Reference of OAuth 2.0 and OpenID Connect 1.0 provider implementation in SSO Server
...
Name | Description |
---|---|
grant_type | "authorization_code" - Authorization code grant - SSO "password" - Resource owner password credentials grant - SSO "urn:ietf:params:oauth:grant-type:saml2-bearer" - SAML 2.0 assertion grant - SSO "refresh_token" - Refresh token grant - SSO "http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp" - SMS and SMTP One-Time Password grant - SSO "http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp" - SMS and SMTP One-Time Password grant - SSO |
...
Token response is a Json formatted document
Name | Description |
---|---|
token_type | "Bearer" SSO Server supports only Bearer tokens |
access_token | The access token issued by the authorization server |
id_token | OpenID Connect ID Token value associated with the authenticated session See ID Token |
refresh_token | Optional refresh token, wh ich can be used to obtain new access tokens The provider issues a refresh token if application is associated with a refresh token policy |
scope | The scope of the access token |
expires_in | The lifetime in seconds of the access token Application parameter " ticketValidityTime " controls access token lifetime |
References
- https://tools.ietf.org/html/rfc6749#section-4.1.3
- http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
- https://tools.ietf.org/html/rfc7523
Anchor | ||||
---|---|---|---|---|
|
Claims
Name | Description |
---|---|
sub | Subject identifier |
iss | Issuer identifier |
aud | Audience Contains "client_id" of client sending token request |
exp | Expiration time |
iat | Time at which the token was issued |
auth_time | Time when end-user was authenticated |
amr | Authentication method reference |
azp | Authorized party |
session_index | Ubisecure extension |
Signed and encrypted ID Token
...
Request parameters
Name | Description |
---|---|
Authorization http header with Bearer scheme | The string value of the token. The "access_token" value returned from the token endpoint |
...
Request parameters
Name | Description |
---|---|
token | The string value of the token Either "access_token" or "refresh_token" value returned from the token endpoint |
Client
...
authentication
Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.
Response
Introspection response is a Json formatted document.
Name | Description |
---|---|
active | "true" If token was detected and is valid |
token_type | "access_token" Valid access token was detected "refresh_token" Valid refresh token was detected |
Access token
Introspection response for access token contains all parameters from ID Token, and in addition following parameters
Name | Description |
---|---|
active | "true" Token is valid |
token_type | "access_token" Token is access token |
scope | Space-separated list of scope values associated with this token |
client_id | Client identifier for the client that requested this token |
Signed and encrypted response
...
Request parameters
Name | Description |
---|---|
token | The string value of the token. Either "access_token" or "refresh_token" value returned from the token endpoint |
Client credentials
Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.
...
Request parameters
Name | Description |
---|---|
policy | "keep_client_credentials" Keep any existing client_id and client_secret, do not generate new "no_client_secret" Do not generate client_secret Suitable for clients who wish to use asymmetric keys for authentication and encryption |