Basics

Host

The hosts which provide Authlete APIs are as follows.

Server Type	URL
Shared Server	https://api.authlete.com
Dedicated Server	Decided after consultation.

Request

The basic settings that are required for requests to Authlete APIs are as follows.

Basic Authentication

All Authlete Web APIs require Basic Authentication. APIs to manage services (/service/*) require the pair of API key & API secret of a service owner. Other APIs require that of a service. If Authorization header is missing, a response with HTTP status of "401 Unauthorized" is returned.

TLS

All Authlete Web APIs require TLS (Transport Layer Security). If TLS is not used, a response with HTTP status of "400 Bad Request" is returned.

Response

Some reseponses from Authlete have the following parameters.

Name	Type	Description
`resultCode`	string	The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.
`resultMessage`	string	A short message which explains the result of the API call.

These parameters will be useful especially when you try to identify the cause of error. See Result Codes for more details.

Also, the table below shows major error responses.

Response	Description
400 Bad Request	All APIs may return a response with HTTP status of 400 Bad Request due to one of the reasons listed below. TLS is not used. The content of Authorization header is malformed.
401 Unauthorized	All APIs may return a response with HTTP status of "401 Unauthorized" due to the following reason. Authorization header is missing.
403 Forbidden	All APIs may return a response with HTTP status of "403 Forbidden" due to one of the reasons listed below. The pair of API key & API secret specified in Authorization header is invalid. The service owner or the service is locked.

Data Types

This section describes the details of data types.

Access Token

The table below lists top-level properties of the JSON object which represents an access token.

Name	Type	Description
`accessTokenHash`	string	The hash of the access token.
`accessTokenExpiresAt`	i64	The timestamp at which the access token will expire.
`refreshTokenHash`	string	The hash of the refresh token.
`refreshTokenExpiresAt`	i64	The timestamp at which the refresh token will expire.
`createdAt`	i64	The timestamp at which the access token was first created.
`lastRefreshedAt`	i64	The timestamp at which the access token was last refreshed using the refresh token.
`clientId`	i64	The ID of the client associated with the access token.
`subject`	string	The subject (= unique user ID) associated with the access token.
`grantType`	string	The grant type of the access token when the access token was created.
`scopes`	string array	The scopes associated with the access token.
`properties`	Property array	The properties associated with the access token.

Application Type

The listed below are Authlete's constant values that correspond to the values of application_type property described in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

WEB
NATIVE

OpenID Connect Dynamic Client Registration 1.0 imposes additional requirements on redirect URIs base on the application type. The following description about application_type is an excerpt from the specification.

OPTIONAL. Kind of the application. The default, if omitted, is web. The defined values are native or web. Web Clients using the OAuth Implicit Grant Type MUST only register URLs using the https scheme as redirect_uris; they MUST NOT use localhost as the hostname. Native Clients MUST only register redirect_uris using custom URI schemes or URLs using the http: scheme with localhost as the hostname. Authorization Servers MAY place additional constraints on Native Clients. Authorization Servers MAY reject Redirection URI values using the http scheme, other than the localhost case for Native Clients. The Authorization Server MUST verify that all the registered redirect_uris conform to these constraints. This prevents sharing a Client ID across different types of Clients.

The description above says "The default, if omitted, is web." However, Authlete allows the applicationType property of Client to be null. It is because Authlete does not think it is appropriate to force all OAuth 2.0 clients to comply with the new requirements.

Claim Type

The listed below are Authlete's constant values that correspond to the claim types described in OpenID Connect Core 1.0, 5.6. Claim Types. The supportedClaimTypes property of Service is a string array containing values listed below.

NORMAL
AGGREGATED
DISTRIBUTED

Note that, however, currently Authlete does not provide any API to help implementations for AGGREGATED and DISTRIBUTED.

Client Authentication Method

The table below lists Authlete's constant values that correspond to the client authentication methods at the token endpoint described in OpenID Connect Core 1.0, 9. Client Authentication.

Value	Description
`NONE`	This value corresponds to "none" described in OpenID Connect Core 1.0, 9. Client Authentication.
`CLIENT_SECRET_BASIC`	This value corresponds to "client_secret_basic" described in OpenID Connect Core 1.0, 9. Client Authentication. This is the Basic Authentication based method described in RFC 6749, 2.3. Client Authentication, which authorization servers must support.
`CLIENT_SECRET_POST`	This value corresponds to "client_secret_post" described in OpenID Connect Core 1.0, 9. Client Authentication. This is the method using the request body, which is described in RFC 6749, 2.3. Client Authentication.
`CLIENT_SECRET_JWT`	This value corresponds to "client_secret_jwt" described in OpenID Connect Core 1.0, 9. Client Authentication.
`PRIVATE_KEY_JWT`	This value corresponds to "private_key_jwt" described in OpenID Connect Core 1.0, 9. Client Authentication.
`TLS_CLIENT_AUTH`	Clients authenticate with the Authorization Server using X.509 certificates as defined in "Mutual TLS Profiles for OAuth Clients".
`SELF_SIGNED_TLS_CLIENT_AUTH`	Clients authenticate with the Authorization Server using self-signed certificates as defined in "Mutual TLS Profiles for OAuth Clients".

The supportedTokenAuthMethods property of Service is a string array containing values listed above.

CLIENT_SECRET_JWT, PRIVATE_KEY_JWT, TLS_CLIENT_AUTH and SELF_SIGNED_TLS_CLIENT_AUTH are available since Authlete 2.0.

Client Extension

There are some attributes that belong to a client application but should not be changed by the developer of the client application. Basically, this class holds such attributes.

For example, an authorization server may narrow the range of scopes (permissions) that a particular client application can request. In this case, it is meaningless if the developer of the client application can freely decide the set of requestable scopes. It is not the developer of the client application but the administrator of the authorization server that should be allowed to define the set of scopes that the client application can request. This data structure has properties listed in the following table.

Name Type Description

Name	Type	Description
`requestableScopes`	string array	The set of scopes that the client application is allowed to request. This paramter will be one of the following. `null` an empty set a set with at least one element When the value of this parameter is `null`, it means that the set of scopes that the client application is allowed to request is the set of the scopes that the service supports. When the value of this parameter is an empty set, it means that the client application is not allowed to request any scopes. When the value of this parameter is a set with at least one element, it means that the set is the set of scopes that the client application is allowed to request.
`requestableScopesEnabled`	boolean	The flag to indicate whether "Requestable Scopes per Client" is enabled or not. If `true`, you can define the set of scopes which this client application can request. If `false`, this client application can request any scope which is supported by the authorization server.

requestableScopes

string array

The set of scopes that the client application is allowed to request. This paramter will be one of the following.

null
an empty set
a set with at least one element

When the value of this parameter is null, it means that the set of scopes that the client application is allowed to request is the set of the scopes that the service supports.

When the value of this parameter is an empty set, it means that the client application is not allowed to request any scopes.

When the value of this parameter is a set with at least one element, it means that the set is the set of scopes that the client application is allowed to request.

requestableScopesEnabled

boolean

The flag to indicate whether "Requestable Scopes per Client" is enabled or not. If true, you can define the set of scopes which this client application can request. If false, this client application can request any scope which is supported by the authorization server.

Client Type

The listed below are Authlete's constant values that correspond to the client types described in RFC 6749, 2.1. Client Types. The clientType property of Client has either of the values listed below.

CONFIDENTIAL
PUBLIC

Client

The table below lists top-level properties of the JSON object which represents a client application.

Name	Type	Description
`number`	i32	The sequential number of the client application. The value of this property is assigned by Authlete. Even if the property has a value in a `/client/create` request or a `/client/update` request, it is ignored.
`serviceNumber`	i32	The sequential number of the service of the client application. The value of this property is assigned by Authlete. Even if the property has a value in a `/client/create` request or a `/client/update` request, it is ignored.
`developer`	string	The developer of the client application. It consists of at most 100 ASCII letters. This property must not be `null`.
`clientId`	i64	The client ID. The value of this property is assigned by Authlete. Even if the property has a value in a `/client/create` request or a `/client/update` request, it is ignored.
`clientIdAlias`	string	The alias of the client ID. Note that the client ID alias is recognized only when this client's `clientIdAliasEnabled` property is `true` AND the service's `clientIdAliasEnabled` property is also `true`.
`clientIdAliasEnabled`	boolean	The flag to indicate whether the client ID alias is enabled or not. Note that Service object also has `clientIdAliasEnabled` property. If the service's `clientIdAliasEnabled` property is `false`, the client ID alias of this client is not recognized even if this client's `clientIdAliasEnabled` property is `true`.
`clientSecret`	string	The client secret. A random 512-bit value encoded by base64url (86 letters). The value of this property is assigned by Authlete. Even if the property has a value in a `/client/create` request or a `/client/update` request, it is ignored. Note that Authlete issues a client secret even to a "public" client application, but the client application should not use the client secret unless it changes its client type to "confidential". That is, a public client application should behave as if it had not been issued a client secret. To be specific, a token request from a public client of Authlete should not come along with a client secret although RFC 6749, 3.2.1. Client Authentication says as follows. Confidential clients or other clients issued client credentials MUST authenticate with the authorization server as described in Section 2.3 when making requests to the token endpoint.
`clientType`	string	The client type, either `CONFIDENTIAL` or `PUBLIC`. See RFC 6749, 2.1. Client Types for details. If `clientType` in a `/client/create` request or a `/client/update` request is `null`, `PUBLIC` is used.
`redirectUris`	URL array	Redirect URIs that the client application uses to receive a response from the authorization endpoint. Requirements for a redirect URI are as follows. Requirements by RFC 6749 (From RFC 6749, 3.1.2. Redirection Endpoint) Must be an absolute URI. Must not have a fragment component. Requirements by OpenID Connect (From "OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata, application_type") The scheme of the redirect URI used for Implicit Grant by a client application whose application type is "web" must be `https`. This is checked at runtime by Authlete. The hostname of the redirect URI used for Implicit Grant by a client application whose application type is "web" must not be `localhost`. This is checked at runtime by Authlete. The scheme of the redirect URI used by a client application whose application type is "native" must be either (1) a custom scheme or (2) `http`, which is allowed only when the hostname part is `localhost`. This is checked at runtime by Authlete. Requirements by Authlete Must consist of printable ASCII letters only. Must not exceed 200 letters. Note that Authlete allows the application type to be `null`. In other words, a client application does not have to choose "web" or "native" as its application type. If the application type is `null`, the requirements by OpenID Connect are not checked at runtime. An authorization request from a client application which has not registered any redirect URI fails unless at least all the following conditions are satisfied. The client type of the client application is "confidential". The value of `response_type` request parameter is `code`. The authorization request has the `redirect_uri` request parameter. The value of `scope` request parameter does not contain `openid`. RFC 6749 allows partial match of redirect URI under some conditions (see RFC 6749, 3.1.2.2. Registration Requirements for details), but OpenID Connect requires exact match.
`responseTypes`	string array	A string array of response types which the client application declares that it will restrict itself to using. This property corresponds to `response_types` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata. If `responseTypes` in a `/client/create` request or a `/client/update` request is `null`, an array containing just `CODE` is used.
`grantTypes`	string array	A string array of grant types which the client application declares that it will restrict itself to using. This property corresponds to `grant_types` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata. If `grantTypes` in a `/client/create` request or a `/client/update` request is `null`, an array containing just `AUTHORIZATION_CODE` is used.
`applicationType`	string	The application type. `WEB`, `NATIVE` or `null`. The value of this property affects the validation steps for a redirect URI. See the description about `redirectUris` property above. This property corresponds to `application_type` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`contacts`	string array	An array of email addresses of people responsible for the client application. Each element must consist of printable ASCII letters only and its length must not exceed 100. This property corresponds to `contacts` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`clientName`	string	The name of the client application. At most 100 unicode letters. If `clientName` in a `/client/create` request or a `/client/update` request is `null`, the client ID is used. This property corresponds to `client_name` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`clientNames`	Tagged Value array	Client names with language tags. If the client application has different names for different languages, this property can be used to register the names.
`logoUri`	URL	The URL pointing to the logo image of the client application. The URL must consist of printable ASCII letters only and its length must not exceed 200. This property corresponds to `logo_uri` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`logoUris`	Tagged Value array	Logo image URLs with language tags. If the client application has different logo images for different languages, this property can be used to register URLs of the images.
`clientUri`	URL	The URL pointing to the home page of the client application. The URL must consist of printable ASCII letters only and its length must not exceed 200. This property corresponds to `client_uri` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`clientUris`	Tagged Value array	Home page URLs with language tags. If the client application has different home pages for different languages, this property can be used to register the URLs.
`policyUri`	URL	The URL pointing to the page which describes the policy as to how end-users' profile data are used. The URL must consist of printable ASCII letters only and its length must not exceed 200. This property corresponds to `policy_uri` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`policyUris`	Tagged Value array	URLs of policy pages with language tags. If the client application has different policy pages for different languages, this property can be used to register the URLs.
`tosUri`	URL	The URL pointing to the "Terms Of Service" page. The URL must consist of printable ASCII letters only and its length must not exceed 200. This property corresponds to `tos_uri` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`tosUris`	Tagged Value array	URLs of "Terms Of Service" pages with language tags. If the client application has different "Terms Of Service" pages for different languages, this property can be used to register the URLs.
`jwksUri`	URL	The URL pointing to the JWK Set of the client application. The URL must consist of printable ASCII letters only and its length must not exceed 200. The content pointed to by the URL must be JSON which complies with the format described in "JSON Web Key (JWK), 5. JSON Web Key Set (JWK Set) Format". Of course, the JWK Set must not include private keys of the client application. If the client application requests encryption for ID tokens (from the authorization/token/userinfo endpoints) and/or signs request objects, it must make available its JWK Set containing public keys for the encryption and/or the signature at the URL of `jwksUri`. The service (Authlete) fetches the JWK Set from the URL as necessary. OpenID Connect Dynamic Client Registration 1.0 says that `jwks` must not be used when the client can use `jwks_uri`, but Authlete allows both properties to be registered at the same time. However, Authlete does not use the content of `jwks` when `jwksUri` is registered. This property corresponds to `jwks_uri` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`jwks`	string	The content of the JWK Set of the client application. The format is described in "JSON Web Key (JWK), 5. JSON Web Key Set (JWK Set) Format". Of course, the JWK Set must not include private keys of the client application. OpenID Connect Dynamic Client Registration 1.0 says that `jwks` must not be used when the client can use `jwks_uri`, but Authlete allows both properties to be registered at the same time. However, Authlete does not use the content of `jwks` when `jwksUri` is registered. This property corresponds to `jwks` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`sectorIdentifier`	URL	The sector identifier which is a URL starting with `https`. The URL must consist of printable ASCII letters only and its length must not exceed 200.This URL is used by the service to calculate pairwise subject values. See OpenID Connect Core 1.0, 8.1. Pairwise Identifier Algorithm. Note that, however, Authlete does not support pairwise yet. This property corresponds to `sector_identifier_uri` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`subjectType`	string	The subject type that the client application requests. Either `PUBLIC` or `PAIRWISE`. the default value is `PUBLIC`. Details about the subject type are described in OpenID Connect Core 1.0, 8. Subjct Identifier Types. Because Authlete's implementation for `PAIRWISE` is not finished yet, even if `subjectType` configuration parameter of the client application is `PAIRWISE`, Authlete behaves as if it were `PUBLIC`. This property corresponds to `subject_type` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`idTokenSignAlg`	string	The value of `alg` header parameter of JWS that the client application requires the service to use for signing an ID token. One of the values listed in JWS Algorithm. The default value is `RS256`. `NONE` may be specified, but in that case, the client application cannot obtain an ID token from the service. That is, an authorization request requesting an ID token fails. This property corresponds to `id_token_signed_response_alg` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`idTokenEncryptionAlg`	string	The value of `alg` header parameter of JWE that the client application requires the service to use for encrypting an ID token. One of the supported values listed in JWE Algorithm. The default value is `null`, meaning that an ID token is not encrypted. When `idTokenEncryptionEnc` is not `null`, this property must not be `null`. If the value of this property indicates an asymmetric encryption algorithm, the client application must make available its JWK Set which contains a public key for encryption at the URL referred to by its `jwksUri` configuration property. This property corresponds to `id_token_encrypted_response_alg` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`idTokenEncryptionEnc`	string	The value of `enc` header parameter of JWE that the client application requires the service to use for encrypting an ID token. One of the values listed in JWE Encryption Algorithm. The default value is (1) `A128CBC_HS256` when `idTokenEncryptionAlg` is not `null`, or (2) `null` when `idTokenEncryptionAlg` is `null`. This property corresponds to `id_token_encrypted_response_enc` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`userInfoSignAlg`	string	The value of `alg` header parameter of JWS that the client application requires the service to use for signing the JWT returned from the user info endpoint. One of the values listed in JWS Algorithm. The default value is `null`, meaning that the data from the user info endpoint is not signed. If both `userInfoSignAlg` and `userInfoEncryptionAlg` are `null`, the format of the response from the user info endpoint is a plain JSON (not JWT). Note that `null` and `NONE` are different for this property. This property corresponds to `userinfo_signed_response_alg` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`userInfoEncryptionAlg`	string	The value of `alg` header parameter of JWE that the client application requires the service to use for encrypting the JWT returned from the user info endpoint. One of the supported values listed in JWE Algorithm. The default value is `null`, meaning that the data from the user info endpoint is not encrypted. When `userInfoEncryptionEnc` is not `null`, this property must not be `null`. If the value of this property indicates an asymmetric encryption algorithm, the client application must make available its JWK Set which contains a public key for encryption at the URL referred to by its `jwksUri` configuration property. If both `userInfoSignAlg` and `userInfoEncryptionAlg` are `null`, the format of the response from the user info endpoint is a plain JSON (not JWT). This property corresponds to `userinfo_encrypted_response_alg` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`userInfoEncryptionEnc`	string	The value of `enc` header parameter of JWE that the client application requires the service to use for encrypting the JWT returned from the user info endpoint. One of the values listed in JWE Encryption Algorithm. The default value is (1) `A128CBC_HS256` when `userInfoEncryptionAlg` is not `null`, or (2) `null` when `userInfoEncryptionAlg` is `null`. This property corresponds to `userinfo_encrypted_response_enc` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`requestSignAlg`	string	The value of `alg` header parameter of JWS that the client application uses for signing a request object. One of the values listed in JWS Algorithm. The default value is `null`, meaning that the client application may use any algorithm (among those supported by the service) to sign a request object (including `none`). If the value of this property is not `null`, request objects sent from the client application must be signed using the algorithm. Request objects signed by other algorithms are rejected. Note that `null` and `NONE` are different for this property. If the value of this property indicates an asymmetric signing algorithm, the client application must make available its JWK Set which contains a public key for the service to verify the signature of the request object at the URL referred to by its `jwksUri` configuration property. This property corresponds to `request_object_signing_alg` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`requestEncryptionAlg`	string	The value of `alg` header parameter of JWE that the client application uses for encrypting a request object. One of the supported values listed in JWE Algorithm. The default value is `null`. When `requestEncryptionEnc` is not `null`, this property must not be `null`. Regardless of whether the value of this property is `null` or not, the client application may and may not encrypt a request object. Furthermore, the client application may use other supported encryption algorithms. This property corresponds to `request_object_encryption_alg` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`requestEncryptionEnc`	string	The value of `enc` header parameter of JWE that the client application uses for encrypting a request object. One of the values listed in JWE Encryption Algorithm. The default value is (1) A128CBC_HS256 when `requestEncryptionAlg` is not `null`, or (2) `null` when `requestEncryptionAlg` is `null`. This property corresponds to `request_object_encryption_enc` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`tokenAuthMethod`	string	The client authentication method that the client application declares that it uses at the token endpoint. One of the values listed in Client Authentication Method. The default value is `CLIENT_SECRET_BASIC` (if Authlete version < 2.0) or `NONE` (if Authlete version ≥ 2.0). This property corresponds to `token_endpoint_auth_method` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`tokenAuthSignAlg`	string	The value of `alg` header parameter of JWS which is used for client authentication at the token endpoint. One of the values listed in JWS Algorithm except `NONE`. The default value is `null`, meaning that the client may sign using any algorithm which is supported by the service. If the value of this property is not `null`, the client application must use the algorithm. This property is used only for the two JWT-based client authentication, namely, `PRIVATE_KEY_JWT` and `CLIENT_SECRET_JWT` (see Cient Authentication Method). Note that, however, currently Authlete does not provide any API to help implementations for `PRIVATE_KEY_JWT` and `CLIENT_SECRET_JWT`. This property corresponds to `token_endpoint_auth_signing_alg` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`defaultMaxAge`	i32	The default maximum authentication age in seconds. This value is used when an authorization request from the client application does not have `max_age` request parameter. This property corresponds to `default_max_age` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`defaultAcrs`	string array	The default ACRs (Authentication Context Class References). This value is used when an authorization request from the client application has neither `acr_values` request parameter nor `acr` claim in `claims` request parameter. Each element must consist of printable ASCII letters only and its length must not exceed 200.
`authTimeRequired`	boolean	`true` if the client application requires the `auth_time` claim to be in an ID token. Regardless of the value of this property, Authlete embeds the `auth_time` claim when `authTime` parameter in the `/auth/authorization/issue` request is not 0 and does not do it when `authTime` is 0. This property corresponds to `require_auth_time` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`loginUri`	URL	The URL which a third party can use to initiate a login by the client application. The URL must start with `https` and consist of ASCII letters only. Its length must not exceed 200. This property corresponds to `initiate_login_uri` in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.
`requestUris`	URL array	An array of URLs each of which points to a request object. Each URL must consist of printable ASCII letters only and its length must not exceed 200. Authlete requires that URLs used as values for `request_uri` request parameter be pre-registered. This `requestUris` property is used for the pre-registration. See OpenID Connect Core 1.0, 6.2. Passing a Request Object by Reference for details.
`description`	string	The description about the client application. At most 200 letters in unicode.
`descriptions`	Tagged Value array	Descriptions about the client application with language tags. If the client application has different descriptions for different languages, this property can be used to register the descriptions.
`createdAt`	i64	The time at which this client was created. The value is represented as milliseconds since the UNIX epoch (1970-01-01).
`modifiedAt`	i64	The time at which this client was last modified. The value is represented as milliseconds since the UNIX epoch (1970-01-01).
`extension`	ClientExtension	The extended information about this client.
`tlsClientAuthSubjectDn`	string	The string representation of the expected subject distinguished name of the certificate this client will use in mutual TLS authentication. See `tls_client_auth_subject_dn` in "2.3. Dynamic Client Registration" in "Mutual TLS Profiles for OAuth Clients" for details.
`tlsClientAuthSanDns`	string	The string representation of the expected DNS subject alternative name of the certificate this client will use in mutual TLS authentication. See `tls_client_auth_san_dns` in "2.3. Dynamic Client Registration" in "Mutual TLS Profiles for OAuth Clients" for details.
`tlsClientAuthSanUri`	URL	The string representation of the expected URI subject alternative name of the certificate this client will use in mutual TLS authentication. See `tls_client_auth_san_uri` in "2.3. Dynamic Client Registration" in "Mutual TLS Profiles for OAuth Clients" for details.
`tlsClientAuthSanIp`	string	The string representation of the expected IP address subject alternative name of the certificate this client will use in mutual TLS authentication. See `tls_client_auth_san_ip` in "2.3. Dynamic Client Registration" in "Mutual TLS Profiles for OAuth Clients" for details.
`tlsClientAuthSanEmail`	string	The string representation of the expected email address subject alternative name of the certificate this client will use in mutual TLS authentication. See `tls_client_auth_san_email` in "2.3. Dynamic Client Registration" in "Mutual TLS Profiles for OAuth Clients" for details.
`tlsClientCertificateBoundAccessTokens`	boolean	The flag which indicates whether this client use TLS client certificate bound access tokens.
`selfSignedCertificateKeyId`	string	The key ID of a JWK containing a self-signed certificate of this client.
`softwareId`	string	The unique identifier string assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered. This property corresponds to the `software_id` metadata defined in 2. Client Metadata of RFC 7591 (OAuth 2.0 Dynamic Client Registration Protocol).
`softwareVersion`	string	The version identifier string for the client software identified by the software ID. This property corresponds to the `software_version` metadata defined in 2. Client Metadata of RFC 7591 (OAuth 2.0 Dynamic Client Registration Protocol).
`authorizationSignAlg`	string	The JWS `alg` algorithm for signing authorization responses. One of the values listed in JWS Algorithm. The default value is `null`. This property corresponds to `authorization_signed_response_alg` in 5. Client Metadata of Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM).
`authorizationEncryptionAlg`	string	The JWE `alg` algorithm for encrypting authorization responses. One of the values listed in JWE Algorithm. The default value is `null`. When `authorizationEncryptionEnc` is not `null`, this property must not be `null`. This property corresponds to `authorization_encrypted_response_alg` in 5. Client Metadata of Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM).
`authorizationEncryptionEnc`	string	The JWE `enc` algorithm for encrypting authorization responses. The default value is `null`. This property corresponds to `authorization_encrypted_response_enc` in 5. Client Metadata of Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM).
`bcDeliveryMode`	string	The backchannel token delivery mode. This property corresponds to the `backchannel_token_delivery_mode` metadata. One of the values listed in Delivery Mode. The backchannel token delivery mode is defined in the specification of the CIBA (Client Initiated Backchannel Authentication).
`bcNotificationEndpoint`	string	The backchannel client notification endpoint. This property corresponds to the `backchannel_client_notification_endpoint` metadata. The backchannel token delivery mode is defined in the specification of the CIBA (Client Initiated Backchannel Authentication).
`bcRequestSignAlg`	string	The signature algorithm of the request to the backchannel authentication endpoint. One of the asymmetric algorithm values listed in JWS Algorithm. The default value is `null`. This property corresponds to the `backchannel_authentication_request_signing_alg` metadata. The backchannel token delivery mode is defined in the specification of the CIBA (Client Initiated Backchannel Authentication).
`bcUserCodeRequired`	boolean	The boolean flag which indicates whether a user code is required when this client makes a backchannel authentication request. This property corresponds to the `backchannel_user_code_parameter metadata`.
`dynamicallyRegistered`	boolean	The flag which indicates whether this client has been registered dynamically.
`registrationAccessTokenHash`	string	The hash of the registration access token for this client.

