Reference of OAuth 2.0 and OpenID Connect 1.0 provider implementation in SSO Server

Metadata - /uas/.well-known/openid-configuration

The well known OpenID Connect provider metadata endpoint

Metadata values

See Provider metadata reference - SSO

References

http://openid.net/specs/openid-connect-discovery-1_0.html

Metadata - /uas/.well-known/oauth-authorization-server

The well known OAuth 2.0 provider metadata endpoint.

This endpoint's response is identical to OpenID Connect provider metadata

Metadata values

See Provider metadata reference - SSO

References

https://tools.ietf.org/html/draft-ietf-oauth-discovery-08

Public keys - /uas/oauth2/metadata.jwks

JSON Web Key Set document.

Location defined by jwks_uri metadata value.

References

https://tools.ietf.org/html/rfc7517

Authorization - /uas/oauth2/authorization

Authorization endpoint.

Location defined by authorization_endpoint metadata value.

Request parameters

See Authorization code grant - SSO

References

Token - /uas/oauth2/token

Token endpoint.

Location defined by token_endpoint metadata value.

Request parameters

Name	Description
grant_type	"authorization_code" - Authorization code grant - SSO "password" - Resource owner password credentials grant - SSO "urn:ietf:params:oauth:grant-type:saml2-bearer" - SAML 2.0 assertion grant - SSO "refresh_token" - Refresh token grant - SSO "http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp" - SMS and SMTP One-Time Password grant - SSO "http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp" - SMS and SMTP One-Time Password grant - SSO

Name

Description

grant_type

"authorization_code" - Authorization code grant - SSO

"password" - Resource owner password credentials grant - SSO

"urn:ietf:params:oauth:grant-type:saml2-bearer" - SAML 2.0 assertion grant - SSO

"refresh_token" - Refresh token grant - SSO

"http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp" - SMS and SMTP One-Time Password grant - SSO

"http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp" - SMS and SMTP One-Time Password grant - SSO

Client registration parameter "grant_types" controls allowed grant types for application. If registration parameter is not defined then "authorization_code", "password" and "refresh_token" are allowed

See grant type specific pages for details

Client credentials

Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.

See Client credentials - SSO

Response

Token response is a Json formatted document

Name	Description
token_type	"Bearer" SSO Server supports only Bearer tokens
access_token	The access token issued by the authorization server
id_token	OpenID Connect ID Token value associated with the authenticated session See ID Token
refresh_token	Optional refresh token, wh ich can be used to obtain new access tokens The provider issues a refresh token if application is associated with a refresh token policy See Management API application integrations - SSO
scope	The scope of the access token
expires_in	The lifetime in seconds of the access token Application parameter " ticketValidityTime " controls access token lifetime

References

ID Token - id_token

Claims

Name	Description
sub	Subject identifier
iss	Issuer identifier
aud	Audience Contains "client_id" of client sending token request
exp	Expiration time
iat	Time at which the token was issued
auth_time	Time when end-user was authenticated
amr	Authentication method reference
azp	Authorized party
session_index	Ubisecure extension

Signed and encrypted ID Token

Client registration parameters "id_token_signed_response_alg", "id_token_encrypted_response_alg" and "id_token_encrypted_response_enc" control ID Token signing and encryption

See Signed and encrypted response - SSO

UserInfo - /uas/oauth2/userinfo

OpenID Connect UserInfo endpoint.

Location defined by userinfo_endpoint metadata value

Request parameters

Name	Description
Authorization http header with Bearer scheme	The string value of the token. The "access_token" value returned from the token endpoint

Response

UserInfo response is a Json formatted document.

UserInfo response contains exactly same claims as ID Token

Signed and encrypted response

Client registration parameters "userinfo_signed_response_alg", "userinfo_encrypted_response_alg" and "userinfo_encrypted_response_enc" control userinfo response signing and encryption.

See Signed and encrypted response - SSO

References

Introspection - /uas/oauth2/introspection

OAuth 2.0 token introspection endpoint.

Location defined by introspection_endpoint metadata value

Request parameters

Name	Description
token	The string value of the token Either "access_token" or "refresh_token" value returned from the token endpoint

Name

Description

token

The string value of the token

Either "access_token" or "refresh_token" value returned from the token endpoint

Client credentials

Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.

See Client credentials - SSO

Response

Introspection response is a Json formatted document.

Name	Description
active	"true" If token was detected and is valid
token_type	"access_token" Valid access token was detected "refresh_token" Valid refresh token was detected

Name

Description

active

"true"

If token was detected and is valid

token_type

"access_token"

Valid access token was detected

"refresh_token"

Valid refresh token was detected

Access token

Introspection response for access token contains all parameters from ID Token, and in addition following parameters

Name	Description
active	"true" Token is valid
token_type	"access_token" Token is access token
scope	Space-separated list of scope values associated with this token
client_id	Client identifier for the client that requested this token

Signed and encrypted response

Client registration parameters "userinfo_signed_response_alg", "userinfo_encrypted_response_alg" and "userinfo_encrypted_response_enc" control userinfo response signing and encryption.

See Signed and encrypted response - SSO

References

https://tools.ietf.org/html/rfc7662

Revocation - /uas/oauth2/revocation

OAuth 2.0 token revocation endpoint.

Location defined by revocation_endpoint metadata value.

Request parameters

Name	Description
token	The string value of the token. Either "access_token" or "refresh_token" value returned from the token endpoint

Name

Description

token

The string value of the token.

Either "access_token" or "refresh_token" value returned from the token endpoint

Client credentials

Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.

See Client credentials - SSO

Response

If revoked token is no longer valid, then returns empty response body with status 200.

References

https://tools.ietf.org/html/rfc7009

Registration - /sso-api/application/{id}/$attribute/metadata

Client registration management endpoint.

See Client configuration reference - SSO

Process

Prepare Client Configuration Request. Select features client wishes to use
Submit configuration request to SSO Server
Get client configuration metadata in response

Request parameters

Name	Description
policy	"keep_client_credentials" Keep any existing client_id and client_secret, do not generate new "no_client_secret" Do not generate client_secret Suitable for clients who wish to use asymmetric keys for authentication and encryption

Name

Description

policy

"keep_client_credentials"

Keep any existing client_id and client_secret, do not generate new

"no_client_secret"

Do not generate client_secret

Suitable for clients who wish to use asymmetric keys for authentication and encryption

References

https://tools.ietf.org/html/rfc7592

Browser not supported