearch --hostname ds.example.com --port 1389 --bindDN uid=admin --bindPassword password --baseDN "ou=famrecords,ou=openam-session,ou=tokens,dc=am,dc=forgerock,dc=org" "(&(coreTokenString03=demo)(coreTokenString10=refresh_token))"
  • Pre-DS 7: $ ./ldapsearch --hostname ds.example.com --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN "ou=famrecords,ou=openam-session,ou=tokens,dc=am,dc=forgerock,dc=org" "(&(coreTokenString03=demo)(coreTokenString10=refresh_token))"

LDAP attributes used by tokens

The CTS uses a generic LDAP schema for all token types (coreTokenType, coreTokenUserId, coreTokenString01 to coreTokenString16, the coreTokenMultiString attributes, and so on), so what a given attribute holds depends on the token type.

The following sections describe which tokens use which LDAP attributes and for what purpose:

OAuth2 Grant-Set Tokens (AM 6.5 and later)

The following table details which LDAP attributes are used by OAuth2 Grant-Set tokens in AM 6.5 and later, where:

  • Values in quotation marks are static values that all tokens of that type have in common (these are used to identify the token type).
  • Other entries describe the type of data that is contained in the given LDAP attribute.
  • coreTokenUserId and any coreTokenString attribute not listed are empty for this token type.

  LDAP Attribute          OAuth2 Grant-Set token
  ----------------------  ------------------------------------------------------------------------------------
  coreTokenType           "OAUTH2_GRANT_SET"
  coreTokenString03       user
  coreTokenString08       realm
  coreTokenString09       client ID
  coreTokenMultiString03  JSON representation of the OAuth2 Grant (access codes, refresh tokens and access tokens)

Stateless OAuth2 Tokens

The following table details which LDAP attributes are used by stateless OAuth2 tokens in AM, where:

  • Values in quotation marks are static values that all tokens of that type have in common (these are used to identify the token type).
  • Other entries describe the type of data that is contained in the given LDAP attribute.
  • An empty cell means the attribute is not set for that token type; coreTokenString attributes not listed are empty for both.

  LDAP Attribute     Stateless Access Code token     Stateless OAuth2 Grant token
  -----------------  ------------------------------  ----------------------------
  coreTokenUserId                                    user
  coreTokenType      "OAUTH"                         "OAUTH2_STATELESS_GRANT"
  coreTokenString01  scopes
  coreTokenString03  user
  coreTokenString04  redirect_uri                    client ID
  coreTokenString06  equal to true when code used    scope
  coreTokenString07  "Bearer"
  coreTokenString08  realm
  coreTokenString09  client ID
  coreTokenString10  "access_code"
  coreTokenString11  nonce                           realm
  coreTokenString15                                  grant ID

Other OAuth2 Tokens

The following table details which LDAP attributes are used by other OAuth2 tokens in AM. Static values such as OAUTH, Bearer, access_token, refresh_token and device_code are values that all tokens of that type have in common (these are used to identify the token type); the other entries describe the type of data that is contained in the given LDAP attribute. Attributes with no entry are not set for that token type.
LDAP Attribute Stateful OAuth2 Access token Stateful OAuth2 Refresh token OpenID Connect OPS token OAuth2 Device Code token
coreTokenUserId
coreTokenType OAUTH OAUTH OAUTH OAUTH
coreTokenString01 scopes scopes
coreTokenString02
coreTokenString03 user user
coreTokenString04 redirect_uri redirect_uri redirect_uri
coreTokenString05
coreTokenString06
coreTokenString07 Bearer Bearer
coreTokenString08 realm realm realm
coreTokenString09 client ID client ID client ID
coreTokenString10 access_token refresh_token device_code
coreTokenString11
coreTokenString12
coreTokenString13
coreTokenString14 device_code
coreTokenString15 grant type grant type
coreTokenString16

Session Tokens

The following table details which LDAP attributes are used by session tokens, where:

  • Values in quotation marks are static values that all tokens of that type have in common (these are used to identify the token type).
  • Other entries describe the type of data that is contained in the given LDAP attribute.
  • An empty cell means the attribute is not set for that token type; coreTokenString attributes not listed are empty for both.

  LDAP Attribute          Server-side Session token    Client-side Session Blacklist token
  ----------------------  ---------------------------  -----------------------------------
  coreTokenUserId         AM internal user DN          user
  coreTokenType           "SESSION"                    "SESSION_BLACKLIST"
  coreTokenString01       server id
  coreTokenString05       session token
  coreTokenString06       session handle
  coreTokenString11       realm
  coreTokenMultiString01  listeners
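As an added example that is not part of this article and is not ForgeRock code, the following Python script ties the LDAP searches section and the attribute tables above together: it builds ldapsearch filters from the identifying values in the tables, escapes user-supplied values per RFC 4515 so a crafted user name cannot widen the search, and classifies the entries in ldapsearch LDIF output by token type. The token kind names, the helper functions and the sample LDIF entries are assumptions of this example; the sample is constructed rather than captured, and the JSON shown in coreTokenMultiString03 is a placeholder, not the real grant format (that is covered by the second article in this series).

```python
"""Build CTS ldapsearch filters and classify CTS entries by token type.
Added example for this article, not ForgeRock code: token-type signatures
come from the article's attribute tables; the LDIF sample is constructed."""
import base64
# coreTokenType identifies most token types; OAUTH entries are told apart by
# the token name in coreTokenString10 (values from the article's tables).
TOKEN_SIGNATURES = {
    "oauth2_grant_set": {"coreTokenType": "OAUTH2_GRANT_SET"},
    "oauth2_stateless_grant": {"coreTokenType": "OAUTH2_STATELESS_GRANT"},
    "access_code": {"coreTokenType": "OAUTH", "coreTokenString10": "access_code"},
    "access_token": {"coreTokenType": "OAUTH", "coreTokenString10": "access_token"},
    "refresh_token": {"coreTokenType": "OAUTH", "coreTokenString10": "refresh_token"},
    "device_code": {"coreTokenType": "OAUTH", "coreTokenString10": "device_code"},
    "session": {"coreTokenType": "SESSION"},
    "session_blacklist": {"coreTokenType": "SESSION_BLACKLIST"},
}
# Attribute holding the plain user name where the tables give one. Server-side
# sessions are left out on purpose: their coreTokenUserId is the AM internal
# user DN, so a bare user name never matches them.
USER_ATTR = {
    "oauth2_grant_set": "coreTokenString03", "oauth2_stateless_grant": "coreTokenUserId",
    "access_code": "coreTokenString03", "access_token": "coreTokenString03",
    "refresh_token": "coreTokenString03", "session_blacklist": "coreTokenUserId",
}

def escape_filter_value(value):
    """RFC 4515 escaping, so 'a*)(coreTokenType=*' as a user name cannot widen the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(token_kind, user=None):
    """ldapsearch filter for one token type, optionally restricted to one user."""
    clauses = ["(%s=%s)" % (attr, escape_filter_value(val))
               for attr, val in TOKEN_SIGNATURES[token_kind].items()]
    if user is not None:
        clauses.append("(%s=%s)" % (USER_ATTR[token_kind], escape_filter_value(user)))
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"

def parse_ldif(text):
    """Minimal reader for ldapsearch output: unfolds lines, decodes base64 ('::') values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:]).decode("utf-8")
        current.setdefault(name, []).append(value.strip())
    return entries

def classify(entry):
    """Token kind of one parsed entry, or 'unknown' (e.g. OAUTH with no coreTokenString10)."""
    for kind, signature in TOKEN_SIGNATURES.items():
        if all(entry.get(a, [None])[0] == v for a, v in signature.items()):
            return kind
    return "unknown"

def find_tokens(ldif_text, user=None):
    """{coreTokenId: token kind} for all entries, or only those whose user attribute equals `user`."""
    found = {}
    for entry in parse_ldif(ldif_text):
        kind = classify(entry)
        if user is None or entry.get(USER_ATTR.get(kind), [None])[0] == user:
            found[entry["coreTokenId"][0]] = kind
    return found

# Constructed ldapsearch output, not captured from a real deployment. The JSON
# in coreTokenMultiString03 is a placeholder, not the real grant format.
SAMPLE_LDIF = """\
dn: coreTokenId=rt-0001,ou=famrecords,ou=openam-session,ou=tokens,dc=am,dc=forgerock,dc=org
coreTokenId: rt-0001
coreTokenType: OAUTH
coreTokenString03: demo
coreTokenString10: refresh_token

dn: coreTokenId=gs-0001,ou=famrecords,ou=openam-session,ou=tokens,dc=am,dc=forgerock,dc=org
coreTokenId: gs-0001
coreTokenType: OAUTH2_GRANT_SET
coreTokenString03: demo
coreTokenMultiString03: {"clientId":"myClient","refreshTokens":["rt-0001"],"accessTo
 kens":["at-0001"]}

dn: coreTokenId=sess-0001,ou=famrecords,ou=openam-session,ou=tokens,dc=am,dc=forgerock,dc=org
coreTokenId: sess-0001
coreTokenType: SESSION
coreTokenUserId: id=demo,ou=user,dc=am,dc=forgerock,dc=org
"""

if __name__ == "__main__":
    print(build_filter("refresh_token", "demo"))
    print(find_tokens(SAMPLE_LDIF, "demo"))
```

Running the script prints the same refresh-token filter as the ldapsearch example in the LDAP searches section and then the token kinds found for the user demo; note that the server-side session entry is not returned for demo, because the tables give its coreTokenUserId as the AM internal user DN rather than the bare user name.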

See Also

Core Token Service (CTS) and sessions in AM

Core Token Service (CTS)

SNMP CTS object identifiers

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.