SSOi OAuth: Token Introspect Service

These services are necessary for Lighthouse services to verify the Access Token obtained on successful login through SSOi OAuth. This verification is required to authorize API requests from client applications to the various Lighthouse APIs.

Overview and Terminology

SSOi is operated by the VA Identity and Access Management (IAM) team - the same team that operates MPI. SSOi and MPI are independent systems (one might be up or down separately from the other) but they do interact with one another.

This integration relates to the OAuth signin pattern provided by SSOi.

Introspect Service

This service provides partners implementing an OAuth client or resource server the ability to access the Introspect endpoint to validate the access token and obtain a full set of user traits.

Integration Endpoints

For Introspect and UserInfo, the following endpoint pattern is used: https://<env><contextroot>/sps/oauth/oauth20/<endpoint name>

We are configured to use ContextRoot=oauthi

The fully qualified endpoint URLs for the Introspect service are as follows:

  • Introspect

    • iDEV:

    • SQA:

    • PREPROD:

    • PROD:

Required Configuration

VA signed certificates are required for access to the Introspect endpoint.

  • The current certificates are named lighthouse-ssoi-oauth-{env}-cert.pem.

  • The private key is stored in AWS Parameter Store under /dvp/<env>/ssoi-oauth-key

  • The Public Key for the certificate is added to the SSOi truststore.

You should be able to test that the certificate is functioning by running some curl commands from a fwdproxy instance.

curl -v --cert /etc/pki/tls/certs/lighthouse-ssoi-oauth-dev-cert.pem --key /etc/pki/tls/private/lighthouse-ssoi-oauth-dev.key '<introspect URL>'

# NOTE: '<introspect URL>' is the Introspect URL for the environment you are testing (see the list above).
#       Without the cert and key flags you should get an HTML page with an error indicating the client SSL failure.
#       With the approved cert and key you should get a 400 Bad Request (we aren't providing a valid request; we are just checking SSL client certs and connectivity).
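The curl command only proves that the client certificate and connectivity work. The example below is an added illustration (not Lighthouse or SSOi code) of what a Lighthouse resource server does next: present the same VA-signed cert and key over mutual TLS, POST the access token to the Introspect URL, and turn the reply into a fail-closed authorization decision. It assumes the endpoint follows RFC 7662 (a form-encoded `token` parameter and a JSON reply with an `active` boolean plus optional `exp` and `scope` claims); the page does not state the exact request or response shape, and the URL, file paths and sample responses are placeholders or constructed values.

```python
"""Added example: introspect an SSOi access token over mTLS and decide whether to accept it.

Assumptions (not stated on the page): RFC 7662-style request/response. The URL below is a
placeholder; the real per-environment Introspect URL comes from the list on this page.
"""
import http.client
import json
import ssl
import time
from typing import Optional, Set, Tuple
from urllib.parse import urlencode, urlparse

# Placeholders: substitute the real Introspect URL and the paths used on the fwdproxy host.
INTROSPECT_URL = "https://<env><contextroot>/sps/oauth/oauth20/introspect"
CERT_FILE = "/etc/pki/tls/certs/lighthouse-ssoi-oauth-dev-cert.pem"
KEY_FILE = "/etc/pki/tls/private/lighthouse-ssoi-oauth-dev.key"


def build_mtls_context(cert_file: str, key_file: str) -> ssl.SSLContext:
    """Client context that presents the VA-signed cert and still verifies the server's cert."""
    ctx = ssl.create_default_context()  # server verification against the system CA bundle stays on
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def introspect(token: str, url: str = INTROSPECT_URL,
               ctx: Optional[ssl.SSLContext] = None) -> dict:
    """POST the token to the Introspect endpoint and return the parsed JSON body (live call)."""
    parsed = urlparse(url)
    conn = http.client.HTTPSConnection(parsed.hostname, parsed.port or 443,
                                       context=ctx or build_mtls_context(CERT_FILE, KEY_FILE))
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    conn.request("POST", parsed.path, body=urlencode({"token": token}), headers=headers)
    resp = conn.getresponse()
    raw = resp.read()
    conn.close()
    if resp.status != 200:
        # A non-200 reply (like the 400 the curl check produces) is not a verdict on the token;
        # treat it as an error rather than as "inactive" or "active".
        raise RuntimeError(f"introspect returned HTTP {resp.status}")
    return json.loads(raw)


def evaluate(intro: dict, required_scopes: Set[str],
             now: Optional[float] = None) -> Tuple[bool, str]:
    """Turn an introspection response into an authorization decision.

    Fail closed: only an explicit active=true, an unexpired token, and every
    required scope present yields (True, "ok"); anything else is rejected.
    """
    now = time.time() if now is None else now
    if intro.get("active") is not True:          # missing, false, or a non-boolean -> reject
        return False, "token not active"
    exp = intro.get("exp")
    if exp is not None and now >= float(exp):    # defence in depth; SSOi should already report inactive
        return False, "token expired"
    granted = set(str(intro.get("scope", "")).split())
    missing = required_scopes - granted
    if missing:
        return False, "missing scope(s): " + " ".join(sorted(missing))
    return True, "ok"


# Constructed sample responses shaped like RFC 7662 output (not captured from SSOi).
SAMPLE_ACTIVE = {"active": True, "exp": 1_900_000_000, "scope": "openid profile", "sub": "user-123"}
SAMPLE_INACTIVE = {"active": False}


if __name__ == "__main__":
    # Offline demonstration of the decision logic; the live path is evaluate(introspect(token), ...).
    print(evaluate(SAMPLE_ACTIVE, {"openid"}, now=1_800_000_000))
    print(evaluate(SAMPLE_INACTIVE, {"openid"}))
```

The decision logic is deliberately separated from the network call so the reject paths (no `active` field, `active` as a string, an expired `exp`, a missing scope) can be exercised without SSOi access, and so that an HTTP error from the endpoint surfaces as an exception instead of being mistaken for a valid "inactive" answer.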


Known External Dependencies

Outage Status and Maintenance Windows

Service Level Agreement

Escalation Procedure

IAM has a 24x7 on call rotation for production SSOi issues.

Per communications from IAM team:

If someone notices a Prod issue and needs IAM support, the best escalation path is to create a SNOW ticket and ask for it to be assigned to ‘AcS Tier 3’.


IAM Team:

  • Damien DeAntonio

  • Perry Vessels

  • IAM Contact: Linda Lotier (Engility)

  • IAM Engineering Resource: Prashant Mukadam (By Light)

  • Project Manager: LeeAnne Branum

Lighthouse team:

  • Product Manager: Shawnee Petrosky

  • Lighthouse Sr Engineer: Beau Grantham

  • Lighthouse Engineer: Derek Brown