How do I know what LDAP attributes are used by CTS tokens (OAuth2 and session) in AM (All versions)?
The purpose of this article is to provide information on the LDAP attributes used by OAuth2 and session tokens in the CTS in AM. With this information, you can perform LDAP searches to retrieve token details from the CTS.
2 readers recommend this article
Overview
This is the first article in a two-part series, which is designed to help you understand CTS token types (OAuth2 and session) in AM. See How do I know what OAuth2 and session token types are stored in the CTS in AM (All versions)? for the second part.
For SAML2 tokens, see How are SAML2 tokens stored in the CTS in AM (All versions)?
LDAP searches
You can use the information in these articles to query the CTS using ldapsearch, where this article provides the LDAP attributes and the other article provides the data format. For example, if you want to list user OAuth2 refresh tokens, you would filter on coreTokenString03=<user> and coreTokenString10=refresh_token. For example:
- DS 7 and later: $ ./ldapsearch --hostname ds1.example.com --port 1389 --bindDN uid=admin --bindPassword password --baseDN "ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org" "(&(coreTokenString03=demo)(coreTokenString10=refresh_token))"
- Pre-DS 7: $ ./ldapsearch --hostname ds1.example.com --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN "ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org" "(&(coreTokenString03=demo)(coreTokenString10=refresh_token))"
LDAP attributes used by tokens
The CTS uses a generic LDAP schema for all token types.
The following sections describe which tokens use which LDAP attributes and for what purpose:
- OAuth2 Grant-Set Tokens (AM 6.5 and later) - replacement for pre-AM 6.5
-
Stateless OAuth2 Tokens (AM 5.5 and later) - replacement for pre-AM 5.5:
- Stateless Access Code token
- Stateless OAuth2 Grant token
-
OAuth2 Tokens (AM 5 and 5.1.x):
- Access Code token
- Stateless OAuth2 Access token
- Stateless OAuth2 Refresh token
-
Other OAuth2 tokens:
- Stateful OAuth2 Access token
- Stateful OAuth2 Refresh token
- OpenID Connect OPS token
- OAuth2 Device Code token
-
Session Tokens:
- CTS-based Session token
- Client-based Session Blacklist token
OAuth2 Grant-Set Tokens (AM 6.5 and later)
The following table details which LDAP attributes are used by OAuth2 Grant-Set tokens in AM 6.5 and later, where:
- Items shown in bold are static values that all tokens of that type have in common (these are used to identify the token type).
- Items shown in italic describe the type of data that is contained in the given LDAP attribute.
| OAuth2 Grant-Set token | |
|---|---|
| coreTokenUserId | |
| coreTokenType | OAUTH2_GRANT_SET |
| coreTokenString01 | |
| coreTokenString02 | |
| coreTokenString03 | user |
| coreTokenString04 | |
| coreTokenString05 | |
| coreTokenString06 | |
| coreTokenString07 | |
| coreTokenString08 | realm |
| coreTokenString09 | client ID |
| coreTokenString10 | |
| coreTokenString11 | |
| coreTokenString12 | |
| coreTokenString13 | |
| coreTokenString14 | |
| coreTokenString15 | |
| coreTokenString16 | |
| coreTokenMultiString03 | JSON representation of the OAuth2 Grant (access codes, refresh tokens and access tokens) |
Stateless OAuth2 Tokens (AM 5.5 and later)
The following table details which LDAP attributes are used by stateless OAuth2 tokens in AM 5.5 and later, where:
- Items shown in bold are static values that all tokens of that type have in common (these are used to identify the token type).
- Items shown in italic describe the type of data that is contained in the given LDAP attribute.
| Stateless Access Code token | Stateless OAuth2 Grant token | |
|---|---|---|
| coreTokenUserId | user | |
| coreTokenType | OAUTH | OAUTH2_STATELESS_GRANT |
| coreTokenString01 | scopes | |
| coreTokenString02 | ||
| coreTokenString03 | user | |
| coreTokenString04 | redirect_uri | client ID |
| coreTokenString05 | ||
| coreTokenString06 | equal to true when code used | scope |
| coreTokenString07 | Bearer | |
| coreTokenString08 | realm | |
| coreTokenString09 | client ID | |
| coreTokenString10 | access_code | |
| coreTokenString11 | nonce | realm |
| coreTokenString12 | ||
| coreTokenString13 | ||
| coreTokenString14 | ||
| coreTokenString15 | grant ID | |
| coreTokenString16 |
OAuth2 Tokens (AM 5 and 5.1.x)
The following table details which LDAP attributes are used by OAuth2 tokens in pre-AM 5.5, where:
- Items shown in bold are static values that all tokens of that type have in common (these are used to identify the token type).
