How to validate OAuth Access Token


#1

Hi guys, I am using the following API and generating a sessionToken,
POST http://dev-1234.oktapreview.com/api/v1/authn

{
    "username": "somename@gmail.com",
    "password": "somepassword",
    "options": {
        "multiOptionalFactorEnroll": false,
        "warnBeforePasswordExpired": false
    }
}

Response -

{
    "expiresAt": "2017-08-08T05:11:38.000Z",
    "status": "SUCCESS",
    "sessionToken": "20111B2_dkVTy--9K_2C1-Til1v9WTHcHBSh_FU9N6mx",
    "_embedded": {
        "user": {
            "id": "00ubd4HxZS0h7",
            "passwordChanged": "2017-07-26T05:00:09.000Z",
            "profile": {
                "login": "somename@gmail.com",
                "firstName": "s",
                "lastName": "sds",
                "locale": "en",
                "timeZone": "America/Los_Angeles"
            }
        }
    }
}

How can I validate this sessionToken?
I used the Introspect API; it always gives "active" as false.
https://developer.okta.com/docs/api/resources/oauth2.html?_ga=2.41456417.2011385017.1502103010-882478713.1501582800#introspection-request


#2

The sessionToken is a one-time token used to bootstrap a session with Okta in a browser; it's not used as an access token. You can pass the sessionToken with an OAuth Authorization Request or via an SSO request.
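To make the distinction in the answer concrete, here is an added example (not code from either post): the sessionToken is handed to the authorize endpoint to obtain an OAuth session, and only the access token that comes out of that flow is checked with introspection, where anything other than `active: true` is rejected. It assumes an Okta org base URL, a client registered for the authorization-code flow, and the org authorization server paths `/oauth2/v1/authorize` and `/oauth2/v1/introspect`; the `sessionToken` authorize parameter is taken from Okta's documentation.

```python
"""Added example; assumes an Okta org base URL and an authorization-code client.
Nothing here touches the network: the functions build requests and interpret
responses so they can be exercised offline."""
import base64
import json
from urllib.parse import urlencode


def build_authorize_url(base_url, client_id, redirect_uri, session_token, state, nonce):
    """Hand the one-time sessionToken from /api/v1/authn to the authorize endpoint.

    The sessionToken is not an access token; the authorize request consumes it,
    establishes the Okta session, and redirects back with an authorization code.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid profile",
        "redirect_uri": redirect_uri,
        "state": state,  # binds the callback to this request (CSRF protection)
        "nonce": nonce,  # replay protection for the ID token
        "sessionToken": session_token,
    }
    return f"{base_url}/oauth2/v1/authorize?{urlencode(params)}"


def build_introspect_request(base_url, client_id, client_secret, token):
    """RFC 7662 introspection: client-authenticated POST with the token as form data."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return f"{base_url}/oauth2/v1/introspect", headers, body


def is_token_active(introspect_json, expected_client_id):
    """Trust only active=true issued to the expected client; reject anything else.

    Expired, revoked or unknown tokens, and a sessionToken (not an OAuth token at
    all), come back as {"active": false} with no further claims to rely on.
    """
    data = json.loads(introspect_json)
    return data.get("active") is True and data.get("client_id") == expected_client_id
```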