Reference of OAuth 2.0 and OpenID Connect 1.0 provider implementation in SSO Server
...
The well known OpenID Connect provider metadata endpoint
Metadata values
See Provider metadata reference - SSO
References
...
This endpoint's response is identical to OpenID Connect provider metadata
Metadata values
See Provider metadata reference - SSO
References
...
Location defined by authorization_endpoint metadata value.
Request parameters
See Authorization code grant - SSO
References
- http://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
- https://tools.ietf.org/html/rfc6749#section-4.1
- https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-15
- https://tools.ietf.org/html/rfc8252
...
Location defined by token_endpoint metadata value.
Request parameters
| Name | Description |
|---|---|
| grant_type | "authorization_code" - Authorization code grant - SSO "password" - Resource owner password credentials grant - SSO "client_credentials" - Client Credentials Grant reference - SSO "refresh_token" - Refresh token grant - SSO "urn:ietf:params:oauth:grant-type:saml2-bearer" - SAML 2.0 assertion grant - SSO "http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp" - SMS and SMTP One-Time Password grant - SSO "http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp" - SMS and SMTP One-Time Password grant - SSO |
Client registration parameter "grant_types" controls allowed grant types for application. If registration parameter is not defined then "authorization_code", "password" and "refresh_token" are allowed
...
Token response is a Json formatted document
| Name | Description |
|---|---|
| token_type | "Bearer" SSO Server supports only Bearer tokens |
| access_token | The access token issued by the authorization server |
| id_token | OpenID Connect ID Token value associated with the authenticated session See ID Token |
| refresh_token | Optional refresh token, wh ich can be used to obtain new access tokens The provider issues a refresh token if application is associated with a refresh token policy |
| scope | The scope of the access token |
| expires_in | The lifetime in seconds of the access token Application parameter " ticketValidityTime " controls access token lifetime |
References
- https://tools.ietf.org/html/rfc6749#section-4.1.3
- http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
- https://tools.ietf.org/html/rfc7523
| Anchor | ||||
|---|---|---|---|---|
|
Claims
| Name | Description |
|---|---|
| sub | Subject identifier |
| iss | Issuer identifier |
| aud | Audience Contains "client_id" of client sending token request |
| exp | Expiration time |
| iat | Time at which the token was issued |
| auth_time | Time when end-user was authenticated |
| amr | Authentication method reference |
| azp | Authorized party |
| session_index | Ubisecure extension |
Signed and encrypted ID Token
Client registration parameters "id_token_signed_response_alg", "id_token_encrypted_response_alg" and "id_token_encrypted_response_enc" control ID Token signing and encryption
See Signed and encrypted response - SSO
UserInfo - /uas/oauth2/userinfo
...
Location defined by userinfo_endpoint metadata value
Request parameters
| Name | Description |
|---|---|
| Authorization http header with Bearer scheme | The string value of the token. The "access_token" value returned from the token endpoint |
Response
UserInfo response is a Json formatted document.
UserInfo response contains exactly same claims as ID Token.
Signed and encrypted response
Client registration parameters "userinfo_signed_response_alg", "userinfo_encrypted_response_alg" and "userinfo_encrypted_response_enc" control userinfo response signing and encryption.
See Signed and encrypted response - SSO
References
- http://openid.net/specs/openid-connect-core-1_0.html#UserInfo
- https://tools.ietf.org/html/rfc6750#section-2.1
...
Location defined by introspection_endpoint metadata value
Request parameters
| Name | Description |
|---|---|
| token | The string value of the token Either "access_token" or "refresh_token" value returned from the token endpoint |
Client authentication
Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.
...
Introspection response is a Json formatted document.
| Name | Description |
|---|---|
| active | "true" If token was detected and is valid |
| token_type | "access_token" Valid access token was detected "refresh_token" Valid refresh token was detected |
Access token
Introspection response for access token contains all parameters from ID Token, and in addition following parameters
| Name | Description |
|---|---|
| active | "true" Token is valid |
| token_type | "access_token" Token is access token |
| scope | Space-separated list of scope values associated with this token |
| client_id | Client identifier for the client that requested this token |
Signed and encrypted response
Client registration parameters "userinfo_signed_response_alg", "userinfo_encrypted_response_alg" and "userinfo_encrypted_response_enc" control userinfo response signing and encryption.
See Signed and encrypted response - SSO
References
...
Location defined by revocation_endpoint metadata value.
Request parameters
| Name | Description |
|---|---|
| token | The string value of the token. Either "access_token" or "refresh_token" value returned from the token endpoint |
Client authentication
Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.
...
Client registration management endpoint.
See Client configuration reference - SSO
Process
- Prepare Client Configuration Request. Select features client wishes to use
- Submit configuration request to SSO Server
- Get client configuration metadata in response
Request parameters
| Name | Description |
|---|---|
| policy | "keep_client_credentials" Keep any existing client_id and client_secret, do not generate new "no_client_secret" Do not generate client_secret Suitable for clients who wish to use asymmetric keys for authentication and encryption |