updated server API and client introspection docs

2014-05-28 18:19:08 -04:00 · 2014-05-28 18:19:08 -04:00 · 38af57ccf2
parent 1738879243
commit 38af57ccf2
2 changed files with 413 additions and 127 deletions
--- a/Api.md
+++ b/Api.md
@ -6,6 +6,8 @@ The API may be accessed through an active web session within the application (ie
 Manages all registered clients on the system, both statically and dynamically registered. Note that in this API's data model, the **id** field is distinct from the **clientId** field used in OAuth. This is a deliberate distinction to allow the **clientId** to be edited through the API.
 Non-administrator end users can use Dynamic Client Registration and Protected Resource Registration to register clients and resources, respectively. These provide a more limited set of options compared to the full administrative API documented here.
 Endpoint: **`/api/clients`**
 ### GET /api/clients
@ -14,8 +16,9 @@ Endpoint: **`/api/clients`**
 Get a list of all clients on the system, returns results in `application/json`.
-```
+```json
 [
    {
        "id": 1,
        "clientId": "client",
@ -57,6 +60,7 @@ Get a list of all clients on the system, returns results in `application/json`.
        "idTokenSignedResponseAlg": null,
        "idTokenEncryptedResponseAlg": null,
        "idTokenEncryptedResponseEnc": null,
        "tokenEndpointAuthSigningAlg": null,
        "defaultMaxAge": null,
        "requireAuthTime": null,
        "defaultACRvalues": [ ],
@ -73,13 +77,71 @@ Get a list of all clients on the system, returns results in `application/json`.
        "allowIntrospection": true,
        "idTokenValiditySeconds": 600,
        "createdAt": null
    },
    {
        "id": 2,
        "clientId": "a8af753c-f324-4e40-a177-87dfc06249b7",
        "clientSecret": "EGvdSfyecgUeB44WWERaQXqHOECjbDmpkOupUUItxELqb6h1qtpMmPscIUsRo8_vC1JN8WQlG3-5Lp9q7J8XUg",
        "redirectUris": [
            "http://localhost:8080/simple-web-app/openid_connect_login"
        ],
        "clientName": "Simple Web App",
        "clientUri": null,
        "logoUri": null,
        "contacts": [ ],
        "tosUri": null,
        "tokenEndpointAuthMethod": "SECRET_JWT",
        "scope": [
            "openid",
            "phone",
            "email",
            "address",
            "profile"
        ],
        "grantTypes": [
            "authorization_code"
        ],
        "responseTypes": [
            "code"
        ],
        "policyUri": null,
        "jwksUri": null,
        "applicationType": null,
        "sectorIdentifierUri": null,
        "subjectType": null,
        "requestObjectSigningAlg": null,
        "userInfoSignedResponseAlg": null,
        "userInfoEncryptedResponseAlg": null,
        "userInfoEncryptedResponseEnc": null,
        "idTokenSignedResponseAlg": null,
        "idTokenEncryptedResponseAlg": null,
        "idTokenEncryptedResponseEnc": null,
        "tokenEndpointAuthSigningAlg": "HS256",
        "defaultMaxAge": null,
        "requireAuthTime": null,
        "defaultACRvalues": [ ],
        "initiateLoginUri": null,
        "postLogoutRedirectUri": null,
        "requestUris": [ ],
        "authorities": [ ],
        "accessTokenValiditySeconds": 3600,
        "refreshTokenValiditySeconds": null,
        "resourceIds": [ ],
        "clientDescription": "",
        "reuseRefreshToken": true,
        "dynamicallyRegistered": true,
        "allowIntrospection": false,
        "idTokenValiditySeconds": 600,
        "createdAt": "2014-05-28T16:42:26-0400"
    }
 ]
 ```
 *Note:* This method will return different information depending on whether or not the authorized user is an administrator. A non-administrator will get a limited set of information back:
-```
+```json
 [
    {
        "id": 1,
        "clientId": "client",
@ -94,6 +156,20 @@ Get a list of all clients on the system, returns results in `application/json`.
