Testing Introspection URL using Postman

After the bearer token has been generated, an optional next step is to check that the introspection URL is working. This check confirms that the connection to the IDCS application works. If it succeeds, the introspection URL provided in the Application Interface (AI) profile will also work, and the REST API calls will succeed.

To test the introspection URL, complete the following steps.

  1. Open Postman and, in the existing collection "OAuthRESTAPIKM", create another request and set its method to POST.
  2. Name the request Introspect (or any other name). The request URL must be in the format https://IDCSHostname/oauth2/v1/introspect
  3. In the Auth section, select "Basic Auth". For the username and password, enter the client ID and client secret that were generated for the IDCS confidential application with introspect enabled.
  4. In the Body section of the same introspect request, enter the token (bearer token/access token) value that was generated when the "Generate New Token" button was clicked.
  5. Once these details are added, click SEND to execute the POST request. The response should contain data confirming that your introspection URL is correct and that introspection is working.

Below is a sample of the response payload for the POST request to the introspection URL. In this response, "sub" is the actual User Specification (UserSpec) that we defined in the AI profile for EAI Object Manager with SSO; the sub is the USERID or the client ID that will be used to authenticate.

Note: This sub or client ID value must be added to the LDAP directory server for authentication to succeed.

{
    "active": true,
    "scope": "data",
    "client_id": "CLIENTID",
    "client_guid": "CLIENTSECRET",
    "token_type": "JWT",
    "sub_type": "client",
    "exp": 1685052145,
    "iat": 1685048545,
    "sub": "CLIENTID",
    "aud": [
        "https://AIHostname:AIHTTPSPort/siebel/v1.0/"
    ],
    "iss": "https://identity.oraclecloud.com/",
    "jti": "xxxxx",
    "tenant": "idcs-xxx",
    "user.tenant.name": "ixxx",
    "sub_mappingattr": "userName",
    "client_tenantname": "idcs-xxx",
    "client_name": "Siebel Postman OAuth Client",
    "region_name": "us-xx-xx-2",
    "gt": false
}

Note: In a client credentials grant flow, the client ID is sent as the subject. In this case, you must create a Siebel user or employee using the client ID as the USERID, and you must provide access to that user.
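
The same test can be scripted outside Postman. The following Python sketch is an added example, not part of the original page or of Oracle's code: it builds the POST from steps 1 to 4 and checks the fields of the response that matter for Siebel authentication (active, exp, aud, sub). The function names are hypothetical, and the form field name "token" is an assumption taken from RFC 7662 rather than from this page.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

def build_introspect_request(idcs_host, client_id, client_secret, token):
    """Build the POST from steps 1-4: Basic auth plus the token in the body."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    # Assumption: form field name "token", as defined by RFC 7662.
    body = urllib.parse.urlencode({"token": token}).encode()
    return urllib.request.Request(
        f"https://{idcs_host}/oauth2/v1/introspect", data=body, method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"})

def introspect(req, timeout=10):
    """Step 5: send the request and decode the JSON response."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def check_introspection(resp, expected_aud, expected_sub, now=None):
    """Return a list of problems; an empty list means the token is usable."""
    if resp.get("active") is not True:
        return ["token is not active"]  # inactive replies may omit other fields
    now = time.time() if now is None else now
    problems = []
    if resp.get("exp", 0) <= now:
        problems.append("token expired")
    aud = resp.get("aud", [])
    if expected_aud not in ([aud] if isinstance(aud, str) else aud):
        problems.append("aud does not include the AI REST endpoint")
    if resp.get("sub") != expected_sub:
        problems.append("sub does not match the expected Siebel USERID")
    return problems

# Constructed sample: the fields of the page's response that the checks read.
SAMPLE = {"active": True, "exp": 1685052145, "iat": 1685048545,
          "sub": "CLIENTID", "client_id": "CLIENTID",
          "aud": ["https://AIHostname:AIHTTPSPort/siebel/v1.0/"]}

if __name__ == "__main__":
    req = build_introspect_request("IDCSHostname", "CLIENTID", "CLIENTSECRET", "TOKEN")
    print(req.get_method(), req.full_url)
    print(check_introspection(SAMPLE, SAMPLE["aud"][0], "CLIENTID", now=1685050000))
```

Against a real tenant, pass the result of introspect(req) to check_introspection instead of SAMPLE, and read the client secret from a protected store rather than hard-coding it.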