Reference of OAuth 2.0 and OpenID Connect 1.0 provider implementation in SSO Server

...

Name          Description
grant_type    "authorization_code" - Authorization code grant - SSO
              "password" - Resource owner password credentials grant - SSO
              "client_credentials" - Client credentials grant - SSO
              "refresh_token" - Refresh token grant - SSO
              "urn:ietf:params:oauth:grant-type:saml2-bearer" - SAML 2.0 assertion grant - SSO
              "http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp" - SMS and SMTP One-Time Password grant - SSO
              "http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp" - SMS and SMTP One-Time Password grant - SSO

...

The token response is a JSON formatted document.

Name           Description
token_type     "Bearer"
               SSO Server supports only Bearer tokens
access_token   The access token issued by the authorization server
id_token       OpenID Connect ID Token value associated with the authenticated session
               See ID Token
refresh_token  Optional refresh token, which can be used to obtain new access tokens
               The provider issues a refresh token if the application is associated with a refresh token policy
               See Management API application integrations - SSO
scope          The scope of the access token
expires_in     The lifetime in seconds of the access token
               The application parameter "ticketValidityTime" controls the access token lifetime

References

ID Token - id_token

Claims

Name           Description
sub            Subject identifier
iss            Issuer identifier
aud            Audience
               Contains the "client_id" of the client sending the token request
exp            Expiration time
iat            Time at which the token was issued
auth_time      Time when the end-user was authenticated
amr            Authentication method reference
azp            Authorized party
session_index  Ubisecure extension

Signed and encrypted ID Token

...

Request parameters

Name                                          Description
Authorization HTTP header with Bearer scheme  The string value of the token. The "access_token" value returned from the token endpoint

...

Request parameters

Name   Description
token  The string value of the token
       Either the "access_token" or the "refresh_token" value returned from the token endpoint

...

The introspection response is a JSON formatted document.

Name        Description
active      "true"
            The token was detected and is valid
token_type  "access_token"
            A valid access token was detected
            "refresh_token"
            A valid refresh token was detected

Access token

The introspection response for an access token contains all parameters from the ID Token and, in addition, the following parameters

Name        Description
active      "true"
            The token is valid
token_type  "access_token"
            The token is an access token
scope       Space-separated list of scope values associated with this token
client_id   Client identifier of the client that requested this token
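The following is an added example, not code from the SSO Server documentation or product, showing how a relying party would check the ID Token claims listed under "Claims" above and how a resource server would consume the access token introspection response described in this section. The issuer URL, client_id and claim values are constructed sample data.

```python
# Constructed sample data shaped like the tables on this page; not captured from a real SSO Server.
SAMPLE_ID_TOKEN_CLAIMS = {
    "sub": "user-123",
    "iss": "https://sso.example.invalid/uas",   # assumed issuer value
    "aud": "my-client",                           # "client_id" of the client that sent the token request
    "exp": 1_700_003_600,
    "iat": 1_700_000_000,
    "auth_time": 1_699_999_900,
    "amr": ["pwd"],
    "azp": "my-client",
    "session_index": "sess-abc",                  # Ubisecure extension
}
# Introspection response for an access token: ID Token claims plus active/token_type/scope/client_id.
SAMPLE_INTROSPECTION = dict(SAMPLE_ID_TOKEN_CLAIMS, active=True, token_type="access_token",
                            scope="openid profile", client_id="my-client")


def check_id_token_claims(claims, expected_iss, client_id, now, skew=60):
    """Return a list of problems with the ID Token claims; an empty list means they are acceptable."""
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append("iss does not match the expected issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append("aud does not contain our client_id")
    if len(aud) > 1 and claims.get("azp") != client_id:   # azp must name us when aud lists several parties
        problems.append("azp must name this client when aud lists several")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or exp + skew <= now:
        problems.append("token is expired or exp is missing")
    if not isinstance(iat, int) or iat - skew > now:
        problems.append("iat is missing or in the future")
    if "sub" not in claims:
        problems.append("sub is missing")
    return problems


def check_introspection(resp, allowed_clients, required_scope):
    """Accept an introspection response only if it describes a live access token from an allowed client."""
    if resp.get("active") not in (True, "true"):    # the page writes the value as "true"
        return False, "token is not active"
    if resp.get("token_type") != "access_token":      # a refresh token must never be accepted as a bearer token
        return False, "not an access token"
    if resp.get("client_id") not in allowed_clients:
        return False, "token was issued to a client this resource does not serve"
    if required_scope not in resp.get("scope", "").split():
        return False, f"scope {required_scope} not granted"
    return True, "ok"
```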

Signed and encrypted response

...

Request parameters

Name   Description
token  The string value of the token.
       Either the "access_token" or the "refresh_token" value returned from the token endpoint

Client

...

authentication

The client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control the client authentication method.

See Client credentials authentication - SSO

Response

If the revoked token is no longer valid, the endpoint returns an empty response body with status 200.

...

Request parameters

Name    Description
policy  "keep_client_credentials"
        Keep any existing client_id and client_secret; do not generate new ones
        "no_client_secret"
        Do not generate a client_secret
        Suitable for clients that wish to use asymmetric keys for authentication and encryption


References