Reference of OAuth 2.0 and OpenID Connect 1.0 provider implementation in SSO Server

Metadata - /uas/.well-known/openid-configuration

The well known OpenID Connect provider metadata endpoint

Metadata values

See Provider metadata reference - SSO

References

http://openid.net/specs/openid-connect-discovery-1_0.html

Metadata - /uas/.well-known/oauth-authorization-server

The well known OAuth 2.0 provider metadata endpoint.

This endpoint's response is identical to 2440659206

Metadata values

See Provider metadata reference - SSO

References

https://tools.ietf.org/html/draft-ietf-oauth-discovery-08

Public keys - /uas/oauth2/metadata.jwks

JSON Web Key Set document.

Location defined by jwks_uri metadata value.

References

https://tools.ietf.org/html/rfc7517

Authorization - /uas/oauth2/authorization

Authorization endpoint.

Location defined by authorization_endpoint metadata value.

Request parameters

See Authorization code grant - SSO

References

Token - /uas/oauth2/token

Token endpoint.

Location defined by token_endpoint metadata value.

Request parameters

Name	Description
grant_type	"authorization_code" - Authorization code grant - SSO "password" - Resource owner password credentials grant - SSO "urn:ietf:params:oauth:grant-type:saml2-bearer" - SAML 2.0 assertion grant - SSO "refresh_token" - Refresh token grant - SSO "http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp" - SMS and SMTP One-Time Password grant - SSO "http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp" - SMS and SMTP One-Time Password grant - SSO

Name

Description

grant_type

"authorization_code" - Authorization code grant - SSO

"password" - Resource owner password credentials grant - SSO

"urn:ietf:params:oauth:grant-type:saml2-bearer" - SAML 2.0 assertion grant - SSO

"refresh_token" - Refresh token grant - SSO

"http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp" - SMS and SMTP One-Time Password grant - SSO

"http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp" - SMS and SMTP One-Time Password grant - SSO

Client registration parameter "grant_types" controls allowed grant types for application. If registration parameter is not defined then "authorization_code", "password" and "refresh_token" are allowed

See grant type specific pages for details

Client credentials

Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.

See Client credentials - SSO

Response

Token response is a Json formatted document

Name	Description
token_type	"Bearer" SSO Server supports only Bearer tokens
access_token	The access token issued by the authorization server
id_token	OpenID Connect ID Token value associated with the authenticated session See 2440659206
refresh_token	Optional refresh token, wh ich can be used to obtain new access tokens The provider issues a refresh token if application is associated with a refresh token policy See Management API application integrations - SSO
scope	The scope of the access token
expires_in	The lifetime in seconds of the access token Application parameter " ticketValidityTime " controls access token lifetime

References

ID Token - id_token

Claims

Name	Description
sub	Subject identifier
iss	Issuer identifier
aud	Audience Contains "client_id" of client sending token request
exp	Expiration time
iat	Time at which the token was issued
auth_time	Time when end-user was authenticated
amr	Authentication method reference
azp	Authorized party
session_index	Ubisecure extension

Signed and encrypted ID Token

Client registration parameters "id_token_signed_response_alg", "id_token_encrypted_response_alg" and "id_token_encrypted_response_enc" control ID Token signing and encryption

See Signed and encrypted response - SSO

UserInfo - /uas/oauth2/userinfo

OpenID Connect UserInfo endpoint.

Location defined by userinfo_endpoint metadata value

Request parameters

Name	Description
Authorization http header with Bearer scheme	The string value of the token. The "access_token" value returned from the token endpoint

Response

UserInfo response is a Json formatted document.

UserInfo response contains exactly same claims as 2440659206

Signed and encrypted response

Client registration parameters "userinfo_signed_response_alg", "userinfo_encrypted_response_alg" and "userinfo_encrypted_response_enc" control userinfo response signing and encryption.

See Signed and encrypted response - SSO

References

Introspection - /uas/oauth2/introspection

OAuth 2.0 token introspection endpoint.

Location defined by introspection_endpoint metadata value

Request parameters

Name	Description
token	The string value of the token Either "access_token" or "refresh_token" value returned from the token endpoint

Name

Description

token

The string value of the token

Either "access_token" or "refresh_token" value returned from the token endpoint

Client credentials

Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.

See Client credentials - SSO

Response

Introspection response is a Json formatted document.

Name	Description
active	"true" If token was detected and is valid
token_type	"access_token" Valid access token was detected "refresh_token" Valid refresh token was detected

Name

Description

active

"true"

If token was detected and is valid

token_type

"access_token"

Valid access token was detected

"refresh_token"

Valid refresh token was detected

Access token

Introspection response for access token contains all parameters from 2440659206, and in addition following parameters

Name	Description
active	"true" Token is valid
token_type	"access_token" Token is access token
scope	Space-separated list of scope values associated with this token
client_id	Client identifier for the client that requested this token

Signed and encrypted response

Client registration parameters "userinfo_signed_response_alg", "userinfo_encrypted_response_alg" and "userinfo_encrypted_response_enc" control userinfo response signing and encryption.

See Signed and encrypted response - SSO

References

https://tools.ietf.org/html/rfc7662

Revocation - /uas/oauth2/revocation

OAuth 2.0 token revocation endpoint.

Location defined by revocation_endpoint metadata value.

Request parameters

Name	Description
token	The string value of the token. Either "access_token" or "refresh_token" value returned from the token endpoint

Name

Description

token

The string value of the token.

Either "access_token" or "refresh_token" value returned from the token endpoint

Client credentials

Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.

See Client credentials - SSO

Response

If revoked token is no longer valid, then returns empty response body with status 200.

References

https://tools.ietf.org/html/rfc7009

Registration - /sso-api/application/{id}/$attribute/metadata

Client registration management endpoint.

See Client configuration reference - SSO

Process

Prepare Client Configuration Request. Select features client wishes to use
Submit configuration request to SSO Server
Get client configuration metadata in response

Request parameters

Name	Description
policy	"keep_client_credentials" Keep any existing client_id and client_secret, do not generate new "no_client_secret" Do not generate client_secret Suitable for clients who wish to use asymmetric keys for authentication and encryption

Name

Description

policy

"keep_client_credentials"

Keep any existing client_id and client_secret, do not generate new

"no_client_secret"

Do not generate client_secret

Suitable for clients who wish to use asymmetric keys for authentication and encryption

Client credentials

Bearer token for SSO Management API. See Management API (draft) - SSO

References

https://tools.ietf.org/html/rfc7592

Browser not supported