Token Introspector
The TokenIntrospector resource in Aidbox is used to validate tokens issued by external authentication systems. It enables Aidbox to integrate with various identity providers and authentication servers by supporting different token validation methods.
Overview
When users authenticate with an external system and receive a token, Aidbox can use TokenIntrospector to validate these tokens and extract identity information. This allows for secure integration between Aidbox and external authentication systems.
Supported Token Types
Aidbox TokenIntrospector supports two main types of tokens:
1. JWT Tokens — JSON Web Tokens (JWTs) are self-contained tokens that include claims and can be verified using a signature.
2. Opaque Tokens — Non-transparent tokens that require validation against an external introspection endpoint.
TokenIntrospector Schema
Token Validation Process
- Client sends a request to Aidbox with a Bearer token
- Aidbox identifies the token type
- Based on the token type:
- For JWT: Aidbox validates the signature and claims
- For opaque: Aidbox sends the token to the introspection endpoint
- If valid, Aidbox applies the relevant AccessPolicy
- If the policy allows access, the request proceeds
User Resolution
After validating a JWT token, Aidbox resolves the user context from the token claims. Aidbox looks up a User resource by ID and loads all Role resources linked to that user. The resolved User and Role data is then available in AccessPolicy for authorization decisions.
How it works
- Aidbox checks for the
box_usercustom claim in the JWT - If
box_useris not present, Aidbox falls back to the standardsub(subject) claim - The resulting value is used as the
User.idto look up the user in the database - All
Roleresources linked to that user are automatically loaded - The full
Userresource andRolearray become available asuserandrolein the AccessPolicy request object
For example, if you have a User resource with custom data:
resourceType: User
id: my-user
email: user@example.com
data:
practitioner_id: pract-123
department: cardiology
After user resolution, all of this data is available in AccessPolicy. For instance, you can restrict access based on user.data.department:
resourceType: AccessPolicy
engine: matcho
matcho:
user:
data:
department: cardiology
Without user resolution, only raw JWT claims are available in AccessPolicy under the jwt key. User resolution is what makes the full User resource and Role data from the database available under the user and role keys.
The box_user claim
By default, Aidbox uses the sub (subject) claim to look up User.id. The box_user custom claim allows you to override this — when present, box_user takes priority over sub.
This is useful when the sub claim contains an external identity provider ID (e.g., a UUID from Keycloak or Auth0) that does not match the User.id in Aidbox.
Example JWT payload:
{
"iss": "https://auth.example.com",
"sub": "keycloak-uuid-1234",
"box_user": "my-aidbox-user",
"exp": 1700000000
}
In this example, Aidbox will resolve User/my-aidbox-user and load its data and roles into the AccessPolicy context. The sub claim remains available under jwt.sub for AccessPolicy evaluation.
Caching
TokenIntrospector supports configurable caching via the cache_ttl property (in seconds):
- JWT with JWKS URI: Caches public keys fetched from the JWKS endpoint (default: 300 seconds)
- Opaque tokens: Caches introspection results for each specific token (default: 300 seconds)
- ASPXAUTH tokens: Caches introspection results for each specific cookie (default: 300 seconds)
Valid range: 1-86400 seconds (1 second to 24 hours)
Caching improves resilience when external endpoints are temporarily unavailable. See the tutorial for detailed configuration examples and security considerations.
See also
- Set up token introspection tutorial
- External Secrets — store
jwt.secret,jwt.keys.k, andintrospection_endpoint.authorizationvalues outside the database