/json/token/macaroon
AM’s macaroon endpoint can be used to inspect and manipulate macaroons. Macaroons are designed to be manipulated locally using a macaroon library. This can be done securely by anybody in possession of the macaroon token without needing access to any keys at all.
AM’s macaroon endpoint supports two actions:
- inspect: returns details about the macaroon.
- restrict: adds a new caveat to the macaroon, returning a new macaroon.
You must compose the path to the macaroon endpoint so that it addresses the specific realm where the token was issued.
For example, https://openam.example.com:8443/openam/json/realms/root/realms/alpha/token/macaroon/?_action=inspect.
The following example shows AM returning macaroon information:
$ curl \
  --request POST \
  --header "Content-Type: application/json" \
  --header "cache-control: no-cache" \
  --data '{
    "macaroon":"AgEAAhtCRDFJSGhhLUktU21VbE5EQ0Y4MXVQRmlzUFUAAAYgnKhrEUFDwEwSPeTHwRSwTss7a4V0W68nL5Xw-nnRhzQ"
  }' \
  "https://openam.example.com:8443/openam/json/realms/root/realms/alpha/token/macaroon?_action=inspect"
{
  "identifier": "1bmn1TQTONczbom-V2lCpaH4BUk",
  "location": "",
  "caveats": [
    {
      "type": "first-party",
      "identifier": {
        "scope": "openid profile"
      }
    }
  ],
  "signature": "kmVBwqpoi4nwakksk3b8KcSZvlYYmjCPdUTrFKFnhEY"
}
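The local manipulation described above, as an added example that is not part of the original page or AM's own code: it parses the request token from the curl example as a libmacaroons v2 binary macaroon and appends a first-party caveat by chaining HMAC-SHA256 from the current signature, with no key involved. The function names and the caveat value `{"scope":"openid"}` are constructed for illustration, and the exact caveat encoding AM accepts is an assumption.

```python
import base64, hashlib, hmac

EOS, IDENTIFIER, SIGNATURE = 0, 2, 6  # libmacaroons v2 binary field types

def read_varint(buf, i):  # unsigned LEB128 -> (value, next index)
    val = shift = 0
    while True:
        val |= (buf[i] & 0x7F) << shift
        i, shift = i + 1, shift + 7
        if buf[i - 1] < 0x80:
            return val, i

def write_field(ftype, data):  # type byte, varint length, then the data
    n, size = len(data), bytearray()
    while True:
        size.append((n & 0x7F) | (0x80 if n > 0x7F else 0))
        n >>= 7
        if not n:
            return bytes([ftype]) + bytes(size) + data

def read_section(buf, i):  # fields up to EOS -> ({type: data}, next index)
    fields = {}
    while buf[i] != EOS:
        ftype, i = read_varint(buf, i)
        size, i = read_varint(buf, i)
        fields[ftype], i = buf[i:i + size], i + size
    return fields, i + 1

def parse(token):  # -> (bytes before the caveat-list EOS, id, caveats, sig)
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    if raw[0] != 2:
        raise ValueError("not a v2 binary macaroon")
    header, i = read_section(raw, 1)
    caveats = []
    while raw[i] != EOS:
        caveat, i = read_section(raw, i)
        caveats.append(caveat[IDENTIFIER])
    _, j = read_varint(raw, i + 1)  # skip the SIGNATURE type byte
    size, j = read_varint(raw, j)
    return raw[:i], header[IDENTIFIER], caveats, raw[j:j + size]

def restrict(token, caveat):  # append a first-party caveat; needs no key
    body, _, _, sig = parse(token)
    new_sig = hmac.new(sig, caveat, hashlib.sha256).digest()  # chained HMAC
    out = body + write_field(IDENTIFIER, caveat) + b"\x00\x00" + write_field(SIGNATURE, new_sig)
    return base64.urlsafe_b64encode(out).rstrip(b"=").decode()

# Request token from the curl example on this page.
PAGE_TOKEN = "AgEAAhtCRDFJSGhhLUktU21VbE5EQ0Y4MXVQRmlzUFUAAAYgnKhrEUFDwEwSPeTHwRSwTss7a4V0W68nL5Xw-nnRhzQ"
SAMPLE_CAVEAT = b'{"scope":"openid"}'  # constructed; encoding AM expects is an assumption
```

Calling `parse(restrict(PAGE_TOKEN, SAMPLE_CAVEAT))` returns the same identifier with the new caveat appended and a signature derived from the previous one. The issuer can recompute the whole chain from its own key, so a holder can add caveats but cannot remove any.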
OpenID Connect clients must ensure that the following information is present in the JSON:
|