Authorization code grant and native applications - SSO
In a native application use case two OAuth clients are registered with SSO. The first client is the "native application" presenting user interfaces to the end-user. The second client is usually a web service or resource server providing API services to the native application.
The native application wants to get an access token for calling the resource server API services. The resource server validates the access token it receives by calling the tokeninfo service. The tokeninfo service returns claims and attributes describing the authenticated user.
Contents
Sequence diagram of authorization code grant with native applications |
Authorization Request
Instructions on page Authorization code grant and web single sign-on
Authorization Response
Instructions on page Authorization code grant and web single sign-on
Access Token Request
Instructions on page Authorization code grant and web single sign-on
Access Token Response
Instructions on page Authorization code grant and web single sign-on
Resource Server Request
https://tools.ietf.org/html/rfc6750#section-2
Required parameters
- access token Bearer authorization http header The application may alternatively choose to send the access token in a form or query parameter
GET https://resource.example.com/api/method Authorization: Bearer DSJJU6QhquTUsznTDeDq0eVm
Token Introspection Request
https://tools.ietf.org/html/rfc7662#section-2.1
POST /uas/oauth2/introspection
Required parameters
- token
Access/Refresh Token value received by the resource server
- client_id & client_secret
OAuth Client Identifier and Secret of the resource server
POST https://sso.example.com/uas/oauth2/introspectionAuthorization: Basic MTc2MjQxNDM3NDoqKio=Content-Type: application/x-www-form-urlencoded token=DSJJU6QhquTUsznTDeDq0eVm
Token Introspection Response
https://tools.ietf.org/html/rfc7662#section-2.2
Parameters
- active
The value "true" if access token was valid
- aud
OAuth Client Identifier of the response recipient
- scope
Scope of the provided token. Subset of the scopes in the scope
parameter given in the token request the token was generated for.
- client_id
OAuth Client Identifier of the client issuing the authorization request
- token_type
Type of the token submitted – access_token or refresh_token
In addition to the attributes listed above, the Introspection Response contains the same claims and attributes as the UserInfo Response.
HTTP/1.1 200 OKContent-Type: application/json \{"sub":"***","iss":"https://sso.example.com/uas","aud":"1762414374","exp":1429700671981,"iat":1429697071971,"auth_time":1429697071527,"amr":\["https://sso.example.com/uas/saml2/names/ac/password.1"\],"active":true,"scope":"openid 1762414374","client_id":"347937059","session_index":"0a9b62ce8de4","token_type":"access_token"\}