Does Azure Active Directory have an OAuth/OpenID Connect token introspection endpoint?
No. You can check all the endpoints supported via the OpenID Provider Configuration for Azure Active Directory.
If you and idea or feedback about Azure AD, you can try to submit them from UserVoice:Azure Active Directory.
In particular you can vote on Introspection endpoint for Azure Active Directory Suggestion
No introspection endpoint
Azure AD does not have an introspection endpoint.
Depending on what you're trying to achieve, however, it may still be possible without that endpoint.
Validating access token
Make a call to the userinfo_endpoint
with the token to see if it still valid. e.g.
GET /oidc/userinfo HTTP/1.1
Host: graph.microsoft.com
Authorization: Bearer <access token>
If the call returns 200, the access token is valid. If it returns 401, it is not valid.
Getting info about/from the access token
There are 2 types of access tokens: self-contained or placeholder (see RFC6749 Section 1.4 for more info). Azure AD's access tokens are JWTs and are self-contained.
You can obtain expiry info, AD app name, tenant info, user info and much more by decoding the access token.
The JWT payload of Azure AD's access tokens look like this:
{
"aud": "00000000-0000-0000-0000-000000000000",
"iss": "https://sts.windows.net/<tenant_id>/",
"iat": 1637179385,
"nbf": 1637179385,
"exp": 1637183923,
"acct": 0,
"acr": "1",
"aio": "<base64_string>",
"amr": [
"pwd",
"mfa"
],
"app_displayname": "<app_registration_display_name>",
"appid": "<app_id>",
"appidacr": "1",
"family_name": "<user_family_name>",
"given_name": "<user_given_name>",
"idtyp": "user",
"ipaddr": "<user_ip>",
"name": "<user_name>",
"oid": "<uuid>",
"onprem_sid": "<on-premises_sid_of_user>",
"platf": "8",
"puid": "<hex_id>",
"rh": "<?>",
"scp": "email openid profile",
"signin_state": [
"kmsi"
],
"sub": "<user_subscriber_identifier>",
"tenant_region_scope": "NA",
"tid": "<tenant_id>",
"unique_name": "<user_email_or_unique_identifier>",
"upn": "<user_email>",
"uti": "<?>",
"ver": "1.0",
"wids": [
"<uuid>"
],
"xms_st": {
"sub": "<?>"
},
"xms_tcdt": <?>
}