Understanding CTS token types in AM/OpenAM

The purpose of this book is to provide detailed information on the OAuth2 and session tokens that are written to the CTS in AM/OpenAM.


How do I know what LDAP attributes are used by CTS tokens in AM (All versions) and OpenAM 13.x?

The purpose of this article is to provide information on the LDAP attributes used by OAuth2 and session tokens in the CTS in AM/OpenAM. With this information, you can perform LDAP searches to retrieve token details from the CTS.

Overview

This is the first article in a two part series, which is designed to help you understand CTS token types (OAuth2 and session) in AM/OpenAM.

See How do I know what token types are stored in the CTS in AM (All versions) and OpenAM 13.x? for the second part.

LDAP searches

You can use the information in these articles to query the CTS using ldapsearch: this article provides the LDAP attributes and the other article provides the data format. For example, to list a user's OAuth2 refresh tokens, filter on coreTokenString03=<user> and coreTokenString10=refresh_token:

$ ./ldapsearch --hostname ds1.example.com --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN "ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org" "(&(coreTokenString03=demo)(coreTokenString10=refresh_token))"

LDAP attributes used by tokens

The CTS uses a generic LDAP schema for all token types. At present, the schema has undergone three revisions:

  • AM 5 - Additional multi-value attributes and indices.
  • OpenAM 13 - Update coreTokenDate01 index to 'ordering' to improve client-based session blacklist performance.
  • OpenAM 11 - Major change from the OpenAM 10.1.0-Xpress schema.

The following sections describe which tokens use which LDAP attributes and for what purpose:

OAuth2 Grant-Set Tokens (AM 6.5 and later)

The following table details which LDAP attributes are used by OAuth2 Grant-Set tokens in AM 6.5 and later, where:

  • Static values that all tokens of that type have in common (used to identify the token type) are shown as literal values, for example OAUTH2_GRANT_SET.
  • Entries in angle brackets, for example <user>, describe the type of data contained in the given LDAP attribute.

LDAP Attribute         | OAuth2 Grant-Set token
-----------------------|--------------------------------------------------------------------------------------
coreTokenUserId        |
coreTokenType          | OAUTH2_GRANT_SET
coreTokenString01      |
coreTokenString02      |
coreTokenString03      | <user>
coreTokenString04      |
coreTokenString05      |
coreTokenString06      |
coreTokenString07      |
coreTokenString08      | <realm>
coreTokenString09      | <client ID>
coreTokenString10      |
coreTokenString11      |
coreTokenString12      |
coreTokenString13      |
coreTokenString14      |
coreTokenString15      |
coreTokenString16      |
coreTokenMultiString03 | <JSON representation of the OAuth2 Grant (access codes, refresh tokens and access tokens)>

Stateless OAuth2 Tokens (AM 5.5 and later)

The following table details which LDAP attributes are used by stateless OAuth2 tokens in AM 5.5 and later, where:

  • Static values that all tokens of that type have in common (used to identify the token type) are shown as literal values, for example OAUTH or access_code.
  • Entries in angle brackets, for example <user>, describe the type of data contained in the given LDAP attribute.

LDAP Attribute    | Stateless Access Code token    | Stateless OAuth2 Grant token
------------------|--------------------------------|-----------------------------
coreTokenUserId   |                                | <user>
coreTokenType     | OAUTH                          | OAUTH2_STATELESS_GRANT
coreTokenString01 | <scopes>                       |
coreTokenString02 |                                |
coreTokenString03 | <user>                         |
coreTokenString04 | <redirect_uri>                 | <client ID>
coreTokenString05 |                                |
coreTokenString06 | <equal to true when code used> | <scope>
coreTokenString07 | Bearer                         |
coreTokenString08 | <realm>                        |
coreTokenString09 | <client ID>                    |
coreTokenString10 | access_code                    |
coreTokenString11 | <nonce>                        | <realm>
coreTokenString12 |                                |
coreTokenString13 |                                |
coreTokenString14 |                                |
coreTokenString15 | <grant ID>                     |
coreTokenString16 |                                |

OAuth2 Tokens (AM 5, 5.1.x and OpenAM 13.x)

The following table details which LDAP attributes are used by OAuth2 tokens in pre-AM 5.5, where:

  • Static values that all tokens of that type have in common (used to identify the token type) are shown as literal values, for example OAUTH_STATELESS or refresh_token.
  • Entries in angle brackets, for example <user>, describe the type of data contained in the given LDAP attribute.

LDAP Attribute    | Access Code token | Stateless OAuth2 Access token | Stateless OAuth2 Refresh token
------------------|-------------------|-------------------------------|-------------------------------
coreTokenUserId   |                   | <user>                        | <user>
coreTokenType     | OAUTH             | OAUTH_STATELESS               | OAUTH_STATELESS
coreTokenString01 | <scopes>          | <scopes>                      | <scopes>
coreTokenString02 |                   |                               |
coreTokenString03 | <user>            | <user>                        | <user>
coreTokenString04 | <redirect_uri>    | <redirect_uri>                | <redirect_uri>
coreTokenString05 |                   |                               |
coreTokenString06 |                   |                               |
coreTokenString07 | Bearer            |                               |
coreTokenString08 | <realm>           | <realm>                       | <realm>
coreTokenString09 | <client ID>       | <client ID>                   | <client ID>
coreTokenString10 | access_code       | access_token                  | refresh_token
coreTokenString11 | <nonce>           | Bearer                        | Bearer
coreTokenString12 |                   |                               |
coreTokenString13 | <session token>   |                               |
coreTokenString14 | <access code>     |                               |
coreTokenString15 | <grant type>      |                               |
coreTokenString16 |                   |                               |

Other OAuth2 Tokens

The following table details which LDAP attributes are used by other OAuth2 tokens in AM/OpenAM, where:

  • Static values that all tokens of that type have in common (used to identify the token type) are shown as literal values, for example OAUTH or device_code.
  • Entries in angle brackets, for example <user>, describe the type of data contained in the given LDAP attribute.

LDAP Attribute    | Stateful OAuth2 Access token | Stateful OAuth2 Refresh token | OpenID Connect OPS token | OAuth2 Device Code token
------------------|------------------------------|-------------------------------|--------------------------|-------------------------
coreTokenUserId   |                              |                               |                          |
coreTokenType     | OAUTH                        | OAUTH                         | OAUTH                    | OAUTH
coreTokenString01 | <scopes>                     | <scopes>                      |                          |
coreTokenString02 |                              |                               |                          |
coreTokenString03 | <user>                       | <user>                        |                          |
coreTokenString04 | <redirect_uri>               | <redirect_uri>                |                          | <redirect_uri>
coreTokenString05 |                              |                               |                          |
coreTokenString06 |                              |                               |                          |
coreTokenString07 | Bearer                       | Bearer                        |                          |
coreTokenString08 | <realm>                      | <realm>                       |                          | <realm>
coreTokenString09 | <client ID>                  | <client ID>                   |                          | <client ID>
coreTokenString10 | access_token                 | refresh_token                 |                          | device_code
coreTokenString11 |                              |                               |                          |
coreTokenString12 |                              |                               |                          |
coreTokenString13 |                              |                               |                          |
coreTokenString14 |                              |                               |                          | <device_code>
coreTokenString15 | <grant type>                 | <grant type>                  |                          |
coreTokenString16 |                              |                               |                          |

Session Tokens

The following table details which LDAP attributes are used by session tokens, where:

  • Static values that all tokens of that type have in common (used to identify the token type) are shown as literal values, for example SESSION or SESSION_BLACKLIST.
  • Entries in angle brackets, for example <user>, describe the type of data contained in the given LDAP attribute.

LDAP Attribute         | CTS-based Session token (AM 5 and later) | CTS-based Session token (OpenAM 13.x) | Client-based Session Blacklist token
-----------------------|------------------------------------------|---------------------------------------|-------------------------------------
coreTokenUserId        | <AM internal user DN>                    | <OpenAM internal user DN>             | <user>
coreTokenType          | SESSION                                  | SESSION                               | SESSION_BLACKLIST
coreTokenString01      |                                          | <latest access time>                  | <server id>
coreTokenString02      |                                          | <session token>                       |
coreTokenString03      |                                          | <session handle>                      |
coreTokenString04      |                                          |                                       |
coreTokenString05      | <session token>                          |                                       |
coreTokenString06      | <session handle>                         |                                       |
coreTokenString07      |                                          |                                       |
coreTokenString08      |                                          |                                       |
coreTokenString09      |                                          |                                       |
coreTokenString10      |                                          |                                       |
coreTokenString11      | <realm>                                  |                                       |
coreTokenString12      |                                          |                                       |
coreTokenString13      |                                          |                                       |
coreTokenString14      |                                          |                                       |
coreTokenString15      |                                          |                                       |
coreTokenString16      |                                          |                                       |
coreTokenMultiString01 | <listeners>                              |                                       |

See Also

Core Token Service (CTS) and sessions in AM/OpenAM

Installation Guide › Implementing the Core Token Service

Installation Guide › Core Token Service (CTS) Object Identifiers

Related Training

N/A

Related Issue Tracker IDs

N/A


How do I know what token types are stored in the CTS in AM (All versions) and OpenAM 13.x?

The purpose of this article is to provide information on the OAuth2 and session token types stored in the CTS in AM/OpenAM with example token formats included. With this information, you can perform LDAP searches to retrieve token details from the CTS.

Overview

This is the second article in a two part series, which is designed to help you understand CTS token types (OAuth2 and session) in AM/OpenAM.

See How do I know what LDAP attributes are used by CTS tokens in AM (All versions) and OpenAM 13.x? for the first part.

LDAP searches

You can use the information in these articles to query the CTS using ldapsearch: the other article provides the LDAP attributes and this article provides the data format. For example, to list a user's OAuth2 refresh tokens, filter on coreTokenString03=<user> and coreTokenString10=refresh_token:

$ ./ldapsearch --hostname ds1.example.com --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN "ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org" "(&(coreTokenString03=demo)(coreTokenString10=refresh_token))"
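The following Python script is an added example, not part of the original articles: it parses the LDIF that ldapsearch prints for CTS entries, classifies each entry with the coreTokenType / coreTokenString10 mapping from the attribute tables in the first article, parses coreTokenExpirationDate (including the +0200 form seen in the session example), and applies the same attribute filter as the ldapsearch command above. The sample entries are trimmed from examples in this article and the reference instant is constructed.

```python
"""Decode CTS token entries from ldapsearch LDIF output (added example)."""
import re
from datetime import datetime, timedelta, timezone
# From the attribute tables: coreTokenType, refined by the token name in
# coreTokenString10 for OAUTH / OAUTH_STATELESS (none means the OPS token).
TOKEN_KIND = {
    ("OAUTH2_GRANT_SET", None): "OAuth2 Grant-Set",
    ("OAUTH2_STATELESS_GRANT", None): "Stateless OAuth2 Grant",
    ("OAUTH_STATELESS", "access_token"): "Stateless OAuth2 Access",
    ("OAUTH_STATELESS", "refresh_token"): "Stateless OAuth2 Refresh",
    ("OAUTH", "access_code"): "Access Code",
    ("OAUTH", "access_token"): "Stateful OAuth2 Access",
    ("OAUTH", "refresh_token"): "Stateful OAuth2 Refresh",
    ("OAUTH", "device_code"): "OAuth2 Device Code",
    ("OAUTH", None): "OpenID Connect OPS",
    ("SESSION", None): "CTS-based Session",
    ("SESSION_BLACKLIST", None): "Client-based Session Blacklist",
}
# LDAP GeneralizedTime as the CTS writes it: YYYYMMDDHHMMSS[.fff](Z|+HHMM|-HHMM)
GENERALIZED_TIME = re.compile(r"^(\d{14})(?:\.(\d{1,3}))?(Z|[+-]\d{4})$")

def parse_generalized_time(value):
    """20170814213929.129Z or 20170809003317.863+0200 -> aware datetime."""
    m = GENERALIZED_TIME.match(value.strip())
    if not m:
        raise ValueError("unsupported GeneralizedTime: %r" % value)
    base, frac, zone = m.groups()
    dt = datetime.strptime(base, "%Y%m%d%H%M%S")
    if frac:  # the fraction is milliseconds in the examples above
        dt = dt.replace(microsecond=int(frac.ljust(3, "0")) * 1000)
    if zone == "Z":
        return dt.replace(tzinfo=timezone.utc)
    offset = timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5]))
    return dt.replace(tzinfo=timezone(offset if zone[0] == "+" else -offset))

def parse_ldif(text):
    """One dict per entry (attribute -> list of values); folded lines rejoined."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:       # ldapsearch folds long values
            current[last][-1] += raw[1:]
        elif not raw.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
        else:
            name, _, value = raw.partition(":")
            last = name.strip()
            current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def classify(entry):
    """Token kind from coreTokenType, refined by coreTokenString10."""
    ctype = entry.get("coreTokenType", [None])[0]
    name = entry.get("coreTokenString10", [None])[0]
    return TOKEN_KIND.get((ctype, name), TOKEN_KIND.get((ctype, None), "unknown"))

def summarize(text, now):
    """id, kind, user and expiry state of every entry relative to `now`."""
    rows = []
    for e in parse_ldif(text):
        exp = e.get("coreTokenExpirationDate", [None])[0]
        expires = parse_generalized_time(exp) if exp else None
        rows.append({
            "id": e.get("coreTokenId", [None])[0],
            "kind": classify(e),
            # OAuth2 tokens: coreTokenString03; session tokens: coreTokenUserId
            "user": (e.get("coreTokenString03") or e.get("coreTokenUserId") or [None])[0],
            "expires": expires,
            "expired": expires is not None and expires <= now,
        })
    return rows

def select(text, **attrs):
    """Ids of entries matching every attr=value, like the LDAP AND filter above."""
    return [e["coreTokenId"][0] for e in parse_ldif(text)
            if all(v in e.get(a, []) for a, v in attrs.items())]

# Constructed sample trimmed from entries in this article; first dn folded as ldapsearch does.
SAMPLE_LDIF = """\
dn: coreTokenId=21f89047-4bcf-4d62-853b-d4fa22d632e5,ou=famrecords,ou=openam-sess
 ion,ou=tokens,o=openam
coreTokenString10: refresh_token
coreTokenString03: demo
coreTokenExpirationDate: 20170814213929.129Z
coreTokenId: 21f89047-4bcf-4d62-853b-d4fa22d632e5
coreTokenType: OAUTH

dn: coreTokenId=c23b5787-ace5-43c4-aeb3-369bbf4e07be,ou=famrecords,ou=openam-session,ou=tokens,o=openam
coreTokenExpirationDate: 20170807223929.141Z
coreTokenId: c23b5787-ace5-43c4-aeb3-369bbf4e07be
coreTokenType: OAUTH

dn: coreTokenId=-8288022266790569769,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org
coreTokenExpirationDate: 20170809003317.863+0200
coreTokenUserId: id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org
coreTokenId: -8288022266790569769
coreTokenType: SESSION
"""
```

Call summarize(SAMPLE_LDIF, parse_generalized_time("20170810000000Z")) to see the three sample entries classified and flagged for expiry against the constructed reference instant.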

CTS token types

AM 5.5 introduced a number of improvements to the OAuth2 tokens stored in the CTS. The changes were specifically designed to reduce the number of writes to the CTS, thereby improving the performance of the entire system.

This article looks at the following CTS token types in detail (the token details apply to all AM and OpenAM 13.x releases unless otherwise stated).

OAuth2 Grant-Set token (AM 6.5 and later)

The OAuth2 Grant-Set token in AM 6.5 and later:

  • Stores the state of multiple authorizations for a given OAuth2 client and resource owner pair. Previously, this state was spread across multiple OAUTH and OAUTH2_STATELESS_GRANT entries.
  • Acts as a container for all authorizations:
    • Stateless access code tokens and grant tokens.
    • Stateful access code tokens, access tokens and refresh tokens.
  • Reduces the amount of data stored in the CTS by removing duplication, and reduces the number of operations against the CTS.

Stateless Grant-Set token example

dn: coreTokenId=kOrkxaDZ6fYcUrcE0c3PEMFIGNk,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org
objectClass: frCoreToken
objectClass: top
coreTokenExpirationDate: 20190522143603.155Z
coreTokenId: kOrkxaDZ6fYcUrcE0c3PEMFIGNk
coreTokenMultiString03: {"g":"kOrkxaDZ6fYcUrcE0c3PEMFIGNk.xuPxwKKadXjWvMfKg9WFzvqIOC4","gx":1529062484276,"_s":["openid","profile"],"a":"kOrkxaDZ6fYcUrcE0c3PEMFIGNk.vm6gyeD5t8mF8nTYQ1XQBYTskMo","ax":1528454203638,"aati":"809b87b3-4fad-4ca1-9312-a7f0c669fd6c-34347","ai":true,"au":"https://www.example.com","asi":"UmR8fqI7iG1lmmbQdMBUVXvr2u8.*AAJTSQACMDIAAlNLABxFNXVzNDJlcnZyY1VnV0JQU2ZWbitkbEtiUms9AAR0eXBlAANDVFMAAlMxAAIwMQ..*","ast":"1234","_am":"DataStore","_acr":"0","gt":[]}
coreTokenString03: demo
coreTokenString08: /myRealm
coreTokenString09: OIDCclient1
coreTokenType: OAUTH2_GRANT_SET

Stateful Grant-Set token example

dn: coreTokenId=fx-GTfShtRhmJ89qMNVkxLx339U,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org
objectClass: frCoreToken
objectClass: top
coreTokenExpirationDate: 20181211094355.401Z
coreTokenId: fx-GTfShtRhmJ89qMNVkxLx339U
coreTokenMultiString03: {"g":"fx-GTfShtRhmJ89qMNVkxLx339U.BwOWUGadbho7rKgCYj5Uq1XuRPc","gx":0,"_s":["openid","profile"],"a":"fx-GTfShtRhmJ89qMNVkxLx339U.0g7urZwlwyK_5gUOlC49t4PVUPo","ax":1540546982500,"aati":"fb479915-c2aa-42b3-ad76-b7eb3de950c5-338537161","ai":true,"au":"http://example.com","asi":"xE5imkWhvI66-6gg1lkGjQgmGdU.*AAJTSQACMDIAAlNLABxJNmxnTElxTXFQdEU0b040RUtzN2JUakV6dEk9AAR0eXBlAANDVFMAAlMxAAIwMQ..*","ast":"1234","_am":"DataStore","_acr":"0","r":"fx-GTfShtRhmJ89qMNVkxLx339U.vXS04FRzuWulPMomSoVDnZvj-6s","rx":1541151662549,"rgt":"authorization_code","rtt":"Bearer","rtn":"refresh_token","rati":"fb479915-c2aa-42b3-ad76-b7eb3de950c5-338537554","ro":"jS474J1xvNZwD-uLeJJeTDWjAzI","_at":1540546862,"_al":0,"gt":[{"t":"fx-GTfShtRhmJ89qMNVkxLx339U.SGEDFJ5BkuuKXKHVeV24_IzoHRg","tx":1540550462814,"tgt":"authorization_code","ts":["openid","profile"],"ttn":"access_token","tati":"fb479915-c2aa-42b3-ad76-b7eb3de950c5-338537841","tck":null}]}
coreTokenString03: demo
coreTokenString08: /myRealm
coreTokenString09: OIDCclient1
coreTokenType: OAUTH2_GRANT_SET

Stateless Access Code token (AM 5.5 and later)

The Stateless Access Code token in AM 5.5 and later:

  • Is used in the OAuth2/OIDC Authorization Code flow and the OIDC Hybrid flow.
  • Provides state for the code that is used by the client to retrieve an access token.
  • Does not contain the session token of the session that generated the request in an indexable attribute, which differs from the equivalent token in previous versions of AM/OpenAM.
  • Uses the value of the access code to form the unique identity of the subsequent grant token.
  • Sets coreTokenString06 to true when the code is used and consent is granted, which also differs from the equivalent token in previous versions of AM/OpenAM.

Stateless access code example

dn: coreTokenId=4e915f7a-08ec-4c65-915f-2256d6c3a503,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"redirectURI":["http://example.com"],"clientID":["OIDCclient1"],"ssoTokenId":["mJLebOGs9Y4rAE_JY0uSaS_SVwM.*AAJTSQACMDEAAlNLABwvbWJRSVJ4aGdVcUhHTmNUTkRZVjAxcVl4eFE9AAJTMQAA*"],"auditTrackingId":["a7180708-c39b-4f92-90ea-b2b8bb79ec75-83912"],"tokenName":["access_code"],"authModules":["DataStore"],"code_challenge_method":[],"userName":["demo"],"nonce":["abcdef"],"authGrantId":["f58f19f9-7f3f-43db-be90-466643414143"],"acr":[],"expireTime":["1523281431770"],"scope":["openid","profile"],"claims":[null],"realm":["/myRealm"],"id":["4e915f7a-08ec-4c65-915f-2256d6c3a503"],"state":[],"tokenType":["Bearer"],"code_challenge":[],"issued":["true"]}
coreTokenString11: abcdef
coreTokenString01: openid,profile
coreTokenString10: access_code
coreTokenString04: http://example.com
coreTokenString15: f58f19f9-7f3f-43db-be90-466643414143
coreTokenString03: demo
coreTokenExpirationDate: 20180409134351.770Z
coreTokenString08: /myRealm
coreTokenString09: OIDCclient1
coreTokenId: 4e915f7a-08ec-4c65-915f-2256d6c3a503
coreTokenString06: true
coreTokenString07: Bearer
coreTokenType: OAUTH

Stateless OAuth2 Grant token (AM 5.5 and later)

The Stateless OAuth2 Grant token in AM 5.5 and later:

  • Replaces the stateless Access and Refresh tokens of previous versions of AM/OpenAM with a single token indicating that a grant took place.
  • Prevents additional data from being written to the CTS when a new access token is issued from an existing refresh token with an existing grant ID.
  • Uses the grant ID value from the preceding Access Code token when this token is generated in the OAuth2 Code flow.
  • Has a grant ID (authGrantId) in the stateless OAuth2 JWT that matches the coreTokenId in the DN of the token in the CTS.

Stateless grant token example 

dn: coreTokenId=f58f19f9-7f3f-43db-be90-466643414143,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org
objectClass: top
objectClass: frCoreToken
coreTokenObject: {}
coreTokenString11: /myRealm
coreTokenString04: OIDCclient1
coreTokenExpirationDate: 20180416144152.757Z
coreTokenUserId: demo
coreTokenId: f58f19f9-7f3f-43db-be90-466643414143
coreTokenString06: openid,profile
coreTokenType: OAUTH2_STATELESS_GRANT

An access token issued from this CTS grant token may look like this:

{
  "sub": "demo",
  "auth_level": 0,
  "auditTrackingId": "610b705d-51a9-43e1-b59a-47b372b9d3ae",
  "iss": "http://am3.example.com:38080/am0551/oauth2/myRealm",
  "tokenName": "access_token",
  "token_type": "Bearer",
  "authGrantId": "f58f19f9-7f3f-43db-be90-466643414143",
  "nonce": "abcdef",
  "aud": "OIDCclient1",
  "nbf": 1523281312,
  "grant_type": "authorization_code",
  "scope": [
    "openid",
    "profile"
  ],
  "auth_time": 1523281311000,
  "realm": "/myRealm",
  "exp": 1523284912,
  "iat": 1523281312,
  "expires_in": 3600,
  "jti": "c35e5c2a-081b-417f-82c5-2708781816d6"
}

Access Code token (AM 5, 5.1.x and OpenAM 13.x)

The Access Code token in pre-AM 5.5:

  • Is used in the OAuth2/OIDC Authorization Code flow and the OIDC Hybrid flow.
  • Provides state for the code that is used by the client to retrieve an access token.
  • Is short lived - the lifetime is defined by Authorization Code Lifetime in the OAuth2 provider.
  • Has the same format in both stateless and stateful OAuth2 modes.
  • Contains a copy of the user SSO token - it is large when used in combination with a realm in client-based sessions mode.

CTS-based session realm token example

dn: coreTokenId=cafdd8cc-b155-464a-a020-15013532578c,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenString11: abcdef
coreTokenObject: {"redirectURI":["http://example.com"],"clientID":["OIDCclient1"],"ssoTokenId":["AQIC5wM2LY4S...kyNgACUzEAAjAx*"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-280"],"tokenName":["access_code"],"authModules":["DataStore"],"code_challenge_method":[],"userName":["demo"],"nonce":["abcdef"],"authGrantId":["6f10ad62-1be7-4ebe-aeea-81b7c9eb3735"],"acr":[],"expireTime":["1502142089100"],"scope":["openid","profile"],"claims":[null],"realm":["/statefulRealm"],"id":["cafdd8cc-b155-464a-a02015013532578c"],"tokenType":["Bearer"],"code_challenge":[],"issued":["true"]}
coreTokenString01: openid,profile
coreTokenString10: access_code
coreTokenString15: 6f10ad62-1be7-4ebe-aeea-81b7c9eb3735
coreTokenString04: http://example.com
coreTokenString13: AQIC5wM2LY4S...kyNgACUzEAAjAx*
coreTokenString03: demo
coreTokenString08: /statefulRealm
coreTokenExpirationDate: 20170807214129.100Z
coreTokenString09: OIDCclient1
coreTokenId: cafdd8cc-b155-464a-a020-15013532578c
coreTokenString06: true
coreTokenString07: Bearer
coreTokenType: OAUTH

Client-based session realm token example

dn: coreTokenId=60742780-8ad6-4091-a277-8d24bd69938d,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenString11: abcdef
coreTokenObject: {"redirectURI":["http://example.com"],"clientID":["OIDCclient2"],"ssoTokenId":["AQIC5wM2LY4SfcyvKEBc-PhbFqsHH5ULidH1FMscUOKScfg.*AAJTSQACMDIAAlNLABQtMTkyNTUxMDA4NzgzNDA2ODIzNwACUzEAAjAx*eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0...2O4EYXM7sPN0YwW78aF2TzjLSEm-NQizNkzOpVCP2mw"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-330"],"tokenName":["access_code"],"authModules":["DataStore"],"code_challenge_method":[],"userName":["demo"],"nonce":["abcdef"],"authGrantId":["1e70b499-2860-4b06-9bd8-3b202197a3a7"],"acr":[],"expireTime":["1502142089432"],"scope":["openid","profile"],"claims":[null],"realm":["/statelessRealm"],"id":["60742780-8ad6-4091-a277-8d24bd69938d"],"tokenType":["Bearer"],"code_challenge":[],"issued":["true"]}
coreTokenString01: openid,profile
coreTokenString10: access_code
coreTokenString15: 1e70b499-2860-4b06-9bd8-3b202197a3a7
coreTokenString04: http://example.com
coreTokenString13: AQIC5wM2LY4SfcyvKEBc-PhbFqsHH5ULidH1FMscUOKScfg.*AAJTSQACMDIAAlNLABQtMTkyNTUxMDA4NzgzNDA2ODIzNwACUzEAAjAx*eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0...2O4EYXM7sPN0YwW78aF2TzjLSEm-NQizNkzOpVCP2mw
coreTokenString03: demo
coreTokenString08: /statelessRealm
coreTokenExpirationDate: 20170807214129.432Z
coreTokenString09: OIDCclient2
coreTokenId: 60742780-8ad6-4091-a277-8d24bd69938d
coreTokenString06: true
coreTokenString07: Bearer
coreTokenType: OAUTH 

Stateless OAuth2 Access token (AM 5, 5.1.x and OpenAM 13.x)

The Stateless OAuth2 Access token in pre-AM 5.5 is:

  • Issued when the OAuth2 provider is in stateless mode (no relationship to client-based sessions).
  • Used in all OAuth2 and OIDC flows.
  • Usually short lived.
  • A JWT containing the information provided by the relevant scopes. Clients can introspect the token without having to visit an additional endpoint; the stored token contains a reference found in the issued JWT.

Stateless access token example

dn: coreTokenId=7fdce636-eede-4f0a-90d3-34e0ea24374c,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenString12: Bearer
coreTokenString01: openid,profile
coreTokenString10: refresh_token
coreTokenString15: 1e70b499-2860-4b06-9bd8-3b202197a3a7
coreTokenString03: demo
coreTokenString08: /statelessRealm
coreTokenExpirationDate: 20170814213929.460Z
coreTokenUserId: demo
coreTokenString09: OIDCclient2
coreTokenId: 7fdce636-eede-4f0a-90d3-34e0ea24374c
coreTokenType: OAUTH_STATELESS

Stateless OAuth2 Refresh token (AM 5, 5.1.x and OpenAM 13.x)

The Stateless OAuth2 Refresh token in pre-AM 5.5 is:

  • Issued when the OAuth2 provider is in stateless mode (no relationship to client-based sessions).
  • Used in the OAuth2 Code flow and the OIDC Code / Hybrid flow.
  • Usually long lived.
  • Exchanged for access tokens by clients.
  • A JWT containing the information provided by the relevant scopes. Clients can introspect the token without having to visit an additional endpoint; the stored token contains a reference found in the issued JWT.

Stateless refresh token example 

dn: coreTokenId=7fdce636-eede-4f0a-90d3-34e0ea24374c,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenString12: Bearer
coreTokenString01: openid,profile
coreTokenString10: refresh_token
coreTokenString15: 1e70b499-2860-4b06-9bd8-3b202197a3a7
coreTokenString03: demo
coreTokenString08: /statelessRealm
coreTokenExpirationDate: 20170814213929.460Z
coreTokenUserId: demo
coreTokenString09: OIDCclient2
coreTokenId: 7fdce636-eede-4f0a-90d3-34e0ea24374c
coreTokenType: OAUTH_STATELESS 

Stateful OAuth2 Access token

The Stateful OAuth2 Access token in AM/OpenAM is:

  • Issued when the OAuth2 provider is not in stateless mode (no relationship to client-based sessions).
  • Used in all OAuth2 and OIDC flows.
  • Typically short lived.

Stateful access token example

dn: coreTokenId=daaa2a39-ffe9-40a0-b0df-71dc6e278628,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenString11: abcdef
coreTokenObject: {"redirectURI":["http://example.com"],"parent":["cafdd8cc-b155-464a-a020-15013532578c"],"clientID":["OIDCclient1"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-290"],"tokenName":["access_token"],"userName":["demo"],"authGrantId":["6f10ad62-1be7-4ebe-aeea-81b7c9eb3735"],"nonce":["abcdef"],"expireTime":["1502145569132"],"grant_type":["authorization_code"],"scope":["openid","profile"],"realm":["/statefulRealm"],"id":["daaa2a39-ffe9-40a0-b0df-71dc6e278628"],"tokenType":["Bearer"],"refreshToken":["21f89047-4bcf-4d62-853b-d4fa22d632e5"]}
coreTokenString12: authorization_code
coreTokenString01: openid,profile
coreTokenString10: access_token
coreTokenString15: 6f10ad62-1be7-4ebe-aeea-81b7c9eb3735
coreTokenString04: http://example.com
coreTokenString05: 21f89047-4bcf-4d62-853b-d4fa22d632e5
coreTokenString02: cafdd8cc-b155-464a-a020-15013532578c
coreTokenString03: demo
coreTokenString08: /statefulRealm
coreTokenExpirationDate: 20170807223929.132Z
coreTokenString09: OIDCclient1
coreTokenId: daaa2a39-ffe9-40a0-b0df-71dc6e278628
coreTokenString07: Bearer
coreTokenType: OAUTH

Stateful OAuth2 Refresh token

The Stateful OAuth2 Refresh token in AM/OpenAM is:

  • Issued when the OAuth2 provider is not in stateless mode (no relationship to client-based sessions).
  • Used in the OAuth2 Code Grant flow, the Resource Owner Password flow and the OIDC Code / Hybrid flow.
  • Usually long lived.
  • Exchanged for access tokens by clients.

Stateful refresh token example

dn: coreTokenId=21f89047-4bcf-4d62-853b-d4fa22d632e5,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"redirectURI":["http://example.com"],"clientID":["OIDCclient1"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-289"],"tokenName":["refresh_token"],"authModules":["DataStore"],"userName":["demo"],"authGrantId":["6f10ad62-1be7-4ebe-aeea-81b7c9eb3735"],"acr":[],"expireTime":["1502746769129"],"grant_type":["authorization_code"],"scope":["openid","profile"],"realm":["/statefulRealm"],"id":["21f89047-4bcf-4d62-853b-d4fa22d632e5"],"tokenType":["Bearer"]}
coreTokenString12: authorization_code
coreTokenString01: openid,profile
coreTokenString10: refresh_token
coreTokenString15: 6f10ad62-1be7-4ebe-aeea-81b7c9eb3735
coreTokenString04: http://example.com
coreTokenString03: demo
coreTokenString08: /statefulRealm
coreTokenExpirationDate: 20170814213929.129Z
coreTokenString09: OIDCclient1
coreTokenId: 21f89047-4bcf-4d62-853b-d4fa22d632e5
coreTokenString07: Bearer
coreTokenType: OAUTH

OpenID Connect OPS token

The OpenID Connect OPS token in AM/OpenAM:

  • Provides a link between the OIDC ID token and the user session that generated it.
  • Is required for the endSession and checkSession endpoints to function.
  • Can be disabled in the OAuth2 provider. It is good practice to disable this token if you are not using the endSession and checkSession endpoints; doing so can dramatically reduce the load on the CTS.
  • Is issued in the Code or Implicit flow if the openid scope is requested and it is enabled in the OAuth2 provider.
  • Contains a copy of the user SSO token (same as the access code token) - again, it is large when used in combination with a realm in client-based sessions mode.

CTS-based session realm OPS token example

dn: coreTokenId=c23b5787-ace5-43c4-aeb3-369bbf4e07be,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"id":["c23b5787-ace5-43c4-aeb3-369bbf4e07be"],"ops":["AQIC5wM2LY4S...kyNgACUzEAAjAx*"],"expireTime":["1502145569141"]}
coreTokenExpirationDate: 20170807223929.141Z
coreTokenId: c23b5787-ace5-43c4-aeb3-369bbf4e07be
coreTokenType: OAUTH

Client-based session realm OPS token example

dn: coreTokenId=938fbe6a-cab6-48fc-ba42-3dbe82af61f3,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"id":["938fbe6a-cab6-48fc-ba42-3dbe82af61f3"],"ops":["AQIC5wM2LY4SfcyvKEBc-PhbFqsHH5ULidH1FMscUOKScfg.*AAJTSQACMDIAAlNLABQtMTkyNTUxMDA4NzgzNDA2ODIzNwACUzEAAjAx*eyAidHlwIjogIkpXVCIsICJhbGciOiAiSFMyNTYiIH0...2O4EYXM7sPN0YwW78aF2TzjLSEm-NQizNkzOpVCP2mw"],"expireTime":["1502145569471"]}
coreTokenExpirationDate: 20170807223929.471Z
coreTokenId: 938fbe6a-cab6-48fc-ba42-3dbe82af61f3
coreTokenType: OAUTH 

OAuth2 Device Code token

The OAuth2 Device Code token in AM/OpenAM is:

  • Used to persist the code in the Device Code flow.
  • Typically short lived.
  • In the same format in OAuth2 stateless and stateful modes.

Device code token example

dn: coreTokenId=501905e0-b350-47d5-92cc-161a4291116f,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"clientID":["OIDCclient1"],"expireTime":["1502142269359"],"user_code":["PDRxhXht"],"auditTrackingId":["ff85ab51-f0b6-48e2-85af-bc26feca5a98-311"],"scope":["profile"],"tokenName":["device_code"],"response_type":["token"],"realm":["/statefulRealm"],"id":["501905e0-b350-47d5-92cc-161a4291116f"],"userName":["demo"],"AUTHORIZED":["true"]}
coreTokenString01: profile
coreTokenString10: device_code
coreTokenString14: PDRxhXht
coreTokenString03: demo
coreTokenString08: /statefulRealm
coreTokenExpirationDate: 20170807214429.359Z
coreTokenString09: OIDCclient1
coreTokenId: 501905e0-b350-47d5-92cc-161a4291116f
coreTokenType: OAUTH 

CTS-based Session token (AM 5 and later)

The CTS-based Session token in AM 5 and later:

  • Is created in the CTS when a user authenticates to a realm that is in CTS-based session mode.
  • Allows a user to remain authenticated even when the AM instance they authenticated with has been shut down.
  • Is not compatible with the equivalent token in OpenAM 13.5.x and earlier.

CTS-based Session token example

dn: coreTokenId=-8288022266790569769,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org
objectClass: top
objectClass: frCoreToken
coreTokenString11: /
coreTokenObject: {"clientDomain":"dc=openam,dc=forgerock,dc=org","clientID":"id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org","cookieMode":true,"cookieStr":null,"creationTimeInMillis":1502229535517,"isSessionUpgrade":false,"listeners":{"9d16b2e1-50c2-43f8-86ce-97a67be1661a":true,"4bd2e5b4-22c8-4172-a2a6-b9f028e86dc8":true},"maxCachingTimeInMinutes":3,"maxIdleTimeInMinutes":30,"maxSessionTimeInMinutes":120,"restrictedTokensBySessionID":{},"sessionEventURLs":{},"sessionID":{"comingFromAuth":false,"cookieMode":null,"encryptedString":"AQIC5wM2LY4S...kyNgACUzEAAjAx*","sessionDomain":"dc=openam,dc=forgerock,dc=org","sessionServer":"am3.example.com","sessionServerID":"01","sessionServerPort":"38080","sessionServerProtocol":"http","sessionServerURI":"/am5"},"sessionProperties":{"Locale":"en","authInstant":"2017-08-08T21:58:55Z","Organization":"dc=openam,dc=forgerock,dc=org","UserProfile":"Required","Principals":"amadmin","successURL":"/am5/console","CharSet":"UTF8","Service":"ldapService","Host":"127.0.0.1","cookieSupport":"true","FullLoginURL":"/am5/UI/Login?realm=%2F","AuthLevel":"0","clientType":"genericHTML","AMCtxId":"77a740625b90bc6301","loginURL":"/am5/UI/Login","UserId":"amadmin","AuthType":"DataStore","sun.am.UniversalIdentifier":"id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org","amlbcookie":"01","HostName":"127.0.0.1","Principal":"id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org","UserToken":"amadmin"},"sessionState":"VALID","sessionType":"USER","timedOutTimeInSeconds":0}
coreTokenInteger07: 30
coreTokenString12: 1502229535517
coreTokenInteger06: 120
coreTokenString04: 1502229797863
coreTokenString05: AQIC5wM2LY4S...kyNgACUzEAAjAx*
coreTokenMultiString01: 9d16b2e1-50c2-43f8-86ce-97a67be1661a
coreTokenMultiString01: 4bd2e5b4-22c8-4172-a2a6-b9f028e86dc8
coreTokenExpirationDate: 20170809003317.863+0200
coreTokenUserId: id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org
coreTokenId: -8288022266790569769
coreTokenString06: shandle:AQIC5wM2LY4S...kyNgACUzEAAjAx*
coreTokenType: SESSION

CTS-based Session token (OpenAM 13.x)

The CTS-based Session token in OpenAM 13.x:

  • Is created in the CTS when a user authenticates to a realm that is in CTS-based session mode and the OpenAM deployment has session failover enabled.
  • Allows a user to remain authenticated even when the OpenAM instance they authenticated with has been shut down.
  • Is not compatible with the equivalent token in AM 5 and later.

CTS-based Session token example

dn: coreTokenId=-6412296181144271926,ou=famrecords,ou=openam-session,ou=tokens,o=openam
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"clientDomain":"o=statefulrealm,ou=services,o=openam","clientID":"id=demo,ou=user,o=statefulrealm,ou=services,o=openam","cookieMode":null,"cookieStr":null,"creationTime":1502141969,"isISStored":true,"maxCachingTime":3,"maxIdleTime":30,"maxSessionTime":120,"reschedulePossible":false,"restrictedTokensBySid":{},"sessionEventURLs":{"http://am1.example.com:18080/am1350/notificationservice":[{"comingFromAuth":false,"cookieMode":null,"encryptedString":"AQIC5wM2LY4S...kyNgACUzEAAjAx*","sessionDomain":"","sessionServer":"am.example.com","sessionServerID":"02","sessionServerPort":"8000","sessionServerProtocol":"http","sessionServerURI":"/am1350"}]},"sessionID":{"comingFromAuth":false,"cookieMode":null,"encryptedString":"AQIC5wM2LY4S...kyNgACUzEAAjAx*","sessionDomain":"o=statefulrealm,ou=services,o=openam","sessionServer":"am.example.com","sessionServerID":"02","sessionServerPort":"8000","sessionServerProtocol":"http","sessionServerURI":"/am1350"},"sessionProperties":{"CharSet":"UTF-8","UserId":"demo","FullLoginURL":"/am1350/UI/Login?realm=%2FstatefulRealm","successURL":"/am1350/console","cookieSupport":"true","AuthLevel":"0","UserToken":"demo","loginURL":"/am1350/UI/Login","Principals":"demo","Service":"ldapService","sun.am.UniversalIdentifier":"id=demo,ou=user,o=statefulrealm,ou=services,o=openam","amlbcookie":"01","Organization":"o=statefulrealm,ou=services,o=openam","Locale":"en_US","HostName":"127.0.0.1","AuthType":"DataStore","Host":"127.0.0.1","UserProfile":"Required","AMCtxId":"f0444f0bf43ab5d701","clientType":"genericHTML","authInstant":"2017-08-07T21:39:29Z","Principal":"id=demo,ou=user,o=statefulrealm,ou=services,o=openam"},"sessionState":1,"sessionType":0,"timedOutAt":0,"willExpireFlag":true}
coreTokenString01: 1502141969
coreTokenString02: AQIC5wM2LY4S...kyNgACUzEAAjAx*
coreTokenString03: shandle:AQIC5wM2LY4S...kyNgACUzEAAjAx*
coreTokenExpirationDate: 20170808001429.080+0200
coreTokenUserId: id=demo,ou=user,o=statefulrealm,ou=services,o=openam
coreTokenId: -6412296181144271926
coreTokenType: SESSION

Client-based Session Blacklist token

The Client-based Session Blacklist token in AM/OpenAM is:

  • Used to keep a record of client-based sessions that have been ended by logging out.
  • Created only when client-based sessions blacklist is enabled in global session properties.

Client-based session blacklist token example

dn: coreTokenId=7fac1a04-f358-4ed5-958b-48aac6dd5a34,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org
objectClass: top
objectClass: frCoreToken
coreTokenString01: 01
coreTokenDate01: 20170824151809.429Z
coreTokenExpirationDate: 20170824171908Z
coreTokenId: 7fac1a04-f358-4ed5-958b-48aac6dd5a34
coreTokenType: SESSION_BLACKLIST
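The following script is an added example, not ForgeRock code, showing how an administrator can read CTS entries from an ldapsearch export like the two shown above and answer the questions this article raises: how many tokens of each coreTokenType are present, which of them are already past coreTokenExpirationDate (a sign the reaper or DS-side expiry is not keeping up), and what the JSON in coreTokenObject contains. The sample LDIF is constructed from the session token and session blacklist token examples above, with the coreTokenObject value shortened; the minimal LDIF reader and the GeneralizedTime parser are written here and assume the full YYYYMMDDhhmmss[.fraction](Z|+hhmm) form that CTS writes.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Constructed input: the two entries shown above (a CTS-based session token and a
# client-based session blacklist token), with the coreTokenObject JSON shortened.
# The first DN is folded across two lines the way LDIF output folds long values.
SAMPLE_LDIF = """\
dn: coreTokenId=-6412296181144271926,ou=famrecords,ou=openam-session,ou=tokens,
 o=openam
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"clientID":"id=demo,ou=user,o=statefulrealm,ou=services,o=openam","maxIdleTime":30,"maxSessionTime":120,"sessionState":1}
coreTokenString01: 1502141969
coreTokenExpirationDate: 20170808001429.080+0200
coreTokenUserId: id=demo,ou=user,o=statefulrealm,ou=services,o=openam
coreTokenId: -6412296181144271926
coreTokenType: SESSION

dn: coreTokenId=7fac1a04-f358-4ed5-958b-48aac6dd5a34,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org
objectClass: top
objectClass: frCoreToken
coreTokenString01: 01
coreTokenDate01: 20170824151809.429Z
coreTokenExpirationDate: 20170824171908Z
coreTokenId: 7fac1a04-f358-4ed5-958b-48aac6dd5a34
coreTokenType: SESSION_BLACKLIST
"""


def parse_ldif(text):
    """Minimal LDIF reader (written for this example): returns one dict per entry
    mapping attribute name to a list of string values, 'dn' included. Handles
    folded lines and base64 ('attr:: ...') values; change records are out of scope."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation line (RFC 2849)
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:             # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return entries


def parse_generalized_time(value):
    """Parse the LDAP GeneralizedTime forms CTS writes, e.g. 20170824171908Z or
    20170808001429.080+0200, into a timezone-aware datetime."""
    if value.endswith("Z"):
        body, tz = value[:-1], timezone.utc
    else:
        body, sign, offset = value[:-5], value[-5], value[-4:]
        delta = timedelta(hours=int(offset[:2]), minutes=int(offset[2:]))
        tz = timezone(delta if sign == "+" else -delta)
    micro = 0
    if "." in body or "," in body:
        body, _, fraction = body.replace(",", ".").partition(".")
        micro = int((fraction + "000000")[:6])   # fraction of a second -> microseconds
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(microsecond=micro, tzinfo=tz)


def token_object(entry):
    """Decode the JSON blob carried in coreTokenObject (None if the entry has none)."""
    raw = entry.get("coreTokenObject")
    return json.loads(raw[0]) if raw else None


def inventory(entries, now):
    """Count tokens per coreTokenType and return the DNs of tokens whose
    coreTokenExpirationDate is already in the past at 'now'. Expired tokens that
    are still present indicate the reaper (or DS-side expiry) is not keeping up."""
    counts, expired = {}, []
    for entry in entries:
        ttype = entry.get("coreTokenType", ["UNKNOWN"])[0]
        counts[ttype] = counts.get(ttype, 0) + 1
        exp = entry.get("coreTokenExpirationDate")
        if exp and parse_generalized_time(exp[0]) <= now:
            expired.append(entry["dn"][0])
    return counts, expired


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    counts, expired = inventory(entries, parse_generalized_time("20170824160000Z"))
    print(counts)    # {'SESSION': 1, 'SESSION_BLACKLIST': 1}
    print(expired)   # the session token's DN (expired on 2017-08-07 22:14:29 UTC)
    print(token_object(entries[0])["maxSessionTime"])   # 120
```

To use it on a real export, redirect an ldapsearch over the ou=famrecords subtree to a file and pass its contents to parse_ldif; pass the current UTC time to inventory. Note that the session token's expiration is written with a +0200 offset while the blacklist token's uses Z, so comparing the raw strings would give wrong answers; the parser normalizes both to an instant.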

See Also

Core Token Service (CTS) and sessions in AM/OpenAM

Installation Guide › Implementing the Core Token Service

Installation Guide › Core Token Service (CTS) Object Identifiers

Related Training

N/A

Related Issue Tracker IDs

N/A


How do I delete all or some of the tokens in the CTS store in AM (All versions)?

The purpose of this article is to provide information on how an administrator can clean up tokens in the Core Token Service (CTS) store. This article covers deleting all tokens in the CTS and deleting just a subset (for example, only Refresh tokens). This information should not be used in lieu of a properly configured/tuned CTS.

Overview

By default, AM manages expired tokens using its reaper service, although you can use DS to manage token expiration instead if you prefer. You should configure the CTS reaper and then tune your CTS store appropriately to ensure tokens are being removed in an efficient manner. See the following links for further information:

However, even with the reaper running well and pruning expired tokens as expected, there may be occasions when you need to manually delete all tokens in the CTS or delete just a subset. For example, if you have been load testing, you may want to delete all the test tokens that were created before running further tests. Alternatively, you may need to clean up tokens that have built up as a result of an improperly configured/tuned CTS that is not adequate for your environment or specific deployment needs; if this is the case, you should ensure you tune the CTS properly to prevent a build-up in the future.

Note

Tuning the CTS is outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.

This article guides you through each scenario, with different processes depending on the size of your dataset:

Caution

Deleting tokens will end all sessions associated with them.

Example values

These example processes use the following values:

  • A BaseDN of "dc=openam,dc=forgerock,dc=org"
  • The parent DN for tokens is "ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org"
  • A backendID of cts-store for the CTS server database.
  • The LDAP port is 50389
  • The DS admin port is 4444
  • The hostname is host1.example.com

You should adjust these values as needed for your environment and ensure you include the --useSsl and --trustAll options if you are using LDAPS.

Deleting and re-creating token parent DN (all tokens, less than 500k entries)

The quickest, easiest and most efficient way to delete all tokens from a small dataset is to delete the parent DN (which holds all the tokens) and re-create it. For large datasets, you should use the LDIF export / import approach described in the following section.

Note

These example steps disable the LDAP/LDAPS connection handler that AM is configured to communicate on to stop updates reaching the CTS instance. You must use an alternative LDAP connector for subsequent LDAP operations. If this is not possible, consider temporarily changing the port or blocking communications at the network level instead.

You can delete all tokens as follows:

  1. Navigate to the bin directory of DS.
  2. Disable the LDAP/LDAPS connection handler so that AM stops sending traffic to this node. This assumes you have an alternative LDAP connection handler available for the subsequent LDAP operations. For example, to disable the LDAP connection handler:
    $ ./dsconfig set-connection-handler-prop --hostname host1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --handler-name LDAP --set enabled:false --trustAll --no-prompt
  3. Create an LDIF of the ou=famrecords entry (a one-level search under its parent DN):
    $ ./ldapsearch --hostname host1.example.com --port 50389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN "ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org" --searchScope one "(objectclass=*)" > parent.ldif
  4. Delete the ou=famrecords DN together with its subtree (this is the step that removes all the tokens):
    $ ./ldapdelete --hostname host1.example.com --port 50389 --bindDN "cn=Directory Manager" --bindPassword password --deleteSubtree "ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org"
  5. Re-create the ou=famrecords DN using the LDIF file you created in step 3:
    $ ./ldapmodify --hostname host1.example.com --port 50389 --bindDN "cn=Directory Manager" --bindPassword password -f parent.ldif
  6. Rebuild all indexes:
    $ ./rebuild-index --hostname host1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --baseDN "dc=openam,dc=forgerock,dc=org" --rebuildAll
  7. Allow replication to bring all other CTS nodes back into sync with this empty instance (replication should sync the deletes and then the adds across all replicas). If you don't want to generate a lot of replication traffic with these deletes/adds, you can speed up the process by re-initializing all other nodes from this instance. For example:
    $ ./dsreplication initialize-all --hostname host1.example.com --port 4444 --baseDN dc=openam,dc=forgerock,dc=org --adminUID admin --adminPassword password --no-prompt
  8. Re-enable the LDAP/LDAPS connection handler so that AM resumes sending traffic to this node. For example, to enable the LDAP connection handler:
    $ ./dsconfig set-connection-handler-prop --hostname host1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --handler-name LDAP --set enabled:true --trustAll --no-prompt

LDIF exporting and importing all data excluding tokens (all tokens, more than 500k entries)

This approach removes all tokens and is best suited to a large dataset, since you must shut down the CTS instance first. In essence, you create an LDIF file containing all data except the tokens. You then import this LDIF to overwrite the contents of the database; the import process automatically rebuilds the indexes.

Note

These example steps disable the LDAP/LDAPS connection handler that AM is configured to communicate on to stop updates reaching the CTS instance. You must use an alternative LDAP connector for subsequent LDAP operations. If this is not possible, consider temporarily changing the port or blocking communications at the network level instead.

You can delete all tokens as follows:

  1. Navigate to the bin directory of DS.
  2. Disable the LDAP/LDAPS connection handler so that AM stops sending traffic to this node. This assumes you have an alternative LDAP connection handler available for the subsequent LDAP operations. For example, to disable the LDAP connection handler:
    $ ./dsconfig set-connection-handler-prop --hostname host1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --handler-name LDAP --set enabled:false --trustAll --no-prompt
  3. Shut down the CTS server.
  4. Take an LDIF export that excludes every entry with the frCoreToken object class:
    $ ./export-ldif --backendID cts-store --ldifFile /path/to/export.ldif --excludeFilter "(objectclass=frCoreToken)" --offline
  5. Check that the file excludes all tokens.
  6. Import the LDIF:
    $ ./import-ldif --backendID cts-store --ldifFile /path/to/export.ldif --skipFile /tmp/skips.txt --rejectFile /tmp/rejects.txt --offline
  7. Start the CTS server.
  8. Re-initialize all other nodes from this instance to bring all other CTS nodes back into sync with this empty instance. For example:
    $ ./dsreplication initialize-all --hostname host1.example.com --port 4444 --baseDN dc=openam,dc=forgerock,dc=org --adminUID admin --adminPassword password --no-prompt
  9. Re-enable the LDAP/LDAPS connection handler so that AM resumes sending traffic to this node. For example, to enable the LDAP connection handler:
    $ ./dsconfig set-connection-handler-prop --hostname host1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --handler-name LDAP --set enabled:true --trustAll --no-prompt

Defining a subset of tokens

The following example processes delete all Refresh tokens. This is done by filtering/searching on tokens where coreTokenString10 (token type) is set to refresh_token, for example:

"(coreTokenString10=refresh_token)"

You can amend these processes to look for other token types or other LDAP attributes as needed to define a subset of tokens. See How do I know what LDAP attributes are used by CTS tokens in AM (All versions) and OpenAM 13.x? for information on the attributes and values available.

You can use these attributes together to refine your subset further. For instance, you could include the coreTokenExpirationDate attribute as well to filter tokens before or after a certain timestamp. For example, the following would only affect refresh tokens with an expiration date before 01/01/2019:

"(&(coreTokenString10=refresh_token)(coreTokenExpirationDate<=20190101000000.0Z))"

Deleting using ldapsearch and ldapdelete (subset of tokens, less than 500k entries)

The best way to delete a subset of tokens from the CTS for a small dataset is to use ldapsearch to look for all tokens where coreTokenString10 (token type) is set to refresh_token and then issue a delete operation for each one found. For large datasets, you should use the LDIF export / import approach described in the following section.

Note

This process assumes replication will remain in place while executing the following steps. If this is a concern, you can remove this node from the replication topology and re-sync/re-initialize other CTS instances after deletion.

You can delete all Refresh tokens as follows:

  1. Navigate to the bin directory of DS.
  2. Run the following pipeline. The search requests only the DNs (attribute list 1.1), the grep and cut strip the blank lines and the "dn: " prefix, and the resulting DNs are fed to ldapdelete on standard input:
    $ ./ldapsearch --hostname host1.example.com --port 50389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN "ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org" "(coreTokenString10=refresh_token)" 1.1 | grep -v '^$' | cut -c5- | ./ldapdelete --hostname host1.example.com --port 50389 --bindDN "cn=Directory Manager" --bindPassword password
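The script below is an added example, not part of the article or of the DS tools, covering the two pieces of the subset procedure above: building the subset filter from "Defining a subset of tokens" (token type, optional owner, optional expiration cutoff, with the assertion values escaped as RFC 4515 requires so that a user name taken from a ticket or a script argument cannot alter the filter), and turning the DN-only ldapsearch output of step 2 into a clean list of DNs for ldapdelete. The second part does what the grep/cut pipeline does, but also unfolds continuation lines and decodes base64 "dn::" lines, which a fixed-column cut would mangle. The sample search output is constructed here; the function and constant names are this example's own.

```python
import base64
from datetime import datetime, timezone

# 01/01/2019, the cutoff used in the article's example filter.
EXAMPLE_CUTOFF = datetime(2019, 1, 1, tzinfo=timezone.utc)


def ldap_filter_escape(value):
    """Escape a filter assertion value as RFC 4515 requires, so that a value taken
    from outside (a user name, a token type) cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def generalized_time(dt):
    """Format an aware datetime as the UTC GeneralizedTime form used in the article."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + ".0Z"


def subset_filter(token_type, expires_before=None, user=None):
    """Build a CTS subset filter: token type (coreTokenString10), optionally limited
    to one user (coreTokenString03) and/or to tokens whose coreTokenExpirationDate
    is before a cutoff. A single-term filter is returned without the AND wrapper."""
    parts = ["(coreTokenString10=%s)" % ldap_filter_escape(token_type)]
    if user is not None:
        parts.append("(coreTokenString03=%s)" % ldap_filter_escape(user))
    if expires_before is not None:
        parts.append("(coreTokenExpirationDate<=%s)" % generalized_time(expires_before))
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


def dns_from_search_output(text):
    """Extract entry DNs from ldapsearch output (a search for attribute '1.1'
    returns DNs only). Unlike 'cut -c5-', this unfolds continuation lines and
    decodes base64 'dn::' lines, so every DN reaches ldapdelete intact."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # folded line (RFC 2849)
        else:
            logical.append(raw)
    dns = []
    for line in logical:
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
    return dns


# Constructed sample of '1.1' search output: one DN folded onto a second line and
# one DN that an LDIF writer base64-encodes because it contains a non-ASCII character.
NON_ASCII_DN = "coreTokenId=t\u00ebst,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org"
SAMPLE_SEARCH = (
    "dn: coreTokenId=a1b2c3,ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=f\n"
    " orgerock,dc=org\n"
    "\n"
    "dn:: " + base64.b64encode(NON_ASCII_DN.encode("utf-8")).decode("ascii") + "\n"
    "\n"
)

if __name__ == "__main__":
    print(subset_filter("refresh_token", expires_before=EXAMPLE_CUTOFF))
    # (&(coreTokenString10=refresh_token)(coreTokenExpirationDate<=20190101000000.0Z))
    for dn in dns_from_search_output(SAMPLE_SEARCH):
        print(dn)
```

The filter produced for refresh tokens expiring before 2019 is character-for-character the one shown in the article. To use the DN extraction in place of the grep/cut stage, save the ldapsearch output to a file, run dns_from_search_output over it, and write one DN per line to ldapdelete's standard input, which is what the original pipeline also relies on.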

LDIF exporting and importing (subset of tokens, more than 500k entries)

This approach removes a subset of tokens and is best suited to a large dataset, since you must shut down the CTS instance first. In essence, you create an LDIF file containing all data and tokens except the tokens where coreTokenString10 (token type) is set to refresh_token. You then import this LDIF to overwrite the contents of the database; the import process automatically rebuilds the indexes.

You can delete all Refresh tokens as follows:

  1. Navigate to the bin directory of DS.
  2. Shut down the CTS server.
  3. Take an LDIF export that excludes the Refresh tokens:
    $ ./export-ldif --backendID cts-store --ldifFile /path/to/export.ldif --excludeFilter "(coreTokenString10=refresh_token)" --offline
  4. Check that the file excludes all Refresh tokens (tokens where coreTokenString10=refresh_token).
  5. Import the LDIF:
    $ ./import-ldif --backendID cts-store --ldifFile /path/to/export.ldif --skipFile /tmp/skips.txt --rejectFile /tmp/rejects.txt --offline
  6. Start the CTS server.
  7. Re-initialize all other nodes from this instance to bring all other CTS nodes back into sync with it. For example:
    $ ./dsreplication initialize-all --hostname host1.example.com --port 4444 --baseDN dc=openam,dc=forgerock,dc=org --adminUID admin --adminPassword password --no-prompt

See Also

Best practices for configuring sessions in AM (All versions) to reduce the impact on the CTS store

Understanding CTS token types in AM/OpenAM

Reference › ldapsearch — perform LDAP search operations

Reference › ldapdelete — perform LDAP delete operations

Reference › ldapmodify — perform LDAP modify, add, delete, mod DN operations

Administration Guide › Rebuilding Indexes

Administration Guide › Importing and Exporting Data

Administration Guide › Initializing Replicas

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks

Copyright © 2019 ForgeRock, all rights reserved.
