Comment: pictures corrected

...

  1. Create a POST request to the /uas/oauth2/token endpoint of the Ubisecure SSO Server. The Content-Type must be application/x-www-form-urlencoded.
    The user's phone number (MSISDN) is sent in the username parameter. The x_globalsign_iam_otp_body parameter carries the URL-encoded text of the SMS message; the {0} placeholder is where the server inserts the one-time code.

    POST body required for first token request:
    grant_type=http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp&scope=openid&username=358404134252&x_globalsign_iam_otp_body=your%20otp%20code%20is%20{0}&client_id=c495bb59-f0ae-430a-9830-ca8228aa58fe&client_secret=CVgXCVQaLeRcd0AQ604sUuAL0NCBDX7

    An example using the HttpRequester browser extension is shown here (screenshot not reproduced).
  2. The response contains a challenge reference (x_globalsign_iam_challenge.reference). Store it: it must be sent back as x_globalsign_iam_reference_id in the second request, when the code is verified.

    Response to authorization request:
    {
        "x_globalsign_iam_challenge": {
            "reference": ".eyJzdWIiOiIzNTg0MDQxMzQyNTIiLCJpYXQiOjE0OTk0MjY3NjY3MjUsImN0bXMiOjE0Njc0MjY1MTM3ODgyMDQsIm1hYyI6IkFaUzU2ckhPQjV6d2RfVWJWenhjOUgtX2VQejJiSFJNT0dXY0hTV1hWdzhFUTRST1locWdiQVNkZ3huSGVhLWk3QnhNZmc9PSJ9.S1f4VSae-QO0jfFcekPHUGTvqBgYc2yFsHbj3UVhFpk"
        }
    }


...

  1. Create a POST request to the same endpoint containing the reference returned in the first response (sent as x_globalsign_iam_reference_id) together with the code collected from the user (sent as x_globalsign_iam_otp_code).

    POST body required for second token request:
    grant_type=http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp&scope=openid&client_id=c495bb59-f0ae-430a-9830-ca8228aa58fe&client_secret=CVgXCVQaLeRcd0AQ604sUuAL0NCBDX77&x_globalsign_iam_reference_id=.eyJzdWIiOiIzNTg0MDQxMzQyNTIiLCJpYXQiOjE0OTk0MjY3NjY3MjUsImN0bXMiOjE0Njc0MjY1MTM3ODgyMDQsIm1hYyI6IkFaUzU2ckhPQjV6d2RfVWJWenhjOUgtX2VQejJiSFJNT0dXY0hTV1hWdzhFUTRST1locWdiQVNkZ3huSGVhLWk3QnhNZmc9PSJ9.S1f4VSae-QO0jfFcekPHUGTvqBgYc2yFsHbj3UVhFpk&x_globalsign_iam_otp_code=32768341

    An example using the HttpRequester browser extension is shown here (screenshot not reproduced).
  2. The response contains an access_token and an id_token:

    Response:
    {
        "access_token": "eyJjbGllbnRfaWQiOiJjNDk1YmI1OS1mMGFlLTQzMGEtOTgzMC1jYTgyMjhhYTU4ZmUiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwic2Vzc2lvbl9pbmRleCI6Il9hY2I4NDBiNjg1M2ExZGJkYWE2OTgxYjE4MDhjNzAzOGE1Y2JmYmE2Iiwic2NvcGUiOlsib3BlbmlkIl0sImNsaWVudF9pZCI6ImM0OTViYjU5LWYwYWUtNDMwYS05ODMwLWNhODIyOGFhNThmZSIsImV4cCI6MTQ5OTQzMDk2NjgyNn0.YI0D28H_igk5uxUpc2mprtpHlEOMMiEbXyYvWIfuCUw",
        "scope": "openid",
        "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIzNTg0MDQxMzQyNTIiLCJpc3MiOiJodHRwczovL21uby51YmlkZW1vLmNvbS91YXMiLCJhdWQiOlsiYzQ5NWJiNTktZjBhZS00MzBhLTk4MzAtY2E4MjI4YWE1OGZlIl0sImV4cCI6MTQ5OTQzMDk2NiwiaWF0IjoxNDk5NDI3MzY2LCJhdXRoX3RpbWUiOjE0OTk0MjczNjYsImFtciI6WyJodHRwczovL21uby51YmlkZW1vLmNvbS91YXMvc2FtbDIvbmFtZXMvYWMvdWJpa2V5LnNtcy41Il0sImF6cCI6ImM0OTViYjU5LWYwYWUtNDMwYS05ODMwLWNhODIyOGFhNThmZSIsInNlc3Npb25faW5kZXgiOiJfYWNiODQwYjY4NTNhMWRiZGFhNjk4MWIxODA4YzcwMzhhNWNiZmJhNiIsInViaWtleS5zbXMuNS5ncmFudF90eXBlIjpbImh0dHA6Ly9nbG9iYWxzaWduLmNvbS9pYW0vc3NvL29hdXRoMi9ncmFudC10eXBlL3Ntcy1tdC1vdHAiXX0.QaZ14BhrDsh1UYyHX-_ODjEYUaT2pn5h0r5EOWt22h5gezeObct7JpQ-jmiQv8jzNmITesDSXX0z6JGn7mtcP_nkzpi179DQkoMrRwEHRHLY9l5hs-qKYa0JEK_c5fqoavC-tKKNtKiNMbW3cFMp8CVhyIancp6fg_V5UfjFj17QW1uw4a9aBuHgXQ9X4dFT6Om6_GGDBglNWKu287TvdeSk8KiK0rJAoJrQEgxKjQ3ad9Kh10sbofgcBa6-BXnkPe0me0FXnVW6NoHtTCIey2sHqTCLLYB3OdG3kjpqvxPSDinL-7PbHtHoORc0A3lVP9hDUajf_8zdDfRHxxBIlQ",
        "token_type": "Bearer",
        "expires_in": 3600
    }


  3. Verify the id_token signature against the issuer's published signing key, then compare its claims with the request that was sent: iss must be the expected IDP, aud must contain your client_id, exp must still be in the future, and sub must be the phone number the code was sent to. Only then treat it as the response to your request. The id_token shown above contains more information:

    1. sub - subject - the MSISDN (phone number) that the code was sent to

    2. iss - issuer - the IDP that issued this token

    3. aud - audience - who this id_token is intended for (the client_id of the agent)

    4. exp - expiry time - when this token expires

    5. iat - issued at - when it was issued

    6. auth_time - authentication time - when the user was authenticated

    7. amr - the authentication method used - the Authentication Context Declaration Reference value from the method's settings screen (the SAML equivalent of AuthnContextDeclRef)

    8. azp - authorized party - the client the token was issued to; in this case the same as the audience

    9. session_index - identifies the session on the IDP
    10. ubikey.sms.5.grant_type - the grant type that was used, returned under the method name when no Authentication Policy is set

      id_token contents (excluding header and signature):
      {
        "sub": "358404134252",
        "iss": "https://mno.ubidemo.com/uas",
        "aud": [
          "c495bb59-f0ae-430a-9830-ca8228aa58fe"
        ],
        "exp": 1499430966,
        "iat": 1499427366,
        "auth_time": 1499427366,
        "amr": [
          "https://mno.ubidemo.com/uas/saml2/names/ac/ubikey.sms.5"
        ],
        "azp": "c495bb59-f0ae-430a-9830-ca8228aa58fe",
        "session_index": "_acb840b6853a1dbdaa6981b1808c7038a5cbfba6",
        "ubikey.sms.5.grant_type": [
          "http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp"
        ]
      }
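The two requests above and the id_token checks in step 3, as an added example in Python; this is not code from the page or from Ubisecure. It builds both form bodies, extracts the challenge reference from the first response, sends it back with the user's code, and then verifies the RS256 signature and ties the claims (iss, aud, azp, exp, iat, sub, amr) back to the request. Assumptions: the token endpoint URL is the issuer from the id_token joined to the /uas/oauth2/token path shown in step 1; the IDP's RSA public key is supplied by the caller as a JWK (the page does not show where it is published); the HTTP call and the prompt for the code are injected as callables so the flow runs offline; signature verification is implemented by hand with the standard library only so the block is self-contained, where production code would use a maintained JOSE library. All function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Values taken from the request and response examples on this page.
GRANT_TYPE = "http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp"
ISSUER = "https://mno.ubidemo.com/uas"
# Assumption: the /uas/oauth2/token path from step 1, joined to the issuer above.
TOKEN_ENDPOINT = ISSUER + "/oauth2/token"
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_jwt(token):
    """Split a compact JWS into (header, claims, signing_input, signature); nothing is trusted yet."""
    h, p, s = token.split(".")
    return (json.loads(b64url_decode(h)), json.loads(b64url_decode(p)),
            (h + "." + p).encode("ascii"), b64url_decode(s))


def rs256_verify(jwk, signing_input, signature):
    """RSASSA-PKCS1-v1_5 with SHA-256, using the n and e members of an RSA JWK."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    digest = hashlib.sha256(signing_input).digest()
    expected = (b"\x00\x01" + b"\xff" * (k - 3 - len(SHA256_DIGESTINFO) - 32)
                + b"\x00" + SHA256_DIGESTINFO + digest)
    return hmac.compare_digest(em, expected)


def first_request_body(msisdn, client_id, client_secret, otp_body="your otp code is {0}"):
    """Step 1: ask the server to send the code to the MSISDN given as username."""
    return urlencode({"grant_type": GRANT_TYPE, "scope": "openid", "username": msisdn,
                      "x_globalsign_iam_otp_body": otp_body,
                      "client_id": client_id, "client_secret": client_secret})


def second_request_body(reference, otp_code, client_id, client_secret):
    """Step 2: return the challenge reference together with the code the user typed in."""
    return urlencode({"grant_type": GRANT_TYPE, "scope": "openid",
                      "client_id": client_id, "client_secret": client_secret,
                      "x_globalsign_iam_reference_id": reference,
                      "x_globalsign_iam_otp_code": otp_code})


def validate_id_token(id_token, jwk, client_id, msisdn, now, issuer=ISSUER, leeway=60):
    """Check the signature first, then tie every claim back to the request we actually sent."""
    header, claims, signing_input, signature = decode_jwt(id_token)
    if header.get("alg") != "RS256":  # reject "none" and HS256-with-public-key confusion
        raise ValueError("unexpected alg %r" % header.get("alg"))
    if not rs256_verify(jwk, signing_input, signature):
        raise ValueError("id_token signature does not verify")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if claims.get("iss") != issuer:
        raise ValueError("iss is not the expected IDP")
    if client_id not in aud:
        raise ValueError("aud does not contain our client_id")
    if "azp" in claims and claims["azp"] != client_id:
        raise ValueError("azp names a different client")
    if now >= claims.get("exp", 0) + leeway:
        raise ValueError("id_token has expired")
    if claims.get("iat", now + leeway + 1) > now + leeway:
        raise ValueError("iat lies in the future")
    if claims.get("sub") != msisdn:
        raise ValueError("sub is not the number the code was sent to")
    if not claims.get("amr"):
        raise ValueError("amr missing: cannot tell how the user authenticated")
    return claims


def sms_otp_login(post, read_otp, jwk, msisdn, client_id, client_secret, now):
    """Run both token requests. post(url, form_body) -> dict and read_otp() -> str are
    injected so the flow can be exercised offline; jwk is the IDP's RS256 public key."""
    challenge = post(TOKEN_ENDPOINT, first_request_body(msisdn, client_id, client_secret))
    reference = challenge["x_globalsign_iam_challenge"]["reference"]
    tokens = post(TOKEN_ENDPOINT,
                  second_request_body(reference, read_otp(), client_id, client_secret))
    claims = validate_id_token(tokens["id_token"], jwk, client_id, msisdn, now)
    return tokens, claims
```

Note that urlencode writes spaces as "+" where the page's example uses "%20"; both are valid application/x-www-form-urlencoded. The sub check is the one that matters most for this grant: it is what proves the token was minted for the number you sent the code to, not merely that some SMS OTP succeeded at the IDP.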


...