Display

The listed below are Authlete's constant values that correspond to the display values described in "OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, display". The supportedDisplays property of Service is a string array containing values listed below.

PAGE
POPUP
TOUCH
WAP

Prompt

The listed below are Authlete's constant values that correspond to the prompt values described in "OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, prompt".

NONE
LOGIN
CONSENT
SELECT_ACCOUNT

Grant Type

The table below lists Authlete's constant values that correspond to the values of grant_type request parameter for OAuth 2.0 token endpoint. Among the values listed here, however, implicit cannot be used as a value for grant_type request parameter. It exists only as a value of supportedGrantTypes property of Service and grantTypes property of Client.

Value	Description
`AUTHORIZATION_CODE`	This corresponds to "authorization_code" defined in RFC 6749, 4.1.3. Access Token Request for Authorization Code Grant.
`IMPLICIT`	This corresponds to "implicit" defined in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata for Implicit Grant.
`PASSWORD`	This corresponds to "password" defined in RFC 6749, 4.3.2. Access Token Request for Resource Owner Password Credentials Grant.
`CLIENT_CREDENTIALS`	This corresponds to "client_credentials" defined in RFC 6749, 4.4.2. Access Token Request for Client Credentials Grant.
`REFRESH_TOKEN`	This corresponds to "refresh_token" defined in RFC 6749, 6. Refreshing an Access Token.

JWE Algorithm

The listed below are Authlete's constant values that correspond to the values of "alg" header parameter of JSON Web Encryption (JWE), which are described in JSON Web Algorithms (JWA), 4.1. "alg" (Algorithm) Header Parameter Values for JWE.

RSA1_5
RSA_OAEP
RSA_OAEP_256
A128KW
A192KW
A256KW
DIR
ECDH_ES
ECDH_ES_A128KW
ECDH_ES_A192KW
ECDH_ES_A256KW
A128GCMKW
A192GCMKW
A256GCMKW
PBES2_HS256_A128KW
PBES2_HS384_A192KW
PBES2_HS512_A256KW

JWE Encryption Algorithm

The listed below are Authlete's constant values that correspond to the values of "enc" header parameter of JSON Web Encryption (JWE), which are described in JSON Web Algorithms (JWA), 5.1. "enc" (Encryption Algorithm) Header Parameter Values for JWE.

A128CBC_HS256
A192CBC_HS384
A256CBC_HS512
A128GCM
A192GCM
A256GCM

JWS Algorithm

The listed below are Authlete's constant values that correspond to the values of "alg" header parameter of JSON Web Signature (JWS), which are described in JSON Web Algorithms (JWA), 3.1. "alg" (Algorithm) Header Parameter Values for JWS.

NONE
HS256
HS384
HS512
RS256
RS384
RS512
ES256
ES384
ES512
PS256
PS384
PS512

Pair

A pair of a string key and a string value.

Name	Type	Description
`key`	string	The key part.
`value`	string	The value part.

Property

Property that consists of a string key and a string value.

This data type is used mainly to represent an extra property that is associated with an access token. Some Authlete APIs (such as /api/auth/token API) accept an array of properties via properties request parameter and associate the properties with an access token.

Name Type Description

key

string

The key part.

value

string

The value part.

hidden

string

The flag to indicate whether this property hidden from or visible to client applications.

If true, this property is hidden from client applications. Otherwise, this property is visible to client applications.

Response Type

The table below lists Authlete's valid constant values that correspond to response_type request parameter for OAuth 2.0 authorization endpoint. RFC 6749 defines two values, "code" and "token". Other values listed here are added by OAuth 2.0 Multiple Response Type Encding Practices, which is a part of Open ID Connect specification.

The supportedResponseTypes property of Service and the responseTypes property of Client are a string array containing values listed below.

Value	Description
`NONE`	This corresponds to "none" defined in OAuth 2.0 Multiple Response Type Encoding Practices, 4. None Response Type.
`CODE`	This corresponds to "code" defined in RFC 6749, 4.1.1. Authorization Request for Authorization Code Grant.
`TOKEN`	This corresponds to "token" defined in RFC 6749, 4.2.1. Authorization Request for Implicit Grant.
`ID_TOKEN`	This corresponds to "id_token" defined in OAuth 2.0 Multiple Response Type Encoding Practices, 3. ID Token Response Type.
`CODE_TOKEN`	This corresponds to "code token" defined in OAuth 2.0 Multiple Response Type Encoding Practices, 5. Definitions of Multiple-Valued Response Type Combinations.
`CODE_ID_TOKEN`	This corresponds to "code id_token" defined in OAuth 2.0 Multiple Response Type Encoding Practices, 5. Definitions of Multiple-Valued Response Type Combinations.
`ID_TOKEN_TOKEN`	This corresponds to "id_token token" defined in OAuth 2.0 Multiple Response Type Encoding Practices, 5. Definitions of Multiple-Valued Response Type Combinations.
`CODE_ID_TOKEN_TOKEN`	This corresponds to "code id_token token" defined in OAuth 2.0 Multiple Response Type Encoding Practices, 5. Definitions of Multiple-Valued Response Type Combinations.

Scope

This is a data structure for a scope which is described in RFC 6749, Access Token Scope. The data structure has properties listed in the following table.

Name	Type	Description
`name`	string	The name of the scope. Letters that can be used for a scope name are %x21, %x23-5B and %x5D-7E. Put simply, they are printable ASCII letters excluding "space (%x20)", "double quotation mark (%x22)" and "backslash (%x5C)". Its length must not exceed 200.
`defaultEntry`	boolean	`true` to mark the scope as default. Scopes marked as default are regarded as requested when an authorization request from a client application does not contain `scope` request parameter.
`description`	string	OPTIONAL. The description of the scope. It is a unicode string. Its length must not exceed 200.
`attributes`	Pair array	OPTIONAL. The attributes of the scope.

Service

The table below lists top-level properties of the JSON object which represents a service.

Name Type Description

number

i32

The sequential number of the service. The value of this property is assigned by Authlete. Even if the property has a value in a /service/create request or a /service/update request, it is ignored.

serviceOwnerNumber

i32

The sequential number of the service owner of the service. The value of this property is assigned by Authlete. Even if the property has a value in a /service/create request or a /service/update request, it is ignored.

serviceName

string

The name of the service. It consists of at most 100 unicode letters. This property must not be null.

apiKey

i64

The API key. The value of this property is assigned by Authlete. Even if the property has a value in a /service/create request or a /service/update request, it is ignored.

apiSecret

string

The API secret. A random 256-bit value encoded by base64url (43 letters). The value of this property is assigned by Authlete. Even if the property has a value in a /service/create request or a /service/update request, it is ignored.

issuer

URL

The issuer identifier of the service. A URL that starts with https:// and has no query or fragment component. For example, https://example.com. Authlete requires that the URL consist of only ASCII letters and its length not exceed 200. This property must not be null.

The value of this property is used as iss claim in an ID token and issuer property in the OpenID Provider Metadata.

authorizationEndpoint

URL

The authorization endpoint of the service. A URL that starts with https:// and has no fragment component. For example, https://example.com/auth/authorization. Authlete requires that the URL consist of only ASCII letters and its length not exceed 200. This property must not be null.

The value of this property is used as authorization_endpoint property in the OpenID Provider Metadata.

tokenEndpoint

URL

The token endpoint of the service. A URL that starts with https:// and has not fragment component. For example, https://example.com/auth/token. Authlete requires that the URL consist of only ASCII letters and its length not exceed 200. This property may be null if and only if the service supports only Implicit Grant (= supports response_type=token only).

The value of this property is used as token_endpoint property in the OpenID Provider Metadata.

revocationEndpoint

URL

The revocation endpoint of the service. A URL that starts with https://. For example, https://example.com/auth/revocation. Authlete requires that the URL consist of only ASCII letters and its length not exceed 200. This property may be null if the service does not support the revocation endpoint.

userInfoEndpoint

URL

The user info endpoint of the service. A URL that starts with https://. For example, https://example.com/auth/userinfo. Authlete requires that the URL consist of only ASCII letters and its length not exceed 200. This property may be null if the service does not support the user info endpoint.

The value of this property is used as userinfo_endpoint property in the OpenID Provider Metadata.

jwksUri

URL

The URL of the service's JSON Web Key Set document. For example, http://example.com/auth/jwks. Authlete requires that the URL consist of only ASCII letters and its length not exceed 200. This property may be null if and only if the service does not support asymmetric signatures for ID tokens and asymmetric encryption for request objects.

Client applications accesses this URL (1) to get the public key of the service to validate the signature of an ID token issued by the service and (2) to get the public key of the service to encrypt an request object of the client application. See OpenID Connect Core 1.0, 10. Signatures and Encryption for details.

The value of this property is used as jwks_uri property in the OpenID Provider Metadata.

jwks

string

The content of the service's JSON Web Key Set document. If this property is not null in a /service/create request or a /service/update, Authlete hosts the content in the database. This property must not be null and must contain pairs of public/private keys if the service wants to support asymmetric signatures for ID tokens and asymmetric encryption for request objects. See OpenID Connect Core 1.0, 10. Signatures and Encryption for details.

registrationEndpoint

URL

The registration endpoint of the service. A URL that starts with https://. For example, https://example.com/auth/registration. Authlete requires that the URL consist of only ASCII letters and its length not exceed 200.

The value of this property is used as registration_endpoint property in the OpenID Provider Metadata.

registrationManagementEndpoint

URL

The URI of the registration management endpoint. If dynamic client registration is supported, and this is set, this URI will be used as the basis of the client's management endpoint by appending /clientid/ to it as a path element. If this is unset, the value of registrationEndpoint will be used as the URI base instead.

supportedScopes

Scope array

Scopes supported by the service. Authlete strongly recommends that the service register at least the following scopes.

Name	Description
`openid`	A permission to get an ID token of an end-user. The `openid` scope appears in "OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, scope". Without this scope, Authlete does not allow `response_type` request parameter to have values other than `code` and `token`.
`profile`	A permission to get information about `name`, `family_name`, `given_name`, `middle_name`, `nickname`, `preferred_username`, `profile`, `picture`, `website`, `gender` `birthdate`, `zoneinfo`, `locale` and `updated_at` from the user info endpoint. See OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values for details.
`email`	A permission to get information about `email` and `email_verified` from the user info endpoint. See OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values for details.
`address`	A permission to get information about `address` from the user info endpoint. See OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values and 5.1.1. Address Claim for details.
`phone`	A permission to get information about `phone_number` and `phone_number_verified` from the user info endpoint. See OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values for details.
`offline_access`	A permission to get information from the user info endpoint even when the end-user is not present. See OpenID Connect Core 1.0, 11. Offline Access for details.

The value of this property is used as scopes_supported property in the OpenID Provider Metadata.

supportedResponseTypes

string array

Values of response_type request parameter that the service supports. Valid values are listed in Response Type.

The value of this property is used as response_types_supported property in the OpenID Provider Metadata.

supportedGrantTypes

string array

Values of grant_type request parameter that the service supports. Valid values are listed in Grant Type.

The value of this property is used as grant_types_supported property in the OpenID Provider Metadata.

supportedAcrs

string array

Values of Authentication Context Class References that the service supports.

The value of this property is used as acr_values_supported property in the OpenID Provider Metadata.

supportedTokenAuthMethods

string array

Client authentication methods supported by the token endpoint of the service. Valid values are listed in Client Authentication Method. Note that, however, currently Authlete does not provide any API to help implementations for CLIENT_SECRET_JWT and PRIVATE_KEY_JWT.

The value of this property is used as token_endpoint_auth_methods_supports property in the OpenID Provider Metadata.

supportedDisplays

string array

Values of display request parameter that service supports. Valid values are listed in Display.

The value of this property is used as display_values_supported property in the OpenID Provider Metadata.

supportedClaimTypes

string array

Claim types supported by the service. Valid values are listed in Claim Type. Note that, however, currently Authlete does not provide any API to help implementations for AGGREGATED and DISTRIBUTED.

The value of this property is used as claim_types_supported property in the OpenID Provider Metadata.

supportedClaims

string array

Claim names that the service supports. The standard claim names listed in OpenID Connect Core 1.0, 5.1. Standard Claim should be supported. The following is the list of standard claims.

sub
name
given_name
family_name
middle_name
nickname
preferred_username
profile
picture
website
email
email_verified
gender
birthdate
zoneinfo
locale
phone_number
phone_number_verified
address
updated_at

The value of this property is used as claims_supported property in the OpenID Provider Metadata.

The service may support its original claim names. See OpenID Connect Core 1.0, 5.1.2. Additional Claims. Note that Authlete requires that original claim names consist of only ASCII letters and its length not exceed 200.

serviceDocumentation

URL

The URL of a page where documents for developers can be found.

The value of this property is used as service_documentation property in the OpenID Provider Metadata.

supportedClaimLocales

string array

Claim locales that the service supports. Each element is a language tag defined in RFC 5646. For example, "en-US" and "ja-JP". Authlete requires that each language tag consist of only ASCII letters and its length not exceed 30. See OpenID Connect Core 1.0, 5.2. Languages and Scripts for details.

The value of this property is used as claims_locales_supported property in the OpenID Provider Metadata.

supportedUiLocales

string array

UI locales that the service supports. Each element is a language tag defined in RFC 5646. For example, "en-US" and "ja-JP". Authlete requires that each language tag consist of only ASCII letters and its length not exceed 30.

The value of this property is used as ui_locales_supported property in the OpenID Provider Metadata.

policyUri

URL

The URL of the "Policy" of the service. Authlete requires that the URL consist of only ASCII letters and its length not exceed 200.

The value of this property is used as op_policy_uri property in the OpenID Provider Metadata.

tosUri

URL

The URL of the "Terms Of Service" of the service. Authlete requires that the URL consist of only ASCII letters and its length not exceed 200.

The value of this property is used as op_tos_uri property in the OpenID Provider Metadata.

authenticationCallbackEndpoint

URL

A Web API endpoint for user authentication which is to be prepared on the service side. It must consist of only ASCII characters and its length must not exceed 200.

The endpoint must be implemented if you do not implement the UI at the authorization endpoint but use the one provided by Authlete. The user authentication at the authorization endpoint provided by Authlete is performed by making a POST request to this endpoint.

See 'Authentication Callback' for details.

authenticationCallbackApiKey

string

API key for Basic authentication at the authentication callback endpoint. It must consist of only ASCII characters and its length must not exceed 100.

If the value is not empty, Authlete generates Authorization header for Basic authentication when making a request to the authentication callback endpoint.

authenticationCallbackApiSecret

string

API secret for Basic authentication at the authentication callback endpoint. It must consist of only ASCII characters and its length must not exceed 100.

supportedSnses

string

SNSes you want to support 'social login' in the UI at the authorization endpoint provided by Authlete. You need to register a client application in each SNS that is set to this parameter and set Authlete server's /api/sns/redirection as the redirection endpoint of the client application.

snsCredentials

string

SNS credentials which Authlete uses to make requests to SNSes. The format is JSON.

createdAt

i64

The time at which this service was created. The value is represented as milliseconds since the UNIX epoch (1970-01-01).

modifiedAt

i64

The time at which this service was last modified. The value is represented as milliseconds since the UNIX epoch (1970-01-01).

developerAuthenticationCallbackEndpoint

URL

A Web API endpoint for developer authentication which is to be prepared on the server side. It must consist of only ASCII characters and its length must not exceed 200.

The endpoint must be implemented if you use Developer Console. The developer authentication at the login page of Developer Console is performed by making a POST request to this endpoint.

developerAuthenticationCallbackApiKey

string

API key for Basic authentication at the developer authentication callback endpoint. It must consist of only ASCII characters and its length must not exceed 100.

If the value is not empty, Authlete generates Authorization header for Basic authentication when making a request to the developer authentication callback endpoint.

developerAuthenticationCallbackApiSecret

string

API secret for Basic authentication at the developer authentication callback endpoint. It must consist of only ASCII characters and its length must not exceed 100.

supportedDeveloperSnses

string

SNSes you want to support 'social login' in the login page of Developer Console provided by Authlete. You need to register a client application in each SNS checked here and set Authlete server's /api/developer/sns/redirection as the redirection endpoint of the client application.

developerSnsCredentials

string

SNS credentials which Authlete uses to make requests to SNSes. The format is JSON.

clientsPerDeveloper

i32

The maximum number of client applications that a developer is allowed to create. 0 means no limit.

directAuthorizationEndpointEnabled

boolean

The flag to indicate whether the direct authorization endpoint is enabled or not.

If true, the default implementation of the authorization endpoint of this service works. The URL of the endpoint is https://api.authlete.com/api/auth/authorization/direct/service-api-key.

If false, the endpoint returns 404 Not Found. In this case, you have to implement the authorization endpoint by yourself using Authlete's Web APIs such as /api/auth/authorization, /api/auth/authorization/issue and /api/auth/authorization/fail.

directTokenEndpointEnabled

boolean

The flag to indicate whether the direct token endpoint is enabled or not.

If true, the default implementation of the token endpoint of this service works. The URL of the endpoint is https://api.authlete.com/api/auth/token/direct/service-api-key.

If false, the endpoint returns 404 Not Found. In this case, you have to implement the token endpoint by yourself using Authlete's Web APIs such as /api/auth/token, /api/auth/token/issue and /api/auth/token/fail.

directRevocationEndpointEnabled

boolean

The flag to indicate whether the direct revocation endpoint is enabled or not.

If true, the default implementation of the revocation endpoint (RFC 7009) of this service works. The URL of the endpoint is https://api.authlete.com/api/auth/revocation/direct/service-api-key.

If false, the endpoint returns 404 Not Found. In this case, if you want to provide a revocation endpoint to client applications, you have to implement the endpoint by yourself using Authlete's /api/auth/revocation API.

directUserInfoEndpointEnabled

boolean

The flag to indicate whether the direct userinfo endpoint is enabled or not.

If true, the default implementation of the userinfo endpoint of this service works. The URL of the endpoint is https://api.authlete.com/api/auth/userinfo/direct/service-api-key.

If false, the endpoint returns 404 Not Found. In this case, if you want to provide a userinfo endpoint to client applications, you have to implement the endpoint by yourself using Authlete's /api/auth/userinfo API.

This feature is not implemented yet.

directJwksEndpointEnabled

boolean

The flag to indicate whether the direct jwks endpoint is enabled or not.

If true, the default implementation of the JWK Set endpoint of this service works. The URL of the endpoint is https://api.authlete.com/api/service/jwks/get/direct/service-api-key.

If false, the endpoint returns 404 Not Found. In this case, if you want to provide a JWK Set endpoint to client applications, you have to implement the endpoint by yourself using Authlete's /api/service/jwks/get API.

singleAccessTokenPerSubject

boolean

The flag to indicate whether the number of access tokens per subject (and per client) is at most one or can be more.

If true, an attempt to issue a new access token invalidates existing access tokens that are associated with the same subject and the same client.

Note that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by Refresh Token Flow invalidates the coupled access token only and this invalidation is always performed regardless of whether the value of this setting item is true or false.

pkceRequired

boolean

The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.

If true, code_challenge request parameter is always required for authorization requests using Authorization Code Flow.

See RFC 7636 (Proof Key for Code Exchange by OAuth Public Clients) for details about code_challenge request parameter.

refreshTokenKept

boolean

The flag to indicate whether a refresh token remains unchanged or gets renewed after its use.

If true, a refresh token used to get a new access token remains valid after its use. Otherwise, if false, a refresh token is invalidated after its use and a new refresh token is issued.

See RFC 6749 6. Refreshing an Access Token, as to how to get a new access token using a refresh token.

errorDescriptionOmitted

boolean

The flag to indicate whether the error_description response parameter is omitted.

According to RFC 6749, an authorization server may include the error_description response parameter in error responses.

If true, Authlete does not embed the error_description response parameter in error responses.

errorUriOmitted

boolean

The flag to indicate whether the error_uri response parameter is omitted.

According to RFC 6749, an authorization server may include the error_uri response parameter in error responses.

If true, Authlete does not embed the error_uri response parameter in error responses.

description

string

The description about the service. It consists of at most 200 unicode letters.

accessTokenType

string

The access token type. This value is used as the value of token_type property in access token responses. If this service complies with RFC 6750, the value of this property should be Bearer.