            "profile"
        ],
        "clientDescription": null
    },
    {
        "id": 2,
        "clientId": "a8af753c-f324-4e40-a177-87dfc06249b7",
        "clientName": "Simple Web App",
        "logoUri": null,
        "scope": [
            "openid",
            "phone",
            "email",
            "address",
            "profile"
        ],
        "clientDescription": ""
    }
 ]
 ```
@ -102,37 +178,34 @@ Get a list of all clients on the system, returns results in `application/json`.
 *Requires __ROLE_ADMIN__ access.*
-Create a new client on the system. Message body is an `application/json` object with all client parameters:
+Create a new client on the system. Request body is an `application/json` object with all client parameters:
-```
+```json
 {
-        "clientId": "client",
+        "clientId": "a8af753c-f324-4e40-a177-87dfc06249b7",
-        "clientSecret": "secret",
+        "clientSecret": "EGvdSfyecgUeB44WWERaQXqHOECjbDmpkOupUUItxELqb6h1qtpMmPscIUsRo8_vC1JN8WQlG3-5Lp9q7J8XUg",
        "redirectUris": [
-            "http://localhost/",
+            "http://localhost:8080/simple-web-app/openid_connect_login"
            "http://localhost:8080/"
        ],
-        "clientName": "Test Client",
+        "clientName": "Simple Web App",
        "clientUri": null,
        "logoUri": null,
        "contacts": [ ],
        "tosUri": null,
-        "tokenEndpointAuthMethod": null,
+        "tokenEndpointAuthMethod": "SECRET_JWT",
        "scope": [
            "phone",
            "openid",
-            "offline_access",
+            "phone",
            "address",
            "email",
            "address",
            "profile"
        ],
        "grantTypes": [
-            "implicit",
+            "authorization_code"
-            "authorization_code",
+        ],
-            "urn:ietf:params:oauth:grant_type:redelegate",
+        "responseTypes": [
-            "refresh_token"
+            "code"
        ],
        "responseTypes": [ ],
        "policyUri": null,
        "jwksUri": null,
        "applicationType": null,
@ -145,6 +218,7 @@ Create a new client on the system. Message body is an `application/json` object
        "idTokenSignedResponseAlg": null,
        "idTokenEncryptedResponseAlg": null,
        "idTokenEncryptedResponseEnc": null,
        "tokenEndpointAuthSigningAlg": "HS256",
        "defaultMaxAge": null,
        "requireAuthTime": null,
        "defaultACRvalues": [ ],
@ -155,12 +229,11 @@ Create a new client on the system. Message body is an `application/json` object
        "accessTokenValiditySeconds": 3600,
        "refreshTokenValiditySeconds": null,
        "resourceIds": [ ],
-        "clientDescription": null,
+        "clientDescription": "",
        "reuseRefreshToken": true,
        "dynamicallyRegistered": false,
-        "allowIntrospection": true,
+        "allowIntrospection": false,
        "idTokenValiditySeconds": 600,
        "createdAt": null
 }
 ```
@ -178,9 +251,7 @@ The server will return an updated copy of the object in `application/json` forma
 Get information about a specific client identified by {id} in the url, in `application/json` format. 
