Authorisation session
1. Introduction
The authorisation session API permits integrators and frontend developers to bind a login UI and one or more user authentication factors to the Connect2id server. It also permits precise control of consent, which can be explicit, implicit or combination of both.
Key features:
-
Web-based integration of a login / consent UI, neatly is decoupled from the Connect2id server. The UI can be implemented in any language and framework, and can be hosted separately from the server, utilising an HA proxy and CDN as needed.
-
Simple plugin of arbitrary authentication methods, such as LDAP, hardware tokens, X.512 certificates and biometrics. The user credentials are not disclosed to the Connect2id server, which is good for security.
-
If required, also enables plugin of rules and policies for the OAuth 2.0 scope values and OpenID claims of the issued tokens. Consent can be explicit, implicit, or combination of both.
-
Zero service downtime is required for updates and changes of the login / consent UI, authentication methods and authorisation logic.
The frontend’s interaction with the authorisation session API can be compared to the MVC pattern. The frontend passes each received OpenID authentication request to the Connect2id server for processing, and then if prompted by the server, interacts with the end-user to:
-
(Re)authenticate the end-user, if their browser / device doesn’t have a session with the Connect2id server, or the authentication strength (ACR) needs to be stepped up. In order to do authenticate the end-user, the frontend collects the user’s credentials and submits them to the appropriate service or database directly, then submits the resolved user ID to the Connect2id server.
-
Get the end-user’s consent for the requested OAuth 2.0 scope values and OpenID Connect claims, if the Connect2id server has no previous consent for them. The frontend can obtain the consent directly from the end-user, e.g. by presenting a form (explicit consent), or call upon some policy for that.
Finally, when the user’s identity and consent are established, the Connect2id generates the appropriate OpenID response, for the frontend to relay back to the requesting client.
The following table summarises the interactions between the frontend (login page) and the Connect2id during an authorisation session, and how they are triggered:
Interaction | Authentication | Consent |
---|---|---|
Purpose: | Establish the user identity | Obtain / set consent |
Server → UI: | Authentication prompt | Consent prompt |
UI → Server: | Subject (end-user) identity | Consented scope + claims |
Skipped if: | User has an existing session with the server (established by browser cookie) | Previous consent for the requested scope and claims (unless configured otherwise) |
Success: | Proceed to consent | Return final OpenID response to client |
The authorisation session API also enables programmatic setting of the access token encoding, lifetime and many other options.
You can also Check out the login page integration guide. If you need help, get in touch with Connect2id support.
Access to the authorisation session API is protected by means of a long-lived
token. The token must be passed with
each HTTP request in the Authorization
header:
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Additional details are found in the authorisation endpoint configuration reference.
2. Web API overview
Resources | |
---|---|
Representations | Errors |
|
3. Resources
3.1 /authz-sessions/rest/v3/
3.1.1 POST
Starts a new authorisation session with the Connect2id server.
The frontend (login page) at the OAuth 2.0 authorisation endpoint should start a new authorisation session upon receiving a new OpenID authentication request from the client application.
The POST request produces one of the following four types of JSON object:
-
Authentication prompt – Prompts the frontend to authenticate the end-user. Indicated by a JSON object with
"type":"auth"
. -
Consent prompt – Prompts the frontend to obtain the end-user’s consent for the specified scope and claims. Indicated by a JSON object with
"type":"consent"
. -
Final response – Prompts the frontend to redirect the user agent (browser) back to the client application with the specified OpenID authentication response. Indicated by a JSON object with
"type":"response"
. -
Non-redirectable error – Notifies the frontend that the submitted OpenID Connect request is faulty. The user agent (browser) cannot or must not be redirected back to the client application. Indicated by a JSON object with
"type":"error"
.
Header parameters:
-
Authorization Must specify the configured bearer access token for this web API.
-
Content-Type Must be set to
application/json
.
Body:
- A JSON object representation of an authorisation start request.
Success:
-
Code:
200
-
Content-Type:
application/json
-
Body: {object} A JSON object representation of an authentication prompt, a consent prompt, a final response or a non-redirectable error. The JSON objects can be differentiated by their
type
value. For a prompt, in order to complete the interaction, the frontend must use the returned authorisation session ID (sid
).
Errors:
Example POST request to start an authorisation session with the Connect2id server, specifying the query string of the received OpenID authentication request; the subject (end-user) session identifier (SID) is omitted, indicating a browser session cookie has not been found:
POST /authz-sessions/rest/v3/ HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Content-Type: application/json
{
"query" : "response_type=code&scope=openid%2020email&client_id=s6BhdR&state=af0ifjsldkj&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb"
}
Example start request, which also indicates that a session cookie has been
found (sub_sid
):
POST /authz-sessions/rest/v3/ HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Content-Type: application/json
{
"query" : "response_type=code&scope=openid%2020email&client_id=s6BhdR&state=af0ifjsldkj&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb",
"sub_sid" : "EoOOavjQcBLx4ktIvp4Ho3p66NAd7AwB7lbBhhLLioc"
}
Example response prompting the frontend to authenticate the
present end-user. The frontend may do this by obtaining the user’s credentials
and validating them with an MS-AD/LDAP directory, for instance. In the next
request to the Connect2id server (submitting the resolved user ID) the frontend
must use specified authorisation session identifier (sid
).
