OAuth 2.0 provider implementation reference
- Former user (Deleted)
- Tomi Pelttari
Reference of OAuth 2.0 and OpenID Connect 1.0 provider implementation in SSO Server
Metadata - /uas/.well-known/openid-configuration
The well known OpenID Connect provider metadata endpoint
Metadata values
See Provider metadata reference
References
Metadata - /uas/.well-known/oauth-authorization-server
The well known OAuth 2.0 provider metadata endpoint.
This endpoint's response is identical to OpenID Connect provider metadata
Metadata values
See Provider metadata reference
References
Public keys - /uas/oauth2/metadata.jwks
JSON Web Key Set document.
Location defined by jwks_uri metadata value.
References
Authorization - /uas/oauth2/authorization
Authorization endpoint.
Location defined by authorization_endpoint metadata value.
Request parameters
References
- http://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
- https://tools.ietf.org/html/rfc6749#section-4.1
- https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-15
- https://tools.ietf.org/html/rfc8252
Token - /uas/oauth2/token
Token endpoint.
Location defined by token_endpoint metadata value.
Request parameters
| Name | Description |
|---|---|
| grant_type | "authorization_code" - Authorization code grant "password" - Resource owner password credentials grant "urn:ietf:params:oauth:grant-type:saml2-bearer" - SAML 2.0 assertion grant "refresh_token" - Refresh token grant "http://globalsign.com/iam/sso/oauth2/grant-type/sms-mt-otp" - SMS and SMTP One-Time Password grant "http://globalsign.com/iam/sso/oauth2/grant-type/smtp-otp" - SMS and SMTP One-Time Password grant |
Client registration parameter "grant_types" controls allowed grant types for application. If registration parameter is not defined then "authorization_code", "password" and "refresh_token" are allowed
See grant type specific pages for details
Client credentials
Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.
Response
Token response is a Json formatted document
| Name | Description |
|---|---|
| token_type | "Bearer" SSO Server supports only Bearer tokens |
| access_token | The access token issued by the authorization server |
| id_token | OpenID Connect ID Token value associated with the authenticated session See ID Token |
| refresh_token | Optional refresh token, wh ich can be used to obtain new access tokens The provider issues a refresh token if application is associated with a refresh token policy |
| scope | The scope of the access token |
| expires_in | The lifetime in seconds of the access token Application parameter " ticketValidityTime " controls access token lifetime |
References
- https://tools.ietf.org/html/rfc6749#section-4.1.3
- http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
- https://tools.ietf.org/html/rfc7523
ID Token - id_token
Claims
| Name | Description |
|---|---|
| sub | Subject identifier |
| iss | Issuer identifier |
| aud | Audience Contains "client_id" of client sending token request |
| exp | Expiration time |
| iat | Time at which the token was issued |
| auth_time | Time when end-user was authenticated |
| amr | Authentication method reference |
| azp | Authorized party |
| session_index | Ubisecure extension |
Signed and encrypted ID Token
Client registration parameters "id_token_signed_response_alg", "id_token_encrypted_response_alg" and "id_token_encrypted_response_enc" control ID Token signing and encryption
See Signed and encrypted response
UserInfo - /uas/oauth2/userinfo
OpenID Connect UserInfo endpoint.
Location defined by userinfo_endpoint metadata value
Request parameters
| Name | Description |
|---|---|
| Authorization http header with Bearer scheme | The string value of the token. The "access_token" value returned from the token endpoint |
Response
UserInfo response is a Json formatted document.
UserInfo response contains exactly same claims as ID Token
Signed and encrypted response
Client registration parameters "userinfo_signed_response_alg", "userinfo_encrypted_response_alg" and "userinfo_encrypted_response_enc" control userinfo response signing and encryption.
See Signed and encrypted response
References
- http://openid.net/specs/openid-connect-core-1_0.html#UserInfo
- https://tools.ietf.org/html/rfc6750#section-2.1
Introspection - /uas/oauth2/introspection
OAuth 2.0 token introspection endpoint.
Location defined by introspection_endpoint metadata value
Request parameters
| Name | Description |
|---|---|
| token | The string value of the token Either "access_token" or "refresh_token" value returned from the token endpoint |
Client credentials
Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.
Response
Introspection response is a Json formatted document.
| Name | Description |
|---|---|
| active | "true" If token was detected and is valid |
| token_type | "access_token" Valid access token was detected "refresh_token" Valid refresh token was detected |
Access token
Introspection response for access token contains all parameters from ID Token, and in addition following parameters
| Name | Description |
|---|---|
| active | "true" Token is valid |
| token_type | "access_token" Token is access token |
| scope | Space-separated list of scope values associated with this token |
| client_id | Client identifier for the client that requested this token |
Signed and encrypted response
Client registration parameters "userinfo_signed_response_alg", "userinfo_encrypted_response_alg" and "userinfo_encrypted_response_enc" control userinfo response signing and encryption.
See Signed and encrypted response
References
Revocation - /uas/oauth2/revocation
OAuth 2.0 token revocation endpoint.
Location defined by revocation_endpoint metadata value.
Request parameters
| Name | Description |
|---|---|
| token | The string value of the token. Either "access_token" or "refresh_token" value returned from the token endpoint |
Client credentials
Client registration parameters "token_endpoint_auth_method" and "token_endpoint_auth_signing_alg" control client authentication method.
Response
If revoked token is no longer valid, then returns empty response body with status 200.
References
Registration - /sso-api/application/{id}/$attribute/metadata
Client registration management endpoint.
See Client configuration reference
Process
- Prepare Client Configuration Request. Select features client wishes to use
- Submit configuration request to SSO Server
- Get client configuration metadata in response
Request parameters
| Name | Description |
|---|---|
| policy | "keep_client_credentials" Keep any existing client_id and client_secret, do not generate new "no_client_secret" Do not generate client_secret Suitable for clients who wish to use asymmetric keys for authentication and encryption |
Client credentials
- Bearer token for SSO Management API. See Management API (draft)