-For example, the call to `/api/clients/1` would return:
+```json
 ```
 {
        "id": 1,
        "clientId": "client",
@ -222,6 +293,7 @@ For example, the call to `/api/clients/1` would return:
        "idTokenSignedResponseAlg": null,
        "idTokenEncryptedResponseAlg": null,
        "idTokenEncryptedResponseEnc": null,
        "tokenEndpointAuthSigningAlg": null,
        "defaultMaxAge": null,
        "requireAuthTime": null,
        "defaultACRvalues": [ ],
@ -238,25 +310,28 @@ For example, the call to `/api/clients/1` would return:
        "allowIntrospection": true,
        "idTokenValiditySeconds": 600,
        "createdAt": null
-}
+    }
 ```
 *Note:* This method will return different information depending on whether or not the authorized user is an administrator. A non-administrator will get a limited set of information back:
-```
+```json
 {
-        "id": 1,
+
-        "clientId": "client",
+    "id": 1,
-        "clientName": "Test Client",
+    "clientId": "client",
-        "logoUri": null,
+    "clientName": "Test Client",
-        "scope": [
+    "logoUri": null,
-            "phone",
+    "scope": [
-            "openid",
+        "phone",
-            "offline_access",
+        "openid",
-            "address",
+        "offline_access",
-            "email",
+        "address",
-            "profile"
+        "email",
-        ],
+        "profile"
-        "clientDescription": null
+    ],
    "clientDescription": null
 }
 ```
@ -266,36 +341,33 @@ For example, the call to `/api/clients/1` would return:
 Update the information for the client identified by {id} in the URL. The request body must be `application/json` describing the entire client object:
-```
+```json
 {
-        "id": 1,
+        "id": 2,
-        "clientId": "client",
+        "clientId": "a8af753c-f324-4e40-a177-87dfc06249b7",
-        "clientSecret": "secret",
+        "clientSecret": "EGvdSfyecgUeB44WWERaQXqHOECjbDmpkOupUUItxELqb6h1qtpMmPscIUsRo8_vC1JN8WQlG3-5Lp9q7J8XUg",
        "redirectUris": [
-            "http://localhost/",
+            "http://localhost:8080/simple-web-app/openid_connect_login"
            "http://localhost:8080/"
        ],
-        "clientName": "Test Client",
+        "clientName": "Simple Web App",
        "clientUri": null,
        "logoUri": null,
        "contacts": [ ],
        "tosUri": null,
-        "tokenEndpointAuthMethod": null,
+        "tokenEndpointAuthMethod": "SECRET_JWT",
        "scope": [
            "phone",
            "openid",
-            "offline_access",
+            "phone",
            "address",
            "email",
            "address",
            "profile"
        ],
        "grantTypes": [
-            "implicit",
+            "authorization_code"
-            "authorization_code",
+        ],
-            "urn:ietf:params:oauth:grant_type:redelegate",
+        "responseTypes": [
-            "refresh_token"
+            "code"
        ],
        "responseTypes": [ ],
        "policyUri": null,
        "jwksUri": null,
        "applicationType": null,
@ -308,6 +380,7 @@ Update the information for the client identified by {id} in the URL. The request
        "idTokenSignedResponseAlg": null,
        "idTokenEncryptedResponseAlg": null,
        "idTokenEncryptedResponseEnc": null,
        "tokenEndpointAuthSigningAlg": "HS256",
        "defaultMaxAge": null,
        "requireAuthTime": null,
        "defaultACRvalues": [ ],
@ -318,12 +391,12 @@ Update the information for the client identified by {id} in the URL. The request
        "accessTokenValiditySeconds": 3600,
        "refreshTokenValiditySeconds": null,
        "resourceIds": [ ],
-        "clientDescription": null,
+        "clientDescription": "",
        "reuseRefreshToken": true,
-        "dynamicallyRegistered": false,
+        "dynamicallyRegistered": true,
-        "allowIntrospection": true,
+        "allowIntrospection": false,
        "idTokenValiditySeconds": 600,
-        "createdAt": null
+        "createdAt": "2014-05-28T16:42:26-0400"
 }
 ```
@ -355,11 +428,12 @@ Endpoint: **`/api/whitelist`**
 Get a list of all whitelists on the system, returns results in `application/json`.