HTTP/1.1 200 OK
Content-Type: application/json
{
"type" : "auth",
"sid" : "g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE",
"display" : "popup",
"select_account" : false
}
Example final response, which means the Connect2id server has a valid session for the end-user as well as a valid consent record to login into the requesting client application; there’s no need for the frontend to interact with the end-user, and the encoded OpenID authentication response can be returned to the client application straight away:
HTTP/1.1 OK
Content-Type: application/json
{
"type" : "response",
"mode" : "query",
"parameters" : { "uri" : "https://example.client.com/cb?code=5rZ_KxqZ&state=Nygv4CLQ" }
}
3.2 /authz-sessions/rest/v3/{sid}
3.1.1 PUT
Updates an authorisation session with the required details, which can be the subject identity details, or the consent details. The Connect2id server will utilise these details to continue / finish processing of the OpenID Connect request.
The PUT request can produce two possible types of JSON object:
-
Consent prompt – Prompts the frontend to obtain the end-user’s consent for the specified scope and claims. Indicated by a JSON object with
"type":"consent"
. -
Final response – Prompts the frontend to redirect the user agent (browser) back to the client application with the specified OpenID authentication response. Indicated by a JSON object with
"type":"response"
.
Path parameters:
- sid {string} The authorisation session identifier (SID).
Header parameters:
-
Authorization Must specify the configured bearer access token for this web API.
-
Content-Type Must be set to
application/json
.
Body:
-
A JSON object representation of one of the following:
-
The details for the subject identity and session (redirects to session store API), in response to a previous POST request returning an authentication prompt;
-
The details of the consent, in response to a previous POST or PUT request returning a consent prompt.
-
Success:
-
Code:
200
-
Content-Type:
application/json
-
Body: {object} A JSON object representation of a consent prompt, a final response or a non-redirectable error. The JSON objects can be differentiated by their
type
value.
Errors:
Example submission of the end-user’s identity (user ID), after the frontend has (re)authenticated her:
PUT /session-store/rest/v3/g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
{
"sub" : "alice"
}
Example submission of the end-user’s consent to login into the client client
application with an ID token (indicated by openid
scope) and permit access to
her email data (indicated by email
scope, which expands to the email
and
email_verified
claims):
PUT /session-store/rest/v3/g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
{
"scope" : [ "openid", "email" ],
"claims" : [ "email", "email_verified" ]
}
Example response prompting the frontend to obtain the end-user’s consent to log into “Example App” and authorise access to her email data.
HTTP/1.1 200 OK
Content-Type: application/json
{
"type" : "consent",
"sid" : "g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE",
"display" : "popup",
"sub_session" : { "sid" : "9yLXidrzk91r3BCpJeF1Vrf_aza4oNe-EdNkaXBa1iw",
"sub" : "alice",
"auth_time" : 12345678,
"creation_time" : 12345678,
"acr" : "http://loa.c2id.com/high",
"amr" : [ "mfa", "pwd", "otp" ],
"max_life" : 20160,
"auth_life" : 1440,
"max_idle" : 15 },
"client" : { "client_id" : "8cc2043",
"client_type" : "confidential",
"application_type" : "web",
"name" : "Example App",
"uri" : "http://app.example.com"},
"scope" : { "new" : [ "openid", "email" ],
"consented" : [ ] },
"claims" : { "new" : { "essential" : [ "email", "email_verified" ],
"voluntary" : [ ] },
"consented" : { "essential" : [ ],
"voluntary" : [ ] } }
}
Example final response, meaning the Connect2id server has collected all necessary details to complete the OpenID Connect request:
HTTP/1.1 ok
Content-Type: application/json
{
"type" : "response",
"mode" : "query",
"parameters" : { "uri" : "https://example.client.com/cb?code=5rZ_KxqZ&state=Nygv4CLQ" }
}
3.1.2 DELETE
Denies the OpenID authentication request. This can made in response to the end-user pressing a button to deny login to the client application.
Produces a response with an encoded access_denied error which the frontend should relay back to the client application.
Path parameters:
- sid {string} The authorisation session identifier (SID).
Header parameters:
- Authorization Must specify the configured bearer access token for this web API.
Success:
-
Code:
200
-
Content-Type:
application/json
-
Body: {object} A JSON object representation of a final response.