See RFC 6749 (OAuth 2.0), 7.1. Access Token Types for details.

accessTokenDuration

i32

The duration of access tokens in seconds. This value is used as the value of expires_in property in access token responses. expires_in is defined RFC 6749, 5.1. Successful Response.

refreshTokenDuration

i32

The duration of refresh tokens in seconds. The related specifications have no requirements on refresh token duration, but Authlete sets expiration for refresh tokens.

idTokenDuration

i32

The duration of ID tokens in seconds. This value is used to calculate the value of exp claim in an ID token.

metadata

Pair array

The metadata of the service. The content of the returned array depends on contexts. The predefined service metadata is listed in the following table.

Key	Description
`"clientCount"`	The number of client applications which belong to this service.

idTokenSignatureKeyId

string

The key ID to identify a JWK used for ID token signature using an asymmetric key.

A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (See RFC 7517 for details about JWK). Authlete Server has to pick up one JWK for signature from the JWK Set when it generates an ID token and signature using an asymmetric key is required. Authlete Server searches the registered JWK Set for a JWK which satisfies conditions for ID token signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.

This idTokenSignatureKeyId property exists for the purpose described above. For key rotation (OpenID Connect Core 1.0, 10.1.1. Rotation of Asymmetric Signing Keys), this mechanism is needed.

userInfoSignatureKeyId

string

The key ID to identify a JWK used for user info signature using an asymmetric key.

A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (See RFC 7517 for details about JWK). Authlete Server has to pick up one JWK for signature from the JWK Set when it is required to sign user info (which is returned from UserInfo Endpoint) using an asymmetric key. Authlete Server searches the registered JWK Set for a JWK which satisfies conditions for user info signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.

This userInfoSignatureKeyId property exists for the purpose described above. For key rotation (OpenID Connect Core 1.0, 10.1.1. Rotation of Asymmetric Signing Keys), this mechanism is needed.

supportedServiceProfiles

string array

The profiles that this service supports. One of the values listed in Service Profile.

tlsClientCertificateBoundAccessTokens

boolean

The boolean flag which indicates whether this service supports issuing TLS client certificate bound access tokens.

introspectionEndpoint

URL

The URI of the introspection endpoint.

supportedIntrospectionAuthMethods

string arrray

Client authentication methods supported at the introspection endpoint. One of the values listed in Client Authentication Method.

mutualTlsValidatePkiCertChain

boolean

The boolean flag which indicates whether this service validates certificate chains during PKI-based client mutual TLS authentication.

trustedRootCertificates

string array

The list of root certificates trusted by this service for PKI-based client mutual TLS authentication.

accessTokenSignAlg

string

The signature algorithm of access tokens. One of the values listed in JWS Algorithm except for symmetric algorithms (HS256, HS384 and HS512). When null is set, access tokens issued by this service are just random strings. On the other hand, when a non-null value is set, access tokens issued by this service are JWTs and the value set by this method is used as the signature algorithm of the JWTs.

This parameter is available since Authlete 2.1. Access tokens generated by older Authlete versions are always random strings.

accessTokenSignatureKeyId

string

The duration of access tokens in seconds; the value of expires_in in access token responses.

authorizationResponseDuration

i64

The duration of authorization response JWTs.

Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) defines new values for the response_mode request parameter. They are query.jwt, fragment.jwt, form_post.jwt and jwt. If one of them is specified as the response mode, response parameters from the authorization endpoint will be packed into a JWT. This property is used to compute the value of the exp claim of the JWT.

authorizationSignatureKeyId

string

The key ID to identify a JWK used for signing authorization responses using an asymmetric key.

Authlete Server searches the JWK Set for a JWK which satisfies conditions for authorization response signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed to be specified so that Authlete Server can pick up one JWK from among the JWK candidates. This property exists to specify the key ID.

supportedBackchannelTokenDeliveryModes

string array

The supported backchannel token delivery modes. This property corresponds to the backchannel_token_delivery_modes_supported metadata.

Backchannel token delivery modes are defined in the specification of CIBA (Client Initiated Backchannel Authentication).

backchannelAuthenticationEndpoint

URL

The URI of the backchannel authentication endpoint.

Backchannel token delivery modes are defined in the specification of CIBA (Client Initiated Backchannel Authentication).

backchannelUserCodeParameterSupported

boolean

The boolean flag which indicates whether the "user_code" request parameter is supported at the backchannel authentication endpoint. This property corresponds to the backchannel_user_code_parameter_supported metadata.

backchannelAuthReqIdDuration

i32

The duration of backchannel authentication request IDs issued from the backchannel authentication endpoint in seconds. This is used as the value of the expires_in property in responses from the backchannel authentication endpoint.

backchannelPollingInterval

i32

The minimum interval between polling requests to the token endpoint from client applications in seconds. This is used as the value of the interval property in responses from the backchannel authentication endpoint.

allowableClockSkew

i32

The allowable clock skew between the server and clients in seconds.

The clock skew is taken into consideration when time-related claims in a JWT (e.g. "exp", "iat", "nbf") are verified.

dynamicRegistrationSupported

boolean

The boolean flag which indicates whether the dynamic client registration is supported.

Subject Type

The listed below are Authlete's constant values that correspond to the subject identifier types described in OpenID Connect Core 1.0, 8. Subject Identifier Types.

PUBLIC
PAIRWISE

Note that currently Authlete's implementation for PAIRWISE is not finished, so PAIRWISE behaves in the same way as PUBLIC.

Tagged Value

TaggedValue is a generic-purpose data structure to describe a pair of a language tag and a string. This data structure has two members, tag and value as described in the table below.

Name	Type	Description
`tag`	string	The language tag part. It must consist of only ASCII letters. Its length must not exceed 30.
`value`	string	The value part. It is a unicode string, but some client properties put more restrictive limitations such as "ASCII only". Its length must not exceed 200.

Some properties of Client such as clientNames and logoUris are represented in this data structure. See OpenID Connect Core 1.0, 5.2. Claims Languages and Scripts for the usage of language tags in OpenID Connect.

Service Profile

The listed below are profiles that a service can support. The supportedServiceProfiles property of Service is a string array containing values listed below.

Value	Description
`FAPI`	When this profile is enabled, it indicates the service supports Financial-grade API - Part 1: Read-Only API Security Profile and Financial-grade API - Part 2: Read and Write API Security Profile. Note that you need to enable this profile and also properly configure the service to conform the service to FAPI requirements.
`OPEN_BANKING`	When this profile is enabled, it indicates the service supports "Open Banking Security Profile". Note that you need to enable this profile and `FAPI` profile and also properly configure the service to conform the service to Open Banking requirements.

Delivery Mode

The listed below are Authlete's constant values that correspond to the delivery mode values defined in the specification of CIBA (Client Initiated Backchannel Authentication). The bcDeliveryMode property of Client has a value listed below.

PING
POLL
PUSH

Service Management

/service/create API

curl -v -X POST https://api.authlete.com/api/service/create \
-H 'Content-Type:application/json' \
-u '9503564165:cxRpzPEkvqYbDu14gpCVKi_p6kMQvcW-lBRi7IfWLG4' \
-d '{ "serviceName": "My Service", "description": "This is My Service." }'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

Service service = new Service()
  .setServiceName("My Service")
  .setDescription("This is My Service.")
;

api.createService(service);

require 'authlete'

api = Authlete::Api.new(
  host: 'https://api.authlete.com',
  service_owner_api_key: 9503564165,
  service_owner_api_secret: 'cxRpzPEkvqYbDu14gpCVKi_p6kMQvcW-lBRi7IfWLG4'
)

request = Authlete::Model::Service.new(
  service_name: 'My Service',
  description: 'This is My Service.'
)

api.service_create(service)

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

Service service     = new Service();
service.Name        = "My Service";
service.Description = "This is My Service.";

await api.CreateService(service);

{
  "number": 1034,
  "serviceOwnerNumber": 2,
  "serviceName": "My Service",
  "apiKey": 10167240235,
  "apiSecret": "LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE",
  "issuer": "https://authlete.com",
  "supportedScopes": [...],
  "supportedResponseTypes": ["NONE", "CODE", "TOKEN", "ID_TOKEN", "CODE_TOKEN", "CODE_ID_TOKEN", "ID_TOKEN_TOKEN", "CODE_ID_TOKEN_TOKEN"],
  "supportedGrantTypes": ["AUTHORIZATION_CODE", "IMPLICIT", "PASSWORD", "CLIENT_CREDENTIALS", "REFRESH_TOKEN"],
  "supportedTokenAuthMethods": ["NONE", "CLIENT_SECRET_BASIC", "CLIENT_SECRET_POST"],
  "supportedDisplays": ["PAGE", "POPUP", "TOUCH", "WAP"],
  "supportedClaimTypes": ["NORMAL"],
  "supportedClaims": [...],
  "createdAt": 1510652454389,
  "modifiedAt": 1510652454389,
  "clientsPerDeveloper": 0,
  "directAuthorizationEndpointEnabled": true,
  "directTokenEndpointEnabled": true,
  "directRevocationEndpointEnabled": true,
  "directUserInfoEndpointEnabled": true,
  "directJwksEndpointEnabled": true,
  "directIntrospectionEndpointEnabled": true,
  "singleAccessTokenPerSubject": false,
  "pkceRequired": false,
  "refreshTokenKept": false,
  "errorDescriptionOmitted": false,
  "errorUriOmitted": false,
  "clientIdAliasEnabled": false,
  "tlsClientCertificateBoundAccessTokens": false,
  "mutualTlsValidatePkiCertChain": false,
  "dynamicRegistrationSupported": false,
  "accessTokenType": "Bearer",
  "accessTokenDuration": 86400,
  "refreshTokenDuration": 864000,
  "idTokenDuration": 86400,
  "authorizationResponseDuration": 0,
  "metadata": [...],
  "backchannelUserCodeParameterSupported": false,
  "backchannelAuthReqIdDuration": 0,
  "backchannelPollingInterval": 0,
  "allowableClockSkew": 0
}

Create a new service.

Request

POST /api/service/create

Content-Type

application/json

Authorization

Basic Authentication with API key & API secret of a service owner.

Parameters

A JSON which represents a new service. The detailed format is described in Service.

Response

Content-Type

application/json

Parameters

A JSON which represents the newly created service. The detailed format is described in Service. The pair of API key & API secret of the service is embedded in the entity body of the response.

/service/get API

curl -v https://api.authlete.com/api/service/get/10167240235 \
-u '9503564165:cxRpzPEkvqYbDu14gpCVKi_p6kMQvcW-lBRi7IfWLG4'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

long serviceApiKey = 10167240235;

api.getService(serviceApiKey);

require 'authlete'

api = Authlete::Api.new(
  host: "https://api.authlete.com",
  service_owner_api_key: 9503564165,
  service_owner_api_secret: 'cxRpzPEkvqYbDu14gpCVKi_p6kMQvcW-lBRi7IfWLG4'
)

service_api_key = 10167240235

api.service_get(service_api_key)

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

long serviceApiKey = 10167240235;

await api.GetService(serviceApiKey);

{
  "number": 1034,
  "serviceOwnerNumber": 2,
  "serviceName": "My Service",
  "apiKey": 10167240235,
  "apiSecret": "LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE",
  "issuer": "https://authlete.com",
  "supportedScopes": [...],
  "supportedResponseTypes": ["NONE", "CODE", "TOKEN", "ID_TOKEN", "CODE_TOKEN", "CODE_ID_TOKEN", "ID_TOKEN_TOKEN", "CODE_ID_TOKEN_TOKEN"],
  "supportedGrantTypes": ["AUTHORIZATION_CODE", "IMPLICIT", "PASSWORD", "CLIENT_CREDENTIALS", "REFRESH_TOKEN"],
  "supportedTokenAuthMethods": ["NONE", "CLIENT_SECRET_BASIC", "CLIENT_SECRET_POST"],
  "supportedDisplays": ["PAGE", "POPUP", "TOUCH", "WAP"],
  "supportedClaimTypes": ["NORMAL"],
  "supportedClaims": [...],
  "createdAt": 1510652454389,
  "modifiedAt": 1510652454389,
  "clientsPerDeveloper": 0,
  "directAuthorizationEndpointEnabled": true,
  "directTokenEndpointEnabled": true,
  "directRevocationEndpointEnabled": true,
  "directUserInfoEndpointEnabled": true,
  "directJwksEndpointEnabled": true,
  "directIntrospectionEndpointEnabled": true,
  "singleAccessTokenPerSubject": false,
  "pkceRequired": false,
  "refreshTokenKept": false,
  "errorDescriptionOmitted": false,
  "errorUriOmitted": false,
  "clientIdAliasEnabled": false,
  "tlsClientCertificateBoundAccessTokens": false,
  "mutualTlsValidatePkiCertChain": false,
  "dynamicRegistrationSupported": false,
  "accessTokenType": "Bearer",
  "accessTokenDuration": 86400,
  "refreshTokenDuration": 864000,
  "idTokenDuration": 86400,
  "authorizationResponseDuration": 0,
  "metadata": [...],
  "backchannelUserCodeParameterSupported": false,
  "backchannelAuthReqIdDuration": 0,
  "backchannelPollingInterval": 0,
  "allowableClockSkew": 0
}

Get information about a service.

Request

GET /api/service/get/{serviceApiKey}

Authorization

Basic Authentication with API key & API secret of a service owner.

Parameters

Name	Required	Description
`serviceApiKey`	YES	The API key of the service to be retrieved.

Response

Content-Type

application/json

Parameters

A JSON which represents the service. The detailed format is described in Service.

/service/get/list API

curl -v https://api.authlete.com/api/service/get/list?start=0\&end=3 \
-u '9503564165:cxRpzPEkvqYbDu14gpCVKi_p6kMQvcW-lBRi7IfWLG4'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

int start = 0;
int end   = 3;

api.getServiceList(start, end);

require 'authlete'

api = Authlete::Api.new(
  host: 'https://api.authlete.com',
  service_owner_api_key: 9503564165,
  service_owner_api_secret: 'cxRpzPEkvqYbDu14gpCVKi_p6kMQvcW-lBRi7IfWLG4'
)

parameters = { start: 0, end: 3 }

api.service_get_list(parameters)

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

int start = 0;
int end   = 3;

await api.GetServiceList(start, end);

{
  "start": 0,
  "end": 3,
  "totalCount": 3,
  "services": [
    {
      "number": 1034,
      "serviceOwnerNumber": 2,
      "serviceName": "My Service",
      "apiKey": 10167240235,
      "apiSecret": "LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE",
      "issuer": "https://authlete.com",
      "supportedScopes": [...],
      "supportedResponseTypes": ["NONE", "CODE", "TOKEN", "ID_TOKEN", "CODE_TOKEN", "CODE_ID_TOKEN", "ID_TOKEN_TOKEN", "CODE_ID_TOKEN_TOKEN"],
      "supportedGrantTypes": ["AUTHORIZATION_CODE", "IMPLICIT", "PASSWORD", "CLIENT_CREDENTIALS", "REFRESH_TOKEN"],
      "supportedTokenAuthMethods": ["NONE", "CLIENT_SECRET_BASIC", "CLIENT_SECRET_POST"],
      "supportedDisplays": ["PAGE", "POPUP", "TOUCH", "WAP"],
      "supportedClaimTypes": ["NORMAL"],
      "supportedClaims": [...],
      "createdAt": 1510652454389,
      "modifiedAt": 1510652454389,
      "clientsPerDeveloper": 0,
      "directAuthorizationEndpointEnabled": true,
      "directTokenEndpointEnabled": true,
      "directRevocationEndpointEnabled": true,
      "directUserInfoEndpointEnabled": true,
      "directJwksEndpointEnabled": true,
      "directIntrospectionEndpointEnabled": true,
      "singleAccessTokenPerSubject": false,
      "pkceRequired": false,
      "refreshTokenKept": false,
      "errorDescriptionOmitted": false,
      "errorUriOmitted": false,
      "clientIdAliasEnabled": false,
      "tlsClientCertificateBoundAccessTokens": false,
      "mutualTlsValidatePkiCertChain": false,
      "dynamicRegistrationSupported": false,
      "accessTokenType": "Bearer",
      "accessTokenDuration": 86400,
      "refreshTokenDuration": 864000,
      "idTokenDuration": 86400,
      "authorizationResponseDuration": 0,
      "metadata": [...],
      "backchannelUserCodeParameterSupported": false,
      "backchannelAuthReqIdDuration": 0,
      "backchannelPollingInterval": 0,
      "allowableClockSkew": 0
    },
    {...},
    {...}
  ]
}

Get information about services.

Request

GET /api/service/get/list

Authorization

Basic Authentication with API key & API secret of a service owner.

Parameters

Name	Required	Description
`start`	NO	The start index (inclusive) of the result set. The default value is 0. Must not be a negative number.
`end`	NO	The end index (exclusive) of the result set. The default value is 5. Must not be a negative number.

Response

Content-Type

application/json

Parameters

Name	Type	Description
`start`	i32	The start index (inclusive) of the result set of the query.
`end`	i32	The end index (exclusive) of the result set of the query.
`totalCount`	i32	The total number of services owned by the service owner. This is different from the number of services contained in the response.
`services`	Service array	An array of services.

/service/update API

curl -v -X POST https://api.authlete.com/api/service/update/10167240235 \
-H 'Content-Type:application/json' \
-u '9503564165:cxRpzPEkvqYbDu14gpCVKi_p6kMQvcW-lBRi7IfWLG4' \
-d '{ "description": "This is My Updated Test Service.", "serviceName": "My Updated Test Service" }'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

Service service = new Service()
  .setApiKey(10167240235)
  .setServiceName("My Updated Service")
  .setDescription("This is My Updated Service.")
;

api.updateService(request);

require 'authlete'

api = Authlete::Api.new(
  host: 'https://api.authlete.com',
  service_owner_api_key: 9503564165,
  service_owner_api_secret: 'cxRpzPEkvqYbDu14gpCVKi_p6kMQvcW-lBRi7IfWLG4'
)

# The API key of the service to be updated.
service_api_key = 10167240235

service = Authlete::Model::Request::Service.new(
  service_name: 'My Updated Service',
  description: 'This is My Updated Service.'
)

api.service_update(service_api_key, service)

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

Service service     = new Service();
service.ApiKey      = 10167240235;
service.Name        = "My Updated Service";
service.Description = "This is My Updated Service.";

await api.UpdateService(service);

{
  "number": 1034,
  "serviceOwnerNumber": 2,
  "serviceName": "My Service",
  "apiKey": 10167240235,
  "apiSecret": "LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE",
  "issuer": "https://authlete.com",
  "supportedScopes": [...],
  "supportedResponseTypes": ["NONE", "CODE", "TOKEN", "ID_TOKEN", "CODE_TOKEN", "CODE_ID_TOKEN", "ID_TOKEN_TOKEN", "CODE_ID_TOKEN_TOKEN"],
  "supportedGrantTypes": ["AUTHORIZATION_CODE", "IMPLICIT", "PASSWORD", "CLIENT_CREDENTIALS", "REFRESH_TOKEN"],
  "supportedTokenAuthMethods": ["NONE", "CLIENT_SECRET_BASIC", "CLIENT_SECRET_POST"],
  "supportedDisplays": ["PAGE", "POPUP", "TOUCH", "WAP"],
  "supportedClaimTypes": ["NORMAL"],
  "supportedClaims": [...],
  "createdAt": 1510652454389,
  "modifiedAt": 1510738648894,
  "clientsPerDeveloper": 0,
  "directAuthorizationEndpointEnabled": true,
  "directTokenEndpointEnabled": true,
  "directRevocationEndpointEnabled": true,
  "directUserInfoEndpointEnabled": true,
  "directJwksEndpointEnabled": true,
  "directIntrospectionEndpointEnabled": true,
  "singleAccessTokenPerSubject": false,
  "pkceRequired": false,
  "refreshTokenKept": false,
  "errorDescriptionOmitted": false,
  "errorUriOmitted": false,
  "clientIdAliasEnabled": false,
  "tlsClientCertificateBoundAccessTokens": false,
  "mutualTlsValidatePkiCertChain": false,
  "dynamicRegistrationSupported": false,
  "accessTokenType": "Bearer",
  "accessTokenDuration": 86400,
  "refreshTokenDuration": 864000,
  "idTokenDuration": 86400,
  "authorizationResponseDuration": 0,
  "metadata": [...],
  "backchannelUserCodeParameterSupported": false,
  "backchannelAuthReqIdDuration": 0,
  "backchannelPollingInterval": 0,
  "allowableClockSkew": 0
}

Update an existing service.

Request

POST /api/service/update
PUT /api/service/update

Content-Type

application/json

Authorization

Basic Authentication with API key & API secret of a service owner.

Parameters

A JSON which represents the service to be updated. The detailed format is described in Service.

Response

Content-Type

application/json

Parameters

A JSON which represents the updated service. The detailed format is described in Service.

/service/delete API

curl -v -X DELETE https://api.authlete.com/api/service/delete/4656860419614 \
-u '9503564165:cxRpzPEkvqYbDu14gpCVKi_p6kMQvcW-lBRi7IfWLG4'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

// The API key of the service to be deleted.
long serviceApiKey = 10167240235;

api.deleteService(serviceApiKey);

require 'authlete'

api = Authlete::Api.new(
  host: 'https://api.authlete.com',
  service_owner_api_key: 9503564165,
  service_owner_api_secret: 'cxRpzPEkvqYbDu14gpCVKi_p6kMQvcW-lBRi7IfWLG4'
)

# The API key of the service to be deleted.
service_api_key = 10167240235

api.service_delete(service_api_key)

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

// The API key of the service to be deleted.
long serviceApiKey = 10167240235;

await api.DeleteService(serviceApiKey);

Delete a service.

Request

DELETE /api/service/delete/{serviceApiKey}

Content-Type

application/json

Authorization

Basic Authentication with API key & API secret of a service owner.

Parameters

Name	Required	Description
`serviceApiKey`	YES	The API key of the service to be deleted.

Client Management

/client/create API

curl -v -X POST https://api.authlete.com/api/client/create \
-H 'Content-Type:application/json' \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
-d '{ "developer": "john", "clientName": "My Client", "description": "This is My Client." }'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

Client client = new Client()
  .setClientName("My Client")
  .setDescription("This is My Client.")
;

api.createClient(client);

require 'authlete'

api = Authlete::Api.new(
  host: 'https://api.authlete.com',
  service_api_key: 10167240235,
  service_api_secret: 'LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
)

client = Authlete::Model::Client.new(
  client_name: 'My Client',
  description: 'This is My Client.'
)

api.client_create(client)

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

Client client      = new Client();
client.Name        = "My Client";
client.Description = "This is My Client.";

await api.CreateClient(client);

{
  "number": 1344,
  "serviceNumber": 1043,
  "developer": "john",
  "clientId": 57297408867,
  "clientIdAliasEnabled": false,
  "clientSecret": "J_3C7P0nDTP7CwCg_HyPQh7bTQ1696CC8GWot-EjesZmdBiU5Gsidq5Ve3tMaN2x2_VcKV1UE1U3ZdGKRuTs7A",
  "clientType": "PUBLIC",
  "grantTypes": ["AUTHORIZATION_CODE", "IMPLICIT", "PASSWORD", "CLIENT_CREDENTIALS", "REFRESH_TOKEN", "CIBA"],
  "responseTypes": ["NONE", "CODE", "TOKEN", "ID_TOKEN", "CODE_TOKEN", "CODE_ID_TOKEN", "ID_TOKEN_TOKEN", "CODE_ID_TOKEN_TOKEN"],
  "clientName": "My Client",
  "subjectType": "PUBLIC",
  "idTokenSignAlg": "HS256",
  "tokenAuthMethod": "NONE",
  "defaultMaxAge": 0,
  "authTimeRequired": false,
  "createdAt": 1510911877097,
  "modifiedAt": 1510911877097,
  "tlsClientCertificateBoundAccessTokens": false,
  "bcUserCodeRequired": false,
  "dynamicallyRegistered": false
}

Create a new client.