-```
+```json
 [
    {
        "id": 1,
-        "creatorUserId": "jricher",
+        "creatorUserId": "admin",
        "clientId": "client",
        "allowedScopes": [
            "email",
@ -367,6 +441,7 @@ Get a list of all whitelists on the system, returns results in `application/json
            "profile"
        ]
    }
 ]
 ```
@ -376,9 +451,9 @@ Get a list of all whitelists on the system, returns results in `application/json
 Create a new whitelist on the system. Message body is an `application/json` object with all information:
-```
+```json
 {
-        "creatorUserId": "jricher",
+        "creatorUserId": "admin",
        "clientId": "client",
        "allowedScopes": [
            "email",
@ -398,10 +473,10 @@ Get information about a specific whitelist identified by {id} in the url, in `ap
 For example, the call to `/api/whitelist/1` would return:
-```
+```json
 {
        "id": 1,
-        "creatorUserId": "jricher",
+        "creatorUserId": "admin",
        "clientId": "client",
        "allowedScopes": [
            "email",
@ -417,10 +492,10 @@ For example, the call to `/api/whitelist/1` would return:
 Update the information for the whitelist identified by {id} in the URL. The request body must be `application/json` describing the entire whitelist object:
-```
+```json
 {
        "id": 1,
-        "creatorUserId": "jricher",
+        "creatorUserId": "admin",
        "clientId": "client",
        "allowedScopes": [
            "email",
@ -453,8 +528,9 @@ Endpoint: **`/api/blacklist`**
 Get a list of all blacklists on the system, returns results in `application/json`.
-```
+```json
 [
    {
        "id": 1,
        "uri": "http://baddomain.com/"
@ -463,6 +539,7 @@ Get a list of all blacklists on the system, returns results in `application/json
        "id": 2,
        "uri": "http://evil.biz/"
    }
 ]
 ```
@ -472,7 +549,7 @@ Get a list of all blacklists on the system, returns results in `application/json
 Create a new blacklist on the system. Message body is an `application/json` object with all information:
-```
+```json
 {
        "uri": "http://baddomain.com/"
 }
@ -488,7 +565,7 @@ Get information about a specific blacklist identified by {id} in the url, in `ap
 For example, the call to `/api/blacklist/1` would return:
-```
+```json
 {
        "uri": "http://baddomain.com/"
 }
@ -500,7 +577,7 @@ For example, the call to `/api/blacklist/1` would return:
 Update the information for the blacklist identified by {id} in the URL. The request body must be `application/json` describing the entire blacklist object:
-```
+```json
 {
        "uri": "http://baddomain.com/"
 }
@ -528,15 +605,19 @@ Endpoint: **`/api/scopes`**
 Get a list of all system scopes on the system, returns results in `application/json`.
-```
+```json
 [
    {
        "id": 1,
        "value": "openid",
        "description": "log in using your identity",
        "icon": "user",
        "allowDynReg": true,
-        "defaultScope": true
+        "defaultScope": true,
        "structured": false,
        "structuredParamDescription": null,
        "structuredValue": null
    },
    {
        "id": 2,
@ -544,7 +625,10 @@ Get a list of all system scopes on the system, returns results in `application/j
        "description": "basic profile information",
        "icon": "list-alt",
        "allowDynReg": true,
-        "defaultScope": true
+        "defaultScope": true,
        "structured": false,
        "structuredParamDescription": null,
        "structuredValue": null
    },
    {
        "id": 3,
@ -552,7 +636,10 @@ Get a list of all system scopes on the system, returns results in `application/j
        "description": "email address",
        "icon": "envelope",
        "allowDynReg": true,
-        "defaultScope": true
+        "defaultScope": true,
        "structured": false,
        "structuredParamDescription": null,
        "structuredValue": null
    },
    {
        "id": 4,
@ -560,7 +647,10 @@ Get a list of all system scopes on the system, returns results in `application/j
        "description": "physical address",
        "icon": "home",
        "allowDynReg": true,
-        "defaultScope": true
+        "defaultScope": true,
        "structured": false,