Errors:
Example request to deny login or authorisation:
DELETE /authz-sessions/rest/v3/Vcg62csZGqGufdeth1eK1HlFqWKkVRmP3YBT5cTl7s0 HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Example response, with an encoded access_denied
error appended
to the redirection URI:
HTTP/1.1 ok
Content-Type: application/json
{
"type" : "response",
"mode" : "query",
"parameters" : { "uri" : "https://example.client.com/cb?error=access_denied&state=Nygv4CLQ" }
}
3.1.3 GET
Returns the original request parameters used to start the specified authorisation session.
Path parameters:
- sid {string} The authorisation session identifier (SID).
Header parameters:
- Authorization Must specify the configured bearer access token for this web API.
Success:
-
Code:
200
-
Content-Type:
application/json
-
Body: {object} A JSON object representation of the authorisation session.
Errors:
Example request:
GET /authz-sessions/rest/v3/g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Example response, listing key parameters of the OpenID authentication request
that was used to create the authorisation session; the sub_sid
member refers
to the subject session of the end-user:
HTTP/1.1 200 OK
Content-Type: application/json
{
"auth_req" : { "response_type" : "code id_token",
"client_id" : "8cc2043",
"redirect_uri" : "https://client.example.org/cb",
"scope" : [ "openid", "email" ],
"state" : "af0ifjsldkj",
"nonce" : "8dfqxd90pa_",
"display" : "popup",
"ui_locales" : [ "es", "en" ] },
"sub_sid" : "g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE"
}
4. Representations
4.1 Authorisation session start request
Specifies the OpenID authentication request received at the OAuth 2.0 authorisation endpoint (the login page) and the identifier of the subject (end-user) session (if any) with the Connect2id server.
JSON object members:
-
query {string} The raw (not decoded) URI query string of the OpenID authentication request received at the OAuth 2.0 authorisation endpoint.
-
[ sub_sid ] {string} The subject (end-user) session identifier (SID), typically saved in a browser cookie, omitted or
null
if none. The SID is used to resolve the session of the present end-user and whether (re)authentication is required.
Example JSON object for an authorisation session start request, detailing the OpenID Connect query string and the subject session identifier (SID) obtained from a browser cookie:
{
"query" : "response_type=code&scope=openid%2020email&client_id=s6BhdR&state=af0ifjsldkj&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb",
"sub_sid" : "9yLXidrzk91r3BCpJeF1Vrf_aza4oNe-EdNkaXBa1iw"
}
If no session cookie is found the subject session ID is omitted:
{
"query" : "response_type=code&scope=openid%2020email&client_id=s6BhdR&state=af0ifjsldkj&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb"
}
4.2 Authentication prompt
Prompts the frontend to (re)authenticate the present end-user. May specify
required authentication methods (amr
), strength (acr
) and other parameters.
JSON object members:
-
type {string} Set to
auth
. Used to differentiate this object from a consent prompt, a final response and non-redirectable error. -
sid {string} The authorisation session identifier, used to refer to the authorisation session in subsequent requests. Not to be confused with the subject (end-user) session identifier.
-
display {“page”|“popup”|“touch”|“wap”} The end-user display type.
-
[ ui_locales ] {string array} The end-user’s preferred UI locales, by order of preference, omitted if not specified.
-
[ required_sub ] {string} If set specifies the required subject (end-user) to authenticate, implied by an ID token hint submitted by the client.
-
[ impersonated_sub] {string} If set indicates that this is an authentication prompt for an impersonated subject (end-user), as implied by an ID token hint submitted by the client.
-
[ login_hint ] {string} Optional hint to the frontend about the login identifier the end-user might use to log in (if necessary). This hint can be used by a client application if it first asks the end-user for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered Identity Provider. The use of this parameter is left to the Identity Provider’s discretion.
-
[ acr ] {object} The requested Authentication Context Class Reference (ACR), omitted if not specified: * [ essential ] {string array} The essential ACRs, ordered by preference, omitted if not specified. * [ voluntary ] {string array} The voluntary ACRs, ordered by preference, omitted if not specified.
-
select_account {true|false} If
true
the end-user should be prompted to select a user account. This enables an end-user who has multiple accounts with the Identity Provider to select amongst the multiple accounts that they might have current sessions for. -
[ sub_session ] {object} A JSON object representation of the current subject (end-user) session, omitted if none.
-
[ client ] {object} A JSON object representation of the registered details for the requesting client. Typically this information is not required at this stage and will be omitted unless the server is configured otherwise.
-
client_id {string} The identifier of the client application.
-
client_type {“confidential”|“public”} Indicates the OAuth client type. Public clients may be granted limited scopes and should be denied incremental authorisation.
-
application_type {“web”|“native”} The client application type.
-
[ name ] {string} Optional name of the client application to be presented to the end-user. May use language tags (BCP47).
-
[ uri ] {string} Optional URI of the home page of the client application to be presented to the end-user in a followable fashion. May use language tags (BCP47).