Request

POST /api/client/create

Content-Type

application/json

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

A JSON which represents a new client. The detailed format is described in Client.

Response

Content-Type

application/json

Parameters

A JSON which represents the newly created client. The detailed format is described in Client. The pair of client ID & client secret of the client is embedded in the entity body of the response.

/client/get API

curl -v https://api.authlete.com/api/client/get/57297408867 \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

long clientId = 57297408867;

api.getClient(clientId);

require 'authlete'

api = Authlete::Api.new(
  host: "https://api.authlete.com",
  service_api_key: 4694807187524,
  service_api_secret: "mtztVQ1EDKMO3TozWJr22I2RRv8q4HlE-F9QibsHifQ"
)

client_id = 5774937767487

api.client_get(client_id)

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

long clientId = 57297408867;

await api.GetClient(clientId);

{
  "number": 1344,
  "serviceNumber": 1043,
  "developer": "john",
  "clientId": 57297408867,
  "clientIdAliasEnabled": false,
  "clientSecret": "J_3C7P0nDTP7CwCg_HyPQh7bTQ1696CC8GWot-EjesZmdBiU5Gsidq5Ve3tMaN2x2_VcKV1UE1U3ZdGKRuTs7A",
  "clientType": "PUBLIC",
  "grantTypes": ["AUTHORIZATION_CODE", "IMPLICIT", "PASSWORD", "CLIENT_CREDENTIALS", "REFRESH_TOKEN", "CIBA"],
  "responseTypes": ["NONE", "CODE", "TOKEN", "ID_TOKEN", "CODE_TOKEN", "CODE_ID_TOKEN", "ID_TOKEN_TOKEN", "CODE_ID_TOKEN_TOKEN"],
  "clientName": "My Client",
  "subjectType": "PUBLIC",
  "idTokenSignAlg": "HS256",
  "tokenAuthMethod": "NONE",
  "defaultMaxAge": 0,
  "authTimeRequired": false,
  "createdAt": 1510911877097,
  "modifiedAt": 1510911877097,
  "tlsClientCertificateBoundAccessTokens": false,
  "bcUserCodeRequired": false,
  "dynamicallyRegistered": false
}

Get information about a client.

Request

GET /api/client/get/{clientId}

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`clientId`	YES	The ID of the client to be retrieved.

Response

Content-Type

application/json

Parameters

A JSON which represents the client. The detailed format is described in Client.

/client/get/list API

curl -v https://api.authlete.com/api/client/get/4656860419614?start=0\&end=3 \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

int start = 0;
int end   = 3;

api.getClientList(start, end);

require 'authlete'

api = Authlete::Api.new(
  host: 'https://api.authlete.com',
  service_api_key: 10167240235,
  service_api_secret: 'LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
)

parameters = { start: 0, end: 3 }

api.client_get_list(parameters)

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

int start = 0;
int end   = 3;

await api.GetClientList(start, end);

{
  "clients": [
    {
      "number": 1344,
      "serviceNumber": 1043,
      "developer": "john",
      "clientId": 57297408867,
      "clientIdAliasEnabled": false,
      "clientSecret": "J_3C7P0nDTP7CwCg_HyPQh7bTQ1696CC8GWot-EjesZmdBiU5Gsidq5Ve3tMaN2x2_VcKV1UE1U3ZdGKRuTs7A",
      "clientType": "PUBLIC",
      "grantTypes": ["AUTHORIZATION_CODE", "IMPLICIT", "PASSWORD", "CLIENT_CREDENTIALS", "REFRESH_TOKEN", "CIBA"],
      "responseTypes": ["NONE", "CODE", "TOKEN", "ID_TOKEN", "CODE_TOKEN", "CODE_ID_TOKEN", "ID_TOKEN_TOKEN", "CODE_ID_TOKEN_TOKEN"],
      "clientName": "My Client",
      "subjectType": "PUBLIC",
      "idTokenSignAlg": "HS256",
      "tokenAuthMethod": "NONE",
      "defaultMaxAge": 0,
      "authTimeRequired": false,
      "createdAt": 1510911877097,
      "modifiedAt": 1510911877097,
      "tlsClientCertificateBoundAccessTokens": false,
      "bcUserCodeRequired": false,
      "dynamicallyRegistered": false
    },
    {...},
    {...}
  ],
  "end": 3,
  "start": 0,
  "totalCount": 3
}

Get information about services.

Request

GET /api/client/get/list

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`start`	NO	The start index (inclusive) of the result set. The default value is 0. Must not be a negative number.
`end`	NO	The end index (exclusive) of the result set. The default value is 5. Must not be a negative number.
`developer`	NO	The developer of client applications. The default value is `null`. If this parameter is not `null`, client application of the specified developer are returned. Otherwise, all client applications that belong to the service are returned.

Response

Content-Type

application/json

Parameters

Name	Type	Description
`start`	i32	The start index (inclusive) of the result set of the query.
`end`	i32	The end index (exclusive) of the result set of the query.
`developer`	String	The developer of the client applications. If the request did not have `developer`, this property is `null`.
`totalCount`	i32	The total number of clients that belong to the service. This is different from the number of clients contained in the response.
`clients`	Client array	An array of clients.

/client/update API

curl -v -X POST https://api.authlete.com/api/client/update/57297408867 \
-H 'Content-Type:application/json' \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
-d '{ "developer": "john", "clientName": "My Updated Client", "description": "This is My Updated Client." }'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

Client client = new Client()
  .setClientName("My Updated Client")
  .setDescription("This is My Updated Client.")
;

api.updateClient(client);

require 'authlete'

api = Authlete::Api.new(
  host: "https://api.authlete.com",
  service_api_key: 10167240235,
  service_api_secret: 'LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
)

client = Authlete::Model::Client.new(
  client_name: "My Updated Client",
  description: "This is My Updated Client."
)

api.client_update(client)

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

Client client      = new Client();
client.Name        = "My Client";
client.Description = "This is My Client.";

await api.CreateClient(client);

{
  "number": 1344,
  "serviceNumber": 1043,
  "developer": "john",
  "clientId": 57297408867,
  "clientIdAliasEnabled": false,
  "clientSecret": "J_3C7P0nDTP7CwCg_HyPQh7bTQ1696CC8GWot-EjesZmdBiU5Gsidq5Ve3tMaN2x2_VcKV1UE1U3ZdGKRuTs7A",
  "clientType": "PUBLIC",
  "grantTypes": ["AUTHORIZATION_CODE", "IMPLICIT", "PASSWORD", "CLIENT_CREDENTIALS", "REFRESH_TOKEN", "CIBA"],
  "responseTypes": ["NONE", "CODE", "TOKEN", "ID_TOKEN", "CODE_TOKEN", "CODE_ID_TOKEN", "ID_TOKEN_TOKEN", "CODE_ID_TOKEN_TOKEN"],
  "clientName": "My Client",
  "subjectType": "PUBLIC",
  "idTokenSignAlg": "HS256",
  "tokenAuthMethod": "NONE",
  "defaultMaxAge": 0,
  "authTimeRequired": false,
  "createdAt": 1510911877097,
  "modifiedAt": 1510913912201,
  "tlsClientCertificateBoundAccessTokens": false,
  "bcUserCodeRequired": false,
  "dynamicallyRegistered": false
}

Update an existing client.

Request

POST /api/client/update
PUT /api/client/update

Content-Type

application/json

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

A JSON which represents the client to be updated. The detailed format is described in Client.

Response

Content-Type

application/json

Parameters

A JSON which represents the updated client. The detailed format is described in Client.

/client/delete API

curl -v -X DELETE https://api.authlete.com/api/client/delete/57297408867 \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

// The ID of the client to be deleted.
long clientId = 57297408867;

api.deleteClient(clientId);

require 'authlete'

api = Authlete::Api.new(
  host: 'https://api.authlete.com',
  service_api_key: 10167240235,
  service_api_secret: 'LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
)

# The ID of the client to be deleted.
client_id = 57297408867

api.client_delete(client_id)

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

// The ID of the client to be deleted.
long clientId = 57297408867;

await api.DeleteClient(clientId);

Delete a client.

Request

DELETE /api/client/delete/{clientId}

Content-Type

application/json

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`clientId`	YES	The ID of the client to be deleted.

/client/secret/refresh API

curl -v https://api.authlete.com/api/client/secret/refresh/57297408867 \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

long clientId = 57297408867;

api.refreshClientSecret(clientId);

# This API is not supported yet.

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

long clientId = 57297408867;

await api.RefreshClientSecret(clientId);

{
  "type": "clientSecretRefreshResponse",
  "resultCode": "A148001",
  "resultMessage": "[A148001] Successfully refreshed the client secret of the client (ID = 57297408867).",
  "newClientSecret": "256LJ_49MISH6pP_3WeO8I9wa2LXkZKzqsNGS6XK8srtHYYJyV0jxg-jIaA2Sa0ZA67xA4bpQFKwc94WNUZrWA",
  "oldClientSecret": "J_3C7P0nDTP7CwCg_HyPQh7bTQ1696CC8GWot-EjesZmdBiU5Gsidq5Ve3tMaN2x2_VcKV1UE1U3ZdGKRuTs7A"
}

Refresh the client secret of a client. A new value of the client secret will be generated by the Authlete server.
If you want to specify a new value, use /api/client/secret/update API.

Request

GET /api/client/secret/refresh/{clientIdentifier}

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`clientIdentifier`	YES	The client ID or the client ID alias of a client.

Response

Content-Type

application/json

Parameters

Name	Type	Description
`resultCode`	string	The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.
`resultMessage`	string	A short message which explains the result of the API call.
`newClientSecret`	string	The new client secret.
`oldClientSecret`	string	The old client secret.

/client/secret/update API

curl -v https://api.authlete.com/api/client/secret/update/57297408867 \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
-H 'Content-Type:application/json' \
-d '{ "clientSecret": "my_new_client_secret" }'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

long clientId       = 57297408867;
tring clientSecret = "my_new_client_secret";

api.updateClientSecret(clientId, clientSecret);

# This API is not supported yet.

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

long clientId       = 57297408867;
string clientSecret = "my_new_client_secret";

await api.UpdateClientSecret(clientId, clientSecret);

{
  "type": "clientSecretUpdateResponse",
  "resultCode": "A149001",
  "resultMessage": "[A149001] Successfully updated the client secret of the client (ID = 57297408867).",
  "newClientSecret": "my_new_client_secret",
  "oldClientSecret": "J_3C7P0nDTP7CwCg_HyPQh7bTQ1696CC8GWot-EjesZmdBiU5Gsidq5Ve3tMaN2x2_VcKV1UE1U3ZdGKRuTs7A"
}

Update the client secret of a client.
If you want to have the Authlete server generate a new value of the client secret, use /api/client/secret/refresh API.

Request

POST /api/client/secret/update/{clientIdentifier}

Content-Type

application/x-www-form-urlencoded
application/json

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`clientIdentifier`	YES	The client ID or the client ID alias of a client.
`clientSecret`	YES	The new value of the client secret. Valid characters for a client secret are `A-Z`, `a-z`, `0-9`, `-`, and `_`. The maximum length of a client secret is 86.

Response

Content-Type

application/json

Parameters

Name	Type	Description
`resultCode`	string	The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.
`resultMessage`	string	A short message which explains the result of the API call.
`newClientSecret`	string	The new client secret.
`oldClientSecret`	string	The old client secret.

/client/extension/requestable_scopes/get API

curl -v https://api.authlete.com/api/client/extension/requestable_scopes/get/57297408867?pretty=true \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

long clientId = 57297408867;

api.getRequestableScopes(clientId);

# This API is not supported yet.

// This API is not supported yet.

{
  "requestableScopes": [
    "openid"
  ]
}

Get the set of scopes that a client application is allowed to request.

Request

GET /api/client/extension/requestable_scopes/get/{clientId}

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`clientId`	YES	A client ID.
`pretty`	NO	This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. The default value is false.

Response

Content-Type

application/json

Parameters

Name Type Description

Name	Type	Description
`requestableScopes`	string array	The set of scopes that the client application is allowed to request. This paramter will be one of the following. Details are described in the description. `null` an empty set a set with at least one element

requestableScopes

string array

The set of scopes that the client application is allowed to request. This paramter will be one of the following. Details are described in the description.

null
an empty set
a set with at least one element

Description

Possible values for requestableScopes parameter in the response from this API are as follows.

null: When the value of requestableScopes parameter is null, it means that the set of scopes that the client application is allowed to request is the set of the scopes that the service supports.
an empty set: When the value of requestableScopes parameter is an empty set, it means that the client application is not allowed to request any scopes.
a set with at least one element: When the value of requestableScopes parameter is a set with at least one element, it means that the set is the set of scopes that the client application is allowed to request.

/client/extension/requestable_scopes/update API

curl -v -X POST https://api.authlete.com/api/client/extension/requestable_scopes/update/57297408867 \
-H 'Content-Type:application/json' \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
-d '{ "requestableScopes": [ "openid", "email" ] }'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

long clientId   = 57297408867;
String[] scopes = { "email", "openid" }; 

api.setRequestableScopes(clientId, scope);

# This API is not supported yet.

// This API is not supported yet.

{
  "requestableScopes": ["openid", "email"]
}

Update the set of scopes that a client application is allowed to request.

Request

POST /api/client/extension/requestable_scopes/update/{clientId}
PUT /api/client/extension/requestable_scopes/update/{clientId}

Content-Type

application/json

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name Required Description

clientId

YES

A client ID.

requestableScopes

A new set of scopes that the client application is allowed to request. This must be one of the following.

null
an empty set
a set with at least one element

If this parameter contains scopes that the service does not support, those scopes are just ignored. Also, if this parameter is null or is not included in the request, it is equivalent to calling /client/extension/requestable_scopes/delete API.

pretty

This boolean value indicates whether the JSON in the response should be formatted or not. If true, the JSON in the response is pretty-formatted. The default value is false.

Response

Content-Type

application/json

Parameters

Name Type Description

Name	Type	Description
`requestableScopes`	string array	The set of scopes that the client application is allowed to request. This paramter will be one of the following. Details are described in the description. `null` an empty set a set with at least one element

requestableScopes

string array

The set of scopes that the client application is allowed to request. This paramter will be one of the following. Details are described in the description.

null
an empty set
a set with at least one element

Description

Possible values for requestableScopes parameter in the response from this API are as follows.

null: When the value of requestableScopes parameter is null, it means that the set of scopes that the client application is allowed to request is the set of the scopes that the service supports.
an empty set: When the value of requestableScopes parameter is an empty set, it means that the client application is not allowed to request any scopes.
a set with at least one element: When the value of requestableScopes parameter is a set with at least one element, it means that the set is the set of scopes that the client application is allowed to request.

/client/extension/requestable_scopes/delete API

curl -v -X DELETE https://api.authlete.com/api/client/extension/requestable_scopes/delete/57297408867 \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

long clientId   = 57297408867;

api.deleteRequestableScopes(clientId);

# This API is not supported yet.

// This API is not supported yet.

Delete the set of scopes that a client application is allowed to request.

Request

DELETE /api/client/extension/requestable_scopes/delete/{clientId}

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`clientId`	YES	A client ID.

/client/authorization/get/list API

curl -v https://api.authlete.com/api/client/authorization/get/list/john?start=0\&end=3 \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

ClientAuthorizationGetListRequest request = new ClientAuthorizationGetListRequest()
  .setSubject("john")
  .setStart(0)
  .setEnd(3)
;

api.getClientAuthoriztionList(request);

# This API is not supported yet.

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

ClientAuthorizationGetListRequest request = new ClientAuthorizationGetListRequest();
request.Subject = "john";
request.Start   = 0;
request.End     = 3;

await api.GetClientAuthorizationList(request);

{
  "type": "authorizedClientListResponse",
  "clients": [
    {
      "number": 1344,
      "serviceNumber": 1043,
      "developer": "john",
      "clientId": 57297408867,
      "clientIdAliasEnabled": false,
      "clientSecret": "J_3C7P0nDTP7CwCg_HyPQh7bTQ1696CC8GWot-EjesZmdBiU5Gsidq5Ve3tMaN2x2_VcKV1UE1U3ZdGKRuTs7A",
      "clientType": "PUBLIC",
      "grantTypes": ["AUTHORIZATION_CODE", "IMPLICIT", "PASSWORD", "CLIENT_CREDENTIALS", "REFRESH_TOKEN", "CIBA"],
      "responseTypes": ["NONE", "CODE", "TOKEN", "ID_TOKEN", "CODE_TOKEN", "CODE_ID_TOKEN", "ID_TOKEN_TOKEN", "CODE_ID_TOKEN_TOKEN"],
      "clientName": "My Client",
      "subjectType": "PUBLIC",
      "idTokenSignAlg": "HS256",
      "tokenAuthMethod": "NONE",
      "defaultMaxAge": 0,
      "authTimeRequired": false,
      "createdAt": 1510911877097,
      "modifiedAt": 1510911877097,
      "tlsClientCertificateBoundAccessTokens": false,
      "bcUserCodeRequired": false,
      "dynamicallyRegistered": false
    },
    {...},
    {...}
  ],
  "end": 3,
  "start": 0,
  "totalCount": 3,
  "subject": "john"
}

Get a list of client applications that an end-user has authorized.

Request

GET /api/client/authorization/get/list/{subject}
GET /api/client/authorization/get/list?subject={subject}
POST /api/client/authorization/get/list

Content-Type

application/x-www-form-urlencoded (POST only)
application/json (POST only)

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`subject`	YES	Unique user ID.
`start`	NO	Start index of search results (inclusive). The default value is 0.
`end`	NO	End index of search results (exclusive). The default value is 5.
`developer`	NO	Unique Developer ID. The default value is null.

Response

Content-Type

application/json

Parameters

Name	Type	Description
`start`	i32	Start index of search results (inclusive).
`end`	i32	End index of search results (exclusive).
`developer`	string	Unique developer ID.
`totalCount`	i32	The total number of clients that meet the conditions.
`clients`	Client array	An array of clients.

/client/authorization/update API

curl -v -X POST https://api.authlete.com/api/client/authorization/update/57297408867 \
-H 'Content-Type:application/json' \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
-d '{ "subject": "john", "scopes": [{ "name": "my_custom_scope1" }] }'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

long clientId  = 57297408867;
String subject = "john";

ClientAuthorizationUpdateRequest request = new ClientAuthorizationUpdateRequest().setSubject(subject);

ClientAuthorizationUpdateResponse = api.updateClientAuthoriztion(clientId, request);

# This API is not supported yet.

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

long clientId = 57297408867;

ClientAuthorizationUpdateRequest request = new ClientAuthorizationUpdateRequest();
request.Subject = "john";

await api.UpdateClientAuthoriztion(clientId, request);

{
  "resultCode": "A138001",
  "resultMessage": "[A138001] Updated 1 access token(s) issued to the client (ID = 57297408867) of the service (API Key = 10167240235)."
}

Update attributes of all existing access tokens given to a client application.

Request

POST /api/client/authorization/update/{clientId}

Content-Type

application/x-www-form-urlencoded
application/json

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`clientId`	YES	The ID of the target client.
`subject`	YES	Unique user ID.
`scopes`	NO	An array of new scopes. Optional. If a non-null value is given, the new scopes are set to all existing access tokens. If an API call is made using "Content-Type: application/x-www-form-urlencoded", scope names listed in this request parameter should be delimited by spaces (after form encoding, spaces are converted to '+').

Response

Content-Type

application/json

Parameters

Name	Type	Description
`resultCode`	string	The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.
`resultMessage`	string	A short message which explains the result of the API call.

/client/authorization/delete API

curl -v -X DELETE https://api.authlete.com/api/client/authorization/delete/57297408867/john \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

long clientId  = 57297408867;
String subject = "john";

api.deleteClientAuthoriztion(clientId, subject);

# This API is not supported yet.

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

long clientId  = 57297408867;
String subject = "john";

await api.DeleteClientAuthorization(clientId, subject);

{
  "resultCode": "A137001",
  "resultMessage": "[A137001] Deleted 3 access token(s) issued to the client (ID = 57297408867) of the service (API Key = 10167240235)."
}

Delete all existing access tokens issued to a client application by an end-user.

Request

DELETE /api/client/authorization/delete/{clientId}/{subject}
DELETE /api/client/authorization/delete/{clientId}?subject={subject}
POST /api/client/authorization/delete/{clientId}

Content-Type

application/x-www-form-urlencoded (POST only)
application/json (POST only)

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`clientId`	YES	The ID of the target client.
`subject`	YES	Unique user ID.

Response

Content-Type

application/json

Parameters

Name	Type	Description
`resultCode`	string	The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.
`resultMessage`	string	A short message which explains the result of the API call.

/client/granted_scopes/get API

curl -v https://api.authlete.com/api/client/granted_scopes/get/57297408867/john \
-H 'Content-Type:application/json' \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

long clientId  = 57297408867;
String subject = "john";

api.getGrantedScopes(clientId, subject);

# This API is not supported yet.

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

long clientId  = 57297408867;
string subject = "john";

await api.GetGrantedScopes(clientId, subject);

{
  "type": "GrantedScopesGetResponse",
  "serviceApiKey": 10167240235,
  "clientId": 57297408867,
  "subject": "john",
  "latestGrantedScopes": ["email"],
  "mergedGrantedScopes": ["email", "openid"]
}

Get the set of scopes that a user has granted to a client application.

Request

GET /api/client/granted_scopes/get/{clientId}/{subject}
GET /api/client/granted_scopes/get/{clientId}&subject={subject}
POST /api/client/granted_scopes/get/{clientId}

Content-Type

application/x-www-form-urlencoded (POST only)
application/json (POST only)

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`clientId`	YES	Client ID.
`subject`	YES	Unique user ID.

Response

Content-Type

application/json

Parameters

Name	Type	Description
`serviceApiKey`	string	Service API key.
`clientId`	string	Client ID.
`subject`	string	Unique user ID.
`latestGrantedScopes`	string array	Scopes granted by the last authorization process. (See Description for details.)
`mergedGrantedScopes`	string array	All scopes granted so far. (See Description for details.)

Description

Description of values for latestGrantedScopes and mergedGrantedScopes:

null: The user has not granted authorization to the client application in the past, or records about the combination of the user and the client application have been deleted from Authlete's DB.
[]: The user has granted authorization to the client application in the past, but no scopes are associated with the authorization.
a set with at least one element: The user has granted authorization to the client application in the past and some scopes are associated with the authorization. These scopes are returned.
Example: [ "profile", "email" ]

/client/granted_scopes/delete API

curl -v -X DELETE https://api.authlete.com/api/client/granted_scopes/delete/57297408867/john \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

long clientId  = 57297408867;
String subject = "john";

api.deleteGrantedScopes(clientId, subject);

# This API is not supported yet.

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

long clientId  = 57297408867;
string subject = "john";

await api.DeleteGrantedScopes(clientId, subject);

{
  "resultCode" : "A140002",
  "resultMessage" : "[A140002] Successfully deleted the information about scopes granted to the combination of the client (ID = 57297408867) and the subject (john)."
}

Delete the set of scopes that a user has granted to a client application.

