Getting the client Id from the tokenInfo endpoint


This topic has 5 replies, 3 voices, and was last updated 5 years, 9 months ago by evangelinamrm.


    Is it possible to obtain the client id information as part of the /tokeninfo response?


     Bill Nelson

    I am not aware of any way to do this, but I’m also not so sure that this is a good idea to do it in the first place. Keep in mind that an OAuth2 token is a bearer token granting authorization rights to the bearer of the token. When I give a valet key to the parking attendant, I am allowing them to drive my car, but not gain access to my glove box or trunk. So all the access token does is allow someone to do something on behalf of the Resource Owner and limits their access and/or scope.

    If I am to assume that you are wanting this information to see if the access token was requested by someone you trust, then I would caution you not to try to establish trust with the requester, but with the issuer (the Authorization Server). You need to trust that “they” did the due diligence before issuing the token, itself.

    From a security standpoint, if the client_id were passed back as part of the tokeninfo endpoint, then anyone possessing that token could for all intents and purposes determine one half of the client credentials and all they would then need to do is bang on the door to obtain the client secret. Once accomplished then they could essentially impersonate the client and (depending on your grant flow) could begin requesting their own tokens.

    One other thing to note is that the access_token and authorize endpoints are defined by the OAuth2 standards, the tokeninfo endpoint is a convenience provided by ForgeRock and you have to be careful what you expose in that convenience.

    I am sure that I went way beyond what you were asking for (I tend to read intent into questions at times) but to answer your question, I am not aware of any way to get the client_id from the tokeninfo endpoint.


    Hi Bill, thank you for the detailed answer.
    The reason I’m asking is because I’m granting access to an API based on the access token, but not every client can access it so I need to do a second validation based on the client Id associated to that token. The problem I’m facing right now is that every user who’s been granted an access token can access all of the APIs.
    I understand that this might be something that the tokeninfo endpoint is not designed to do, in the case of Ping Federate I can obtain the client Id from the access token by making a request to a protected endpoint and authenticating as a resource server. Is there something similar in OpenAM that I can use?

    Thank you! And please feel free to share your thoughts on the use case, it’s always good to discuss if one is taking the correct approach or not

     Peter Major

    See OPENAM-5213, client_id will be returned in newer versions of OpenAM.


    Thank you Peter, that’s very helpful.


    Hi @peter-major, is it possible to obtain the client_id associated to the token in previous versions that don’t include the fix added in OPENAM-5213?
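
The per-client check discussed in this thread, as an added example that is not part of any post here and is not ForgeRock code: a resource server takes the /tokeninfo response body, applies a per-API client allow-list, and refuses the request when the response carries no client_id. The allow-list, the API paths, the client names and the sample responses are constructed, and every field name other than client_id ("scope", "expires_in", "error") is an assumption about the response shape.

```python
import json

# Hypothetical policy: which OAuth2 clients may call which API.
API_CLIENT_ALLOWLIST = {
    "/api/payments": {"billing-service"},
    "/api/reports": {"billing-service", "reporting-ui"},
}

# Constructed sample /tokeninfo bodies (field names besides client_id assumed).
NEW_STYLE = ('{"scope": ["read"], "expires_in": 540, "token_type": "Bearer",'
             ' "client_id": "reporting-ui"}')
OLD_STYLE = '{"scope": ["read"], "expires_in": 540, "token_type": "Bearer"}'


class AccessDenied(Exception):
    """A token the authorization server accepts is still refused here."""


def authorize_client(tokeninfo_body, api_path, required_scope):
    """Return the client_id if this token may call api_path, else raise."""
    try:
        info = json.loads(tokeninfo_body)
    except ValueError as exc:
        raise AccessDenied("unparseable tokeninfo response") from exc
    if not isinstance(info, dict) or "error" in info:
        raise AccessDenied("token rejected by the authorization server")
    expires_in = info.get("expires_in")
    if type(expires_in) is not int or expires_in <= 0:
        raise AccessDenied("token expired or lifetime missing")
    scope = info.get("scope")
    scopes = set(scope.split()) if isinstance(scope, str) else scope
    if not isinstance(scopes, (set, list)) or required_scope not in scopes:
        raise AccessDenied("required scope not granted")
    client_id = info.get("client_id")
    if not isinstance(client_id, str) or not client_id:
        # Response without client_id: fail closed, never fall back to allow.
        raise AccessDenied("no client_id; per-client policy cannot be applied")
    if client_id not in API_CLIENT_ALLOWLIST.get(api_path, set()):
        raise AccessDenied(f"client {client_id!r} not allowed on {api_path}")
    return client_id


def is_allowed(tokeninfo_body, api_path, required_scope):
    """Boolean wrapper for use in a request filter."""
    try:
        authorize_client(tokeninfo_body, api_path, required_scope)
        return True
    except AccessDenied:
        return False
```
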