-
[ logo_uri ] {string} Optional logo of the client application to be presented to the end-user. May use language tags (BCP47).
-
[ policy_uri ] {string} Optional URI of a page describing how the end-user profile data will be used by the client application, to be presented to the end-user in a followable fashion. May use language tags (BCP47).
-
[ tos_uri ] {string} Optional URI of a page describing the client application’s terms of service, to be presented to the end-user in a followable fashion. May use language tags (BCP47).
-
[ scope ] {string array} Optional OAuth 2.0 scope values that the client application may request. These values are set at client registration; their semantics and treatment is service specific and can also be ignored.
-
[ data ] {object} Optional client data.
-
Example prompt to authenticate an end-user for the first time:
{
"type" : "auth",
"sid" : "g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE",
"display" : "popup",
"select_account" : false
}
Example authentication prompt where the client provided the
alice@wonderland.net
login hint:
{
"type" : "auth",
"sid" : "g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE",
"display" : "popup",
"login_hint" : "alice@wonderland.net",
"select_account" : false
}
Example prompt to step up the authentication strength (ACR) for the current
end-user session from http://loa.c2id.com/basic
to http://loa.c2id.com/high
:
{
"type" : "auth",
"sid" : "g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE",
"display" : "popup",
"acr" : { "essential" : [ "http://loa.c2id.com/high" ] },
"select_account" : false,
"sub_session : { "sid" : "9yLXidrzk91r3BCpJeF1Vrf_aza4oNe-EdNkaXBa1iw",
"sub" : "alice",
"auth_time" : 12345678,
"acr" : "http://loa.c2id.com/basic",
"amr" : [ "pwd" ],
"creation_time" : 1234567,
"max_life" : 20160,
"auth_life" : 1440,
"max_idle" : 15,
"data" : { "name" : "Alice Adams",
"email" : "alice@wonderland.net" } }
}
4.3 Consent prompt
Prompts the frontend to obtain the end-user’s consent for the specified OAuth 2.0 scope values and OpenID Connect claims.
JSON object members:
-
type {string} Set to
consent
. Used to differentiate this object from an authentication prompt, a final response and non-redirectable error. -
sid {string} The authorisation session identifier, used to refer to the authorisation session in subsequent requests. Not to be confused with the subject (end-user) session identifier.
-
display {“page”|“popup”|“touch”|“wap”} The end-user display type.
-
[ ui_locales ] {string array} The end-user’s preferred UI locales, by order of preference, omitted if not specified.
-
[ impersonated_sub] {string} If set indicates that this is a consent prompt for an impersonated subject (end-user), as implied by an ID token hint submitted by the client.
-
[ sub_session ] {object} A JSON object representation of the current subject (end-user) session.
-
client {object} A JSON object representation of the registered details for the requesting client:
-
client_id {string} The identifier of the client application.
-
client_type {“confidential”|“public”} Indicates the OAuth client type. Public clients may be granted limited scopes and should be denied incremental authorisation.
-
application_type {“web”|“native”} The client application type.
-
[ name ] {string} Optional name of the client application to be presented to the end-user. May use language tags (BCP47).
-
[ uri ] {string} Optional URI of the home page of the client application to be presented to the end-user in a followable fashion. May use language tags (BCP47).
-
[ logo_uri ] {string} Optional logo of the client application to be presented to the end-user. May use language tags (BCP47).
-
[ policy_uri ] {string} Optional URI of a page describing how the end-user profile data will be used by the client application, to be presented to the end-user in a followable fashion. May use language tags (BCP47).
-
[ tos_uri ] {string} Optional URI of a page describing the client application’s terms of service, to be presented to the end-user in a followable fashion. May use language tags (BCP47).
-
[ scope ] {string array} Optional OAuth 2.0 scope values that the client application may request. These values are set at client registration; their semantics and treatment is service specific and can also be ignored.
-
[ data ] {object} Optional client data.
-
-
scope {object} A JSON object representing the requested OAuth 2.0 scope values, grouped into two sets:
-
new {string array} A string array of scope values requested for the first time, empty array if none.
-
consented {string array} A string array of requested scope values for which the Connect2id server has previously recorded the end-user’s consent, empty array if none.
-
-
claims {object} A JSON object representing the requested OpenID Connect claims:
-
new {object} A JSON object representing the claims requested for the first time, grouped into two sets:
-
essential {string array} Those marked as essential, empty array if none.
-
voluntary {string array} Those marked as voluntary, empty array if none.
-
-
consented {object} A JSON object representing the requested claims for which the Connect2id server has previously recorded the end-user’s consent, grouped into two sets:
-
essential {string array} Those marked as essential, empty array if none.
-
voluntary {string array} Those marked as voluntary, empty array if none.
-
-
[ locales ] {string array} The requested claims locales, omitted if not specified.
