OAuth 2.0 provider implementation reference - SSO
Reference of OAuth 2.0 and OpenID Connect 1.0 provider implementation in SSO Server
- 1 Metadata - /uas/.well-known/openid-configuration
- 2 Metadata - /uas/.well-known/oauth-authorization-server
- 3 Public keys - /uas/oauth2/metadata.jwks
- 4 Authorization - /uas/oauth2/authorization
- 5 Token - /uas/oauth2/token
- 6 ID Token - id_token
- 7 UserInfo - /uas/oauth2/userinfo
- 8 Introspection - /uas/oauth2/introspection
- 9 Revocation - /uas/oauth2/revocation
- 10 Registration - /sso-api/application/{id}/$attribute/metadata
Metadata - /uas/.well-known/openid-configuration
The well known OpenID Connect provider metadata endpoint
Metadata values
See Provider metadata reference - SSO
References
Metadata - /uas/.well-known/oauth-authorization-server
The well known OAuth 2.0 provider metadata endpoint.
This endpoint's response is identical to OpenID Connect provider metadata
Metadata values
See Provider metadata reference - SSO
References
Public keys - /uas/oauth2/metadata.jwks
JSON Web Key Set document.
Location defined by jwks_uri metadata value.
References
Authorization - /uas/oauth2/authorization
Authorization endpoint.
Location defined by authorization_endpoint metadata value.
Request parameters
See Authorization code grant - SSO
References
Token - /uas/oauth2/token
Token endpoint.
Location defined by token_endpoint metadata value.
Request parameters
Name | Description |
|---|---|
grant_type | "authorization_code" - Authorization code grant - SSO "password" - Resource owner password credentials grant - SSO "urn:ietf:params:oauth:grant-type:saml2-bearer" - SAML 2.0 assertion grant - SSO "refresh_token" - Refresh token grant - SSO "http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp" - SMS and SMTP One-Time Password grant - SSO "http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp" - SMS and SMTP One-Time Password grant - SSO |
Client registration parameter "grant_types" controls allowed grant types for application. If registration parameter is not defined then "authorization_code", "password" and "refresh_token" are allowed
See grant type specific pages for details
Client credentials
Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.
Response
Token response is a Json formatted document
Name | Description |
|---|---|
token_type | "Bearer" SSO Server supports only Bearer tokens |
access_token | The access token issued by the authorization server |
id_token | OpenID Connect ID Token value associated with the authenticated session See ID Token |
refresh_token | Optional refresh token, wh ich can be used to obtain new access tokens The provider issues a refresh token if application is associated with a refresh token policy |
scope | The scope of the access token |
expires_in | The lifetime in seconds of the access token Application parameter " ticketValidityTime " controls access token lifetime |
References
ID Token - id_token
Claims
Name | Description |
|---|---|
sub | Subject identifier |
iss | Issuer identifier |
aud | Audience Contains "client_id" of client sending token request |
exp | Expiration time |
iat | Time at which the token was issued |
auth_time | Time when end-user was authenticated |
amr | Authentication method reference |
azp | Authorized party |
session_index | Ubisecure extension |
Signed and encrypted ID Token
Client registration parameters "id_token_signed_response_alg", "id_token_encrypted_response_alg" and "id_token_encrypted_response_enc" control ID Token signing and encryption
See Signed and encrypted response - SSO
UserInfo - /uas/oauth2/userinfo
OpenID Connect UserInfo endpoint.
Location defined by userinfo_endpoint metadata value
Request parameters
Name | Description |
|---|---|
Authorization http header with Bearer scheme | The string value of the token. The "access_token" value returned from the token endpoint |
Response
UserInfo response is a Json formatted document.
UserInfo response contains exactly same claims as ID Token
Signed and encrypted response
Client registration parameters "userinfo_signed_response_alg", "userinfo_encrypted_response_alg" and "userinfo_encrypted_response_enc" control userinfo response signing and encryption.
See Signed and encrypted response - SSO
References
Introspection - /uas/oauth2/introspection
OAuth 2.0 token introspection endpoint.
Location defined by introspection_endpoint metadata value
Request parameters
Name | Description |
|---|---|
token | The string value of the token Either "access_token" or "refresh_token" value returned from the token endpoint |
Client credentials
Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.
Response
Introspection response is a Json formatted document.
Name | Description |
|---|---|
active | "true" If token was detected and is valid |
token_type | "access_token" Valid access token was detected "refresh_token" Valid refresh token was detected |
Access token
Introspection response for access token contains all parameters from ID Token, and in addition following parameters
Name | Description |
|---|---|
active | "true" Token is valid |
token_type | "access_token" Token is access token |
scope | Space-separated list of scope values associated with this token |
client_id | Client identifier for the client that requested this token |
Signed and encrypted response
Client registration parameters "userinfo_signed_response_alg", "userinfo_encrypted_response_alg" and "userinfo_encrypted_response_enc" control userinfo response signing and encryption.
References
Revocation - /uas/oauth2/revocation
OAuth 2.0 token revocation endpoint.
Location defined by revocation_endpoint metadata value.
Request parameters
Name | Description |
|---|---|
token | The string value of the token. Either "access_token" or "refresh_token" value returned from the token endpoint |
Client credentials
Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.
Response
If revoked token is no longer valid, then returns empty response body with status 200.
References
Registration - /sso-api/application/{id}/$attribute/metadata
Client registration management endpoint.
See Client configuration reference - SSO
Process
Prepare Client Configuration Request. Select features client wishes to use
Submit configuration request to SSO Server
Get client configuration metadata in response
Request parameters
Name | Description |
|---|---|
policy | "keep_client_credentials" Keep any existing client_id and client_secret, do not generate new "no_client_secret" Do not generate client_secret Suitable for clients who wish to use asymmetric keys for authentication and encryption |
Client credentials
Bearer token for SSO Management API. See Management API (draft) - SSO