OAuth 2.0 provider implementation reference - SSO

Reference of OAuth 2.0 and OpenID Connect 1.0 provider implementation in SSO Server

Metadata - /uas/.well-known/openid-configuration

The well-known OpenID Connect provider metadata endpoint.

Metadata values

See Provider metadata reference - SSO

Metadata - /uas/.well-known/oauth-authorization-server

The well-known OAuth 2.0 provider metadata endpoint.

This endpoint's response is identical to the OpenID Connect provider metadata.

Metadata values

See Provider metadata reference - SSO

Public keys - /uas/oauth2/metadata.jwks

JSON Web Key Set document.

Location defined by jwks_uri metadata value.

Authorization - /uas/oauth2/authorization

Authorization endpoint.

Location defined by authorization_endpoint metadata value.

Request parameters

See Authorization code grant - SSO

Token - /uas/oauth2/token

Token endpoint.

Location defined by token_endpoint metadata value.

Request parameters

grant_type
  "authorization_code" - Authorization code grant - SSO
  "password" - Resource owner password credentials grant - SSO
  "urn:ietf:params:oauth:grant-type:saml2-bearer" - SAML 2.0 assertion grant - SSO
  "refresh_token" - Refresh token grant - SSO
  "http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp" - SMS and SMTP One-Time Password grant - SSO
  "http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp" - SMS and SMTP One-Time Password grant - SSO

  The client registration parameter "grant_types" controls which grant types are allowed for the application. If the registration parameter is not defined, then "authorization_code", "password" and "refresh_token" are allowed.

  See the grant type specific pages for details.

Client credentials

Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.

See Client credentials - SSO

Response

The token response is a JSON-formatted document.

token_type
  "Bearer"
  SSO Server supports only Bearer tokens.
access_token
  The access token issued by the authorization server.
id_token
  OpenID Connect ID Token value associated with the authenticated session.
  See ID Token
refresh_token
  Optional refresh token, which can be used to obtain new access tokens.
  The provider issues a refresh token if the application is associated with a refresh token policy.
  See Management API application integrations - SSO
scope
  The scope of the access token.
expires_in
  The lifetime in seconds of the access token.
  The application parameter "ticketValidityTime" controls the access token lifetime.

ID Token - id_token

Claims

sub
  Subject identifier
iss
  Issuer identifier
aud
  Audience
  Contains the "client_id" of the client sending the token request.
exp
  Expiration time
iat
  Time at which the token was issued
auth_time
  Time when the end-user was authenticated
amr
  Authentication method reference
azp
  Authorized party
session_index
  Ubisecure extension
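As an added example (not part of the original reference or the SSO Server product), the checks a relying party applies to the claims listed above: iss against the expected issuer, aud against its own client_id (with azp required when there is more than one audience), exp, iat, sub and optionally auth_time. Signature verification against the keys at /uas/oauth2/metadata.jwks is assumed to be done separately with a JOSE library; the issuer URL, client_id and token contents below are constructed sample values.

```python
import base64
import json


def decode_jwt_payload(token):
    """Parse the claims part of a compact JWS; no signature check is done here.
    Signature verification against the keys at /uas/oauth2/metadata.jwks
    (jwks_uri) must be performed separately with a JOSE library."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_id_token_claims(claims, issuer, client_id, now, max_age=None):
    """Return the list of problems found; an empty list means the claims are acceptable."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("aud does not contain client_id")
    # With more than one audience the azp claim must name this client.
    if len(audiences) > 1 and claims.get("azp") != client_id:
        problems.append("azp missing or not client_id")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 60:
        problems.append("iat in the future")  # 60 s clock skew allowance
    if not claims.get("sub"):
        problems.append("sub missing")
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, int) or now - auth_time > max_age:
            problems.append("authentication too old for max_age")
    return problems


# Constructed sample token: header and signature are placeholders, not real values.
_HEADER = base64.urlsafe_b64encode(b'{"alg":"RS256","kid":"example"}').decode().rstrip("=")
_PAYLOAD = base64.urlsafe_b64encode(json.dumps({
    "iss": "https://sso.example.test/uas", "sub": "user-123", "aud": "my-client",
    "exp": 1700003600, "iat": 1700000000, "auth_time": 1699999900,
    "amr": ["password"], "azp": "my-client", "session_index": "sess-42",
}).encode()).decode().rstrip("=")
SAMPLE_ID_TOKEN = _HEADER + "." + _PAYLOAD + ".placeholder-signature"
```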

Signed and encrypted ID Token

Client registration parameters "id_token_signed_response_alg", "id_token_encrypted_response_alg" and "id_token_encrypted_response_enc" control ID Token signing and encryption.

See Signed and encrypted response - SSO

UserInfo - /uas/oauth2/userinfo

OpenID Connect UserInfo endpoint.

Location defined by userinfo_endpoint metadata value.

Request parameters

Authorization HTTP header with Bearer scheme
  The string value of the token: the "access_token" value returned from the token endpoint.

Response

The UserInfo response is a JSON-formatted document.

The UserInfo response contains exactly the same claims as the ID Token.

Signed and encrypted response

Client registration parameters "userinfo_signed_response_alg", "userinfo_encrypted_response_alg" and "userinfo_encrypted_response_enc" control UserInfo response signing and encryption.

See Signed and encrypted response - SSO

Introspection - /uas/oauth2/introspection

OAuth 2.0 token introspection endpoint.

Location defined by introspection_endpoint metadata value.

Request parameters

token
  The string value of the token.
  Either the "access_token" or the "refresh_token" value returned from the token endpoint.

Client credentials

Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.

See Client credentials - SSO

Response

The introspection response is a JSON-formatted document.

active
  "true"
  The token was detected and is valid.
token_type
  "access_token"
  A valid access token was detected.
  "refresh_token"
  A valid refresh token was detected.

Access token

The introspection response for an access token contains all parameters from the ID Token and, in addition, the following parameters:

active
  "true"
  The token is valid.
token_type
  "access_token"
  The token is an access token.
scope
  Space-separated list of scope values associated with this token.
client_id
  Client identifier for the client that requested this token.
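As an added example (not code from the original reference or from SSO Server), a resource server's use of the introspection request and response described above: the request body carries only the token, and a token is accepted only when active is true, token_type is "access_token" (an active refresh token must not be accepted), exp has not passed, and the space-separated scope contains the required value. Assumptions: the "active" value may arrive as JSON true or the string "true", client credentials are sent as configured by token_endpoint_auth_method rather than in the body, and all sample responses are constructed.

```python
import json
from urllib.parse import urlencode


def build_introspection_request(token):
    """Form body for POST /uas/oauth2/introspection. Client credentials are
    sent as configured by token_endpoint_auth_method (for example HTTP Basic)
    and are not part of this body."""
    return urlencode({"token": token}).encode()


def authorize_access_token(introspection_json, required_scope, now, allowed_clients=None):
    """Decide whether a resource server should accept a presented token.
    Returns (accepted, reason). The active value is accepted as JSON true or
    the string "true" (assumption: the reference lists the value in quotes)."""
    try:
        resp = json.loads(introspection_json)
    except ValueError:
        return False, "introspection response is not JSON"
    if resp.get("active") not in (True, "true"):
        return False, "token is not active"
    # A valid refresh token also introspects as active; it must never be
    # accepted in place of an access token.
    if resp.get("token_type") != "access_token":
        return False, "token is not an access token"
    exp = resp.get("exp")  # present because the response carries the ID Token claims
    if not isinstance(exp, int) or exp <= now:
        return False, "access token expired"
    granted = set(resp.get("scope", "").split())
    if required_scope not in granted:
        return False, "scope %r not granted" % required_scope
    if allowed_clients is not None and resp.get("client_id") not in allowed_clients:
        return False, "client not allowed"
    return True, "ok"


# Constructed sample responses; not captured from a real SSO Server.
ACTIVE_ACCESS_TOKEN = json.dumps({
    "active": True, "token_type": "access_token", "sub": "user-123",
    "iss": "https://sso.example.test/uas", "aud": "my-client",
    "exp": 1700003600, "iat": 1700000000,
    "scope": "openid profile email", "client_id": "my-client",
})
ACTIVE_REFRESH_TOKEN = json.dumps({"active": True, "token_type": "refresh_token"})
INACTIVE_TOKEN = json.dumps({"active": False})
```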

Signed and encrypted response

Client registration parameters "userinfo_signed_response_alg", "userinfo_encrypted_response_alg" and "userinfo_encrypted_response_enc" control UserInfo response signing and encryption.

See Signed and encrypted response - SSO

Revocation - /uas/oauth2/revocation

OAuth 2.0 token revocation endpoint.

Location defined by revocation_endpoint metadata value.

Request parameters

token
  The string value of the token.
  Either the "access_token" or the "refresh_token" value returned from the token endpoint.

Client credentials

Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.

See Client credentials - SSO

Response

If the revoked token is no longer valid, the endpoint returns an empty response body with status 200.

Registration - /sso-api/application/{id}/$attribute/metadata

Client registration management endpoint.

See Client configuration reference - SSO

Process

  1. Prepare the Client Configuration Request. Select the features the client wishes to use.
  2. Submit the configuration request to SSO Server.
  3. Get the client configuration metadata in the response.

Request parameters

policy
  "keep_client_credentials"
  Keep any existing client_id and client_secret; do not generate new ones.
  "no_client_secret"
  Do not generate a client_secret.
  Suitable for clients that wish to use asymmetric keys for authentication and encryption.