Request

DELETE /api/client/granted_scopes/delete/{clientId}/{subject}
DELETE /api/client/granted_scopes/delete/{clientId}&subject={subject}
POST /api/client/granted_scopes/delete/{clientId}

Content-Type

application/x-www-form-urlencoded (POST only)
application/json (POST only)

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`clientId`	YES	Client ID.
`subject`	YES	Unique user ID.

Response

Content-Type

application/json

Parameters

Name	Type	Description
`resultCode`	string	The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.
`resultMessage`	string	A short message which explains the result of the API call.

Description

Even if records about granted scopes are deleted by calling this API, existing access tokens are not deleted and scopes of existing access tokens are not changed.

Authorization Endpoint

/auth/authorization API

curl -v -X POST https://api.authlete.com/api/auth/authorization \
-H 'Content-Type: application/json' \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
-d '{ "parameters": "response_type=code&client_id=57297408867&redirect_uri=https%3A%2F%2Fapi.authlete.com%2Fapi%2Fmock%2Fredirection%2F10167240235" }'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

// Extract request parameters that the OAuth 2.0 authorization endpoint of 
// this OAuth 2.0 serever implementation received from the client application.
String parameters = extractRequestParameters();

AuthorizationRequest request = new AuthorizationRequest().setParameters(parameters);

api.authorization(request);

require 'authlete'

api = Authlete::Api.new(
  host: 'https://api.authlete.com',
  service_api_key: 10167240235,
  service_api_secret: 'LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
)

# Extract request parameters that the OAuth 2.0 authorization endpoint of 
# this OAuth 2.0 serever implementation received from the client application.
parameters = extract_request_parameters

request = Authlete::Model::Request::AuthorizationRequest.new(
  parameters: parameters
)

api.authorization(request)

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

// Extract request parameters that the OAuth 2.0 authorization endpoint of 
// this OAuth 2.0 serever implementation received from the client application.
string parameters = ExtractRequestParameters();

AuthorizationRequest request = new AuthorizationRequest();
request.Parameters = parameters;

await api.Authorization(request);

{
  "type": "authorizationResponse",
  "resultCode": "A004001",
  "resultMessage": "[A004001] Authlete has successfully issued a ticket to the service (API Key = 10167240235) for the authorization request from the client (ID = 57297408867). [response_type=code, openid=false]",
  "acrEssential": false,
  "action": "INTERACTION",
  "client": {...},
  "clientIdAliasUsed": false,
  "display": "PAGE",
  "maxAge": 1209600,
  "service": {...},
  "ticket": "c4iy3TWGn74UMO7ihRl0ZS8OEUzV9axBlBbJbqxH-9Q"
}

This API parses request parameters of an authorization request and returns necessary data for the service implementation to process the authorization request further.

Request

POST /api/auth/authorization

Content-Type

application/x-www-form-urlencoded
application/json

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name Required Description

Name	Required	Description
`parameters`	YES	OAuth 2.0 authorization request parameters which are the request parameters that the OAuth 2.0 authorization endpoint of the service implementation received from the client application. The value of `parameters` is either (1) the entire query string when the HTTP method of the request from the client application is `GET` or (2) the entire entity body (which is formatted in `application/x-www-form-urlencoded`) when the HTTP method of the request from the client application is `POST`.

parameters

YES

OAuth 2.0 authorization request parameters which are the request parameters that the OAuth 2.0 authorization endpoint of the service implementation received from the client application.

The value of parameters is either (1) the entire query string when the HTTP method of the request from the client application is GET or (2) the entire entity body (which is formatted in application/x-www-form-urlencoded) when the HTTP method of the request from the client application is POST.

Response

Content-Type

application/json

Parameters

Name Type Description

resultCode

string

The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

resultMessage

string

A short message which explains the result of the API call.

action

string

The next action that the service implementation should take. One of the following. Details are described in the description.

INTERNAL_SERVER_ERROR
BAD_REQUEST
LOCATION
FORM
NO_INTERACTION
INTERACTION

client

Client

Information about the client application which made the authorization request. This may be null if the authorization request does not contain a valid client ID (client_id) or if the client application is locked.

display

string

The display mode which the client application requests by display request parameter ^[1]. One of the values listed in Display.

When the authorization request does not have display request parameter, PAGE is set as the default value.

It is ensured that the value of display is one of the supported display modes which are specified by supportedDisplays configuration parameter of the service. If the display mode specified by the authorization request is not supported, an error is raised.

The values listed above correspond to the values listed in "OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, display".

maxAge

integer

The maximum authentication age. This value comes from max_age request parameter ^[1], or defaultMaxAge configuration parameter of the client application when the authorization request does not contain max_age request parameter.

See " OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, max_age" for max_age request parameter, and see " OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata, default_max_age" for defaultMaxAge configuration parameter.

service

Service

Information about the service to which the authorization request was made.

scopes

Scope array

The scopes that the client application requests. This value comes from scope request parameter ^[1]. If the request does not contain scope parameter, this parameter is a list of scopes which are registered as default. If the authorization request does not have scope request parameter and the service has not registered any default scope, the value of this parameter is null.

It is ensured that scopes listed by this parameters are contained in the list of supported scopes which are specified by supportedScopes configuration parameter of the service. Unsupported scopes in the authorization request do not cause an error and are just ignored.

OpenID Connect defines some scope names which need to be treated specially. The table below lists the special scope names.

Name	Description
`openid`	This scope must be contained in `scope` request parameter to promote an OAuth 2.0 authorization request to an OpenID Connect request. It is described in " OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, scope".
`profile`	This scope is used to request some claims to be embedded in the ID token. The claims are `name`, `family_name`, `given_name`, `middle_name`, `nickname`, `preferred_username`, `profile`, `picture`, `website`, `gender`, `birthdate`, `zoneinfo`, `locale`, and `updated_at`. It is described in OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values.
`email`	This scope is used to request some claims to be embedded in the ID token. The claims are `email` and `email_verified`. It is described in OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values.
`address`	This scope is used to request `address` claim to be embedded in the ID token. It is described in OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values. The format of `address` claim is not a simple string. It is described in OpenID Connect Core 1.0, 5.1.1. Address Claim.
`phone`	This scope is used to request some claims to be embedded in the ID token. The claims are `phone_number` and `phone_number_verified`. It is described in OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values.
`offline_access`	The following is an excerpt about this scope from OpenID Connect Core 1.0, 11. Offline Access. OPTIONAL. This scope value requests that an OAuth 2.0 Refresh Token be issued that can be used to obtain an Access Token that grants access to the End-User's UserInfo Endpoint even when the End-User is not present (not logged in).

Note that, if response_type request parameter does not contain code, offline_acccess scope is removed from this list even when scope request parameter contains offline_access. This behavior is a requirement written in OpenID Connect Core 1.0, 11. Offline Access.

uiLocales

string array

The locales that the client application presented as candidates to be used for UI. This value comes from ui_locales request parameter ^[1]. The format of ui_locales is a space-separated list of language tag values defined in RFC5646. See " OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, ui_locales" for details.

It is ensured that locales listed by this parameters are contained in the list of supported UI locales which are specified by supportedUiLocales configuration parameter of the service. Unsupported UI locales in the authorization request do not cause an error and are just ignored.

claimsLocales

string array

End-user's preferred languages and scripts for claims. This value comes from claims_locales request parameter ^[1]. The format of claims_locales is a space-separated list of language tag values defined in RFC5646. See " OpenID Connect Core 1.0, 5.2. Claims Languages and Scripts" for details.

It is ensured that locales listed by this parameters are contained in the list of supported claim locales which are specified by supportedClaimsLocales configuration parameter of the service. Unsupported claim locales in the authorization request do not cause an error and are just ignored.

claims

string array

The list of claims that the client application requests to be embedded in the ID token. The value comes from (1) id_token in claims request parameter ^[1] and/or (2) special scopes (profile, email, address and phone) which are expanded to claims.

See OpenID Connect Core 1.0, 5.5. Requesting Claims using the "claims" Request Parameter for claims request parameter, and see OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values for the special scopes.

acrEssential

boolean

This boolean value indicates whether the authentication of the end-user must be one of the ACRs (Authentication Context Class References) listed in acrs parameter. This parameter becomes true only when (1) the authorization request contains claims request parameter ^[1] and (2) acr claim is in it, and (3) essential property of the acr claim is true. See OpenID Connect Core 1.0, 5.5.1.1. Requesting the "acr" Claim for details.

clientIdAliasUsed

boolean

true if the value of the client_id request parameter included in the authorization request is the client ID alias. false if the value is the original numeric client ID.

acrs

string array

The list of ACRs (Authentication Context Class References) one of which the client application requests to be satisfied for the authentication of the end-user. This value comes from acr_values request parameter ^[1] or defaultAcrs configuration parameter of the client application.

See " OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, acr_values" for acr_values request parameter, and see " OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata, default_acr_values" for defaultAcrs configuration parameter.

subject

string

The subject (= unique user ID managed by the service implementation) that the client application expects to grant authorization. The value comes from sub claim in claims request parameter.

loginHint

string

A hint about the login identifier of the end-user. The value comes from login_hint request parameter.

prompts

string array

The list of values of prompt request parameter. Possible element values are liseted in Prompt.

See " OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, prompt" for prompt request parameter.

lowestPrompt

string

The prompt that the UI displayed to the end-user must satisfy as the minimum level. This value comes from prompt request parameter ^[1] and one of the values listed in Prompt except for NONE.

When the authorization request does not contain prompt request parameter, CONSENT is used as the default value.

See " OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, prompt" for prompt request parameter.

requestObjectPayload

string

The payload part of the request object. The value of this proprty is null if the authorization request does not include a request object.

idTokenClaims

string

The value of the "id_token" property in the "claims" request parameter or in the "claims" property in a request object.

A client application may request certain claims be embedded in an ID token or in a response from the UserInfo endpoint. There are several ways. Including the claims request parameter and including the claims property in a request object are such examples. In both the cases, the value of the claims parameter/property is JSON. Its format is described in 5.5. Requesting Claims using the "claims" Request Parameter of OpenID Connect Core 1.0.

The following is an excerpt from the specification. You can find "userinfo" and "id_token" are top-level properties.

{
  "userinfo":
  {
    "given_name": {"essential": true},
    "nickname": null,
    "email": {"essential": true},
    "email_verified": {"essential": true},
    "picture": null,
    "http://example.info/claims/groups": null
  },
  "id_token":
  {
    "auth_time": {"essential": true},
    "acr": {"values": ["urn:mace:incommon:iap:silver"] }
  }
}

This value of this property is the value of the "id_token" property in JSON format. For example, if the JSON above is included in an authorization request, this method returns JSON equivalent to the following.

{
  "auth_time": {"essential": true},
  "acr": {"values": ["urn:mace:incommon:iap:silver"] }
}

Note that if a request object is given and it contains the claims property and if the claims request parameter is also given, the value of this property the value in the former.

userInfoClaims

string

The value of the "userinfo" property in the "claims" request parameter or in the "claims" property in a request object.

The following is an excerpt from the specification. You can find "userinfo" and "id_token" are top-level properties.

{
  "userinfo":
  {
    "given_name": {"essential": true},
    "nickname": null,
    "email": {"essential": true},
    "email_verified": {"essential": true},
    "picture": null,
    "http://example.info/claims/groups": null
  },
  "id_token":
  {
    "auth_time": {"essential": true},
    "acr": {"values": ["urn:mace:incommon:iap:silver"] }
  }
}

This value of this property is the value of the "uderinfo" property in JSON format. For example, if the JSON above is included in an authorization request, this method returns JSON equivalent to the following.

{
  "auth_time": {"essential": true},
  "acr": {"values": ["urn:mace:incommon:iap:silver"] }
}

Note that if a request object is given and it contains the claims property and if the claims request parameter is also given, the value of this property the value in the former.

responseContent

string

The content that the service implementation is to return to the client application. Its format varies depending on the value of action parameter. See description for details.

ticket

string

A ticket issued by Authlete to the service implementation. This is needed when the service implementation calls either /auth/authorization/fail API or /auth/authorization/issue API.

[1] OpenID Connect introduces request parameter and request_uri parameter as means to specify request parameters indirectly. See OpenID Connect Core 1.0, 6. Passing Request Parameters as JWTs for details.

Description

This API is supposed to be called from within the implementation of the Authorization Endpoint of the service. The endpoint implementation must extract the request parameters from the authorization request from the client application and pass them as the value of parameters request parameter for Authlete's /auth/authorization API.

The following code snippet is an example in JAX-RS showing how to extract request parameters from the authorization request.

@GET
public Response get(@Context UriInfo uriInfo)
{
    // The query parameters of the authorization request.
    String parameters = uriInfo.getRequestUri().getQuery();
    ......
}
 
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response post(String parameters)
{
    // 'parameters' is the entity body of the authorization request.
    ......
}

The endpoint implementation does not have to parse the request parameters from the client application because Authlete's /auth/authorization API does it.

The response from /auth/authorization API has various parameters. Among them, it is action parameter that the service implementation should check first because it denotes the next action that the service implementation should take. According to the value of action, the service implementation must take the steps described below.

INTERNAL_SERVER_ERROR

When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the service implementation was wrong or that an error occurred in Authlete.

In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with HTTP status of "500 Internal Server Error". Authlete recommends application/json as the content type although OAuth 2.0 specification does not mention the format of the error response when the redirect URI is not usable.

The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

The following illustrates the response which the service implementation should generate and return to the client application.

HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{responseContent}

The endpoint implementation may return another different response to the client application since "500 Internal Server Error" is not required by OAuth 2.0.

BAD_REQUEST

When the value of action is BAD_REQUEST, it means that the request from the client application is invalid.

A response with HTTP status of "400 Bad Request" should be returned to the client application and Authlete recommends application/json as the content type although OAuth 2.0 specification does not mention the format of the error response when the redirect URI is not usable.

The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

The following illustrates the response which the service implementation should generate and return to the client application.

HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{responseContent}

The endpoint implementation may return another different response to the client application since "400 Bad Request" is not required by OAuth 2.0.

LOCATION

When the value of action is LOCATION, it means that the request from the client application is invalid but the redirect URI to which the error should be reported has been determined.

A response with HTTP status of "302 Found" must be returned to the client application with Location header which has a redirect URI with error parameter.

The parameter responseContent contains a redirect URI with error parameter, so it can be used as the value of Location header.

The following illustrates the response which the service implementation must generate and return to the client application.

HTTP/1.1 302 Found
Location: {responseContent}
Cache-Control: no-store
Pragma: no-cache

FORM

When the value of action is FORM, it means that the request from the client application is invalid but the redirect URI to which the error should be reported has been determined, and that the authorization request contains response_mode=form_post as is defined in OAuth 2.0 Form Post Response Mode.

A response with HTTP status of "200 OK" must be returned to the client application with an HTML which satisfies the requirements of response_mode=form_post.

The parameter responseContent contains an HTML which can be used as the entity body of the response.

The following illustrates the response which the service implementation must generate and return to the client application.

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{responseContent}

NO_INTERACTION

When the value of action is NO_INTERACTION, it means that the request from the client application has no problem and requires the service to process the request without displaying any user interface pages for authentication or consent. This case happens when the authorization request contains prompt=none.

The service must follow the steps described below.

[END-USER AUTHENTICATION]
Check whether an end-user has already logged in. If an end-user has logged in, go to the next step ([MAX_AGE]). Otherwise, call Authlete's /auth/authorization/fail API with reason=NOT_LOGGED_IN and use the response from the API to generate a response to the client application.
[MAX_AGE]
Get the value of maxAge parameter. The value represents the maximum authentication age which has come from max_age request parameter or defaultMaxAge configuration parameter of the client application. If the value is 0, go to the next step ([SUBJECT]). Otherwise, follow the sub steps described below.
1. Get the time at which the end-user was authenticated. Note that this value is not managed by Authlete, meaning that it is expected that the service implementation manages the value. If the service implementation does not manage authentication time of end-users, call Authlete's /auth/authorization/fail API with reason=MAX_AGE_NOT_SUPPORTED and use the response from the API to generate a response to the client application.
2. Add the value of the maximum authentication age (which is represented in seconds) to the authentication time. The calculated value is the expiration time.
  
  Check whether the calculated value is equal to or greater than the current time. If this condition is satisfied, go to the next step ([SUBJECT]). Otherwise, call Authlete's /auth/authorization/fail API with reason=EXCEEDS_MAX_AGE and use the response from the API to generate a response to the client application.
[SUBJECT]
Get the value of subject. The value represents an end-user who the client application expects to grant authorization. If the value is null, go to the next step ([ACRs]). Otherwise, follow the sub steps described below.
1. Compare the value of the requested subject to the current end-user.
2. If they are equal, go to the next step ([ACRs]).
3. If they are not equal, call Authlete's /auth/authorization/fail API with reason=DIFFERENT_SUBJECT and use the response from the API to generate a response to the client application.
[ACRs]
Get the value of acrs. The value represents a list of ACRs (Authentication Context Class References) and comes from (1) acr claim in claims request parameter, (2) acr_values rquest parameter, or (3) defaultAcrs configuration parameter of the client application.

It is ensured that all the ACRs in acrs are supported by the service implementation. In other words, it is ensured that all the ACRs are listed in supportedAcrs configuration parameter of the service implementation.

If the value of ACRs is null, go to the next step ([ISSUE]). Otherwise, follow the sub steps described below.
1. Get the ACR performed for the authentication of the current end-user. Note that this value is managed not by Authlete but by the service implementation. (If the service implementation cannot handle ACRs, it should not have listed ACRs in supportedAcrs.)
2. Compare the ACR value obtained in the above step to each element in the ACR array (acrs) in the listed order. If the ACR value was found in the array, go to the next step ([ISSUE]).
3. If the ACR value was not found in the ACR array, in other words, if the ACR performed for the authentication of the current end-user did not match any one of the ACRs requested by the client application, get the value of acrEssential. If the boolean value is true, call Authlete's /auth/authorization/fail API with reason=ACR_NOT_SATISFIED and use the response from the API to generate a response to the client application. Otherwise, go to the next step ([ISSUE]).
[ISSUE]
If all the above steps succeeded, the last step is to issue an authorization code, an ID token and/or an access token. (There is a special case, though. In the case of response_type=none, nothing is issued.) It can be performed by calling Authlete's /auth/authorization/issue API. The API requires the following parameters. Prepare these parameters and call /auth/authorization/issue API and use the response from the API to generate a response to the client application.
- ticket (required)
  This parameter represents a ticket which is exchanged with tokens at /auth/authorization/issue. Use the value of ticket contained in the response from /auth/authorization API.
- subject (conditionally required)
  This parameter represents the unique identifier of the current end-user. It is often called "user ID" and it may or may not be visible to the user. In any case, it is a number or a string assigned to an end-user by the service implementation. Authlete does not care about the format of the value of subject, but it must consist of only ASCII letters and its length must not exceed 100.
  
  When subject parameter in the response from /auth/authorization API is not null, it is necessarily identical to the value of subject parameter for /auth/authorization/issue API.
  
  The value of this parameter will be embedded in an ID token as the value of sub claim. When the value of subjectType configuration parameter of the client application is PAIRWISE, the value of sub claim is different from the value specified by this parameter, but PAIRWISE is not supported by Authlete yet. See 8. Subject Identifier Types of OpenID Connect Core 1.0 for details about subject types.
  
  You can use the sub request parameter to adjust the value of the sub claim in an ID token. See the description of the sub request parameter for details.
- authTime (optional)
  This parameter represents the time when the end-user authentication occurred. Its value is the number of seconds from 1970-01-01. The value of this parameter will be embedded in an ID token as the value of auth_time claim.
- acr (optional)
  This parameter represents the ACR (Authentication Context Class Reference) which the authentication of the end-user satisfies. When acrs in the response from /auth/authorization API is a non-empty array and acrEssential is true, the value of this parameter must be one of the array elements. Otherwise, even null is allowed. The value of this parameter will be embedded in an ID token as the value of acr claim.
- claims (optional)
  This parameter represents claims of the end-user. "Claims" here are pieces of information about the end-user such as "name", "email" and "birthdate". The service implementation is required to gather claims of the end-user, format the claim values into JSON and set the JSON string as the value of this parameter.
  
  The claims which the service implementation is required to gather are listed in claims parameter in the response from /auth/authorization API. It is ensured that the values in claims parameter are contained in the list of supported claims which are specified by supportedClaims configuration parameter of the service.
  
  For example, if claims parameter lists name, email and birthdate, the value of this parameter should look like the following.
```
{
  "name": "John Smith",
  "email": "john@example.com",
  "birthdate": "1974-05-06"
}
```
  claimsLocales parameter in the response from /auth/authorization API lists the end-user's preferred languages and scripts, ordered by preference. When claimsLocales parameter is a non-empty array, its elements should be taken into account when the service implementation gathers claim values. Especially, note the excerpt below from 5.2. Claims Languages and Scripts of OpenID Connect Core 1.0.
  
  When the OP determines, either through the claims_locales parameter, or by other means, that the End-User and Client are requesting Claims in only one set of languages and scripts, it is RECOMMENDED that OPs return Claims without language tags when they employ this language and script. It is also RECOMMENDED that Clients be written in a manner that they can handle and utilize Claims using language tags.
  
  If claims parameter in the response from /auth/authorization API is null or an empty array, the value of this parameter should be null.
  
  See 5.1. Standard Claims of OpenID Connect core 1.0 for claim names and their value formats. Note (1) that the service implementation support its special claims (5.1.2. Additional Claims) and (2) that claim names may be followed by a language tag (5.2. Claims Languages and Scripts). Read the specification of OpenID Connect Core 1.0 for details.
  
  Claim names (listed in claims parameter) that the service implementation cannot understand can be ignored and their claim values do not have to be gathered.
  
  The claim values in this parameter will be embedded in an ID token.
- properties (optional)
  Extra properties to associate with an access token and/or an authorization code that may be issued by this request. Note that properties parameter is accepted only when Content-Type of the request is application/json, so don't use application/x-www-form-urlencoded for details.
- scopes (optional)
  Scopes to associate with an access token and/or an authorization code. If this parameter is null, the scopes specified in the original authorization request from the client application are used. In other cases, including the case of an empty array, the specified scopes will replace the original scopes contained in the original authorization request.
  
  Even scopes that are not included in the original authorization request can be specified. However, as an exception, "openid" scope is ignored on the server side if it is not included in the original request. It is because the existence of "openid" scope considerably changes the validation steps and because adding "openid" triggers generation of an ID token (although the client application has not requested it) and the behavior is a major violation against the specification.
  
  If you add "offline_access" scope although it is not included in the original request, keep in mind that the specification requires explicit consent from the user for the scope (OpenID Connect Core 1.0, 11. Offline Access). When "offline_access" is included in the original request, the current implementation of Authlete's /auth/authorization API checks whether the request has come along with prompt request parameter and the value includes "consent". However, note that the implementation of Authlete's /auth/authorization/issue API does not perform such checking if "offline_access" scope is added via this scopes parameter.
- sub (optional)
  The value of the sub claim in an ID token. If the value of this request parameter is not empty, it is used as the value of the sub claim. Otherwise, the value of the subject request parameter is used as the value of the sub claim. The main purpose of this parameter is to hide the actual value of the subject from client applications.
  
