OAuth2 endpoints

OAuth 2.0 is an open authorization framework (RFC 6749) that lets a client application obtain limited, delegated access to a user's data at another application without being given the user's credentials.

cidaas supports OAuth 2.0 together with OpenID Connect and publishes the locations of the endpoints below in its OpenID Connect discovery document (the self-discovery URL; the standard path is /.well-known/openid-configuration under the tenant's domain). Clients should read endpoint URLs and the signing-key location from there rather than hard-coding them.

The core endpoints are:

1. User Info Endpoint: New to OpenID Connect, this endpoint lets a client present an access token and receive claims about the authenticated end-user. The same information could be placed in the ID token, but that bloats the token, especially for claims such as profile pictures, so the userinfo endpoint is the usual place for it.

2. Authorization Endpoint: The URL to which the client redirects the resource owner's browser so that the resource owner can grant the OAuth2 client access to the protected resource. The request uses the parameters defined by OAuth2 (response_type, client_id, redirect_uri, scope, state) plus the additional parameters and parameter values defined by OpenID Connect (for example the openid scope and nonce). The response, typically an authorization code, is delivered to the client's registered redirect URI, which is why the redirect URI must be matched exactly.

3. Introspection Endpoint: Used by resource servers to validate reference (opaque) tokens and learn whether a token is still active and which subject and scopes it carries (RFC 7662). The introspection endpoint requires the caller to authenticate with a scope credential, and a caller may only introspect tokens that contain the scope it authenticated with.

4. Revocation Endpoint: Allows a client to revoke access tokens and refresh tokens it holds, for example on logout or when a token is suspected to have leaked. It implements the OAuth 2.0 token revocation specification (RFC 7009).

5. End Session Endpoint: Used to trigger single sign-out. To use it, a client application redirects the user's browser to the end session URL, which ends the session at the OpenID provider; the client should clear its own local session as well, because the provider cannot do that for it.

6. Check Session iframe: After signing in a user with OpenID Connect, the client application may need to check periodically whether the user is still logged in with the OpenID provider. The client embeds this iframe from the provider and polls it with postMessage, so the check runs in the browser without a full redirect, and the client can end its local session when the provider reports that the user's session has changed.

7. Token Endpoint: The URL at which the OAuth2 client exchanges an authorization grant (such as the authorization code returned from the authorization endpoint) for an access token and an optional refresh token; for OpenID Connect requests an ID token is returned as well.

8. JSON Web Key Set (JWKS) URL: When creating clients and resource servers (APIs) in cidaas, two algorithms are supported for signing JSON Web Tokens (JWTs): RS256 and HS256. RS256 produces an asymmetric signature: a private key signs the JWT and a different, public key verifies the signature, so verifiers never hold the signing key. HS256 is a symmetric HMAC, so any party able to verify a token could also mint one; the shared secret must stay inside the issuer and the single service that checks its tokens, and RS256 should be preferred whenever tokens are consumed by more than one party.

cidaas uses the JWK specification (RFC 7517) to represent the public keys used to verify RS256 tokens. This specification defines two high-level data structures: JSON Web Key (JWK) and JSON Web Key Set (JWKS).

Here are the definitions directly from the specification:

JSON Web Key (JWK): A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value.

JSON Web Key Set (JWKS): A JSON object that represents a set of JWKs. The JSON object MUST have a keys member, which is an array of JWKs.

At the most basic level, the JWKS is the set of public keys that should be used to verify any JWT issued by the authorization server. cidaas exposes a JWKS endpoint for each tenant at https://your_cidaas_domain/.well-known/jwks.json. This endpoint contains the public JWK(s) whose private counterparts sign all JWTs cidaas issues for this tenant. A verifier should fetch it from the tenant's own domain (or from the jwks_uri in the discovery document), cache it, and refresh it when a token arrives with a kid it does not know, since signing keys rotate.

This is an example of the JWKS used by a demo tenant.

{
  "keys": [
    {
      "n": "xe_69ro6qOFosdY2gA1theO3RwJFbd0zW025aDEGbJpwknFhaCsOQDBmjA8ZNuI5WQ",
      "e": "AQAB",
      "alg": "RS256",
      "use": "sig",
      "kid": "ffa5009f-f815-4d87-a36b-e4c29e5829b5",
      "kty": "RSA"
    }
  ]
}
  • alg: the algorithm the key is intended for (here RS256)

  • kty: the key type (here RSA)

  • use: what the key is meant to be used for. In the example above sig means signature (verification), as opposed to enc for encryption.

  • e: the RSA public exponent, base64url-encoded; AQAB is the common value 65537

  • n: the RSA modulus, base64url-encoded (the value shown above is abbreviated for display; a real 2048-bit modulus encodes to about 342 characters)

  • kid: the unique identifier of the key. A JWT carries the same kid in its header so that a verifier can pick the matching key from the set, which is what lets keys rotate without breaking verification.
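The following is an added example, not cidaas code, showing what a resource server does with the JWKS above: it selects the key by kid, pins the algorithm to RS256, checks the RSA signature and then the iss, aud and exp claims. Because it has to run offline, it generates its own 512-bit toy RSA key pair, JWKS and token in pure Python (illustration only; real keys are 2048 bits or more and come from a vetted library). The issuer value reuses the page's https://your_cidaas_domain placeholder and the audience name demo-api is assumed.

```python
"""Resource-server side: verify an RS256 JWT against a JWKS document.
Added example, not cidaas code. Key pair, JWKS and token are generated locally
with a 512-bit toy RSA key (illustration only; real keys are 2048+ bits)."""
import base64, hashlib, hmac, json, secrets, time

ISSUER = "https://your_cidaas_domain"  # placeholder issuer taken from the page
AUDIENCE = "demo-api"                  # assumed resource-server identifier

def b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test (demo-grade key generation only)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if is_probable_prime(c):
            return c

def gen_rsa(bits: int = 512) -> dict:
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def to_jwks(key: dict, kid: str) -> dict:
    """Publish only the public members n and e; d never leaves the signer."""
    n, e = key["n"], key["e"]
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": b64u(n.to_bytes((n.bit_length() + 7) // 8, "big")),
                      "e": b64u(e.to_bytes((e.bit_length() + 7) // 8, "big"))}]}

SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """RFC 8017 EMSA-PKCS1-v1_5 encoding of SHA-256(msg), k bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_jwt(claims: dict, key: dict, kid: str) -> str:
    enc = lambda o: b64u(json.dumps(o, separators=(",", ":")).encode())
    signing_input = enc({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + enc(claims)
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + b64u(pow(m, key["d"], key["n"]).to_bytes(k, "big"))

def verify_jwt(token: str, jwks: dict, issuer: str, audience: str, now=None):
    """Return (True, claims) or (False, reason). The algorithm is pinned to RS256 and
    the key is chosen by kid from the JWKS; the header never gets to pick HS256 or none."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64u_dec(h_b64))
    if header.get("alg") != "RS256":
        return False, "algorithm not allowed"
    jwk = next((j for j in jwks["keys"] if j.get("kty") == "RSA"
                and j.get("use", "sig") == "sig" and j.get("kid") == header.get("kid")), None)
    if jwk is None:
        return False, "unknown kid"  # caller should refresh the JWKS once, then fail
    n = int.from_bytes(b64u_dec(jwk["n"]), "big")
    e = int.from_bytes(b64u_dec(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = b64u_dec(s_b64)
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") if len(sig) == k else b""
    if not hmac.compare_digest(em, emsa_pkcs1_v15(f"{h_b64}.{p_b64}".encode(), k)):
        return False, "bad signature"
    claims = json.loads(b64u_dec(p_b64))
    aud = claims.get("aud")
    if claims.get("iss") != issuer or audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong issuer or audience"
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    return True, claims

def demo():
    key, kid = gen_rsa(), "demo-kid"
    jwks = to_jwks(key, kid)
    claims = {"iss": ISSUER, "sub": "user-123", "aud": AUDIENCE,
              "exp": int(time.time()) + 300, "scope": "openid profile"}
    token = sign_jwt(claims, key, kid)
    h, p, s = token.split(".")
    tampered = h + "." + b64u(json.dumps(dict(claims, sub="admin")).encode()) + "." + s
    downgraded = b64u(json.dumps({"alg": "none", "kid": kid}).encode()) + "." + p + "."
    return (verify_jwt(token, jwks, ISSUER, AUDIENCE)[0],           # True
            verify_jwt(tampered, jwks, ISSUER, AUDIENCE)[1],        # bad signature
            verify_jwt(downgraded, jwks, ISSUER, AUDIENCE)[1],      # algorithm not allowed
            verify_jwt(token, jwks, ISSUER, AUDIENCE, now=time.time() + 600)[1])  # expired
```

demo() returns (True, "bad signature", "algorithm not allowed", "expired"): the untouched token passes, a payload edited without re-signing fails, an alg:none downgrade is refused before any key is looked up, and a token checked after its exp is rejected. The generated JWKS entry has e equal to AQAB, the same value as in the tenant example above.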

OpenID: OpenID is an authentication protocol. It lets users authenticate to sites through a third-party identity provider, so that site operators need not build their own ad hoc login systems and users can log in to multiple unrelated websites without a separate identity and password for each. OpenID Connect is the current version of this idea, layered on top of OAuth 2.0, and is what cidaas implements.

For more information on default and custom scopes, refer to Scope Management.
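The exchange between the Authorization Endpoint and the Token Endpoint listed above (items 2 and 7), as an added example that is not part of this page or of cidaas: a client builds the authorization request with state, nonce and a PKCE code challenge (RFC 7636; a standard OAuth 2.0 extension, not something this page states about cidaas), the provider returns a single-use code to the exact registered redirect URI, and the client redeems it with the code verifier. The provider is an in-memory stand-in written for this example, and the issuer, client_id and redirect URI are assumed values; the ID token is returned as a plain claims dictionary because signing and verification are a separate concern.

```python
"""Authorization-code login between a client and the Authorization / Token
endpoints, with state, nonce and PKCE (RFC 7636). Added example: the provider
below is an in-memory stand-in built for this example, not cidaas code, and
the issuer, client_id and redirect URI are assumed values."""
import base64, hashlib, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

def s256(verifier: str) -> str:
    """PKCE S256 challenge: base64url(SHA-256(verifier)) without padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

def query_dict(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class FakeProvider:
    """Stand-in Authorization Endpoint (authorize) and Token Endpoint (token)."""
    def __init__(self, issuer, client_id, redirect_uri):
        self.issuer, self.client_id, self.redirect_uri = issuer, client_id, redirect_uri
        self.codes = {}  # code -> record; codes are single-use and short-lived

    def authorize(self, request_url: str, user: str = "alice") -> str:
        q = query_dict(request_url)
        if q.get("response_type") != "code" or q.get("client_id") != self.client_id:
            raise ValueError("invalid_request")
        if q.get("redirect_uri") != self.redirect_uri:       # exact match, never a prefix match
            raise ValueError("redirect_uri mismatch")
        if q.get("code_challenge_method") != "S256" or "code_challenge" not in q:
            raise ValueError("PKCE required")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"sub": user, "nonce": q.get("nonce"),
                            "challenge": q["code_challenge"], "exp": time.time() + 60}
        return self.redirect_uri + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, form: dict) -> dict:
        rec = self.codes.pop(form.get("code"), None)           # a code can be redeemed once
        if rec is None or rec["exp"] < time.time() or form.get("redirect_uri") != self.redirect_uri:
            return {"error": "invalid_grant"}
        if s256(form.get("code_verifier", "")) != rec["challenge"]:
            return {"error": "invalid_grant"}                # a stolen code is useless without the verifier
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "id_token_claims": {"iss": self.issuer, "aud": self.client_id,
                                    "sub": rec["sub"], "nonce": rec["nonce"]}}

class Client:
    def __init__(self, provider, client_id, redirect_uri):
        self.p, self.client_id, self.redirect_uri, self.session = provider, client_id, redirect_uri, {}

    def start_login(self) -> str:
        """Build the authorization request; keep state, nonce and verifier server-side."""
        self.session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16),
                        "verifier": secrets.token_urlsafe(64)}
        return self.p.issuer + "/authz?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
            "scope": "openid profile", "state": self.session["state"], "nonce": self.session["nonce"],
            "code_challenge": s256(self.session["verifier"]), "code_challenge_method": "S256"})

    def handle_callback(self, callback_url: str):
        """Return the authenticated subject, or None if the callback does not bind to our login."""
        q = query_dict(callback_url)
        sess, self.session = self.session, {}                # one callback per login attempt
        if not sess or not secrets.compare_digest(q.get("state", ""), sess["state"]):
            return None                                      # login CSRF / injected callback
        resp = self.p.token({"grant_type": "authorization_code", "code": q.get("code", ""),
                             "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                             "code_verifier": sess["verifier"]})
        if "error" in resp:
            return None
        c = resp["id_token_claims"]
        if c["iss"] != self.p.issuer or c["aud"] != self.client_id or c["nonce"] != sess["nonce"]:
            return None                                      # token was not issued for this login
        return c["sub"]

def run_demo():
    issuer, client_id, redirect = "https://your_cidaas_domain", "demo-client", "https://app.example/cb"
    p = FakeProvider(issuer, client_id, redirect)
    c = Client(p, client_id, redirect)
    cb = p.authorize(c.start_login())
    first = c.handle_callback(cb)                            # "alice"
    replay = c.handle_callback(cb)                           # None: no pending login, code consumed
    c.start_login()
    forged = redirect + "?" + urlencode({"code": "x", "state": "guess"})
    injected = c.handle_callback(forged)                     # None: state does not match
    code = query_dict(p.authorize(c.start_login()))["code"]
    pkce = p.token({"code": code, "redirect_uri": redirect, "code_verifier": "wrong"})
    return first, replay, injected, pkce.get("error")        # ("alice", None, None, "invalid_grant")
```

run_demo() walks through a successful login, then three failures a practitioner should expect the real endpoints to produce: replaying the callback (the code is single-use and the client has no pending login), a callback carrying a state the client never issued, and a token request whose code_verifier does not match the challenge sent to the authorization endpoint.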



results matching ""

    No results matching ""