Reference of OAuth 2.0 and OpenID Connect 1.0 provider implementation in SSO Server
...
| Name | Description |
|---|---|
| grant_type | "authorization_code" - Authorization code grant - SSO "password" - Resource owner password credentials grant - SSO "client_credentials" - Client Credentials Grant reference - SSO "refresh_token" - Refresh token grant - SSO "urn:ietf:params:oauth:grant-type:saml2-bearer" - SAML 2.0 assertion grant - SSO "http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp" - SMS and SMTP One-Time Password grant - SSO "http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp" - SMS and SMTP One-Time Password grant - SSO |
...
Token response is a Json formatted document
| Name | Description |
|---|---|
| token_type | "Bearer" SSO Server supports only Bearer tokens |
| access_token | The access token issued by the authorization server |
| id_token | OpenID Connect ID Token value associated with the authenticated session See ID Token |
| refresh_token | Optional refresh token, wh ich can be used to obtain new access tokens The provider issues a refresh token if application is associated with a refresh token policy |
| scope | The scope of the access token |
| expires_in | The lifetime in seconds of the access token Application parameter " ticketValidityTime " controls access token lifetime |
References
- https://tools.ietf.org/html/rfc6749#section-4.1.3
- http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
- https://tools.ietf.org/html/rfc7523
| Anchor | ||||
|---|---|---|---|---|
|
Claims
| Name | Description |
|---|---|
| sub | Subject identifier |
| iss | Issuer identifier |
| aud | Audience Contains "client_id" of client sending token request |
| exp | Expiration time |
| iat | Time at which the token was issued |
| auth_time | Time when end-user was authenticated |
| amr | Authentication method reference |
| azp | Authorized party |
| session_index | Ubisecure extension |
Signed and encrypted ID Token
...
Request parameters
| Name | Description |
|---|---|
| Authorization http header with Bearer scheme | The string value of the token. The "access_token" value returned from the token endpoint |
...
UserInfo response contains exactly same claims as ID Token.
Signed and encrypted response
...
Request parameters
| Name | Description |
|---|---|
| token | The string value of the token Either "access_token" or "refresh_token" value returned from the token endpoint |
...
Introspection response is a Json formatted document.
| Name | Description |
|---|---|
| active | "true" If token was detected and is valid |
| token_type | "access_token" Valid access token was detected "refresh_token" Valid refresh token was detected |
Access token
Introspection response for access token contains all parameters from ID Token, and in addition following parameters
| Name | Description |
|---|---|
| active | "true" Token is valid |
| token_type | "access_token" Token is access token |
| scope | Space-separated list of scope values associated with this token |
| client_id | Client identifier for the client that requested this token |
Signed and encrypted response
...
Request parameters
| Name | Description |
|---|---|
| token | The string value of the token. Either "access_token" or "refresh_token" value returned from the token endpoint |
Client authentication
Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.
...
Request parameters
| Name | Description |
|---|---|
| policy | "keep_client_credentials" Keep any existing client_id and client_secret, do not generate new "no_client_secret" Do not generate client_secret Suitable for clients who wish to use asymmetric keys for authentication and encryption |