  Note that even if this sub parameter is not empty, the value of the subject request parameter is used as the value of the subject which is associated with the access token.

INTERACTION

When the value of action is INTERACTION, it means that the request from the client application has no problem and requires the service to process the request with user interaction by an HTML form.

The purpose of the UI displayed to the end-user is to ask the end-user to grant authorization to the client application. The items described below are some points which the service implementation should take into account when it builds the UI.

[DISPLAY MODE]
The response from /auth/authorization API has display parameter. It is one of PAGE (default), POPUP, TOUCH and WAP The meanings of the values are described in 3.1.2.1. Authentication Request of OpenID Connect Core 1.0. Basically, the service implementation should display the UI which is suitable for the display mode, but it is okay for the service implementation to "attempt to detect the capabilities of the User Agent and present an appropriate display."

It is ensured that the value of display is one of the supported display modes which are specified by supportedDisplays configuration parameter of the service.
[UI LOCALE]
The response from /auth/authorization API has uiLocales parameter. It it is not null, it lists language tag values (such as fr-CA, ja-JP and en) ordered by preference. The service implementation should display the UI in one of the language listed in the parameter when possible.

It is ensured that language tags listed in uiLocales are contained in the list of supported UI locales which are specified by supportedUiLocales configuration parameter of the service.
[CLIENT INFORMATION]
The service implementation should show information about the client application to the end-user. The information is embedded in client parameter in the response from /auth/authorization API. The format of client parameter is described in Data Type, Client.
[SCOPES]
A client application requires authorization for specific permissions. In OAuth 2.0 specification, "scope" is a technical term which represents a permission. scopes parameter in the response from /auth/authorization API is a list of scopes requested by the client application. The service implementation should show the end-user the scopes.

It is ensured that the values in scopes parameter are contained in the list of supported scopes which are specified by supportedScopes configuration parameter of the service.
[CLAIMS]
A client application may require claims of the end-user. In OpenID Connect specification, "claim" is a technical term which represents a piece of information about an end-user. claims parameter in the response from /auth/authorization API is a list of claims requested by the client aplication. The service implementation should show the end-user the claim names.

It is ensured that the values in claims parameter are contained in the list of supported claims which are specified by supportedClaims configuration parameter of the service.
[END-USER AUTHENTICATION]
Necessarily, the end-user must be authenticated (= must login the service) before granting authorization to the client application. Simply put, a login form is expected to be displayed for end-user authentication. The service implementation must follow the steps described below to comply with OpenID Connect. (Or just always show a login form if it's too much of a bother.)
1. Get the value of lowestPrompt in the response from /auth/authorization API. The value is one of LOGIN, CONSENT and SELECT_ACCOUNT. The meanings of the values are described in 3.1.2.1. Authentication Request of OpenID Connect Core 1.0. Note that prompts response parameter has been included in the response since August, 2016. So, you may refer to the parameter directly for better control (especially if the logic here does not meet your requirements).
2. When the value of lowestPrompt is SELECT_ACCOUNT display a form to let the end-user select on of his/her accounts for login. If subject parameter in the response from /auth/authorization API is not null it is the end-user ID that the client expects, so it should be set to the input field for the login ID. When subject is null, loginHint may be referred to calculate the initial value of the input field.
3. Otherwise, when the value of the lowest prompt is LOGIN, display a form to let the end-user login. If subject parameter in the response from /auth/authorization API is not null it is the end-user ID that the client expects, so it should be set to the input field for the login ID. When subject is null, loginHint may be referred to calculate the initial value of the input field.
4. Otherwise, when the value of the lowest prompt is CONSENT, the service implementation can omit a login form and use the end-user who has currently logged in the service if all the conditions described below are satisfied. If any one of the conditions is not satisfied, show a login form to authenticate the end-user.
  1. An end-user has already logged in the service.
  2. The login ID of the current end-user matches the value of subject parameter in the response from /auth/authorization API. This check should be performed only when subject is not null.
  3. The maximum authentication age, which is the value of maxAge parameter in the response from /auth/authorization API, has not passed since the current end-user logged in the service. This check should be performed only when maxAge is not 0.
    
    If the service implementation does not manage authentication time of end-users (= cannot know when end-users logged in) and if maxAge is not 0, a login form should be displayed.
  4. The ACR (Authentication Context Class Reference) of the authentication performed for the current end-user satisfies one of the ACRs listed in acrs parameter in the response from /auth/authorization API. This check should be performed only when acrs is a non-empty array.
In every case, the end-user authentication must satisfy one of the ACRs listed in acrs parameter when acrs is a non-empty array and acrEssential is true.
[GRANT/DENY BUTTONS]
The end-user is supposed to choose either (1) to grant authorization to the client applicationor (2) to deny the authorization request. The UI must have UI components to accept the judgment by the user. Usually, a button to grant authorization and a button to deny the request are provided.

When subject parameter in the response from /auth/authorization API is not null, the service implementation must check whether the value matches the login ID of the authenticated user. The service implementation should repeatedly show a login form until the specified subject is successfully authenticated.

The end-user will choose either (1) to grant authorization to the client application or (2) to deny the authorization request. When the end-user chose to deny the authentication request, call Authlete's /auth/authorization/fail API with reason=DENIED and use the response from the API to generate a response to the client application.

When the end-user chose to grant authorization to the client application, the service implementation has to issue an authorization code, an ID token and/or an access token to the client application. (There is a special case. In the case of response_type=none, nothing is issued.) It can be performed by calling Authlete's /auth/authorization/issue API. Read [ISSUE] written above in the description for the case of action=NO_INTERACTION.

The following code snippet is an excerpt from the sample code of the Authorization Endpoint. This illustrates how to dispatch processing based on the value of action parameter.

/**
 * Process the parameters of the authorization request.
 */
private Response process(HttpServletRequest request, String parameters)
{
    // Call Authlete's /auth/authorization API.
    AuthorizationResponse response =
        callAuthleteAuthorizationApi(parameters);
 
    // 'action' in the response denotes the next action which
    // this service implementation should take.
    Action action = response.getAction();
 
    // The content of the response to the client application.
    // The format of the content varies depending on the action.
    String content = response.getResponseContent();
 
    // Dispatch according to the action.
    switch (action)
    {
        case INTERNAL_SERVER_ERROR:
            // 500 Internal Server Error
            return ResponseUtil.internalServerError(content);
 
        case BAD_REQUEST:
            // 400 Bad Request
            return ResponseUtil.badRequest(content);
 
        case LOCATION:
            // 302 Found
            return ResponseUtil.location(content);
 
        case FORM:
            // 200 OK
            return ResponseUtil.form(content);
 
        case NO_INTERACTION:
            // Process the authorization request without user interaction.
            return handleNoInteraction(response);
 
        case INTERACTION:
            // Process the authorization request with user interaction.
            return handleInteraction(request.getSession(), response);
 
        default:
            // This never happens.
            throw new InternalServerErrorException("Unknown action");
    }
}

/auth/authorization/fail API

curl -v -X POST https://api.authlete.com/api/auth/authorization \
-H 'Content-Type: application/json' \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
-d '{ "ticket": "c4iy3TWGn74UMO7ihRl0ZS8OEUzV9axBlBbJbqxH-9Q", "reason": "NOT_AUTHENTICATED" }'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

// Extract the ticket issued by '/auth/authorization' API.
String ticket = extractTicket();

AuthorizationFailRequest request = new AuthorizationFailRequest()
  .setTicket(ticket)
  .setReason(AuthorizationFailRequest.Reason.NOT_AUTHENTICATED)
;

api.authorizationFail(request);

require 'authlete'

api = Authlete::Api.new(
  host: 'https://api.authlete.com',
  service_api_key: 10167240235,
  service_api_secret: LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE
)

# Extract the ticket issued by '/auth/token' API.
ticket = extract_ticket

# The reason of the failure of the token request. 
reason = 'NOT_AUTHENTICATED'

request = Authlete::Model::Request::AuthorizationFailRequest.new(
  ticket: ticket, 
  reason: reason
)

api.authorization_fail(request)

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

// Extract the ticket issued by '/auth/authorization' API.
string ticket = ExtractTicket();

AuthorizationFailRequest request = new AuthorizationFailRequest();
request.Ticket = ticket;
reqeust.Reason = AuthorizationFailReason.NOT_AUTHENTICATED;

await api.AuthorizationFail(request);

{
  "type": "authorizationFailResponse",
  "resultCode": "A060309",
  "resultMessage": "[A060309] The authorization request failed because the end-user was not authenticated or did not exist.",
  "action": "LOCATION",
  "responseContent": "https://api.authlete.com/api/mock/redirection/10167240235?error=login_required&error_description=%5BA060309%5D+The+authorization+request+failed+because+the+end-user+was+not+authenticated+or+did+not+exist.&error_uri=https%3A%2F%2Fwww.authlete.com%2Fdocuments%2Fapis%2Fresult_codes%23A060309"
}

This API generates a content of an error authorization response that the service implementation returns to the client application.

Request

POST /api/auth/authorization/fail

Content-Type

application/x-www-form-urlencoded
application/json

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name Required Description

ticket

YES

The ticket issued from Authlete's /auth/authorization API.

reason

YES

The reason of the failure of the authorization request. One of the following.

UNKNOWN
NOT_LOGGED_IN
MAX_AGE_NOT_SUPPORTED
EXCEEDS_MAX_AGE
DIFFERENT_SUBJECT
ACR_NOT_SATISFIED
DENIED
SERVER_ERROR
NOT_AUTHENTICATED
ACCOUNT_SELECTION_REQUIRED
CONSENT_REQUIRED
INTERACTION_REQUIRED

description

The custom description about the authorization failure.

The following are descriptions about the values of reason parameter. The description of the /auth/authorization API describes as to which reason should be used when.

UNKNOWN: Unknown reason.
NOT_LOGGED_IN: The authorization request from the client application contained prompt=none, but any end-user has logged in.
MAX_AGE_NOT_SUPPORTED: The authorization request from the client application contained max_age parameter with a non-zero value or the value of defaultMaxAge configuration parameter of the client application is not 0, but the service implementation cannot behave properly based the maximum authentication age value mainly because the service implementation does not manage authentication time of end-users.
EXCEEDS_MAX_AGE: The authorization request from the client application contained prompt=none, but the maximum authentication age (= the time specified by max_age request parameter or by defaultMaxAge configuration parameter of the client application) has passed since the time when the end-user logged in.
DIFFERENT_SUBJECT: The authorization request from the client application requested a specific value for sub claim, but the current end-user (in the case of prompt=none) or the end-user after the authentication is different from the specified value.
ACR_NOT_SATISFIED: The authorization request from the client application contained acr claim in claims request parameter and the claim was marked as essential, but the ACR (Authentication Context Class Reference) performed for the end-user does not match any of the requested ACRs.
DENIED: The end-user denied the authorization request from the client application.
SERVER_ERROR: Server error.
NOT_AUTHENTICATED: The end-user was not authenticated.
ACCOUNT_SELECTION_REQUIRED: The authorization server cannot obtain an account selection choice made by the end-user.
CONSENT_REQUIRED: The authorization server cannot obtain consent from the end-user.
INTERACTION_REQUIRED: The authorization server needs interaction with the end-user.

Response

Content-Type

application/json

Parameters

Name	Type	Description
`resultCode`	string	The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.
`resultMessage`	string	A short message which explains the result of the API call.
`action`	string	The next action that the service implementation should take. One of the following. Details are described in the description. `INTERNAL_SERVER_ERROR` `BAD_REQUEST` `LOCATION` `FORM`
`responseContent`	string	The content that the service implementation is to return to the client application. Its format varies depending on the value of `action` parameter. See description for details.

Description

This API is supposed to be called from within the implementation of the Authorization Endpoint of the service in order to generate an error response to the client application.

The description of the /auth/authorization API describes the timing when this API should be called.

The response from /auth/authorization/fail API has some parameters. Among them, it is action parameter that the service implementation should check first because it denotes the next action that the service implementation should take. According to the value of action, the service implementation must take the steps described below.

INTERNAL_SERVER_ERROR

When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the service implementation was wrong or that an error occurred in Authlete.

The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

The following illustrates the response which the service implementation should generate and return to the client application.

HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{responseContent}

The endpoint implementation may return another different response to the client application since "500 Internal Server Error" is not required by OAuth 2.0.

BAD_REQUEST

When the value of action is BAD_REQUEST, it means that the ticket is no longer valid (deleted or expired) and that the reason of the invalidity was probably due to the end-user's too-delayed response to the authorization UI.

A response with HTTP status of "400 Bad Request" should be returned to the client application and Authlete recommends application/json as the content type.

The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

The following illustrates the response which the service implementation should generate and return to the client application.

HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{responseContent}

The endpoint implementation may return another different response to the client application since "400 Bad Request" is not required by OAuth 2.0.

LOCATION

When the value of action is LOCATION, it means that the response to the client application must be "302 Found" with Location header.

The parameter responseContent contains a redirect URI with error parameter, so it can be used as the value of Location header.

The following illustrates the response which the service implementation must generate and return to the client application.

HTTP/1.1 302 Found
Location: {responseContent}
Cache-Control: no-store
Pragma: no-cache

FORM

When the value of action is FORM, it means that the response to the client application must be 200 OK with an HTML which triggers redirection by JavaScript. This happens when the authorization request from the client application contained response_mode=form_post.

The parameter responseContent contains an HTML which can be used as the entity body of the response.

The following illustrates the response which the service implementation must generate and return to the client application.

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{responseContent}

The following code snippet is an excerpt from the sample code of the Authorization Endpoint. This illustrates how to dispatch processing based on the value of action parameter.

/**
 * Create a response that describes the failure. This method
 * calls Authlete's {@code /auth/authorization/fail} API.
 */
private Response createFailureResponse(String ticket, Reason reason)
{
    // Call Authlete's /auth/authorization/fail API.
    AuthorizationFailResponse response =
        callAuthleteAuthorizationFailApi(ticket, reason);
 
    // 'action' in the response denotes the next action which
    // this service implementation should take.
    AuthorizationFailResponse.Action action = response.getAction();
 
    // The content of the response to the client application.
    // The format of the content varies depending on the action.
    String content = response.getResponseContent();
 
    // Dispatch according to the action.
    switch (action)
    {
        case INTERNAL_SERVER_ERROR:
            // 500 Internal Server Error
            return ResponseUtil.internalServerError(content);
 
        case BAD_REQUEST:
            // 400 Bad Request
            return ResponseUtil.badRequest(content);
 
        case LOCATION:
            // 302 Found
            return ResponseUtil.location(content);
 
        case FORM:
            // 200 OK
            return ResponseUtil.form(content);
 
        default:
            // This never happens.
            throw new InternalServerErrorException("Unknown action");
    }
}

/auth/authorization/issue API

curl -v -X POST https://api.authlete.com/api/auth/authorization/issue \
-H 'Content-Type: application/json' \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
-d '{ "ticket": "FFgB9gwb_WXh6g1u-UQ8ZI-d_k4B-o-cm7RkVzI8Vnc", "subject": "john" }'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

// Extract the ticket issued by '/auth/authorization' API.
String ticket = extractTicket();

// Get the subject (= unique identifier) of the end-user.
String subject = getSubject();

AuthorizationIssueRequest request = new AuthorizationIssueRequest()
  .setTicket(ticket)
  .setSubject(subject)
;

api.authorizationIssue(request);

require 'authlete'

api = Authlete::Api.new(
  host: 'https://api.authlete.com',
  service_api_key: 10167240235,
  service_api_secret: 'LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
)

# Extract the ticket issued by '/auth/authorization' API.
ticket = extract_ticket

# Get the subject (= unique identifier) of the end-user.
subject = get_subject

request = Authlete::Model::Request::AuthorizationIssueRequest.new(
  ticket: ticket, 
  reason: subject
)

api.authorization_issue(request)

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

// Extract the ticket issued by '/auth/authorization' API.
string ticket = ExtractTicket();

// Get the subject (= unique identifier) of the end-user.
string subject = GetSubject();

AuthorizationIssueRequest request = new AuthorizationIssueRequest();
request.Ticket  = ticket;
request.Subject = subject;

await api.AuthorizationIssue(request);

{
    "type": "authorizationIssueResponse",
    "resultCode": "A040001",
    "resultMessage": "[A040001] The authorization request was processed successfully.",
    "accessTokenDuration": 0,
    "accessTokenExpiresAt": 0,
    "action": "LOCATION",
    "authorizationCode": "_VSzpgug3OpdUymcbLYJjH1v9tE4hSPaxX_pSkxUUyk",
    "responseContent": "https://api.authlete.com/api/mock/redirection/10167240235?code=_VSzpgug3OpdUymcbLYJjH1v9tE4hSPaxX_pSkxUUyk"
}

This API generates a content of a successful authorization response that the service implementation returns to the client application.

Request

POST /api/auth/authorization/issue

Content-Type

application/x-www-form-urlencoded
application/json

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`ticket`	YES	The ticket issued from Authlete's `/auth/authorization` API.
`subject`	YES	The subject (= a user account managed by the service) who has granted authorization to the client application.
`authTime`	NO	The time when the authentication of the end-user occurred. Its value is the number of seconds from 1970-01-01.
`acr`	NO	The Authentication Context Class Reference performed for the end-user authentication.
`claims`	NO	The claims of the end-user (= pieces of information about the end-user) in JSON format See OpenID Connect Core 1.0, 5.1. Standard Claims for details about the format.
`properties`	NO	Extra properties to associate with an access token and/or an authorization code. See Extra Properties for details.
`scopes`	NO	Scopes to associate with an access token and/or an authorization code. If a non-empty string array is given, it replaces the scopes specified by the original authorization request.
`sub`	NO	The value of the `sub` claim to embed in an ID token. If this request parameter is null or empty, the value of the `subject` request parameter is used as the value of the `sub` claim.

Response

Content-Type

application/json

Parameters

Name	Type	Description
`resultCode`	string	The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.
`resultMessage`	string	A short message which explains the result of the API call.
`action`	string	The next action that the service implementation should take. One of the following. Details are described in the description. `INTERNAL_SERVER_ERROR` `BAD_REQUEST` `LOCATION` `FORM`
`responseContent`	string	The content that the service implementation is to return to the client application. Its format varies depending on the value of `action` parameter. See description for details.
`accessToken`	string	The newly issued access token. Note that an access token is issued from an Authorization Endpoint only when `response_type` contains `token`.
`accessTokenExpiresAt`	integer	The datetime at which the newly issued access token will expire. The value is represented in milliseconds since the Unix epoch (1970-01-01).
`accessTokenDuration`	integer	The duration of the newly issued access token in seconds.
`idToken`	string	The newly issued ID token. Note that an ID token is issued from an Authorization Endpoint only when `response_type` contains `id_token`.
`authorizationCode`	string	The newly issued authorization code. Note that an authorization code is issued only when `response_type` contains `code`.
`jwtAccessToken`	string	The newly issued access token in JWT format. If the service is not configured to issue JWT-based access tokens, this method always returns `null`.

Description

This API is supposed to be called from within the implementation of the Authorization Endpoint of the service in order to generate a successful response to the client application.

The description of the /auth/authorization API describes the timing when this API should be called and the meaning of request parameters. See [ISSUE] in NO_INTERACTION.

The response from /auth/authorization/issue API has some parameters. Among them, it is action parameter that the service implementation should check first because it denotes the next action that the service implementation should take. According to the value of action, the service implementation must take the steps described below.

INTERNAL_SERVER_ERROR

When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the service implementation was wrong or that an error occurred in Authlete.

The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

The following illustrates the response which the service implementation should generate and return to the client application.

HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
 
{responseContent}

The endpoint implementation may return another different response to the client application since "500 Internal Server Error" is not required by OAuth 2.0.

BAD_REQUEST

A response with HTTP status of "400 Bad Request" should be returned to the client application and Authlete recommends application/json as the content type.

The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

The following illustrates the response which the service implementation should generate and return to the client application.

HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
 
{responseContent}

The endpoint implementation may return another different response to the client application since "400 Bad Request" is not required by OAuth 2.0.

LOCATION

When the value of action is LOCATION, it means that the response to the client application must be "302 Found" with Location header.

The parameter responseContent contains a redirect URI with (1) an authorization code, an ID token and/or an access token (on success) or (2) an error code (on failure), so it can be used as the value of Location header.

The following illustrates the response which the service implementation must generate and return to the client application.

HTTP/1.1 302 Found
Location: {responseContent}
Cache-Control: no-store
Pragma: no-cache

FORM

The parameter responseContent contains an HTML which can be used as the entity body of the response.

The following illustrates the response which the service implementation must generate and return to the client application.

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
 
{responseContent}

Token Endpoint

/auth/token API

curl -v -X POST https://api.authlete.com/api/auth/token \
-H "Content-Type: application/json" \
-u "10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE" \
-d '{ "parameters": "grant_type=authorization_code&code=DkKMvKzrRAsWErsWCChNX_gydqqgA55AW2OJlXmNTQI&redirect_uri=https%3A%2F%2Fapi.authlete.com%2Fapi%2Fmock%2Fredirection%2F10167240235" }'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

// Extract request parameters that the OAuth 2.0 token endpoint of 
// this OAuth 2.0 serever implementation received from the client application.
String parameters = extractRequestParameters();

TokenRequest request = new TokenRequest().setParameters(parameters);

api.token(request);

require 'authlete'

api = Authlete::Api.new(
  host: "https://api.authlete.com",
  service_api_key: "10167240235",
  service_api_secret: "LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE"
)

# Extract request parameters that the OAuth 2.0 token endpoint of 
# this OAuth 2.0 serever implementation received from the client application.
parameters = extract_request_parameters

request = Authlete::Model::Request::TokenRequest.new(
  parameters: parameters
)

api.token(request)

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

// Extract request parameters that the OAuth 2.0 token endpoint of 
// this OAuth 2.0 serever implementation received from the client application.
string parameters = ExtractRequestParameters();

TokenRequest request = new TokenRequest();
request.Parameters(parameters);

await api.Token(request);

{
    "type": "tokenResponse",
    "resultCode": "A050001",
    "resultMessage": "[A050001] The token request (grant_type=authorization_code) was processed successfully.",
    "accessToken": "rt5bUJsGfS17YCSmYGtgelMtokTLdoCmBe4VUFCk1YZ",
    "accessTokenDuration": 86400,
    "accessTokenExpiresAt": 1510647924410,
    "action": "OK",
    "clientId": 57297408867,
    "clientIdAliasUsed": false,
    "grantType": "AUTHORIZATION_CODE",
    "refreshToken": "sdQqY9Tbhsq6ZsWm1rZLgW4A3yxIk6RcgmmexHZ9BXB",
    "refreshTokenDuration": 864000,
    "refreshTokenExpiresAt": 1511425524410,
    "responseContent": "{\"scope\":null,\"expires_in\":86400,\"token_type\":\"Bearer\",\"refresh_token\":\"sdQqY9Tbhsq6ZsWm1rZLgW4A3yxIk6RcgmmexHZ9BXB\",\"access_token\":\"rt5bUJsGfS17YCSmYGtgelMtokTLdoCmBe4VUFCk1YZ\"}",
    "subject": "john"
}

This API parses request parameters of a token request and returns necessary data for the service implementation to process the token request further.