- Items shown in italic describe the type of data that is contained in the given LDAP attribute.
| LDAP Attribute | Access Code token | Stateless OAuth2 Access token | Stateless OAuth2 Refresh token |
|---|---|---|---|
| coreTokenUserId | user | user | |
| coreTokenType | OAUTH | OAUTH_STATELESS | OAUTH_STATELESS |
| coreTokenString01 | scopes | scopes | scopes |
| coreTokenString02 | |||
| coreTokenString03 | user | user | user |
| coreTokenString04 | redirect_uri | redirect_uri | redirect_uri |
| coreTokenString05 | |||
| coreTokenString06 | |||
| coreTokenString07 | Bearer | ||
| coreTokenString08 | realm | realm | realm |
| coreTokenString09 | client ID | client ID | client ID |
| coreTokenString10 | access_code | access_token | refresh_token |
| coreTokenString11 | nonce | Bearer | Bearer |
| coreTokenString12 | |||
| coreTokenString13 | session token | ||
| coreTokenString14 | access code | ||
| coreTokenString15 | grant type | ||
| coreTokenString16 |
Other OAuth2 Tokens
The following table details which LDAP attributes are used by other OAuth2 tokens in AM, where:
- Items shown in bold are static values that all tokens of that type have in common (these are used to identify the token type).
- Items shown in italic describe the type of data that is contained in the given LDAP attribute.
| LDAP Attribute | Stateful OAuth2 Access token | Stateful OAuth2 Refresh token | OpenID Connect OPS token | OAuth2 Device Code token |
|---|---|---|---|---|
| coreTokenUserId | ||||
| coreTokenType | OAUTH | OAUTH | OAUTH | OAUTH |
| coreTokenString01 | scopes | scopes | ||
| coreTokenString02 | ||||
| coreTokenString03 | user | user | ||
| coreTokenString04 | redirect_uri | redirect_uri | redirect_uri | |
| coreTokenString05 | ||||
| coreTokenString06 | ||||
| coreTokenString07 | Bearer | Bearer | ||
| coreTokenString08 | realm | realm | realm | |
| coreTokenString09 | client ID | client ID | client ID | |
| coreTokenString10 | access_token | refresh_token | device_code | |
| coreTokenString11 | ||||
| coreTokenString12 | ||||
| coreTokenString13 | ||||
| coreTokenString14 | device_code | |||
| coreTokenString15 | grant type | grant type | ||
| coreTokenString16 |
Session Tokens
The following table details which LDAP attributes are used by session tokens, where:
- Items shown in bold are static values that all tokens of that type have in common (these are used to identify the token type).
- Items shown in italic describe the type of data that is contained in the given LDAP attribute.
| LDAP Attribute | CTS-based Session token | Client-based Session Blacklist token |
|---|---|---|
| coreTokenUserId | AM internal user DN | user |
| coreTokenType | SESSION | SESSION_BLACKLIST |
| coreTokenString01 | server id | |
| coreTokenString02 | ||
| coreTokenString03 | ||
| coreTokenString04 | ||
| coreTokenString05 | session token | |
| coreTokenString06 | session handle | |
| coreTokenString07 | ||
| coreTokenString08 | ||
| coreTokenString09 | ||
| coreTokenString10 | ||
| coreTokenString11 | realm | |
| coreTokenString12 | ||
| coreTokenString13 | ||
| coreTokenString14 | ||
| coreTokenString15 | ||
| coreTokenString16 | ||
| coreTokenMultiString01 | listeners |
See Also
Core Token Service (CTS) and sessions in AM
Related Training
N/A
Related Issue Tracker IDs
N/A