How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I know what LDAP attributes are used by CTS tokens (OAuth2 and session) in AM (All versions)?

Last updated Apr 13, 2021

The purpose of this article is to provide information on the LDAP attributes used by OAuth2 and session tokens in the CTS in AM. With this information, you can perform LDAP searches to retrieve token details from the CTS.

Overview

This is the first article in a two-part series, which is designed to help you understand CTS token types (OAuth2 and session) in AM. See How do I know what OAuth2 and session token types are stored in the CTS in AM (All versions)? for the second part.

For SAML2 tokens, see How are SAML2 tokens stored in the CTS in AM (All versions)?

LDAP searches

You can use the information in these two articles to query the CTS with ldapsearch: this article provides the LDAP attributes, and the second article provides the data format. For instance, to list a user's OAuth2 refresh tokens, filter on coreTokenString03=<user> and coreTokenString10=refresh_token, as in these commands:

  • DS 7 and later: $ ./ldapsearch --hostname ds1.example.com --port 1389 --bindDN uid=admin --bindPassword password --baseDN "ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org" "(&(coreTokenString03=demo)(coreTokenString10=refresh_token))"
  • Pre-DS 7: $ ./ldapsearch --hostname ds1.example.com --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN "ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org" "(&(coreTokenString03=demo)(coreTokenString10=refresh_token))"
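The filter above takes a user identifier as input. When that identifier comes from a ticket, a form or a script argument, it must be escaped before it is placed in the filter, or a value such as "*" or "demo)(coreTokenType=*" matches far more than one user's tokens. The following added example (not part of the ForgeRock article or of AM) builds the article's two ldapsearch invocations with RFC 4515 filter escaping; the host, bind DNs and base DN are the article's own values, the function names are the example's.

```python
"""Build the article's CTS OAuth2 token lookups with a safely escaped filter.

Added example, not part of the ForgeRock article or of AM. The DS host,
bind DNs and CTS base DN are the article's own values; the function names
are this example's own.
"""
import shlex

# Base DN of the CTS token store used in the article's commands.
CTS_BASE_DN = "ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org"

# Static coreTokenString10 values the article lists for OAuth2 token types.
OAUTH2_TOKEN_KINDS = ("access_code", "access_token", "refresh_token", "device_code")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515, section 3).

    Backslash, '*', '(', ')', NUL and non-ASCII bytes become \\XX hex escapes,
    so the value is matched literally instead of rewriting the filter.
    """
    escaped = []
    for byte in value.encode("utf-8"):
        if byte in b"\\*()\x00" or byte > 0x7F:
            escaped.append("\\%02x" % byte)
        else:
            escaped.append(chr(byte))
    return "".join(escaped)


def cts_oauth2_filter(user: str, kind: str) -> str:
    """Filter for one user's OAuth2 tokens of one kind, as in the article:
    coreTokenString03 holds the user, coreTokenString10 the token kind."""
    if kind not in OAUTH2_TOKEN_KINDS:
        raise ValueError("unknown OAuth2 token kind: %r" % kind)
    return "(&(coreTokenString03=%s)(coreTokenString10=%s))" % (
        escape_filter_value(user), kind)


def ldapsearch_command(user: str, kind: str, *, ds7: bool = True,
                       host: str = "ds1.example.com", port: int = 1389,
                       password: str = "password") -> str:
    """Render the article's ldapsearch invocation as a shell-safe string.

    DS 7 and later bind as uid=admin; earlier DS versions use the
    cn=Directory Manager account, exactly as the article shows.
    """
    bind_dn = "uid=admin" if ds7 else "cn=Directory Manager"
    argv = ["./ldapsearch", "--hostname", host, "--port", str(port),
            "--bindDN", bind_dn, "--bindPassword", password,
            "--baseDN", CTS_BASE_DN, cts_oauth2_filter(user, kind)]
    # shlex.quote keeps the filter's parentheses and the space in the
    # pre-DS 7 bind DN from being interpreted by the shell.
    return " ".join(shlex.quote(arg) for arg in argv)


if __name__ == "__main__":
    print(ldapsearch_command("demo", "refresh_token"))
    # An attempted filter rewrite is rendered as a literal, harmless value.
    print(ldapsearch_command("demo)(coreTokenType=*", "refresh_token", ds7=False))
```

With ds7=True the output is the article's DS 7 command; with ds7=False it is the pre-DS 7 one. Only the user value is escaped; the token kind is restricted to the static values the tables list, so it never needs escaping.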

LDAP attributes used by tokens

The CTS uses a generic LDAP schema for all token types.

The following sections describe which tokens use which LDAP attributes and for what purpose:

OAuth2 Grant-Set Tokens (AM 6.5 and later)

The following table details which LDAP attributes are used by OAuth2 Grant-Set tokens in AM 6.5 and later, where:

  • Items shown in bold are static values that all tokens of that type have in common (these are used to identify the token type).
  • Items shown in italic describe the type of data that is contained in the given LDAP attribute.
  LDAP Attribute         | OAuth2 Grant-Set token
  -----------------------+-------------------------------------------------------------------------------------------
  coreTokenUserId        |
  coreTokenType          | OAUTH2_GRANT_SET
  coreTokenString01      |
  coreTokenString02      |
  coreTokenString03      | user
  coreTokenString04      |
  coreTokenString05      |
  coreTokenString06      |
  coreTokenString07      |
  coreTokenString08      | realm
  coreTokenString09      | client ID
  coreTokenString10      |
  coreTokenString11      |
  coreTokenString12      |
  coreTokenString13      |
  coreTokenString14      |
  coreTokenString15      |
  coreTokenString16      |
  coreTokenMultiString03 | JSON representation of the OAuth2 Grant (access codes, refresh tokens and access tokens)

Stateless OAuth2 Tokens (AM 5.5 and later)

The following table details which LDAP attributes are used by stateless OAuth2 tokens in AM 5.5 and later, where:

  • Items shown in bold are static values that all tokens of that type have in common (these are used to identify the token type).
  • Items shown in italic describe the type of data that is contained in the given LDAP attribute.
  LDAP Attribute    | Stateless Access Code token   | Stateless OAuth2 Grant token
  ------------------+------------------------------+-----------------------------
  coreTokenUserId   |                              | user
  coreTokenType     | OAUTH                        | OAUTH2_STATELESS_GRANT
  coreTokenString01 | scopes                       |
  coreTokenString02 |                              |
  coreTokenString03 | user                         |
  coreTokenString04 | redirect_uri                 | client ID
  coreTokenString05 |                              |
  coreTokenString06 | equal to true when code used | scope
  coreTokenString07 | Bearer                       |
  coreTokenString08 | realm                        |
  coreTokenString09 | client ID                    |
  coreTokenString10 | access_code                  |
  coreTokenString11 | nonce                        | realm
  coreTokenString12 |                              |
  coreTokenString13 |                              |
  coreTokenString14 |                              |
  coreTokenString15 | grant ID                     |
  coreTokenString16 |                              |

OAuth2 Tokens (AM 5 and 5.1.x)

The following table details which LDAP attributes are used by OAuth2 tokens in pre-AM 5.5, where:

  • Items shown in bold are static values that all tokens of that type have in common (these are used to identify the token type).
  • Items shown in italic describe the type of data that is contained in the given LDAP attribute.
  LDAP Attribute    | Access Code token | Stateless OAuth2 Access token | Stateless OAuth2 Refresh token
  ------------------+-------------------+-------------------------------+-------------------------------
  coreTokenUserId   |                   | user                          | user
  coreTokenType     | OAUTH             | OAUTH_STATELESS               | OAUTH_STATELESS
  coreTokenString01 | scopes            | scopes                        | scopes
  coreTokenString02 |                   |                               |
  coreTokenString03 | user              | user                          | user
  coreTokenString04 | redirect_uri      | redirect_uri                  | redirect_uri
  coreTokenString05 |                   |                               |
  coreTokenString06 |                   |                               |
  coreTokenString07 | Bearer            |                               |
  coreTokenString08 | realm             | realm                         | realm
  coreTokenString09 | client ID         | client ID                     | client ID
  coreTokenString10 | access_code       | access_token                  | refresh_token
  coreTokenString11 | nonce             | Bearer                        | Bearer
  coreTokenString12 |                   |                               |
  coreTokenString13 | session token     |                               |
  coreTokenString14 | access code       |                               |
  coreTokenString15 | grant type        |                               |
  coreTokenString16 |                   |                               |

Other OAuth2 Tokens

The following table details which LDAP attributes are used by other OAuth2 tokens in AM, where:

  • Items shown in bold are static values that all tokens of that type have in common (these are used to identify the token type).
  • Items shown in italic describe the type of data that is contained in the given LDAP attribute.
  LDAP Attribute    | Stateful OAuth2 Access token | Stateful OAuth2 Refresh token | OpenID Connect OPS token | OAuth2 Device Code token
  ------------------+------------------------------+-------------------------------+--------------------------+-------------------------
  coreTokenUserId   |                              |                               |                          |
  coreTokenType     | OAUTH                        | OAUTH                         | OAUTH                    | OAUTH
  coreTokenString01 | scopes                       | scopes                        |                          |
  coreTokenString02 |                              |                               |                          |
  coreTokenString03 | user                         | user                          |                          |
  coreTokenString04 | redirect_uri                 | redirect_uri                  |                          | redirect_uri
  coreTokenString05 |                              |                               |                          |
  coreTokenString06 |                              |                               |                          |
  coreTokenString07 | Bearer                       | Bearer                        |                          |
  coreTokenString08 | realm                        | realm                         |                          | realm
  coreTokenString09 | client ID                    | client ID                     |                          | client ID
  coreTokenString10 | access_token                 | refresh_token                 |                          | device_code
  coreTokenString11 |                              |                               |                          |
  coreTokenString12 |                              |                               |                          |
  coreTokenString13 |                              |                               |                          |
  coreTokenString14 |                              |                               |                          | device_code
  coreTokenString15 | grant type                   | grant type                    |                          |
  coreTokenString16 |                              |                               |                          |

Session Tokens

The following table details which LDAP attributes are used by session tokens, where:

  • Items shown in bold are static values that all tokens of that type have in common (these are used to identify the token type).
  • Items shown in italic describe the type of data that is contained in the given LDAP attribute.
  LDAP Attribute         | CTS-based Session token | Client-based Session Blacklist token
  -----------------------+-------------------------+-------------------------------------
  coreTokenUserId        | AM internal user DN     | user
  coreTokenType          | SESSION                 | SESSION_BLACKLIST
  coreTokenString01      |                         | server id
  coreTokenString02      |                         |
  coreTokenString03      |                         |
  coreTokenString04      |                         |
  coreTokenString05      | session token           |
  coreTokenString06      | session handle          |
  coreTokenString07      |                         |
  coreTokenString08      |                         |
  coreTokenString09      |                         |
  coreTokenString10      |                         |
  coreTokenString11      | realm                   |
  coreTokenString12      |                         |
  coreTokenString13      |                         |
  coreTokenString14      |                         |
  coreTokenString15      |                         |
  coreTokenString16      |                         |
  coreTokenMultiString01 | listeners               |
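Because the CTS schema is generic, raw ldapsearch output is a list of coreTokenStringNN values with no indication of what each one holds. The following added example (not part of the ForgeRock article or of AM) applies the mapping from the "Other OAuth2 Tokens", "OAuth2 Grant-Set Tokens" and "Session Tokens" tables above: it identifies each entry by its static coreTokenType and coreTokenString10 values, labels the data fields, and masks session tokens and handles, which are credentials, unless explicitly asked not to. The sample LDIF, token ids, user, client and function names are the example's own constructions.

```python
"""Decode CTS ldapsearch output into the fields the article's tables name.

Added example, not part of the ForgeRock article or of AM. The attribute
mapping is transcribed from the article's tables; the sample LDIF, token
ids, user, client and function names are this example's constructions.
"""
import base64

# Fields shared by stateful access and refresh tokens ("Other OAuth2 Tokens").
_STATEFUL_OAUTH2 = {
    "coreTokenString01": "scopes", "coreTokenString03": "user",
    "coreTokenString04": "redirect_uri", "coreTokenString08": "realm",
    "coreTokenString09": "client ID", "coreTokenString15": "grant type",
}

# (coreTokenType, coreTokenString10) -> (token name, attribute -> field).
TOKEN_LAYOUTS = {
    ("OAUTH", "access_token"): ("Stateful OAuth2 Access token", _STATEFUL_OAUTH2),
    ("OAUTH", "refresh_token"): ("Stateful OAuth2 Refresh token", _STATEFUL_OAUTH2),
    ("OAUTH", "device_code"): ("OAuth2 Device Code token", {
        "coreTokenString04": "redirect_uri", "coreTokenString08": "realm",
        "coreTokenString09": "client ID", "coreTokenString14": "device_code"}),
    ("OAUTH2_GRANT_SET", None): ("OAuth2 Grant-Set token", {
        "coreTokenString03": "user", "coreTokenString08": "realm",
        "coreTokenString09": "client ID", "coreTokenMultiString03": "grant JSON"}),
    ("SESSION", None): ("CTS-based Session token", {
        "coreTokenUserId": "AM internal user DN", "coreTokenString05": "session token",
        "coreTokenString06": "session handle", "coreTokenString11": "realm",
        "coreTokenMultiString01": "listeners"}),
    ("SESSION_BLACKLIST", None): ("Client-based Session Blacklist token", {
        "coreTokenUserId": "user", "coreTokenString01": "server id"}),
}

# These values are credentials in their own right: mask them by default.
SECRET_FIELDS = ("session token", "session handle")


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values and returns one {attribute: [values]} dict per entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(attr, []).append(value.strip())
    return entries


def decode_entry(entry, reveal_secrets=False):
    """Identify the token by its static attributes, then label its data fields."""
    token_type = entry.get("coreTokenType", [None])[0]
    kind = entry.get("coreTokenString10", [None])[0] if token_type == "OAUTH" else None
    if (token_type, kind) not in TOKEN_LAYOUTS:
        raise ValueError("no layout for coreTokenType=%r, coreTokenString10=%r"
                         % (token_type, kind))
    name, layout = TOKEN_LAYOUTS[(token_type, kind)]
    decoded = {"token_type": name}
    for attr, field in layout.items():
        if attr in entry:
            value = entry[attr][0]
            if field in SECRET_FIELDS and not reveal_secrets:
                value = "***" + value[-4:]  # keep a tail for correlation only
            decoded[field] = value
    return decoded


def decode_ldif(text, reveal_secrets=False):
    """Decode every entry in a block of ldapsearch output."""
    return [decode_entry(e, reveal_secrets) for e in parse_ldif(text)]


# Constructed sample shaped like ldapsearch output under the article's base DN.
SAMPLE_LDIF = """\
dn: coreTokenId=tok-EXAMPLE-1,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org
coreTokenType: OAUTH
coreTokenString01: openid profile
coreTokenString03: demo
coreTokenString08: /
coreTokenString09: myClient
coreTokenString10: refresh_token
coreTokenString15: authorization_code

dn: coreTokenId=sess-EXAMPLE-1,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org
coreTokenType: SESSION
coreTokenUserId: id=demo,ou=user,dc=openam,dc=forgerock,dc=org
coreTokenString05: AQIC5wM2EXAMPLESESSIONTOKEN
coreTokenString06: shandle/EXAMPLEHANDLE1234
coreTokenString11: /
"""
```

Feed the text printed by the article's ldapsearch command to decode_ldif to get one labelled dict per token (token type, user, client ID, realm, and so on). Stateless token layouts, which differ between AM versions, are deliberately left unmapped and raise ValueError so that a mis-labelled field cannot slip through silently.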

See Also

Core Token Service (CTS) and sessions in AM

Core Token Service Guide (CTS)

Maintenance Guide › SNMP CTS Object Identifiers

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.