Request

POST /api/auth/token

Content-Type

application/x-www-form-urlencoded
application/json

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`parameters`	YES	OAuth 2.0 token request parameters which are the request parameters that the OAuth 2.0 Token Endpoint of the service implementation received from the client application. The value of `parameters` is the entire entity body (which is formatted in `application/x-www-form-urlencoded`) of the request from the client application.
`clientId`	NO	The client ID extracted from `Authorization` header of the token request from the client application. If the Token Endpoint of the service implementation supports Basic Authentication as a means of client authentication, and the request from the client application contained its client ID in `Authorization` header, the value should be extracted and set to this parameter.
`clientSecret`	NO	The client secret extracted from `Authorization` header of the token request from the client application. If the Token Endpoint of the service implementation supports Basic Authentication as a means of client authentication, and the request from the client application contained its client secret in `Authorization` header, the value should be extracted and set to this parameter.
`clientCertificate`	NO	The client certificate from the MTLS of the token request from the client application.
`clientCertificatePath`	NO	The certificate path presented by the client during client authentication. These certificates are strings in PEM format.
`properties`	NO	Extra properties to associate with an access token. See Extra Properties for details.

Response

Content-Type

application/json

Parameters

Name	Type	Description
`resultCode`	string	The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.
`resultMessage`	string	A short message which explains the result of the API call.
`action`	string	The next action that the service implementation should take. One of the following. Details are described in the description. `INVALID_CLIENT` `INTERNAL_SERVER_ERROR` `BAD_REQUEST` `PASSWORD` `OK`
`responseContent`	string	The content that the service implementation is to return to the client application. Its format is JSON.
`username`	string	The value of `username` request parameter in the token request. The client application must specify `username` when it uses Resource Owner Password Grant. In other words, when the value of `grant_type` request parameter is `password`, `username` request parameter must come along. This parameter has a value only if the value of `grant_type` request parameter is `password` and the token request is valid.
`password`	string	The value of `password` request parameter in the token request. The client application must specify `password` when it uses Resource Owner Password Grant. In other words, when the value of `grant_type` request parameter is `password`, `password` request parameter must come along. This parameter has a value only if the value of `grant_type` request parameter is `password` and the token request is valid.
`ticket`	string	The ticket which is necessary to call Authlete's `/auth/token/fail` API or `/auth/token/issue` API. This parameter has a value only if the value of `grant_type` request parameter is `password` and the token request is valid.
`accessToken`	string	The newly issued access token.
`accessTokenExpiresAt`	integer	The datetime at which the newly issued access token will expire. The value is represented in milliseconds since the Unix epoch (1970-01-01).
`accessTokenDuration`	integer	The duration of the newly issued access token in seconds.
`refreshToken`	string	The newly issued refresh token.
`refreshTokenExpiresAt`	integer	The datetime at which the newly issued refresh token will expire. The value is represented in milliseconds since the Unix epoch (1970-01-01).
`refreshTokenDuration`	integer	The duration of the newly issued refresh token in seconds.
`idToken`	string	The newly issued ID token. Note that an ID token is issued from a Token Endpoint only when the `response_type` request parameter of the authorization request to an Authorization Endpoint has contained `code` and the `scope` request parameter has contained `openid`.
`grantType`	string	The grant type of the token request.
`clientId`	i64	The client ID.
`clientIdAlias`	string	The client ID alias when the token request was made. If the client did not have an alias, this parameter is `null`. Also, if the token request was invalid and it failed to identify a client, this parameter is `null`.
`clientIdAliasUsed`	boolean	The flag which indicates whether the client ID alias was used when the token request was made. `true` if the client ID alias was used when the token request was made.
`subject`	string	The subject (= resource owner's ID) of the access token. Even if an access token has been issued by the call of `/api/auth/token` API, this parameter is `null` if the flow of the token request was Client Credentials Flow (`grant_type=client_credentials`) because it means the access token is not associated with any specific end-user.
`scopes`	string array	The scopes covered by the access token.
`properties`	string	The extra properties associated with the access token. This parameter is `null` when no extra property is associated with the issued access token.
`jwtAccessToken`	string	The newly issued access token in JWT format. If the authorization server is configured to issue JWT-based access tokens (= if the Service's `accessTokenSignAlg` value is a non-null value), a JWT-based access token is issued along with the original random-string one.

Description

This API is supposed to be called from with the implementation of the Token Endpoint of the service. The endpoint implementation must extract the request parameters from the token request from the client application and pass them as the value of parameters request parameter to Authlete's /auth/token API.

The value of parameters is the entire entity body (which is formatted in application/x-www-form-urlencoded) of the token request.

In addition, if the Token Endpoint of the service implementation supports Basic Authentication as a means of client authentication, the client credentials must be extracted from Authorization header and they must be passed as clientId request parameter and clientSecret request parameter to Authlete's /auth/token API.

The following code snippet is an example in JAX-RS showing how to extract request parameters from the token request and client credentials from Authorization header.

@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response post(
        @HeaderParam(HttpHeaders.AUTHORIZATION) String auth,
        String parameters)
{
    // Convert the value of Authorization header (credentials of
    // the client application), if any, into BasicCredentials.
    BasicCredentials credentials = BasicCredentials.parse(auth);
 
    // The credentials of the client application extracted from
    // 'Authorization' header. These may be null.
    String clientId     = credentials == null ? null
                        : credentials.getUserId();
    String clientSecret = credentials == null ? null
                        : credentials.getPassword();
 
    // Process the given parameters.
    return process(parameters, clientId, clientSecret);
}

The response from /auth/token API has some parameters. Among them, it is action parameter that the service implementation should check first because it denotes the next action that the service implementation should take. According to the value of action, the service implementation must take the steps described below.

INVALID_CLIENT

When the value of action is INVALID_CLIENT, it means that authentication of the client failed. In this case, the HTTP status of the response to the client application is either "400 Bad Request" or "401 Unauthorized". This requirement comes from RFC 6749, 5.2. Error Response. The description about invalid_client shown below is an excerpt from RFC 6749.

Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client.

In either case, the value of responseContent contains a JSON string which can be used as the entity body of the response to the client application.

The following illustrate responses which the service implementation must generate and return to the client application.

HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
 
{responseContent}

HTTP/1.1 401 Unauthorized
WWW-Authenticate: {challenge}
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
 
{responseContent}

INTERNAL_SERVER_ERROR

When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the service implementation was wrong or that an error occurred in Authlete.

The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

The following illustrates the response which the service implementation should generate and return to the client application.

HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
 
{responseContent}

The endpoint implementation may return another different response to the client application since "500 Internal Server Error" is not required by OAuth 2.0.

BAD_REQUEST

When the value of action is BAD_REQUEST, it means that the request from the client is invalid.

A response with HTTP status of "400 Bad Request" must be returned to the client application and the content type must be application/json.

The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

The following illustrates the response which the service implementation should generate and return to the client application.

HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
 
{responseContent}

PASSWORD

When the value of action is PASSWORD, it means that the request from the client application is valid and the value of grant_type request parameter is password. That is, the flow is Resource Owner Password Credentials.

In this case, subject parameter and password parameter are the credentials of the resource owner (= end-user). The service implementation must validate the credentials and take either of the actions below according to the validation result.

When the credentials are valid,: Call Authlete's /auth/token/issue API to generate an access token for the client application. The response from /auth/token/issue API contains data (an access token and others) which must be returend to the client application. Use the data to generate a response to the client application.
When the credentials are invalid,: Call Authlete's /auth/token/fail API with reason=INVALID_RESOURCE_OWNER_CREDENTIALS to generate an error response for the client application. The response from /auth/token/fail API contains error information which must be returned to the client application. Use the data to generate a response to the client application.

Both /auth/token/issue API and /auth/token/fail API require ticket request parameter whose value must be the ticket in the response from Authlete's /auth/token API.

OK

When the value of action is OK, it means that the request from the client application is valid and an access token, and optionally an ID token, is ready to be issued.

The HTTP status of the response returned to the client application must be "200 OK" and the content type must be application/json.

The parameter responseContent contains a JSON string which contains an access token (and optionally an ID token), so it can be used as the entity body of the response.

The following illustrates the response which the service implementation must generate and return to the client application.

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
 
{responseContent}

The following code snippet is an excerpt from the sample code of the Token Endpoint. This illustrates how to dispatch processing based on the value of action parameter.

private Response process(
    String parameters, String clientId, String clientSecret)
{
    // Call Authlete's /auth/token API.
    TokenResponse response =
        callAuthleteTokenApi(parameters, clientId, clientSecret);
 
    // 'action' in the response denotes the next action which
    // this service implementation should take.
    Action action = response.getAction();
 
    // The content of the response to the client application.
    String content = response.getResponseContent();
 
    // Dispatch according to the action.
    switch (action)
    {
        case INVALID_CLIENT:
            // 401 Unauthorized
            return ResponseUtil.unauthorized(content, CHALLENGE);
 
        case INTERNAL_SERVER_ERROR:
            // 500 Internal Server Error
            return ResponseUtil.internalServerError(content);
 
        case BAD_REQUEST:
            // 400 Bad Request
            return ResponseUtil.badRequest(content);
 
        case PASSWORD:
            // Process the token request whose flow is
            // "Resource Owner Password Credentials".
            return handlePassword(response);
 
        case OK:
            // 200 OK
            return ResponseUtil.ok(content);
 
        default:
            // This never happens.
            throw new InternalServerErrorException("Unknown action");
    }
}

/auth/token/fail API

curl -v -X POST https://api.authlete.com/api/auth/token/fail \
-H "Content-Type: application/json" \
-u "10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE" \
-d '{ "ticket": "83BNqKIhGMyrkvop_7jQjv2Z1612LNdGSQKkvkrf47c", "reason": "INVALID_RESOURCE_OWNER_CREDENTIALS" }'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

// Extract the ticket issued by '/auth/token' API.
String ticket = extractRequestTicket();

TokenFailRequest request = new TokenFailRequest()
  .setTicket(ticket)
  .setReason(TokenFailRequest.Reason.INVALID_RESOURCE_OWNER_CREDENTIALS)
;

api.tokenFail(request);

require 'authlete'

api = Authlete::Api.new(
  host: "https://api.authlete.com",
  service_api_key: "10167240235",
  service_api_secret: "LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE"
)

# Extract the ticket issued by '/api/token' API.
ticket = extract_ticket

# The reason of the failure of the authorization request. 
reason = 'INVALID_RESOURCE_OWNER_CREDENTIALS'

request = Authlete::Model::Request::TokenFailRequest.new(
  ticket: ticket, 
  reason: reason
)

api.token_fail(request)

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

// Extract the ticket issued by '/auth/token' API.
string ticket = ExtractTicket();

TokenFailRequest request = new TokenFailRequest();
request.Ticket = ticket;
reqeust.Reason = TokenFailReason.INVALID_RESOURCE_OWNER_CREDENTIALS;

await api.TokenFail(request);

{
    "type": "tokenFailResponse",
    "resultCode": "A067301",
    "resultMessage": "[A067301] The credentials (username & password) passed to the token endpoint are invalid.",
    "action": "BAD_REQUEST",
    "responseContent": "{\"error_uri\":\"https://www.authlete.com/documents/apis/result_codes#A067301\",\"error\":\"invalid_request\",\"error_description\":\"[A067301] The credentials (username & password) passed to the token endpoint are invalid.\"}"
}

This API generates a content of an error token response that the service implementation returns to the client application. This API is used only for Resource Owner Password Credentials Grant.

Request

POST /api/auth/token/fail

Content-Type

application/x-www-form-urlencoded
application/json

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name Required Description

ticket

YES

The ticket issued from Authlete's /auth/token API.

reason

YES

The reason of the failure of the token request.

UNKNOWN
INVALID_RESOURCE_OWNER_CREDENTIALS

Response

Content-Type

application/json

Parameters

Name	Type	Description
`resultCode`	string	The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.
`resultMessage`	string	A short message which explains the result of the API call.
`action`	string	The next action that the service implementation should take. One of the following. Details are described in the description. `INTERNAL_SERVER_ERROR` `BAD_REQUEST`
`responseContent`	string	The content that the service implementation is to return to the client application. Its format varies depending on the value of `action` parameter. See description for details.

Description

This API is supposed to be called from within the implementation of the Token Endpoint of the service in order to generate an error response to the client application.

The description of the /auth/token API describes the timing when this API should be called.

The response from /auth/token/fail API has some parameters. Among them, it is action parameter that the service implementation should check first because it denotes the next action that the service implementation should take. According to the value of action, the service implementation must take the steps described below.

INTERNAL_SERVER_ERROR

When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the service implementation was wrong or that an error occurred in Authlete.

The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

The following illustrates the response which the service implementation should generate and return to the client application.

HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{responseContent}

The endpoint implementation may return another different response to the client application since "500 Internal Server Error" is not required by OAuth 2.0.

BAD_REQUEST

When the value of action is BAD_REQUEST, it means that Authlete's /auth/token/fail API successfully generated an error response for the client application.

The HTTP status of the response returned to the client application must be "400 Bad Request" and the content type must be application/json.

The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

The following illustrates the response which the service implementation should generate and return to the client application.

HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{responseContent}

/auth/token/issue API

curl -v -X POST https://api.authlete.com/api/auth/token/issue \
-H "Content-Type: application/json" \
-u "10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE" \
-d '{ "ticket": "83BNqKIhGMyrkvop_7jQjv2Z1612LNdGSQKkvkrf47c" }'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

// Extract the ticket issued by '/auth/token' API.
String ticket = extractTicket();

TokenIssueRequest request = new TokenIssueRequest().setTicket(ticket);

api.tokenIssue(request);

require 'authlete'

api = Authlete::Api.new(
  host: 'https://api.authlete.com',
  service_api_key: 10167240235,
  service_api_secret: 'LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
)

# Extract the ticket issued by '/auth/token' API.
ticket = extract_ticket

request = Authlete::Model::Request::TokenIssueRequest.new(ticket: ticket)

api.token_issue(request)

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

// Extract the ticket issued by '/auth/token' API.
string ticket = ExtractTicket();

TokenIssueRequest request = new TokenIssueRequest();
request.Ticket = ticket;

await api.TokenIssue(request);

{
  "type": "tokenIssueResponse",
  "resultCode": "A054001",
  "resultMessage": "[A054001] The token request (grant_type=password) was processed successfully.",
  "accessToken": "W04RiPBuTJB6cQ-MppuVOKWAEezwU6jMx2-Q7ouSiBz",
  "accessTokenDuration": 86400,
  "accessTokenExpiresAt": 1513064337919,
  "action": "OK",
  "clientId": 57297408867,
  "clientIdAliasUsed": false,
  "refreshToken": "_zfwGRZ9cQhSm-qLGWAF4JHnk0i_Y7CNHHxf8poUtAX",
  "refreshTokenDuration": 864000,
  "refreshTokenExpiresAt": 1513841937919,
  "responseContent": "{\"scope\":null,\"expires_in\":86400,\"token_type\":\"Bearer\",\"refresh_token\":\"_zfwGRZ9cQhSm-qLGWAF4JHnk0i_Y7CNHHxf8poUtAX\",\"access_token\":\"W04RiPBuTJB6cQ-MppuVOKWAEezwU6jMx2-Q7ouSiBz\"}",
  "subject": "john"
}

This API generates a content of a successful token response that the service implementation returns to the client application. This API is used only for Resource Owner Password Credentials Grant.

Request

POST /api/auth/token/issue

Content-Type

application/x-www-form-urlencoded
application/json

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`ticket`	YES	The ticket issued from Authlete's `/auth/token` API.
`properties`	NO	Extra properties to associate with a newly created access token. Note that `properties` parameter is accepted only when Content-Type of the request is `application/json`, so don't use `application/x-www-form-urlencoded` if you want to specify `properties`. See Extra Properties for details.
`subject`	YES	The subject (= unique identifier) of the authenticated user.

Response

Content-Type

application/json

Parameters

Name	Type	Description
`resultCode`	string	The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.
`resultMessage`	string	A short message which explains the result of the API call.
`action`	string	The next action that the service implementation should take. One of the following. Details are described in the description. `INTERNAL_SERVER_ERROR` `OK`
`responseContent`	string	The content that the service implementation is to return to the client application. Its format is JSON.
`accessToken`	string	The newly issued access token. This parameter is a `non-null` value only when the value of `action` parameter is `OK`.
`accessTokenExpiresAt`	string	The date in milliseconds since the Unix epoch (1970-01-01) at which the access token will expire.
`accessTokenDuration`	string	The duration of the access token in seconds.
`refreshToken`	string	The refresh token. This parameter is a `non-null` value only when `action`> `OK` and the service supports the refresh token flow. If "Refresh Token Continuous Use" configuration parameter is `NO` (= `refreshTokenKept=false`), a new refresh token is issued and the old refresh token used in the refresh token flow is invalidated. On the contrary, if the configuration parameter is `YES`, the refresh token itself is not refreshed.
`refreshTokenExpiresAt`	string	The date in milliseconds since the Unix epoch (1970-01-01) at which the refresh token will expire.
`refreshTokenDuration`	string	The duration of the refresh token in seconds.
`clientId`	i64	The client ID.
`clientIdAlias`	string	If the client did not have an alias, this parameter is `null`.
`clientIdAliasUsed`	boolean	The flag which indicates whether the client ID alias was used when the token request was made. `true` if the client ID alias was used when the token request was made.
`subject`	string	The subject (= resource owner's ID) of the access token. Even if an access token has been issued by the call of `/api/auth/token` API, this parameter is `null` if the flow of the token request was Client Credentials Flow (`grant_type=client_credentials`) because it means the access token is not associated with any specific end-user.
`scopes`	string array	The scopes covered by the access token.
`properties`	string	The extra properties associated with the access token. This parameter is `null` when no extra property is associated with the issued access token.

Description

This API is supposed to be called from within the implementation of the Token Endpoint of the service in order to generate a successful response to the client application.

The description of the /auth/token API describes the timing when this API should be called. See the description for the case of action=PASSWORD.

The response from /auth/token/issue API has some parameters. Among them, it is action parameter that the service implementation should check first because it denotes the next action that the service implementation should take. According to the value of action, the service implementation must take the steps described below.

INTERNAL_SERVER_ERROR

When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the service implementation was wrong or that an error occurred in Authlete.

The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

The following illustrates the response which the service implementation should generate and return to the client application.

HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{responseContent}

The endpoint implementation may return another different response to the client application since "500 Internal Server Error" is not required by OAuth 2.0.

OK

When the value of action is OK, it means that Authlete's /auth/token/issue API successfully generated an access token.

The HTTP status of the response returned to the client application must be "200 OK" and the content type must be application/json.

The parameter responseContent contains a JSON string which contains an access token, so it can be used as the entity body of the response.

The following illustrates the response which the service implementation must generate and return to the client application.

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
 
{responseContent}

Introspection Endpoint

/auth/introspection API

curl -v -X POST https://api.authlete.com/api/auth/introspection \
-H 'Content-Type:application/json' \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
-d '{ "token": "VFGsNK-5sXiqterdaR7b5QbRX9VTwVCQB87jbr2_xAI" }'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

// An access token to introspect.
String token = "VFGsNK-5sXiqterdaR7b5QbRX9VTwVCQB87jbr2_xAI";

IntrospectionRequest request = new IntrospectionRequest().setToken(token);

api.introspection(request);

require 'authlete'

api = Authlete::Api.new(
  host: 'https://api.authlete.com',
  service_api_key: 10167240235,
  service_api_secret: 'LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
)

# An access token to introspect.
token = 'VFGsNK-5sXiqterdaR7b5QbRX9VTwVCQB87jbr2_xAI'

api.introspection(token)

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

// An access token to introspect.
string token = "VFGsNK-5sXiqterdaR7b5QbRX9VTwVCQB87jbr2_xAI";

IntrospectionRequest request = new IntrospectionRequest();
request.Token = token;

await api.Introspection(request);

{
  "type": "introspectionResponse",
  "resultCode": "A056001",
  "resultMessage": "[A056001] The access token is valid.",
  "action": "OK",
  "clientId": 57297408867,
  "clientIdAliasUsed": false,
  "existent": true,
  "expiresAt": 1511252965000,
  "refreshable": true,
  "responseContent": "Bearer error=\"invalid_request\"",
  "subject": "john",
  "sufficient": true,
  "usable": true
}

This API gathers information about an access token.

Request

POST /api/auth/introspection

Content-Type

application/x-www-form-urlencoded
application/json

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`token`	YES	An access token to introspect.
`scopes`	NO	A string array listing names of scopes which the caller (= a protected resource endpoint of the service) requires. When the content type of the request from the service is `application/x-www-form-urlencoded`, the format of `scopes` is a space-separated list of scope names. If this parameter is a non-empty array and if it contains a scope which is not covered by the access token, `action=FORBIDDEN` with `error=insufficient_scope` is returned from Authlete.
`subject`	NO	A subject (= a user account managed by the service) whom the caller (= a protected resource endpoint of the service) requires. If this parameter is not `null` and if the value does not match the subject who is associated with the access token, `action=FORBIDDEN` with `error=invalid_request` is returned from Authlete.
`clientCertificate`	NO	The client certificate in PEM format, used to validate binding against access tokens using the TLS client certificate confirmation method.

Response

Content-Type

application/json

Parameters

Name	Type	Description
`resultCode`	string	The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.
`resultMessage`	string	A short message which explains the result of the API call.
`action`	string	The next action that the service implementation should take. One of the following. Details are described in the description. `INTERNAL_SERVER_ERROR` `BAD_REQUEST` `UNAUTHORIZED` `FORBIDDEN` `OK`
`clientId`	i64	The ID of the client application which is associated with the access token.
`clientIdAlias`	string	The client ID alias when the authorization request or the token request for the access token was made.
`clientIdAliasUsed`	boolean	The flag which indicates whether the client ID alias was used when the authorization request or the token request for the access token was made.
`expiresAt`	i64	The time at which the access token expires.
`subject`	subject	The subject who is associated with the access token. This is null if the access token was issued using the flow of Client Credentials Grant.
`scopes`	string array	Scopes which are associated with the access token.
`existent`	boolean	`true` if the access token exists in the database of Authlete. This does not always mean the access token is usable.
`usable`	boolean	`true` if the access token is usable (= exists and has not expired).
`sufficient`	boolean	`true` if the access token covers all the required scopes.
`refreshable`	boolean	`true` if the access token can be refreshed using the associated refresh token which had been issued along with the access token. `false` if the refresh token for the access token has expired or the access token has no associated refresh token.
`responseContent`	string	The content that the service implementation can use as the value of `WWW-Authenticate` header on errors.
`properties`	Property array	Extra properties associated with the access token. See Extra Properties for details.
`certificateThumbpint`	Property array	The client certificate thumbprint used to validate the access token.

Description

This API is supposed to be called from within the implementations of protected resource endpoints of the service implementation in order to get information about the access token which was presented by the client application.

In general, a client application accesses a protected resource endpoint of a service with an access token, and the implementation of the endpoint checks whether the presented access token has enough privileges (= scopes) to access the protected resource before returning the protected resource to the client application. To achieve this flow, the endpoint implementation has to know detailed information about the access token. Authlete's /auth/introspection API can be used to get such information.

The response from /auth/introspection API has some parameters. Among them, it is action parameter that the service implementation should check first because it denotes the next action that the service implementation should take. According to the value of action, the service implementation must take the steps described below.