-
Example JSON object, with the minimum amount of fields defined:
{
"type" : "consent",
"sid" : "g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE",
"display" : "popup",
"sub_session" : { "sid" : "9yLXidrzk91r3BCpJeF1Vrf_aza4oNe-EdNkaXBa1iw",
"sub" : "alice",
"auth_time" : 12345678,
"creation_time" : 1234567,
"max_life" : 20160,
"auth_life" : 1440,
"max_idle" : 15 },
"client" : { "client_id" : "8cc2043",
"client_type" : "confidential",
"application_type" : "web" },
"scope" : { "new" : [ "openid" ]
"consented" : [ ] },
"claims" : { "new" : { "essential" : [ ],
"voluntary" : [ ] },
"consented" : { "essential" : [ ],
"voluntary" : [ ] } }
}
Example consent prompt, with all fields defined:
{
"type" : "consent",
"sid" : "g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE",
"display" : "popup",
"ui_locales" : [ "es", "en" ],
"sub_session" : { "sid" : "9yLXidrzk91r3BCpJeF1Vrf_aza4oNe-EdNkaXBa1iw",
"sub" : "alice",
"auth_time" : 12345678,
"acr" : "http://loa.c2id.com/high",
"amr" : [ "mfa", "otp", "pwd" ],
"creation_time" : 1234567,
"max_life" : 20160,
"auth_life" : 1440,
"max_idle" : 15,
"data" : { "name" : "Alice Adams",
"email" : "alice@wonderland.net" } },
"client" : { "client_id" : "8cc2043",
"client_type" : "confidential",
"application_type" : "web",
"name" : "My Web Store",
"name#es" : "Mi tienda virtual",
"uri" : "http://my-web-store.com",
"uri#es" : "http://my-web-store.com/es",
"logo_uri" : "http://my-web-store.com/logo.jpg",
"logo_uri#es" : "http://my-web-store.com/es/logo.jpg",
"policy_uri" : "http://my-web-store.com/privacy-policy.html",
"policy_uri#es" : "http://my-web-store.com/es/privacy-policy.html",
"tos_uri" : "http://my-web-store.com/tos.html",
"tos_uri#es" : "http://my-web-store.com/es/tos.html",
"scope" : [ "openid", "email" ] },
"scope" : { "new" : [ "app:write" ],
"consented" : [ "openid", "profile", "email" ] },
"claims" : { "new" : { "essential" : [ ],
"voluntary" : [ ] },
"consented" : { "essential" : [ "name", "email" ],
"voluntary" : [ "website", "birthdate", "phone_number" ] },
"locales" : [ "es", "en" ] }
}
4.4 Consent
Specifies the consented OAuth 2.0 scope values and OpenID Connect claims. The Connect2id server will use the JSON object to construct an authorisation record with the required ID, access and refresh token parameters for the given subject (end-user) and client.
JSON object members:
-
scope {string array} The consented OAuth 2.0 scope values. These may be a subset of the originally requested values, or include additional ones. If consent is given it should at least contain the
openid
scope value. -
[ audience ] {string array} Optional parameter specifying an explicit audience for the issued access token. The audience should be represented as one or more client identifiers.
-
[ claims ] {string array} The names of the consented OpenID Connect claims, with optional language tags (BCP47). These may be a subset of the originally requested claims, or include additional ones.
-
[ preset_claims ] {object} Optional JSON object specifying additional preset OpenID Connect claims to include in the ID token and / or the UserInfo response:
-
[ id_token ] Preset claims to include in the ID token, omitted or empty JSON object if none.
-
[ userinfo ] Preset claims to include in the UserInfo response, omitted or empty JSON object if none.
-
-
[ long_lived = true ] {true|false} Long-lived authorisation flag. If
true
identifies a long-lived authorisation that is persisted and may optionally allow issue of a refresh token. Iffalse
the authorisation is transient (not remembered). Defaults totrue
if not specified. -
[ impersonated_sub ] {string} Specifies a subject (end-user) to impersonate by means of the issued ID, access token and refresh token. May be used to enable privileged users to login into a client or access protected resources under a different identity. The actual authorised subject (the impersonator) will be indicated in the custom
act.sub
ID and JWT access token claim. -
[ access_token ] {object} Optional access token settings, overriding the default configuration:
-
[ lifetime = 0 ] {integer} The access token lifetime in seconds. If zero or omitted defaults to the configured access token lifetime.
-
[ encoding = “SELF_CONTAINED” ] {“SELF_CONTAINED”|“IDENTIFIER”} The access token encoding. If omitted defaults to self-contained (JWT-encoded).
-
-
[ id_token ] {object} Optional ID token settings, overriding the default configuration:
- [ lifetime = 0 ] {integer} The ID token lifetime in seconds. If zero or omitted defaults to the configured ID token lifetime.
