Comment: keep_client_credentials policy description updated

Reference of OAuth 2.0 and OpenID Connect 1.0 provider implementation in SSO Server

...

This endpoint's response is identical to OpenID Connect provider metadata 

Metadata values

See Provider metadata reference - SSO

...

Name        Description
grant_type  One of the following grant type values:
            "authorization_code" - Authorization code grant - SSO
            "password" - Resource owner password credentials grant - SSO
            "client_credentials" - Client Credentials Grant reference - SSO
            "refresh_token" - Refresh token grant - SSO
            "urn:ietf:params:oauth:grant-type:saml2-bearer" - SAML 2.0 assertion grant - SSO
            "http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp" - SMS and SMTP One-Time Password grant - SSO
            "http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp" - SMS and SMTP One-Time Password grant - SSO

...

Token response is a JSON formatted document

Name           Description
token_type     "Bearer". SSO Server supports only Bearer tokens
access_token   The access token issued by the authorization server
id_token       OpenID Connect ID Token value associated with the authenticated session. See ID Token
refresh_token  Optional refresh token, which can be used to obtain new access tokens. The provider
               issues a refresh token if the application is associated with a refresh token policy.
               See Management API application integrations - SSO
scope          The scope of the access token
expires_in     The lifetime in seconds of the access token. The application parameter
               "ticketValidityTime" controls the access token lifetime
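Handling the token response on the client side, as an added example that is not code from this page or from Ubisecure SSO Server. It uses only the fields listed above; the sample response body is constructed for the example, and `expires_in` is turned into an absolute deadline so that the refresh decision does not depend on when the response was parsed.

```python
import json
import time


class TokenSet:
    """Client-side view of one token endpoint response."""

    def __init__(self, access_token, expires_at=None, refresh_token=None,
                 scope=None, id_token=None):
        self.access_token = access_token
        self.expires_at = expires_at      # absolute UNIX time, None if expires_in was absent
        self.refresh_token = refresh_token
        self.scope = scope
        self.id_token = id_token

    @classmethod
    def from_response(cls, body, now=None):
        """Parse the JSON token response received at UNIX time `now`."""
        now = time.time() if now is None else now
        data = json.loads(body)
        # RFC 6749 makes token_type case-insensitive; this server only issues Bearer.
        if str(data.get("token_type", "")).lower() != "bearer":
            raise ValueError(f"unsupported token_type {data.get('token_type')!r}")
        if not data.get("access_token"):
            raise ValueError("token response carries no access_token")
        expires_in = data.get("expires_in")
        # expires_in is a relative lifetime (ticketValidityTime); keep the absolute deadline.
        expires_at = now + int(expires_in) if expires_in is not None else None
        return cls(data["access_token"], expires_at, data.get("refresh_token"),
                   data.get("scope"), data.get("id_token"))

    def needs_refresh(self, now=None, skew=30):
        """True when the access token is expired or within `skew` seconds of expiring."""
        if self.expires_at is None:
            return False   # no lifetime advertised; rely on the resource server's 401
        now = time.time() if now is None else now
        return now + skew >= self.expires_at

    def can_refresh(self):
        # Only applications with a refresh token policy receive a refresh_token;
        # without one the original grant has to be run again.
        return bool(self.refresh_token)

    def authorization_header(self):
        return {"Authorization": f"Bearer {self.access_token}"}

    def refresh_grant(self, scope=None):
        """Form parameters for a refresh_token grant request.

        Client authentication is added by the caller according to the
        application's token_endpoint_auth_method.
        """
        if not self.can_refresh():
            raise RuntimeError("no refresh_token was issued for this application")
        params = {"grant_type": "refresh_token", "refresh_token": self.refresh_token}
        if scope:
            params["scope"] = scope
        return params


# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "access_token": "2YotnFZFEjr1zCsicMWpAA",
    "expires_in": 3600,
    "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
    "scope": "openid profile",
})

if __name__ == "__main__":
    ts = TokenSet.from_response(SAMPLE_RESPONSE, now=1_700_000_000)
    print(ts.needs_refresh(now=1_700_000_000))    # not yet
    print(ts.needs_refresh(now=1_700_003_580))    # within 30 s of expiry
    print(ts.refresh_grant())
```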

ID Token - id_token

Claims

Name           Description
sub            Subject identifier
iss            Issuer identifier
aud            Audience. Contains the "client_id" of the client that sent the token request
exp            Expiration time
iat            Time at which the token was issued
auth_time      Time when the end-user was authenticated
amr            Authentication method reference
azp            Authorized party
session_index  Ubisecure extension
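Validating the claims above on the relying-party side, as an added example that is not code from this page or from Ubisecure SSO Server. The issuer URL, the client_id "my-client", the claim values and the shared HMAC key are all assumptions made so the token can be built and verified offline with HS256; a real deployment verifies the signature against the key published in the provider's JWKS, and the claim checks (iss, aud, azp, exp, iat, auth_time) carry over unchanged.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values for this example (not from the page).
ISSUER = "https://sso.example.com/uas"
CLIENT_ID = "my-client"
# Constructed shared secret so the token can be signed and verified offline.
EXAMPLE_KEY = b"example-shared-secret-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes = EXAMPLE_KEY) -> str:
    """Build an HS256-signed compact JWS (fixture for the example only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token, key, issuer, client_id, now=None, max_age=None, leeway=60):
    """Verify signature and claims; return the claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token's own header must never select "none" or a weaker alg.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(payload_b64))

    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    if not claims.get("sub"):
        raise ValueError("sub missing")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("aud does not contain this client_id")
    # With several audiences, or whenever azp is present, azp must name this client.
    if (len(audiences) > 1 or "azp" in claims) and claims.get("azp") != client_id:
        raise ValueError("azp mismatch")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now > exp + leeway:
        raise ValueError("token expired")
    if not isinstance(iat, int) or iat > now + leeway:
        raise ValueError("iat is in the future")
    if max_age is not None:
        # auth_time lets the client enforce how fresh the end-user authentication is.
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, int):
            raise ValueError("auth_time required when max_age was requested")
        if now - auth_time > max_age + leeway:
            raise ValueError("authentication too old, re-authenticate")
    return claims


def id_token_error(token, key=EXAMPLE_KEY, issuer=ISSUER, client_id=CLIENT_ID, **kw):
    """None if the token validates, otherwise the reason it was rejected."""
    try:
        validate_id_token(token, key, issuer, client_id, **kw)
        return None
    except ValueError as err:
        return str(err)


NOW = 1_700_000_000
# Constructed claim set mirroring the table above (session_index omitted: format not specified).
SAMPLE_CLAIMS = {
    "iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "azp": CLIENT_ID,
    "exp": NOW + 300, "iat": NOW, "auth_time": NOW - 600, "amr": ["pwd"],
}

if __name__ == "__main__":
    tok = make_id_token(SAMPLE_CLAIMS)
    print(id_token_error(tok, now=NOW))          # valid
    print(id_token_error(tok, now=NOW + 600))    # expired
```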

Signed and encrypted ID Token

...

Request parameters

Name                                          Description
Authorization HTTP header with Bearer scheme  The string value of the token: the "access_token" value returned from the token endpoint

...

The UserInfo response contains exactly the same claims as the ID Token

Signed and encrypted response

...

Request parameters

Name   Description
token  The string value of the token. Either the "access_token" or the "refresh_token" value returned from the token endpoint

...

Introspection response is a JSON formatted document.

Name        Description
active      "true" if the token was found and is valid
token_type  "access_token" - a valid access token was detected
            "refresh_token" - a valid refresh token was detected

Check "active" before trusting any other member of the response.

Access token

Introspection response for an access token contains all claims from the ID Token, and in addition the following parameters

Name        Description
active      "true". Token is valid
token_type  "access_token". Token is an access token
scope       Space-separated list of scope values associated with this token
client_id   Client identifier of the client that requested this token
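A resource server's authorization decision driven by the introspection response, as an added example that is not code from this page or from Ubisecure SSO Server. The three response bodies are constructed for the example. The function fails closed whenever "active" is not set, refuses a refresh token presented as a bearer credential (introspection reports it with token_type "refresh_token"), and then checks scope and client_id.

```python
import json
import time


def authorize_with_introspection(introspection_body, required_scopes,
                                 allowed_client_ids=None, now=None):
    """Decide whether a presented token may access a resource.

    Returns (allowed, reason). Every failure path returns False, and nothing in
    the response is trusted before "active" has been checked.
    """
    now = int(time.time()) if now is None else now
    try:
        info = json.loads(introspection_body)
    except ValueError:
        return False, "introspection response is not JSON"
    # RFC 7662 defines active as a JSON boolean; the string form is tolerated only
    # because this page writes the value as "true". Anything else fails closed.
    if info.get("active") not in (True, "true"):
        return False, "token is not active"
    # A refresh token may be valid in its own right but is not a bearer credential
    # for resource access; token_type lets the resource server tell them apart.
    if info.get("token_type") != "access_token":
        return False, f"token_type {info.get('token_type')!r} cannot be used as a bearer token"
    exp = info.get("exp")
    if isinstance(exp, int) and now >= exp:
        return False, "token expired"
    granted = set(str(info.get("scope", "")).split())
    missing = sorted(set(required_scopes) - granted)
    if missing:
        return False, "missing scope: " + " ".join(missing)
    if allowed_client_ids is not None and info.get("client_id") not in allowed_client_ids:
        return False, f"client {info.get('client_id')!r} is not allowed here"
    return True, "ok"


NOW = 1_700_000_000
# Constructed introspection responses (not captured from a real server).
ACTIVE_ACCESS_TOKEN = json.dumps({
    "active": True, "token_type": "access_token",
    "sub": "alice", "iss": "https://sso.example.com/uas", "aud": "my-client",
    "exp": NOW + 300, "iat": NOW, "auth_time": NOW - 10, "amr": ["pwd"],
    "scope": "openid profile", "client_id": "my-client",
})
ACTIVE_REFRESH_TOKEN = json.dumps({"active": True, "token_type": "refresh_token"})
INACTIVE_TOKEN = json.dumps({"active": False})

if __name__ == "__main__":
    print(authorize_with_introspection(ACTIVE_ACCESS_TOKEN, ["openid"], now=NOW))
    print(authorize_with_introspection(ACTIVE_ACCESS_TOKEN, ["email"], now=NOW))
    print(authorize_with_introspection(ACTIVE_REFRESH_TOKEN, ["openid"], now=NOW))
    print(authorize_with_introspection(INACTIVE_TOKEN, ["openid"], now=NOW))
```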

Signed and encrypted response

...

Request parameters

Name   Description
token  The string value of the token. Either the "access_token" or the "refresh_token" value returned from the token endpoint

Client authentication

Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control the client authentication method; the latter applies only to the JWT-based methods.

...

Request parameters

Name    Description
policy  "keep_client_credentials" - Use the provided client_id and client_secret, do not generate new ones
        "no_client_secret" - Do not generate a client_secret. Suitable for clients who wish to use
        asymmetric keys for authentication and encryption