        "structuredParamDescription": null,
        "structuredValue": null
    },
    {
        "id": 5,
@ -568,7 +658,10 @@ Get a list of all system scopes on the system, returns results in `application/j
        "description": "telephone number",
        "icon": "bell",
        "allowDynReg": true,
-        "defaultScope": true
+        "defaultScope": true,
        "structured": false,
        "structuredParamDescription": null,
        "structuredValue": null
    },
    {
        "id": 6,
@ -576,8 +669,23 @@ Get a list of all system scopes on the system, returns results in `application/j
        "description": "offline access",
        "icon": "time",
        "allowDynReg": true,
-        "defaultScope": true
+        "defaultScope": true,
        "structured": false,
        "structuredParamDescription": null,
        "structuredValue": null
    },
    {
        "id": 7,
        "value": "structured",
        "description": "a demonstration of a structured scope",
        "icon": "th",
        "allowDynReg": false,
        "defaultScope": false,
        "structured": true,
        "structuredParamDescription": "the parameter would go here",
        "structuredValue": null
    }
 ]
 ```
@ -587,13 +695,16 @@ Get a list of all system scopes on the system, returns results in `application/j
 Create a new scope on the system. Message body is an `application/json` object with all information:
-```
+```json
 {
    "value": "openid",
    "description": "log in using your identity",
    "icon": "user",
    "allowDynReg": true,
-    "defaultScope": true
+    "defaultScope": true,
    "structured": false,
    "structuredParamDescription": null,
    "structuredValue": null
 }
 ```
@ -607,31 +718,37 @@ Get information about a specific scope identified by {id} in the url, in `applic
 For example, the call to `/api/scope/1` would return:
-```
+```json
 {
    "id": 1,
    "value": "openid",
    "description": "log in using your identity",
    "icon": "user",
    "allowDynReg": true,
-    "defaultScope": true
+    "defaultScope": true,
    "structured": false,
    "structuredParamDescription": null,
    "structuredValue": null
 }
 ```
-### PUT /api/blacklist/{id}
+### PUT /api/scopes/{id}
 *Requires __ROLE_ADMIN__ access.*
 Update the information for the scope identified by {id} in the URL. The request body must be `application/json` describing the entire scope object:
-```
+```json
 {
    "id": 1,
    "value": "openid",
    "description": "log in using your identity",
    "icon": "user",
    "allowDynReg": true,
-    "defaultScope": true
+    "defaultScope": true,
    "structured": false,
    "structuredParamDescription": null,
    "structuredValue": null
 }
 ```
@ -647,7 +764,7 @@ Returns HTTP 200 with an empty page on success.
 ## User Site Approvals
-Approved sites represent a decision by an end user (or "authorization grant") that has been stored. Future authorization requests that match the parameters of this approval will be granted automatically. This API allows for reading and deleting existing approvals. New approvals are created during the normal course of the OAuth protocol.
+Approved sites represent a decision by an end user (or "authorization grant") that has been stored. Future authorization requests that match the parameters of this approval will be granted automatically. This API allows for reading and deleting existing approvals. New approvals are created during the normal course of the OAuth protocol, and approved sites can not be updated.
 Endpoint: **`/api/approved`**
@ -657,7 +774,7 @@ Endpoint: **`/api/approved`**
 Gets a list of the approved sites for the current user in `application/json` format.
-```
+```json
 [
    {
        "id": 1,
@ -671,18 +788,21 @@ Gets a list of the approved sites for the current user in `application/json` for
            "phone",
            "openid"
        ],
-        "whitelistedSite": null
+        "whitelistedSite": null,
        approvedAccessTokens: [ 3, 4 ]
    }
 ]
 ```
 ### GET /api/approved/{id}
 *Requires __ROLE_USER__ access.*
 Gets the approved site with the {id} indicated in the url, in `application/json` format. Users may only get approved sites that belong to them.
