
In a native application use case two OAuth clients are registered with SSO. The first client is the "native application" presenting user interfaces to the end-user. The second client is usually a web service or resource server providing API services to the native application. 

The native application wants to get an access token for calling the resource server API services. The resource server validates the access token it receives by calling the tokeninfo service. The tokeninfo service returns claims and attributes describing the authenticated user.


Diagram: Authorization Code Grant. Sequence diagram of the authorization code grant with native applications.


Authorization Request

See the instructions on the page Authorization code grant and web single sign-on.

Authorization Response

See the instructions on the page Authorization code grant and web single sign-on.

Access Token Request

See the instructions on the page Authorization code grant and web single sign-on.

Access Token Response

See the instructions on the page Authorization code grant and web single sign-on.


Resource Server Request

Reference: https://tools.ietf.org/html/rfc6750#section-2

Required parameters

  • access token: sent in the Authorization HTTP header using the Bearer scheme. The application may alternatively choose to send the access token in a form or query parameter.

Sample resource server request:

GET https://resource.example.com/api/method
Authorization: Bearer DSJJU6QhquTUsznTDeDq0eVm


Token Introspection Request

Reference: https://tools.ietf.org/html/rfc7662#section-2.1

POST /uas/oauth2/introspection

Required parameters

  • token: Access/Refresh Token value received by the resource server
  • client_id & client_secret: OAuth Client Identifier and Secret of the resource server

Sample introspection request:

POST https://sso.example.com/uas/oauth2/introspection
Authorization: Basic MTc2MjQxNDM3NDoqKio=
Content-Type: application/x-www-form-urlencoded

token=DSJJU6QhquTUsznTDeDq0eVm


Token Introspection Response

Reference: https://tools.ietf.org/html/rfc7662#section-2.2

Parameters

  • active: The value "true" if the access token was valid
  • aud: OAuth Client Identifier of the response recipient
  • scope: Scope of the provided token. Subset of the scopes in the scope parameter given in the token request the token was generated for.
  • client_id: OAuth Client Identifier of the client issuing the authorization request
  • token_type: Type of the token submitted, access_token or refresh_token


In addition to the attributes listed above, the Introspection Response contains the same claims and attributes as the UserInfo Response.

Sample introspection response:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "sub": "***",
  "iss": "https://sso.example.com/uas",
  "aud": "1762414374",
  "exp": 1429700671981,
  "iat": 1429697071971,
  "auth_time": 1429697071527,
  "amr": ["https://sso.example.com/uas/saml2/names/ac/password.1"],
  "active": true,
  "scope": "openid 1762414374",
  "client_id": "347937059",
  "session_index": "0a9b62ce8de4",
  "token_type": "access_token"
}
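The following Python example is added here and is not code from this page or from the SSO product it describes. It shows the resource server side of the flow: extracting the bearer token from the incoming API request (Resource Server Request), building the introspection POST authenticated with the resource server's own client_id and client_secret (Token Introspection Request), and checking the introspection response before the API call is served (active, token_type, aud equal to the resource server's client identifier, exp not yet passed, required scopes present). The HTTP call to the introspection endpoint is injected as a callable so the example runs offline; the embedded response is the sample shown above, whose exp and iat values are millisecond timestamps, so the expiry check takes a millisecond clock. The client secret value "***", the required scope set and the fake_introspect callable are assumptions made for the example.

```python
import base64
from typing import Callable, Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed sample: the introspection response shown on this page.
SAMPLE_INTROSPECTION_RESPONSE: Dict[str, object] = {
    "sub": "***",
    "iss": "https://sso.example.com/uas",
    "aud": "1762414374",
    "exp": 1429700671981,   # milliseconds, as in the page's sample
    "iat": 1429697071971,
    "auth_time": 1429697071527,
    "amr": ["https://sso.example.com/uas/saml2/names/ac/password.1"],
    "active": True,
    "scope": "openid 1762414374",
    "client_id": "347937059",
    "session_index": "0a9b62ce8de4",
    "token_type": "access_token",
}

INTROSPECTION_URL = "https://sso.example.com/uas/oauth2/introspection"


def extract_bearer_token(authorization_header: Optional[str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    if not authorization_header:
        return None
    scheme, _, credentials = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not credentials.strip():
        return None
    return credentials.strip()


def build_introspection_request(token: str, client_id: str, client_secret: str) -> Dict[str, object]:
    """Describe the POST the resource server sends to the introspection endpoint.

    The resource server authenticates with HTTP Basic using its own client
    credentials and submits the received token as a form parameter.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": INTROSPECTION_URL,
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"token": token}),
    }


def validate_introspection_response(resp: Dict[str, object], expected_aud: str,
                                    required_scopes: Set[str], now_ms: int) -> Optional[str]:
    """Return None if the token may be accepted, otherwise the reason for rejection."""
    if resp.get("active") is not True:
        return "token not active"
    if resp.get("token_type") != "access_token":
        return "not an access token"      # a refresh token must never reach the API
    aud = resp.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return "audience mismatch"        # token was issued for a different resource server
    exp = resp.get("exp")
    if not isinstance(exp, int) or exp <= now_ms:
        return "token expired"
    granted = set(str(resp.get("scope", "")).split())
    if not required_scopes <= granted:
        return "insufficient scope"
    return None


def authorize_request(headers: Dict[str, str], introspect: Callable[[Dict[str, object]], Dict[str, object]],
                      resource_client_id: str, resource_client_secret: str,
                      required_scopes: Set[str], now_ms: int) -> Tuple[bool, str]:
    """Full resource-server check for one incoming API request."""
    token = extract_bearer_token(headers.get("Authorization"))
    if token is None:
        return False, "missing bearer token"
    request = build_introspection_request(token, resource_client_id, resource_client_secret)
    response = introspect(request)
    reason = validate_introspection_response(response, resource_client_id, required_scopes, now_ms)
    return reason is None, reason or "ok"


def fake_introspect(request: Dict[str, object]) -> Dict[str, object]:
    """Hypothetical stand-in for the SSO introspection endpoint (offline)."""
    submitted = parse_qs(str(request["body"])).get("token", [""])[0]
    if submitted == "DSJJU6QhquTUsznTDeDq0eVm":
        return dict(SAMPLE_INTROSPECTION_RESPONSE)
    return {"active": False}              # RFC 7662: unknown or revoked tokens are reported inactive


if __name__ == "__main__":
    incoming = {"Authorization": "Bearer DSJJU6QhquTUsznTDeDq0eVm"}
    print(authorize_request(incoming, fake_introspect, "1762414374", "***", {"openid"}, 1429697071972))
```

The check order matters for a defender: an inactive or wrong-typed token is rejected before any claim is trusted, the aud check stops a token minted for another client from being replayed against this resource server, and the scope check is a subset test so a token carrying extra scopes still passes while one missing a required scope does not.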