Reference of OAuth 2.0 and OpenID Connect 1.0 provider implementation in SSO Server

...

The well known OpenID Connect provider metadata endpoint

Metadata values

See Provider metadata reference - SSO

References

...

This endpoint's response is identical to the OpenID Connect provider metadata.

Metadata values

See Provider metadata reference - SSO

References

...

Location defined by authorization_endpoint metadata value.

Request parameters

See Authorization code grant - SSO

References

...

Location defined by token_endpoint metadata value.

Request parameters

Name | Description
grant_type | One of the following grant type identifiers:
  "authorization_code" - Authorization code grant - SSO
  "password" - Resource owner password credentials grant - SSO
  "client_credentials" - Client Credentials Grant reference - SSO
  "refresh_token" - Refresh token grant - SSO
  "urn:ietf:params:oauth:grant-type:saml2-bearer" - SAML 2.0 assertion grant - SSO
  "http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp" - SMS and SMTP One-Time Password grant - SSO
  "http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp" - SMS and SMTP One-Time Password grant - SSO

The client registration parameter "grant_types" controls which grant types are allowed for the application. If the registration parameter is not defined, then "authorization_code", "password" and "refresh_token" are allowed.

...

The token response is a JSON formatted document.

Name | Description
token_type | "Bearer". SSO Server supports only Bearer tokens.
access_token | The access token issued by the authorization server.
id_token | OpenID Connect ID Token value associated with the authenticated session. See ID Token.
refresh_token | Optional refresh token, which can be used to obtain new access tokens. The provider issues a refresh token if the application is associated with a refresh token policy. See Management API application integrations - SSO.
scope | The scope of the access token.
expires_in | The lifetime in seconds of the access token. The application parameter "ticketValidityTime" controls the access token lifetime.
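The following is an added example, not code from the SSO Server project or its documentation. It builds a token endpoint request for the grant types listed in the request table (the form parameters each grant requires are taken from RFC 6749 and RFC 7522, which this page does not list, and the two OTP grants are left out) and validates a token response against the response table. It assumes the client is registered for HTTP Basic client authentication, and the metadata document, client credentials and response body are constructed sample values.

```python
"""Build a token endpoint request and parse the JSON token response.

Added example, not Ubisecure's own code. Required form parameters per
grant_type follow RFC 6749 / RFC 7522 (assumption: the page links to
separate references for them); client_secret_basic is assumed.
"""
import base64
import json
import time
from typing import Optional
from urllib.parse import quote, urlencode

# Form parameters that must accompany each grant_type (assumption, see above).
REQUIRED_PARAMS = {
    "authorization_code": ("code", "redirect_uri"),
    "refresh_token": ("refresh_token",),
    "client_credentials": (),
    "password": ("username", "password"),
    "urn:ietf:params:oauth:grant-type:saml2-bearer": ("assertion",),
}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic (RFC 6749 section 2.3.1): both values are
    form-url-encoded before being joined with ':' and base64-encoded."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode()).decode("ascii")


def build_token_request(metadata: dict, grant_type: str, client_id: str,
                        client_secret: str, **params) -> dict:
    """Return url, headers and body for a POST to the token endpoint."""
    if grant_type not in REQUIRED_PARAMS:
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    missing = [p for p in REQUIRED_PARAMS[grant_type] if p not in params]
    if missing:
        raise ValueError(f"{grant_type} requires {', '.join(missing)}")
    form = {"grant_type": grant_type, **params}
    return {
        "url": metadata["token_endpoint"],   # location comes from metadata
        "headers": {
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(form),
    }


def parse_token_response(body: str, now: Optional[float] = None) -> dict:
    """Check the fields of the response table and add an absolute expiry."""
    now = time.time() if now is None else now
    doc = json.loads(body)
    if "error" in doc:
        raise ValueError(f"token endpoint error: {doc['error']}")
    if "access_token" not in doc:
        raise ValueError("response carries no access_token")
    # token_type is case-insensitive per RFC 6749; SSO Server issues only Bearer.
    if str(doc.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unsupported token_type {doc.get('token_type')!r}")
    expires_in = int(doc.get("expires_in", 0))
    return {
        "access_token": doc["access_token"],
        "id_token": doc.get("id_token"),
        "refresh_token": doc.get("refresh_token"),  # only with a refresh token policy
        "scope": doc.get("scope", "").split(),
        "expires_at": now + expires_in,
    }


# Constructed sample metadata and response; not from a real deployment.
SAMPLE_METADATA = {"issuer": "https://sso.example.test/uas",
                   "token_endpoint": "https://sso.example.test/uas/oauth2/token"}
SAMPLE_RESPONSE = json.dumps({"token_type": "Bearer", "access_token": "at-constructed",
                              "refresh_token": "rt-constructed",
                              "scope": "openid profile", "expires_in": 3600})

if __name__ == "__main__":
    req = build_token_request(SAMPLE_METADATA, "authorization_code", "example-client",
                              "example-secret", code="abc",
                              redirect_uri="https://app.example.test/cb")
    print(req["url"], req["body"])
    print(parse_token_response(SAMPLE_RESPONSE, now=0))
```

The percent-encoding step in `basic_auth_header` is the part most client libraries get wrong: a secret containing `:` or non-ASCII characters is mangled if it is base64-encoded raw.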

References

ID Token - id_token

Claims

Name | Description
sub | Subject identifier
iss | Issuer identifier
aud | Audience. Contains the "client_id" of the client sending the token request.
exp | Expiration time
iat | Time at which the token was issued
auth_time | Time when the end-user was authenticated
amr | Authentication method reference
azp | Authorized party
session_index | Ubisecure extension

Signed and encrypted ID Token

Client registration parameters "id_token_signed_response_alg", "id_token_encrypted_response_alg" and "id_token_encrypted_response_enc" control ID Token signing and encryption

See Signed and encrypted response - SSO
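The following is an added example, not code from the SSO Server project, showing how a relying party checks the claims listed in the table above after verifying the signature. To run offline it signs a constructed token with HS256 and a constructed shared secret; that algorithm choice, the issuer URL and the client identifier are assumptions for the example, whereas a deployment verifies with the algorithm selected by "id_token_signed_response_alg" and the provider's published keys.

```python
"""Validate an ID Token's signature and claims.

Added example, not Ubisecure's own code. HS256 with a shared secret is an
assumption made so the example is self-contained.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the example; not from any real deployment.
ISSUER = "https://sso.example.test/uas"
CLIENT_ID = "example-client"
SECRET = b"constructed-shared-secret-for-the-example"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact JWS (HS256) carrying the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_id_token(token: str, client_id: str, issuer: str,
                      secret: bytes = SECRET, now: Optional[float] = None,
                      max_age: Optional[int] = None, leeway: int = 60) -> dict:
    """Verify the signature, then check the claims from the table above.
    Returns the claims or raises ValueError naming the failing check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # never accept "none" or an unexpected alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))

    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    # aud may be a string or a list; per the table it carries our client_id.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise ValueError("aud does not contain client_id")
    # With several audiences the authorized party (azp) must be this client.
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp mismatch")
    for name in ("sub", "exp", "iat"):
        if name not in claims:
            raise ValueError(f"missing claim {name}")
    if now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if claims["iat"] > now + leeway:
        raise ValueError("iat is in the future")
    if max_age is not None:   # auth_time lets the RP bound the login age
        auth_time = claims.get("auth_time")
        if auth_time is None or now - auth_time > max_age:
            raise ValueError("authentication too old for max_age")
    return claims


def rejection_reason(token: str, client_id: str, issuer: str, **kw) -> Optional[str]:
    """None if the token validates, otherwise the failing check."""
    try:
        validate_id_token(token, client_id, issuer, **kw)
    except ValueError as exc:
        return str(exc)
    return None


def sample_claims(now: int) -> dict:
    """Constructed claim set shaped like the table above."""
    return {"iss": ISSUER, "sub": "user-1", "aud": CLIENT_ID, "azp": CLIENT_ID,
            "exp": now + 300, "iat": now, "auth_time": now - 10, "amr": ["pwd"]}


if __name__ == "__main__":
    token = make_id_token(sample_claims(int(time.time())))
    print(validate_id_token(token, CLIENT_ID, ISSUER)["sub"])
```

Pinning the expected `alg` before verifying is deliberate: a validator that takes the algorithm from the header accepts whatever the token claims about itself.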

UserInfo - /uas/oauth2/userinfo

...

Location defined by userinfo_endpoint metadata value

Request parameters

Name | Description
Authorization HTTP header with Bearer scheme | The string value of the token: the "access_token" value returned from the token endpoint.

Response

The UserInfo response is a JSON formatted document.

The UserInfo response contains exactly the same claims as the ID Token.

Signed and encrypted response

Client registration parameters "userinfo_signed_response_alg", "userinfo_encrypted_response_alg" and "userinfo_encrypted_response_enc" control userinfo response signing and encryption. 

See Signed and encrypted response - SSO

References

...

Location defined by introspection_endpoint metadata value

Request parameters

Name | Description
token | The string value of the token. Either the "access_token" or the "refresh_token" value returned from the token endpoint.

Client authentication

Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.

See Client credentials authentication - SSO

Response

The introspection response is a JSON formatted document.

Name | Description
active | "true" if the token was detected and is valid.
token_type | "access_token" if a valid access token was detected; "refresh_token" if a valid refresh token was detected.

Access token

The introspection response for an access token contains all parameters from the ID Token and, in addition, the following parameters.

Name | Description
active | "true": the token is valid.
token_type | "access_token": the token is an access token.
scope | Space-separated list of scope values associated with this token.
client_id | Client identifier for the client that requested this token.
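The following is an added example, not code from the SSO Server project, showing the decision a resource server makes from the introspection response described above. It checks the four fields in the table in the order that matters (active first, then token_type, then scope and client_id) and rejects an introspected refresh token, which is valid but must never be accepted as a bearer credential. The sample response documents are constructed; "active" is accepted both as the JSON boolean true that RFC 7662 specifies and as the string "true" shown in the table.

```python
"""Authorize an API request from an introspection response.

Added example, not Ubisecure's own code; sample documents are constructed.
"""
import json
from typing import Iterable, Optional, Tuple


def check_access(introspection: dict, required_scopes: Iterable[str],
                 expected_client_id: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for a parsed introspection document."""
    active = introspection.get("active")
    # The table shows "true"; RFC 7662 uses a JSON boolean. Accept either,
    # but nothing else (a missing field is a denial).
    if active is not True and active != "true":
        return False, "token not active"
    # A refresh token introspects as active too; it is not a bearer credential.
    if introspection.get("token_type") != "access_token":
        return False, "not an access token"
    # scope is space-separated; compare whole values, never substrings.
    granted = set(introspection.get("scope", "").split())
    missing = set(required_scopes) - granted
    if missing:
        return False, f"missing scope {' '.join(sorted(missing))}"
    if expected_client_id is not None and \
            introspection.get("client_id") != expected_client_id:
        return False, "client_id mismatch"
    return True, "ok"


def decide(body: str, required_scopes: Iterable[str],
           expected_client_id: Optional[str] = None) -> Tuple[bool, str]:
    """Parse the raw JSON response body and apply check_access."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False, "malformed introspection response"
    if not isinstance(doc, dict):
        return False, "malformed introspection response"
    return check_access(doc, required_scopes, expected_client_id)


# Constructed sample responses shaped like the tables above.
SAMPLE_ACTIVE_ACCESS = json.dumps({
    "active": True, "token_type": "access_token", "scope": "openid profile",
    "client_id": "example-client", "sub": "user-1",
    "iss": "https://sso.example.test/uas", "aud": "example-client",
    "exp": 1700000300, "iat": 1700000000,
})
SAMPLE_INACTIVE = json.dumps({"active": False})
SAMPLE_REFRESH = json.dumps({"active": True, "token_type": "refresh_token",
                             "client_id": "example-client"})

if __name__ == "__main__":
    for name, body in [("access", SAMPLE_ACTIVE_ACCESS),
                       ("inactive", SAMPLE_INACTIVE),
                       ("refresh", SAMPLE_REFRESH)]:
        print(name, decide(body, ["openid"], "example-client"))
```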

Signed and encrypted response

Client registration parameters "userinfo_signed_response_alg", "userinfo_encrypted_response_alg" and "userinfo_encrypted_response_enc" control userinfo response signing and encryption. 

See Signed and encrypted response - SSO

References

...

Location defined by revocation_endpoint metadata value.

Request parameters

Name | Description
token | The string value of the token. Either the "access_token" or the "refresh_token" value returned from the token endpoint.

...

Client authentication

Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.

See Client credentials authentication - SSO

Response

Once the revoked token is no longer valid, the endpoint returns an empty response body with status 200.

...

Client registration management endpoint. 

See Client configuration reference - SSO

Process

  1. Prepare the Client Configuration Request, selecting the features the client wishes to use
  2. Submit the configuration request to SSO Server
  3. Receive the client configuration metadata in the response

Request parameters

Name | Description
policy | "keep_client_credentials": keep any existing client_id and client_secret, do not generate new ones. "no_client_secret": do not generate a client_secret; suitable for clients that wish to use asymmetric keys for authentication and encryption.


References