Access Management

/json/token/macaroon

AM’s macaroon endpoint can be used to inspect and manipulate macaroons. Macaroons are designed to be manipulated locally using a macaroon library. This can be done securely by anybody in possession of the macaroon token without needing access to any keys at all.

AM’s macaroon endpoint supports two actions:

  • inspect: returns details about the macaroon.

  • restrict: adds a new caveat to the macaroon, returning a new macaroon.

You must compose the path to the introspect endpoint addressing the specific realm where the token was issued. For example, https://openam.example.com:8443/openam/json/realms/root/realms/alpha/token/macaroon/?_action=inspect.

The following example shows AM returning macaroon information:

$ [${resources.dir}/endpoints/oauth2.bash:#oauth2_Macaroon-Example]
[${resources.dir}/endpoints/oauth2.bash:#oauth2_Macaroon-Example-OUT]

OpenID Connect clients must ensure that the following information is present in the JSON:

  • The openid scope. For example, "scopes": ["profile", "openid"].

  • The id_token response type. For example, "response_types": ["code", "id_token code"].