Token introspect endpoint
About
A resource server can introspect an access token to determine the active state of the token and/or to determine meta-information about this token.
To avoid information leakage, three conditions must be fulfilled for introspection to work:
- The scope(s) in the token must be configured with the client_id of the resource server that should be allowed to introspect (enforced_aud_for_introspection)
- This client_id must in addition be registered with the idporten:token.introspectionscope
- The client must perform client authentication on the introspection endpoint
Breaking change: Note that the behaviour above is a breaking change from the the old ID-porten.
The /tokenintrospect endpoint is thoroughly documented in RFC 7662 OAuth 2.0 Token Introspection 
Request
The following header parameters must be used:
| Parameter | Value | 
|---|---|
| Http method: | POST | 
| Content-type: | application/x-www-form-urlencoded | 
The client calling /tokeninfo must be pre-registered, and must authenticate itself using the registered method of client authentication (ie token_endpoint_auth_method).
The following JSON payload must be submitted:
| Claim | Value | 
|---|---|
| token | <The token that should be validated> | 
Response
The most important parameter in the reponse is the active-claim.  If its value is false, the submitted token is not longer valid, and must not be used or trusted by the sending party.
| claim | value | description | 
|---|---|---|
| active | true / false | Authorative statement from ID-porten whether the submitted token is valid or not. | 
The response will also include a number of claims related to the submitted token, and are equal to the claims available for self-contained access token.
Please note that the response from the token introspection-endpoint is NOT an access_token, even though it is a JWT.
Sample request:
POST /tokeninfo
Content-type: application/x-www-form-urlencoded
Authorization: Basic xxxxx
token=fK0dhs5vQsuAUguLL2wxbXEQSE91XbOAL3foY5VR0Uk=
Sample response:
{
    "active": true,
    "token_type": "Bearer",
    "expires_in": 556,
    "exp": 1477990301,
    "iat": 1477989701,
    "scope": "global/kontaktinformasjon.read",
    "client_id": "test_rp",
    "client_orgno": "991825827"
}
Introspection of pseudonymous tokens
If the scope in the access token was configured to trigger issuance of pseudonymous tokens, then the norwegian person identifier (pid-claim) will be included in the introspection response.