-```
+```json
 {
-    "id": 1,
+    "id": 2,
    "userId": "jricher",
    "clientId": "client",
    "creationDate": "2013-04-26T14:57:21-0400",
@ -693,12 +813,176 @@ Gets the approved site with the {id} indicated in the url, in `application/json`
        "phone",
        "openid"
    ],
-    "whitelistedSite": null
+    "whitelistedSite": 1,
    approvedAccessTokens: [ 6 ]
 }
 ```
 ### DELETE /api/approved/{id}
 *Requires __ROLE_USER__ access.*
 Deletes the approved site with the given {id} in the URL. Users may delete only their own approved sites. Any tokens associated with the approved site remain active. _Note: This behavior will likely change in a future version of the software._
 The sever responds with an HTTP 200 code and a blank page on success.
 ## OAuth Tokens
 This API allows a user to read and delete their currently-valid access tokens and refresh tokens. ID Tokens are listed as access tokens. 
 Note that this is not a full CRUD API as the "create" action is taken care of by standard OAuth flows and the "update" action is not allowed.
 Clients and protected resources wishing to delete tokens issued to them can alternatively use the token revocation API, also supported by the server at `{$issuer}/revoke`. 
 Endpoint: **`/api/tokens`**
 ### GET /api/tokens/access
 *Requires __ROLE_USER__ access.*
 Gets the list of currently active access tokens (including ID tokens) approved by the requesting user in `application/json` format.
 ```json
 [
    {
        "value": "eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0MDEzMTE1MjksInN1YiI6IjkwMzQyLkFTREZKV0ZBIiwibm9uY2UiOiIzNTU1MTk4ZDU3YjZiIiwiYXVkIjpbImE4YWY3NTNjLWYzMjQtNGU0MC1hMTc3LTg3ZGZjMDYyNDliNyJdLCJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3Q6ODA4MFwvb3BlbmlkLWNvbm5lY3Qtc2VydmVyLXdlYmFwcFwvIiwiaWF0IjoxNDAxMzEwOTI5fQ.gSflavUWvb_-ZY3D701uQ0H_65YBm9TH4llovFDEnHjeecxA_phUwDRksnyctXQuPHZQ9yXnwDaSquDh1jRE_XZOdp0igsWl_ZlBUHvESugGzBjSOujh2112j___KMTsv8oXLmBBoebqExMEHbT_9PMHBvQaiHO82S2ipd32d1I",
        "id": 5,
        "idTokenId": null,
        "refreshTokenId": null,
        "scopes": [
            "id-token"
        ],
        "clientId": "a8af753c-f324-4e40-a177-87dfc06249b7",
        "userId": "admin",
        "expiration": "2014-05-28T17:12:09-0400"
    },
    {
        "value": "eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0MDEzMTQ1MjksImF1ZCI6WyJhOGFmNzUzYy1mMzI0LTRlNDAtYTE3Ny04N2RmYzA2MjQ5YjciXSwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODBcL29wZW5pZC1jb25uZWN0LXNlcnZlci13ZWJhcHBcLyIsImp0aSI6Ijg4ZjM4OGE4LTk1NzctNGQyMC1hZTZjLWMyMDMxOGQ1OWJjNiIsImlhdCI6MTQwMTMxMDkyOX0.HYnNxRvGRdKFykVChL-hdxszcFBvygkeUmc8_iv2Jl4MU-jPJVzMnTwKJbCMWBjeBp8hrb0Dgd9XbnHUDyXxwj8MDrWQEH3QnwYJGRW9JFWjHMGfKDQDFY6Ffl3OFERVbyoB2ObiGTUgbw4Nkl1L1ihuMpMAc5nKi0rk3QXcS1M",
        "id": 6,
        "idTokenId": 5,
        "refreshTokenId": null,
        "scopes": [
            "openid",
            "phone",
            "email",
            "address",
            "profile"
        ],
        "clientId": "a8af753c-f324-4e40-a177-87dfc06249b7",
        "userId": "admin",
        "expiration": "2014-05-28T18:02:09-0400"
    }
 ]
 ```
 ### GET /api/tokens/access/{id}
 *Requires __ROLE_USER__ access.*
 Gets a single access token by its {id} in `application/json` format. The given {id} must point to a token that is tied to the authenticated user.
