Does Azure Active Directory have an OAuth/OpenID Connect token introspection endpoint?

No. You can check all the endpoints supported via the OpenID Provider Configuration for Azure Active Directory.

If you have an idea or feedback about Azure AD, you can try to submit it via UserVoice: Azure Active Directory.

In particular, you can vote on the "Introspection endpoint for Azure Active Directory" suggestion.


No introspection endpoint

Azure AD does not have an introspection endpoint.

Depending on what you're trying to achieve, however, it may still be possible without that endpoint.

Validating access token

Make a call to the userinfo_endpoint with the token to see if it is still valid, e.g.

GET /oidc/userinfo HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer <access token>

If the call returns 200, the access token is valid. If it returns 401, it is not valid.

Getting info about/from the access token

There are 2 types of access tokens: self-contained or placeholder (see RFC6749 Section 1.4 for more info). Azure AD's access tokens are JWTs and are self-contained.

You can obtain expiry info, AD app name, tenant info, user info and much more by decoding the access token.

The JWT payload of Azure AD's access tokens looks like this:

{
  "aud": "00000000-0000-0000-0000-000000000000",
  "iss": "https://sts.windows.net/<tenant_id>/",
  "iat": 1637179385,
  "nbf": 1637179385,
  "exp": 1637183923,
  "acct": 0,
  "acr": "1",
  "aio": "<base64_string>",
  "amr": [
    "pwd",
    "mfa"
  ],
  "app_displayname": "<app_registration_display_name>",
  "appid": "<app_id>",
  "appidacr": "1",
  "family_name": "<user_family_name>",
  "given_name": "<user_given_name>",
  "idtyp": "user",
  "ipaddr": "<user_ip>",
  "name": "<user_name>",
  "oid": "<uuid>",
  "onprem_sid": "<on-premises_sid_of_user>",
  "platf": "8",
  "puid": "<hex_id>",
  "rh": "<?>",
  "scp": "email openid profile",
  "signin_state": [
    "kmsi"
  ],
  "sub": "<user_subscriber_identifier>",
  "tenant_region_scope": "NA",
  "tid": "<tenant_id>",
  "unique_name": "<user_email_or_unique_identifier>",
  "upn": "<user_email>",
  "uti": "<?>",
  "ver": "1.0",
  "wids": [
    "<uuid>"
  ],
  "xms_st": {
    "sub": "<?>"
  },
  "xms_tcdt": <?>
}
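The answer above shows that an Azure AD access token is a self-contained JWT whose payload can simply be decoded. The following added example (written for this page, not code from the answer's author or from Microsoft) does exactly that: it splits the compact JWS, base64url-decodes the payload (restoring the padding JWT segments omit), pulls out the fields the answer mentions (expiry, app name, tenant, user, scopes), and checks the `aud`, `tid`, `iss`, `exp` and `nbf` claims against expected values with a small clock-skew leeway. The tenant id, app id, display name and user in `make_sample_token()` are constructed placeholders, and its signature segment is a dummy: the code decodes and inspects claims but does not verify the signature, which a real relying party must still do against the tenant's signing keys before trusting any of these fields.

```python
import base64
import json
import time
from typing import Dict, List, Optional, Tuple

# Constructed sample values (not a real tenant, app or user); placeholders for illustration only.
SAMPLE_TENANT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_AUD = "00000000-0000-0000-0000-000000000000"  # the aud value shown in the sample payload above
SAMPLE_IAT = 1637179385  # iat/nbf and exp taken from the sample payload above
SAMPLE_EXP = 1637183923


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWS into (header, payload). This does NOT verify the
    signature, so the claims are only trustworthy after the token has been validated."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def check_claims(payload: Dict, expected_aud: str, expected_tid: str,
                 now: Optional[int] = None, leeway: int = 60) -> List[str]:
    """Return the list of claim problems found (an empty list means the claims are consistent)."""
    now = int(time.time()) if now is None else now
    problems = []
    if payload.get("aud") != expected_aud:
        problems.append("aud mismatch")
    if payload.get("tid") != expected_tid:
        problems.append("tid mismatch")
    # v1.0 tokens carry an sts.windows.net issuer keyed by tenant id, as in the sample above.
    if payload.get("iss") != f"https://sts.windows.net/{expected_tid}/":
        problems.append("iss mismatch")
    if "exp" not in payload or now > payload["exp"] + leeway:
        problems.append("expired")
    if "nbf" in payload and now + leeway < payload["nbf"]:
        problems.append("not yet valid")
    return problems


def summarize(payload: Dict) -> Dict:
    """Pull out the fields the answer mentions: expiry, app name, tenant and user info."""
    return {
        "app": payload.get("app_displayname"),
        "tenant": payload.get("tid"),
        "user": payload.get("upn") or payload.get("unique_name"),
        "scopes": payload.get("scp", "").split(),
        "mfa": "mfa" in payload.get("amr", []),
        "expires_at": payload.get("exp"),
    }


def make_sample_token() -> str:
    """Build a constructed token with the shape of the sample payload above.
    The signature segment is a dummy; nothing here signs or verifies anything."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    payload = {
        "aud": SAMPLE_AUD,
        "iss": f"https://sts.windows.net/{SAMPLE_TENANT_ID}/",
        "iat": SAMPLE_IAT, "nbf": SAMPLE_IAT, "exp": SAMPLE_EXP,
        "amr": ["pwd", "mfa"],
        "app_displayname": "Constructed App",
        "appid": SAMPLE_APP_ID,
        "scp": "email openid profile",
        "tid": SAMPLE_TENANT_ID,
        "upn": "user@example.com",
        "ver": "1.0",
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([
        b64url_encode(compact(header)),
        b64url_encode(compact(payload)),
        b64url_encode(b"dummy-signature"),
    ])


if __name__ == "__main__":
    tok = make_sample_token()
    _, claims = decode_jwt_unverified(tok)
    print(json.dumps(summarize(claims), indent=2))
    print("problems at iat+60:", check_claims(claims, SAMPLE_AUD, SAMPLE_TENANT_ID, now=SAMPLE_IAT + 60))
    print("problems at exp+3600:", check_claims(claims, SAMPLE_AUD, SAMPLE_TENANT_ID, now=SAMPLE_EXP + 3600))
```

The `leeway` parameter absorbs small clock differences between the token issuer and the validating server; `check_claims` reports every failing claim rather than stopping at the first, which makes log lines from a rejected token easier to triage.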