-
[ refresh_token ] {object} Optional refresh token settings:
-
[ issue = true ] {true|false} Enables / disable refresh token issue. Applies only to long-lived (persisted) authorisations. If
true
a refresh token will be issued along with the access token. Iffalse
no access token will be issued. Defaults totrue
if omitted. -
[ lifetime = 0 ] {integer} The refresh token lifetime in seconds. If zero or omitted defaults to permanent (no expiration). If a client tries to refresh an access token and the refresh token has expired, the token endpoint of the Connect2id server will return an invalid_grant error. This can serve as a signal to the client to repeat the authentication request.
-
-
[ data ] {object} Optional additional information to be stored in the
dat
field of the authorisation record and self-contained (JWT-encoded) access tokens.
Example minimal consent:
{
"scope" : [ "openid" ]
}
Example consent for the standard openid
and email
scope values and the
OpenID Connect claims that they expand to:
{
"scope" : [ "openid", "email" ],
"claims" : [ "email", "email_verified" ]
}
Example consent overriding some of the default access, ID and refresh token settings:
{
"scope" : [ "openid", "profile", "email" ],
"claims" : [ "email", "email_verified" ],
"access_token" : { "lifetime" : 600,
"encrypt" : true },
"id_token" : { "lifetime" : 3600 },
"refresh_token : { "issue" : true }
}
Example consent supplying some of the ID token and UserInfo claims directly via
the preset_claims
parameter:
{
"scope" : [ "openid", "profile", "email", "app:admin" ],
"claims" : [ "name", "email", "email_verified" ],
"preset_claims" : { "id_token" : { "login_ip" : "185.7.248.1",
"login_geo" : { "long" : "37.3956",
"lat" : "-122.076" } },
"userinfo" : { "groups" : [ "admin", "audit" ] } }
}
4.5 Final response
The final OpenID authentication response to be relayed back to the client. Encodes the requested authorisation code, and / or token(s) on success, or an error code on failure (e.g. due to invalid or denied request).
All three standard OAuth 2.0 response modes are supported:
-
query – the response is returned as URI query parameters to the
redirect_uri
(mandatory to implement) -
fragment – the response is returned as an URI fragment to the
redirect_uri
(mandatory to implement) -
form_post – the response is returned by submitting a form POST to the
redirect_uri
(optional to implement)
Custom response modes are supported by declaring them in the server configuration. After processing a request with a custom response mode, the Connect2id server will output a generic JSON object with the response parameters, which the frontend can then encode and relay according to the mode’s contract.
JSON object members:
-
type {string} Set to
response
. Used to differentiate this object from an authentication prompt, a consent prompt and a non-redirectable error. -
mode {“query”|“fragment”|“form_post”|“…“} The response mode (implied or requested explicitly by the client application).
-
parameters {object} The response mode parameters. See query encoded, fragment encoded, form POST and custom mode parameters.
Example final response:
HTTP/1.1 ok
Content-Type: application/json
{
"type" : "response",
"mode" : "query",
"parameters" : { "uri" : "https://example.client.com/cb?code=5rZ_KxqZ&state=Nygv4CLQ" }
}
4.5.1 Query response mode parameters
The OpenID authentication response is returned as a query string to the
redirect_uri
. This response mode is mandatory to implement.
JSON object members:
-
uri {string} The
redirect_uri
with the response encoded in the query string. The frontend must redirect the user agent (browser) to this URI via an HTTP 303 with the redirection URI set in theLocation
header.
Security advice: Use a 303 redirection (instead of 302), as it is defined unambiguously to drop the body of an HTTP POST request.
Example:
{
"uri" : "https://client.example.com/cb?code=637FKlXTl&state=NV2kkDp"
}
Example 303 redirection:
HTTP/1.1 303 See Other
Location: https://client.example.com/cb?code=637FKlXTl&state=NV2kkDp
4.5.2 Fragment response mode parameters
The OpenID authentication response is returned as a fragment to the
redirect_uri
. This response mode is mandatory to implement.
JSON object members:
-
uri {string} The
redirect_uri
with the response encoded in the fragment. The frontend must redirect the user agent (browser) to this URI via an HTTP 303 with the redirection URI set in theLocation
header.
Security advice: Use a 303 redirection (instead of 302), as it is defined unambiguously to drop the body of an HTTP POST request.
