The /frrest/oauth2/token endpoint (org.forgerock.openam.oauth2.rest.TokenResource) allows users to query for their own OAuth2 access tokens and refresh tokens; see http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/dev-guide/index.html#rest-api-oauth2-token-admin-endpoint for details. The code and the documentation examples suggest that amadmin (or an equivalent administrative user) should be able to query for any user's tokens, but this does not work. For example:
(At the time of this query there was 1 OAuth2 access_token and 1 OIDC id_token in the token store for user "test".)
The problem is in the check for whether the current user is the admin user: if so, a query filter of "username=*" is added. This is then translated into the literal LDAP query filter "username=\2A" (\2A being the LDAP escape sequence for "*"), so it only matches tokens whose username is literally "*", i.e. none.
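The following is an added illustration of the escaping problem described above, not code from OpenAM: a minimal RFC 4515 value escaper, a tiny evaluator for single-clause LDAP filters over an in-memory token store, and the filter construction both as described (the admin wildcard is escaped as a value) and corrected (the admin case emits a presence filter instead). The token store, the helper names and the `is_admin` flag are constructed assumptions for the example.

```python
import re

# Characters that must be escaped when they appear inside an assertion
# value of an LDAP search filter (RFC 4515, section 3).
_LDAP_SPECIAL = '*()\\\x00'


def escape_ldap_value(value: str) -> str:
    """Escape a string for use as an assertion *value* in an LDAP filter.

    '*' becomes '\\2A', so an escaped asterisk is a literal character, not a wildcard.
    """
    return ''.join('\\%02X' % ord(ch) if ch in _LDAP_SPECIAL else ch for ch in value)


def _unescape_ldap_value(value: str) -> str:
    """Reverse escape_ldap_value for the evaluator below."""
    return re.sub(r'\\([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), value)


def filter_matches(ldap_filter: str, entry: dict) -> bool:
    """Evaluate a single-clause filter '(attr=value)' against one entry.

    An unescaped '*' on its own is a presence filter (attribute exists);
    anything else is an equality match on the unescaped value.
    """
    m = re.fullmatch(r'\((\w+)=(.*)\)', ldap_filter)
    if not m:
        raise ValueError('unsupported filter: %r' % ldap_filter)
    attr, raw = m.group(1), m.group(2)
    if raw == '*':
        return attr in entry
    return entry.get(attr) == _unescape_ldap_value(raw)


def build_token_filter_described(username: str, is_admin: bool) -> str:
    """The behaviour described in the report: admin gets username='*', which
    is then escaped like any other value and becomes a literal match."""
    if is_admin:
        username = '*'
    return '(username=%s)' % escape_ldap_value(username)


def build_token_filter_corrected(username: str, is_admin: bool) -> str:
    """Corrected construction: the admin case is a presence filter built from
    filter syntax, not from an escaped user-supplied value."""
    if is_admin:
        return '(username=*)'
    return '(username=%s)' % escape_ldap_value(username)


def query_tokens(store: list, ldap_filter: str) -> list:
    """Return the entries in the constructed token store matching the filter."""
    return [t for t in store if filter_matches(ldap_filter, t)]


# Constructed sample token store (not real OpenAM data).
TOKEN_STORE = [
    {'username': 'test', 'tokenName': 'access_token'},
    {'username': 'test', 'tokenName': 'id_token'},
    {'username': 'alice', 'tokenName': 'refresh_token'},
]


if __name__ == '__main__':
    print('escaped wildcard:', build_token_filter_described('amadmin', True))
    print('admin, as described:', len(query_tokens(TOKEN_STORE, build_token_filter_described('amadmin', True))))
    print('admin, corrected:   ', len(query_tokens(TOKEN_STORE, build_token_filter_corrected('amadmin', True))))
    print('user test:          ', len(query_tokens(TOKEN_STORE, build_token_filter_corrected('test', False))))
```

Running it shows the admin query returning zero tokens with the escaped filter "(username=\2A)" and all three with the presence filter, while the non-admin path still escapes the supplied username so a user cannot smuggle filter syntax into the query.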