 ```json
 {
    "value": "eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0MDEzMTQ1MjksImF1ZCI6WyJhOGFmNzUzYy1mMzI0LTRlNDAtYTE3Ny04N2RmYzA2MjQ5YjciXSwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwODBcL29wZW5pZC1jb25uZWN0LXNlcnZlci13ZWJhcHBcLyIsImp0aSI6Ijg4ZjM4OGE4LTk1NzctNGQyMC1hZTZjLWMyMDMxOGQ1OWJjNiIsImlhdCI6MTQwMTMxMDkyOX0.HYnNxRvGRdKFykVChL-hdxszcFBvygkeUmc8_iv2Jl4MU-jPJVzMnTwKJbCMWBjeBp8hrb0Dgd9XbnHUDyXxwj8MDrWQEH3QnwYJGRW9JFWjHMGfKDQDFY6Ffl3OFERVbyoB2ObiGTUgbw4Nkl1L1ihuMpMAc5nKi0rk3QXcS1M",
    "id": 6,
    "idTokenId": 5,
    "refreshTokenId": null,
    "scopes": [
        "openid",
        "phone",
        "email",
        "address",
        "profile"
    ],
    "clientId": "a8af753c-f324-4e40-a177-87dfc06249b7",
    "userId": "admin",
    "expiration": "2014-05-28T18:02:09-0400"
 }
 ```
 ### DELETE /api/tokens/access/{id}
 *Requires __ROLE_USER__ access.*
 Deletes the access token identified by {id}. The given {id} must point to a token that is tied to the authenticated user.
 Returns an HTTP 200 on success.
 ### GET /api/tokens/refresh
 *Requires __ROLE_USER__ access.*
 Gets the list of currently active refresh tokens approved by the requesting user in `application/json` format.
 ```json
 [
    {
        "value": "eyJhbGciOiJub25lIn0.eyJqdGkiOiJmYzYwNmZhZS04MmMyLTQwZWEtOTAzYi03OWI1NDdiNDg1YjUifQ.",
        "id": 1,
        "scopes": [
            "phone",
            "offline_access",
            "email",
            "address",
            "profile"
        ],
        "clientId": "client",
        "userId": "admin",
        "expiration": null
    },
    {
        "value": "eyJhbGciOiJub25lIn0.eyJqdGkiOiI5MzkwOTc0YS0zZDI0LTQ4ZWItYWFiYS1kZDdjMTc5NDZlZmMifQ.",
        "id": 2,
        "scopes": [
            "address",
            "email",
            "offline_access",
            "phone",
            "profile"
        ],
        "clientId": "client",
        "userId": "admin",
        "expiration": null
    }
 ]
 ```
 ### GET /api/tokens/refresh/{id}
 *Requires __ROLE_USER__ access.*
 Gets a single refresh token by its {id} in `application/json` format. The given {id} must point to a token that is tied to the authenticated user.
 ```json
 {
    "value": "eyJhbGciOiJub25lIn0.eyJqdGkiOiI5MzkwOTc0YS0zZDI0LTQ4ZWItYWFiYS1kZDdjMTc5NDZlZmMifQ.",
    "id": 2,
    "scopes": [
        "address",
        "email",
        "offline_access",
        "phone",
        "profile"
    ],
    "clientId": "client",
    "userId": "admin",
    "expiration": null
 }
 ```
 ### DELETE /api/tokens/refresh/{id}
 *Requires __ROLE_USER__ access.*
 Deletes the refresh token identified by {id}. The given {id} must point to a token that is tied to the authenticated user.
 Returns an HTTP 200 on success.