Example:
{
"uri" : "https://client.example.com/cb#id_token=eyJraWQiOiJzMSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhbGljZSIsImF1ZCI6IjAwMDEyMyIsImFjciI6Imh0dHA6XC9cL2xvYS5jMmlkLmNvbVwvYmFzaWMiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYW1yIjpbInB3ZCJdLCJicm93c2VyIjoiTmV0c2NhcGUiLCJpc3MiOiJodHRwOlwvXC8xMjcuMC4wLjE6ODA4MFwvYzJpZCIsImV4cCI6MTQ2MzM5MzM5MCwiaWF0IjoxNDYzMzkyNzkwLCJub25jZSI6IjFHUlhIMUNpZXNrTEFqYzI5WS1HRHI5Z19MZFJocFMxRXpnbjUxU3Y3c2siLCJsb2dpbl9pcCI6IjEwLjIwLjMwLjQwIiwiZW1haWwiOiJhbGljZUB3b25kZXJsYW5kLm5ldCJ9.IPS68XhQHlQXxnCvVJBOk7myP7qa1LGdGVnPmPcrjwSKxxir-d2rTWvartpWgaRisYfef-5Ztrb0Eb8UTiDI3fCK_UFc46xPh6fvWVe5XpQQPBgOjjDCvtfibO4MYMRBlhqQgG9KmeE1n1Hvdi1RG4SQiJ5Kfp0jM25VgBIc4QU&state=br3NzNDkz7M60FDoXVjRBAJsWTnY_fLIGrIEn8hleFw"
}
Example 303 redirection:
HTTP/1.1 303 See Other
Location: https://client.example.com/cb#id_token=eyJraWQiOiJzMSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhbGljZSIsImF1ZCI6IjAwMDEyMyIsImFjciI6Imh0dHA6XC9cL2xvYS5jMmlkLmNvbVwvYmFzaWMiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYW1yIjpbInB3ZCJdLCJicm93c2VyIjoiTmV0c2NhcGUiLCJpc3MiOiJodHRwOlwvXC8xMjcuMC4wLjE6ODA4MFwvYzJpZCIsImV4cCI6MTQ2MzM5MzM5MCwiaWF0IjoxNDYzMzkyNzkwLCJub25jZSI6IjFHUlhIMUNpZXNrTEFqYzI5WS1HRHI5Z19MZFJocFMxRXpnbjUxU3Y3c2siLCJsb2dpbl9pcCI6IjEwLjIwLjMwLjQwIiwiZW1haWwiOiJhbGljZUB3b25kZXJsYW5kLm5ldCJ9.IPS68XhQHlQXxnCvVJBOk7myP7qa1LGdGVnPmPcrjwSKxxir-d2rTWvartpWgaRisYfef-5Ztrb0Eb8UTiDI3fCK_UFc46xPh6fvWVe5XpQQPBgOjjDCvtfibO4MYMRBlhqQgG9KmeE1n1Hvdi1RG4SQiJ5Kfp0jM25VgBIc4QU&state=br3NzNDkz7M60FDoXVjRBAJsWTnY_fLIGrIEn8hleFw
4.5.3 Form POST response mode parameters
The OpenID authentication response is returned via a form POST to the
redirect_uri
. This response mode is optional to implement. See the
specification
for more information.
JSON object members:
-
uri {string} The
redirect_uri
where the form must be posted, e.g. by auto-submitting the form values with JavaScript. -
form {object} A JSON object containing the form key / value pairs to be submitted to the URI above.
Example:
{
"uri" : "https://client.example.com/cb"
"form" : { "code" : "a8xxGwELo1tG5DdMXbE48Q",
"state" : "Nygv4CLQcexJFmuMCP2ld0Htd2zHIvchRiFCPtvj-mM" }
}
Example rendered HTML form with the encoded OpenID authentication response to
be auto-submitted to the client redirect_uri
:
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Cache-Control: no-cache, no-store
Pragma: no-cache
<html>
<head><title>Submit This Form</title></head>
<body onload="javascript:document.forms[0].submit()">
<form method="post" action="https://client.example.com/cb">
<input type="hidden" name="code" value="a8xxGwELo1tG5DdMXbE48Q"/>
<input type="hidden" name="state" value="Nygv4CLQcexJFmuMCP2ld0Htd2zHIvchRiFCPtvj-mM"/>
</form>
</body>
</html>
which results in the following HTTP post to the client application:
POST /callback HTTP/1.1
Host: client.example.org
Content-Type: application/x-www-form-urlencoded
code=a8xxGwELo1tG5DdMXbE48Q&state=Nygv4CLQcexJFmuMCP2ld0Htd2zHIvchRiFCPtvj-mM
4.5.4 Custom response mode parameters
The OpenID authentication response parameters for a custom response mode (which is configured as supported by the Connect2id server).
JSON object members:
-
uri {string} The
redirect_uri
. -
[ code ] {string} The OAuth 2.0 authorisation code, included in the authorisation code or hybrid flow.
-
[ id_token ] {string} The ID token, included in the implicit or hybrid flow.
-
[ access_token ] {string} The OAuth 2.0 access token, included in the implicit or hybrid flow.
-
[ token_type ] {string} The OAuth 2.0 access token type, set to
Bearer
, included in the implicit or hybrid flow. -
[ scope ] {string} The OAuth 2.0 access token scope (if specified), included in the implicit or hybrid flow.
-
[ expires_in ] {integer} The OAuth 2.0 access token expiration, included in the implicit or hybrid flow.
-
[ state ] {string} The state parameter, omitted if not specified.
The frontend must encode and relay the parameters according to the contract of the response mode.
Example custom response mode with an ID token and state parameters:
{
"uri" : "https://client.example.com/cb",
"id_token" : "eyJraWQiOiJzMSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJib2IiLCJhdWQiOiIwMDAxMjMiLCJhY3IiOiJodHRwOlwvXC9sb2EuYzJpZC5jb21cL2Jhc2ljIiwiYW1yIjpbInB3ZCJdLCJicm93c2VyIjoiTmV0c2NhcGUiLCJpc3MiOiJodHRwOlwvXC8xMjcuMC4wLjE6ODA4MFwvYzJpZCIsImV4cCI6MTQ2MzQzMTk3MiwiaWF0IjoxNDYzNDMxMzcyLCJub25jZSI6IkxxQ1Jvclg1YXMycjdqX0R5VTBIWjNFNUFWeV90Z1NUa1VBdWJJMGE5ZDgiLCJsb2dpbl9pcCI6IjEwLjIwLjMwLjQwIn0.iK20La9muiYeVnjPlpjEwVmQ-eaj8B8qjs_dInxeIIC-22xR3pl9sr_QfGyEifIX9-nMnnRF7SChUXtppfbXx6DLntZqoFbXcuysdx2IB6Vt8cikIqBF-aT6xzVux8IkFGmjoekz72p430Qa8rc2Px5hMAPiv-E6-v0smWTW1Ho",
"state" : "OGw5AWZY_tGUsdOgcRDASOK4jDDryHR08WBb86NUhhs
}
4.6 Authorisation session
The OpenID Connect authentication request parameters and subject session ID for an authorisation session.
JSON object members:
-
auth_req {object} A JSON object representing the original OpenID Connect authentication request parameters:
-
response_type {string} The OAuth 2.0 response type.
-
client_id {string} The client identifier.
-
redirect_uri {string} The redirection URI.
-
scope {string array} The requested scope values.
-
[ state ] {string} The state parameter, omitted if not specified.
-
[ nonce ] {string} The nonce, omitted if not specified.
-
[ display ] {string} The end-user display type, omitted if not specified.
-
[ ui_locales ] {string array} The end-user’s preferred UI locales, by order of preference, omitted if not specified.
-
[ claims ] {object} The OpenID Connect claims parameter, omitted if not specified.
-
[ claims_locales ] {string array} The end-user’s preferred claims locales, by order of preference, omitted if not specified.
-
[ code_challenge ] {string} Optional code challenge for PKCE.
-
[ code_challenge_method ] {string} Optional code challenge method for PKCE.
-
[ custom_parameter_name ] {string} Any additional custom parameters, as name / string value members. May be used by the login page / frontend to customise processing of the request.
-
-
[ sub_sid ] {string} The subject (end-user) session identifier, omitted if none is currently associated with the authorisation session.
Example authorisation session, as JSON object:
{
"auth_req" : { "response_type" : "code id_token",
"client_id" : "8cc2043",
"redirect_uri" : "https://client.example.org/cb",
"scope" : [ "openid", "email" ],
"state" : "af0ifjsldkj",
"nonce" : "8dfqxd90pa_",
"display" : "popup" },
"sub_sid" : "g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE"
}
4.7 Non-redirectable authorisation error
Indicates an OAuth 2.0 / OpenID Connect authorisation error. The user agent (browser) cannot or should not be redirected back to the client application.
The error code and description may be displayed to the end-user, so they may be reported to the client application developers.
JSON object members:
-
error {string} The error code.
-
[ error_description ] {string} Optional human readable error description.
Example error for an OpenID Connect request that is missing the redirect_uri
parameter:
{
"error" : "invalid_request",
"error_description" : "Missing \"redirect_uri\" parameter"
}
5. Errors
400 Bad Request
Invalid or malformed request.
Example:
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
"error" : "invalid_request",
"error_description" : "Bad request: Invalid JSON: Unexpected token foo at position 3."
}
401 Unauthorized
The request was denied due to an invalid or missing bearer access token.
Example:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer
Content-Type: application/json
{
"error" : "missing_token",
"error_description" : "Unauthorized: Missing Bearer access token"
}
404 Not Found
The requested resource doesn’t exist.
Example:
HTTP/1.1 404 Not Found
Content-Type: application/json
{
"error" : "authz_not_found",
"error_description" : "Not found: Authorization not found"
}
500 Internal Server Error
An internal server error has occurred. Check the Connect2id server logs for details.
Example:
HTTP/1.1 500 Internal Server Error
Content-Type: application/json
{
"error" : "server_error",
"error_description" : "Internal server error: Something bad happened",
"stack" : "Exception in thread...",
"note" : "See the server logs for additional details"
}