--- a/Token-Introspecting-Client-Config.md
+++ b/Token-Introspecting-Client-Config.md
@ -3,16 +3,18 @@ The following code sets up a filter to take a token passed in to the web applica
 If the token is valid, the service creates an `Authentication` object with the user in the `sub` object as its principle. This `Authentication` is given a set of `GrantedAuthorities` provided by the configured `introspectionAuthorityGranter` service. 
 In applicationContext.xml:
-```
+
-    <oauth:resource-server id="resourceServerFilter" token-services-ref="introspectingService" />
+```xml
-    <bean id="introspectingService" class="org.mitre.oauth2.introspectingfilter.IntrospectingTokenService">
+<oauth:resource-server id="resourceServerFilter" token-services-ref="introspectingService" />
-        <property name="introspectionConfigurationService">
+
-           ...
+<bean id="introspectingService" class="org.mitre.oauth2.introspectingfilter.IntrospectingTokenService">
-        </property>
+    <property name="introspectionConfigurationService">
-        <property name="introspectionAuthorityGranter">
+       ...
-           ...
+    </property>
-        </property>
+    <property name="introspectionAuthorityGranter">
-    </bean>
+       ...
    </property>
 </bean>
 ```
 ## Introspection Configuration Service
@ -23,31 +25,31 @@ The `Introspection Configuration Service` interface looks at the context of the
 The static provider simply returns the same configured URL and the same configured client for all requests, regardless of context.
-```
+```xml
-   <bean class="org.mitre.oauth2.introspectingfilter.StaticIntrospectionUrlProvider">
+<bean class="org.mitre.oauth2.introspectingfilter.StaticIntrospectionUrlProvider">
-      <property name="introspectionUrl" value="http://authserver/introspect" />
+   <property name="introspectionUrl" value="http://authserver/introspect" />
-      <property name="clientConfiguration">
+   <property name="clientConfiguration">
-        <bean class="org.mitre.oauth2.model.RegisteredClient">
+     <bean class="org.mitre.oauth2.model.RegisteredClient">
-          <property name="clientId" value="yourClientId"/>
+       <property name="clientId" value="yourClientId"/>
-          <property name="clientSecret" value="yourClientSecret"/>
+       <property name="clientSecret" value="yourClientSecret"/>
-        </bean>
+     </bean>
-      </property>
+   </property>
-   </bean>
+</bean>
 ```
 ### JWT-Parsing Introspection URL Provider
 The JWT-parsing provider assumes that the access token is a properly formed JWT and parses the token value into a JWT object. The provider then extracts the `iss` field and looks up the introspection URL using the configured `serverConfigurationService` and `clientConfigurationService`. These services are the same as described in [Client Configuration/server service configuration](Client-configuration#server-configuration) and [Client Configuration/client service configuration](Client-configuration#client-configuration).
-```
+```xml
-   <bean class="org.mitre.oauth2.introspectingfilter.JWTParsingIntrospectionUrlProvider">
+<bean class="org.mitre.oauth2.introspectingfilter.JWTParsingIntrospectionUrlProvider">
-      <property name="serverConfigurationService">
+   <property name="serverConfigurationService">
-         ...
+      ...
-      </property>
+   </property>
-      <property name="clientConfigurationService">
+   <property name="clientConfigurationService">
-         ...
+      ...
-      </property>
+   </property>
-   </bean>
+</bean>
 ```
 ## Authority Granter
@ -58,10 +60,10 @@ The `IntrospectionAuthorityGranter` interface looks at the response from the int
 The `SimpleIntrospectionAuthorityGranter` returns the same configured set of authorities for every request, as long as the token is deemed valid by the server. By default, it returns the single `GrantedAuthority` of `ROLE_API`. 
-```
+```xml
-   <bean class="org.mitre.oauth2.introspectingfilter.SimpleIntrospectionAuthorityGranter">
+<bean class="org.mitre.oauth2.introspectingfilter.SimpleIntrospectionAuthorityGranter">
-      <property name="authorities">
+   <property name="authorities">
-         ...
+      ...
-      </property>
+   </property>
-   </bean>
+</bean>
 ```