INTERNAL_SERVER_ERROR

When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the service implementation was wrong or that an error occurred in Authlete.

The parameter responseContent contains a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage), so if the protected resource of the service implementation wants to return an error response to the client application in the way that complies with RFC 6750 (in other words, if accessTokenType configuration parameter of the service is Bearer), the value of responseContent can be used as the value of WWW-Authenticate header.

The following is an example response which complies with RFC 6750.

HTTP/1.1 500 Internal Server Error
WWW-Authenticate: {responseContent}
Cache-Control: no-store
Pragma: no-cache

BAD_REQUEST

When the value of action is BAD_REQUEST, it means that the request from the client application does not contain an access token (= the request from the service implementation to Authlete does not contain token request parameter).

The following is an example response which complies with RFC 6750.

HTTP/1.1 400 Bad Request
WWW-Authenticate: {responseContent}
Cache-Control: no-store
Pragma: no-cache

UNAUTHORIZED

When the value of action is UNAUTHORIZED, it means that the access token does not exist or has expired.

The following is an example response which complies with RFC 6750.

HTTP/1.1 401 Unauthorized
WWW-Authenticate: {responseContent}
Cache-Control: no-store
Pragma: no-cache

FORBIDDEN

When the value of action is FORBIDDEN, it means that the access token does not cover the required scopes or that the subject associated with the access token is different from the subject contained in the request.

The following is an example response which complies with RFC 6750.

HTTP/1.1 403 Forbidden
WWW-Authenticate: {responseContent}
Cache-Control: no-store
Pragma: no-cache

OK

When the value of action is OK, it means that the access token which the client application presented is valid (= exists and has not expired).

The implementation of the protected resource endpoint is supposed to return the protected resource to the client application.

When action is OK, the value of responseContent is "Bearer error=\"invalid_request\"". This is the simplest string which can be used as the value of WWW-Authenticate header to indicate "400 Bad Request". The implementation of the protected resource endpoint may use this string to tell the client application that the request was bad (e.g. in case necessary request parameters for the protected resource endpoint are missing). However, in such a case, the implementation should generate a more informative error message to help developers of client applications.

The following is an example error response which complies with RFC 6750.

HTTP/1.1 400 Bad Request
WWW-Authenticate: {responseContent}
Cache-Control: no-store
Pragma: no-cache

Basically, responseContent is a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage). So, if the service has selected Bearer as the value of accessTokenType configuration parameter, the value of responseContent can be used directly as the value of WWW-Authenticate header. However, if the service has selected another different token type, the service has to generate error messages for itself.

/auth/introspection/standard API

curl -v -X POST https://api.authlete.com/api/auth/introspection/standard \
-H "Content-Type:application/json" \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
-d '{ "parameters":"token=VFGsNK-5sXiqterdaR7b5QbRX9VTwVCQB87jbr2_xAI&token_type_hint=access_token" }'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

// Extract request parameters which comply with the introspection request defined
// in "2.1. Introspection Request" in RFC 7662.
String parameters = extractRequestParameters();

StandardIntrospectionRequest request = new StandardIntrospectionRequest().setParameters(parameters);

api.standardIntrospection(request);

# This API is not supported yet.

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

// Extract request parameters which comply with the introspection request defined
// in "2.1. Introspection Request" in RFC 7662.
string parameters = ExtractRequestParameters();

StandardIntrospectionRequest request = new StandardIntrospectionRequest();
request.Parameters = parameters;

await api.StandardIntrospection(request);

{
  "type": "standardIntrospectionResponse",
  "resultCode": "A145001",
  "resultMessage": "[A145001] Introspection was performed successfully (type=access_token, active=true).",
  "action": "OK",
  "responseContent": "{\"exp\":1513679256,\"sub\":\"john\",\"scope\":null,\"iss\":\"https://authlete.com\",\"aud\":[\"57297408867\"],\"active\":true,\"token_type\":\"Bearer\",\"client_id\":\"57297408867\"}"
}

This API exists to help your authorization server provide its own introspection API which complies with RFC 7662 (OAuth 2.0 Token Introspection).

Request

POST /api/auth/introspection/standard

Content-Type

application/x-www-form-urlencoded
application/json

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name Required Description

parameters

YES

Request parameters which comply with the introspection request defined in "2.1. Introspection Request" in RFC 7662. The following is an example value of parameters.

token=pNj1h24a4geA_YHilxrshkRkxJDsyXBZWKp3hZ5ND7A&token_type_hint=access_token

The implementation of the introspection endpoint of your service will receive an HTTP POST [RFC 7231] request with parameters in the application/x-www-form-urlencoded format. It is the entity body of the request that Authlete's /api/auth/introspection/standard API expects as the value of parameters.

Response

Content-Type

application/json

Parameters

Name	Type	Description
`resultCode`	string	The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.
`resultMessage`	string	A short message which explains the result of the API call.
`action`	string	The next action that the service implementation should take. One of the following. Details are described in the description. `INTERNAL_SERVER_ERROR` `BAD_REQUEST` `OK`
`responseContent`	string	The response content which can be used as the entity body of the response returned to the client application.

Description

This API is supposed to be called from within the implementations of the introspection endpoint of your service. The service implementation should retrieve the value of action from the response and take the following steps according to the value.

INTERNAL_SERVER_ERROR

When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the service implementation was wrong or that an error occurred in Authlete.

The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response if you want. Note that, however, RFC 7662 does not mention anything about the response body of error responses.

The following illustrates an example response which the introspection endpoint of the service implementation generates and returns to the client application.

HTTP/1.1 500 Internal Server Error
Content-Type: application/json

{responseContent}

BAD_REQUEST

When the value of action is BAD_REQUEST, it means that the request from the client application is invalid. This happens when the request from the client did not include the token request parameter. See "2.1. Introspection Request" in RFC 7662 for details about requirements for introspection requests.

The HTTP status of the response returned to the client application should be "400 Bad Request".

The following illustrates an example response which the introspection endpoint of the service implementation generates and returns to the client application.

HTTP/1.1 400 Bad Request
Content-Type: application/json

{responseContent}

OK

When the value of action is OK, the request from the client application is valid.

The HTTP status of the response returned to the client application must be "200 OK" and its content type must be application/json.

The parameter responseContent contains a JSON string which complies with the introspection response defined in "2.2. Introspection Response" in RFC7662.

The following illustrates the response which the introspection endpoint of your service implementation should generate and return to the client application.

 HTTP/1.1 200 OK
Content-Type: application/json

{responseContent}

Note that RFC 7662 says "To prevent token scanning attacks, the endpoint MUST also require some form of authorization to access this endpoint". This means that you have to protect your introspection endpoint in some way or other. Authlete does not care about how your introspection endpoint is protected. In most cases, as mentioned in RFC 7662, "401 Unauthorized" is a proper response when an introspection request does not satisfy authorization requirements imposed by your introspection endpoint.

Revocation Endpoint

/auth/revocation API

curl -v -X POST https://api.authlete.com/api/auth/revocation \
-H 'Content-Type:application/json' \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
-d '{ "parameters": "token=VFGsNK-5sXiqterdaR7b5QbRX9VTwVCQB87jbr2_xAI&token_type_hint=access_token" }'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

// Extract request parameters that the OAuth 2.0 token revocation endpoint of 
// this OAuth 2.0 serever implementation received from the client application.
String parameters = extractRequestParameters();

RevocationRequest request = new RevocationRequest().setParameters(parameters);

api.revocation(request);

# This API is not supported yet.

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

// Extract request parameters that the OAuth 2.0 token revocation endpoint of 
// this OAuth 2.0 serever implementation received from the client application.
string parameters = ExtractRequestParameters();

RevocationRequest request = new RevocationRequest();
request.Parameters = parameters;

await api.Revocation(request);

{
  "type": "revocationResponse",
  "resultCode": "A113001",
  "resultMessage": "[A113001] The token has been revoked successfully.",
  "action": "OK"
}

This API revokes access tokens and refresh tokens.

Request

POST /api/auth/revocation

Content-Type

application/x-www-form-urlencoded
application/json

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name Required Description

parameters

YES

OAuth 2.0 token revocation request parameters which are the request parameters that the OAuth 2.0 token revocation endpoint (RFC 7009) of the service implementation received from the client application.

The value of parameters is the entire entity body (which is formatted in application/x-www-form-urlencoded) of the request from the client application.

clientId

The client ID extracted from Authorization header of the token request from the client application.

If the token revocation endpoint of the service implementation supports Basic Authentication as a means of client authentication, and the request from the client application contains its client ID in Authorization header, the value should be extracted and set to this parameter.

clientSecret

The client secret extracted from Authorization header of the token request from the client application.

If the token revocation endpoint of the service implementation supports Basic Authentication as a means of client authentication, and the request from the client application contains its client secret in Authorization header, the value should be extracted and set to this parameter.

Response

Content-Type

application/json

Parameters

Name	Type	Description
`resultCode`	string	The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.
`resultMessage`	string	A short message which explains the result of the API call.
`action`	string	The next action that the service implementation should take. One of the following. Details are described in the description. `INVALID_CLIENT` `INTERNAL_SERVER_ERROR` `BAD_REQUEST` `OK`
`responseContent`	string	The content that the service implementation is to return to the client application. Its format is JSON.

Description

This API is supposed to be called from within the implementation of the revocation endpoint (RFC 7009) of the service implementation in order to revoke access tokens and refresh tokens.

The response from /auth/revocation API has some parameters. Among them, it is action parameter that the service implementation should check first because it denotes the next action that the service implementation should take. According to the value of action, the service implementation must take the steps described below.

INVALID_CLIENT

When the value of action is INVALID_CLIENT, it means that authentication of the client failed. In this case, the HTTP status of the response to the client application is either "400 Bad Request" or "401 Unauthorized". The description about invalid_client shown below is an excerpt from RFC 6749.

invalid_client: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the WWW-Authenticate response header field matching the authentication scheme used by the client.

In either case, the value of responseContent contains a JSON string which can be used as the entity body of the response to the client application.

The following illustrates the response which the service implementation should generate and return to the client application.

HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
 
{responseContent}

HTTP/1.1 401 Unauthorized
WWW-Authenticate: {challenge}
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
 
{responseContent}

INTERNAL_SERVER_ERROR

When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the service implementation was wrong or that an error occurred in Authlete.

The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

The following illustrates the response which the service implementation should generate and return to the client application.

HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
 
{responseContent}

BAD_REQUEST

When the value of action is BAD_REQUEST, it means that the request from the client application is invalid.

The HTTP status of the response returned to the client application must be "400 Bad Request" and the content type must be application/json. RFC 7009, 2.2.1. Error Response states "The error presentation conforms to the definition in Section 5.2 of [RFC 6749]."

The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

The following illustrates the response which the service implementation should generate and return to the client application.

HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
 
{responseContent}

OK

When the value of action is OK, it means that the request from the client application is valid and the presented token has been revoked successfully or if the client submitted an invalid token. Note that invalid tokens do not cause an error. See 2.2. Revocation Response for details.

The HTTP status of the response returned to the client application must be 200 OK.

If the original request from the client application contains callback request parameter and its value is not empty, the content type should be application/javascript and the content should be a JavaScript snippet for JSONP.

The parameter responseContent contains a JavaScript snippet if the original request from the client application contains callback request parameter and its value is not empty. Otherwise, the value of responseContent is null.

HTTP/1.1 200 OK
Content-Type: application/javascript
Cache-Control: no-store
Pragma: no-cache
 
{responseContent}

Userinfo Endpoint

/auth/userinfo API

curl -v -X POST https://api.authlete.com/api/auth/userinfo \
-H 'Content-Type:application/json' \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
-d '{ "token": "Ntm9MDb8WXQAevqrBkd84KTTHbYHVQrTjgUZCOWqEUI" }'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

// An access token to get user information.
String token = "Ntm9MDb8WXQAevqrBkd84KTTHbYHVQrTjgUZCOWqEUI";

UserInfoRequest request = new UserInfoRequest().setToken(token);

api.userinfo(request);

# This API is not supported yet.

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

// An access token to get user information.
string token = "Ntm9MDb8WXQAevqrBkd84KTTHbYHVQrTjgUZCOWqEUI";

UserInfoRequest request = new UserInfoRequest();
request.Token = token;

await api.UserInfo(request);

{
  "type": "userInfoResponse",
  "resultCode": "A091001",
  "resultMessage": "[A091001] The access token presented at the userinfo endpoint is valid.",
  "action": "OK",
  "clientId": 57297408867,
  "clientIdAliasUsed": false,
  "scopes": ["openid"],
  "subject": "john",
  "token": "Ntm9MDb8WXQAevqrBkd84KTTHbYHVQrTjgUZCOWqEUI"
}

This API gathers information about a user.

Request

POST /api/auth/userinfo

Content-Type

application/json

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name Required Description

token

YES

An access token to get user information.

clientCertificate

The client certificate used in the TLS connection established between the client application and the userinfo endpoint.

The value of this request parameter is referred to when the access token given to the userinfo endpoint was bound to a client certificate when it was issued. See " OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens" for details about the specification of certificate-bound access tokens.

Response

Content-Type

application/x-www-form-urlencoded
application/json

Parameters

Name	Type	Description
`resultCode`	string	The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.
`resultMessage`	string	A short message which explains the result of the API call.
`action`	string	The next action that the service implementation should take. One of the following. Details are described in the description. `INTERNAL_SERVER_ERROR` `BAD_REQUEST` `UNAUTHORIZED` `FORBIDDEN` `OK`
`claims`	string array	The list of claims that the client application requests to be embedded in the ID token.
`clientId`	i64	The ID of the client application which is associated with the access token.
`clientIdAlias`	string	The client ID alias when the authorization request for the access token was made.
`clientIdAliasUsed`	boolean	The flag which indicates whether the client ID alias was used when the authorization request for the access token was made.
`responseContent`	string	The content that the service implementation can use as the value of `WWW-Authenticate` header on errors.
`scopes`	string array	The scopes covered by the access token.
`subject`	string	The subject (= resource owner's ID).
`token`	string	The access token that came along with the userinfo request.

Description

This API is supposed to be called from within the implementation of the UserInfo Endpoint of the service in order to get information about the user that is associated with an access token.

The response from /auth/userinfo API has various parameters. Among them, it is action parameter that the service implementation should check first because it denotes the next action that the service implementation should take. According to the value of action, the service implementation must take the steps described below.

INTERNAL_SERVER_ERROR

When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the service implementation was wrong or that an error occurred in Authlete.

The parameter responseContent returns a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage) so the UserInfo Endpoint implementation of your service can use the value of responseContent as the value of WWW-Authenticate header.

The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from UserInfo Endpoint comply with RFC 6750. See 5.3.3. UserInfo Response for details.

HTTP/1.1 500 Internal Server Error
WWW-Authenticate: {responseContent}
Cache-Control: no-store
Pragma: no-cache

BAD_REQUEST

The parameter responseContent contains a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage), so the UserInfo Endpoint implementation of your service can use the value of responseContent as the value of WWW-Authenticate header.

HTTP/1.1 400 Bad Request
WWW-Authenticate: {responseContent}
Cache-Control: no-store
Pragma: no-cache

UNAUTHORIZED

When the value of action is UNAUTHORIZED, it means that the access token does not exist, has expired, or is not associated with any subject (= any user account).

HTTP/1.1 401 Unauthorized
WWW-Authenticate: {responseContent}
Cache-Control: no-store
Pragma: no-cache

FORBIDDEN

When the value of action is FORBIDDEN, it means that the access token does not include the openid scope.

HTTP/1.1 403 Forbidden
WWW-Authenticate: {responseContent}
Cache-Control: no-store
Pragma: no-cache

OK

When the value of action is OK, it means that the access token which the client application presented is valid. To be concrete, it means that the access token exists, has not expired, includes the openid scope, and is associated with a subject (= a user account).

What the UserInfo Endpoint of your service should do next is to collect information about the subject (user) from your database. The value of the subject is contained in the subject parameter in the response from this API and the names of data, i.e., the claims names are contained in the claims parameter in the response. For example, if the subject parameter is joe123 and the claims parameter is ["given_name", "email"], you need to extract information about joe123's given name and email from your database.

Then, call Authlete's /auth/userinfo/issue API with the collected information and the access token in order to make Authlete generate an ID token.

If an error occurred during the above steps, generate an error response to the client. The response should comply with RFC 6750. For example, if the subject associated with the access token does not exist in your database any longer, you may feel like generating a response like below.

HTTP/1.1 400 Bad Request
WWW-Authenticate: Bearer error="invalid_token",
 error_description="The subject associated with the access token does not exist."
Cache-Control: no-store
Pragma: no-cache

Also, an error might occur on database access. If you treat the error as an internal server error, then the response would be like the following.

HTTP/1.1 500 Internal Server Error
WWW-Authenticate: Bearer error="server_error",
 error_description="Failed to extract information about the subject from the database."
Cache-Control: no-store
Pragma: no-cache

/auth/userinfo/issue API

curl -v -X POST https://api.authlete.com/api/auth/userinfo/issue \
-H 'Content-Type:application/json' \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
-d '{ "token": "Ntm9MDb8WXQAevqrBkd84KTTHbYHVQrTjgUZCOWqEUI" }'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

// The access token that has been passed to the service's UserInfo Endpoint by the client application.
String token = "Ntm9MDb8WXQAevqrBkd84KTTHbYHVQrTjgUZCOWqEUI"

UserInfoIssueRequest request = new UserInfoIssueRequest().setToken(token);

api.userinfoIssue(request);

# This API is not supported yet.

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

// The access token that has been passed to the service's UserInfo Endpoint by the client application.
string token = "Ntm9MDb8WXQAevqrBkd84KTTHbYHVQrTjgUZCOWqEUI";

UserInfoIssueRequest request = new UserInfoIssueRequest();
request.Token = token;

await api.UserInfoIssue(request);

{
  "type": "userInfoIssueResponse",
  "resultCode": "A096001",
  "resultMessage": "[A096001] An ID token was generated successfully.",
  "action": "JSON",
  "responseContent": "{\"exp\":1511600971,\"sub\":\"john\",\"aud\":[\"57297408867\"],\"iss\":\"https://authlete.com\",\"iat\":1511514571}"
}

This API generates an ID token.

Request

POST /api/auth/userinfo/issue

Content-Type

application/x-www-form-urlencoded
application/json

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`token`	YES	The access token that has been passed to the service's UserInfo Endpoint by the client application. In other words, the access token which was contained in the userinfo request.
`claims`	NO	Claims in JSON format. As for the format, see "OpenID Connect Core 1.0, 5.1. Standard Claims".
`sub`	NO	The value of the `sub` claim. If the value of this request parameter is not empty, it is used as the value of the `sub` claim. Otherwise, the value of the subject associated with the access token is used.

Response

Content-Type

application/json

Parameters

Name	Type	Description
`resultCode`	string	The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.
`resultMessage`	string	A short message which explains the result of the API call.
`action`	string	The next action that the service implementation should take. One of the following. Details are described in the description. `INTERNAL_SERVER_ERROR` `BAD_REQUEST` `UNAUTHORIZED` `FORBIDDEN` `JSON` `JWT`
`responseContent`	string	The content that the service implementation can use as the value of `WWW-Authenticate` header on errors.

Description

This API is supposed to be called from within the implementation of the UserInfo Endpoint of the service in order to generate an ID token. Before calling this API, a valid response from /auth/userinfo API must be obtained. Then, call this API with the access token contained in the response and the claims values of the user (subject) associated with the access token. See OK written in the description of /auth/userinfo API for details.

The response from /auth/userinfo/issue API has various parameters. Among them, it is action parameter that the service implementation should check first because it denotes the next action that the service implementation should take. According to the value of action, the service implementation must take the steps described below.

INTERNAL_SERVER_ERROR

When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the service implementation was wrong or that an error occurred in Authlete.

HTTP/1.1 500 Internal Server Error
WWW-Authenticate: {responseContent}
Cache-Control: no-store
Pragma: no-cache

BAD_REQUEST

HTTP/1.1 400 Bad Request
WWW-Authenticate: {responseContent}
Cache-Control: no-store
Pragma: no-cache

UNAUTHORIZED

When the value of action is UNAUTHORIZED, it means that the access token does not exist, has expired, or is not associated with any subject (= any user account).

HTTP/1.1 401 Unauthorized
WWW-Authenticate: {responseContent}
Cache-Control: no-store
Pragma: no-cache

FORBIDDEN

When the value of action is FORBIDDEN, it means that the access token does not include the openid scope.

HTTP/1.1 403 Forbidden
WWW-Authenticate: {responseContent}
Cache-Control: no-store
Pragma: no-cache

JSON

When the value of action is JSON, it means that the access token which the client application presented is valid and an ID token was successfully generated in the format of JSON.

The UserInfo Endpoint of your service is expected to generate a response to the client application. The content type of the response must be application/json and the response body must be an ID token in JSON format.

The parameter responseContent contains the ID token in JSON format when action is JSON, so a response to the client can be built like below.

HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
 
{responseContent}

JWT

When the value of action is JWT, it means that the access token which the client application presented is valid and an ID token was successfully generated in the format of JWT (JSON Web Token) (RFC 7519)

The UserInfo Endpoint of your service is expected to generate a response to the client application. The content type of the response must be application/jwt and the response body must be an ID token in JWT format.

The parameter responseContent contains the ID token in JWT format when action is JWT, so a response to the client can be built like below.

HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/jwt
 
{responseContent}

JWK Set Endpoint

/service/jwks/get API

curl -v https://api.authlete.com/api/service/jwks/get?pretty=true \
-H 'Content-Type:application/json' \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

api.getServiceJwks();

# This API is not supported yet.

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

await api.GetServiceJwks();

{
  "keys": [
    {
      "e": "AQAB",
      "n": "kVXi0XB8LGYZfFPXymaszWjBQsO22tasQH3PEiPeLSymBHbp7PtqM8O8xblqhbxV-24lKNs2zDugQaBiVt4zpalyYxL5kqnfY247priZRfmeUatdECh81T-i3VcLpz_M5yfljfVp3sFdaURUQNA3ow9VtUfvPIxN_9YIxXN1zP2nLP5amC2XA8xMt5iubRwbbPbrLyg69zTOzosDVhRTSs5adHK5HNwVn8wCCZPbU7u1cQD8hFNn8xlQcmOmJjSXUQ9slBpLc7G-dUEOI59RxiPd4R44GtSe8gA1WFXvOAdtGjivSm8BAbxuNO8HFtDJmpVl9YsDr9FsxirFl9ZPKs",
      "kty": "RSA",
      "use": "sig",
      "kid": "rsa-sig-001"
    },
    {
      "e": "AQAB",
      "n": "lQui3_DlrkLs_dyaOQBOclphIIRTTMo0gNlnAgfEM9xjbYQJQzi0CLtO6eseecE3HtvDBWVTw-rMM_NMJTlPTO0_ODWvmJRjXy9DZGEm05LFd_qr6jZ7cdOvjD7zUC3GI9TIokPbjGzueBPJjtAvv_tAazRFCQQfiFy7sQR3u-J4tM8fNo9szo9H09R_eA29llZ3hU39JDKs9nzG60I1mVZtJYPx0_bnO8eYeVDHqoj4SZ4jeru3iX9iDeccH_cDm3M87UomUh-Ri4LlAxXgewDvOaPxAef9ADkDvBVmRo5t60_PJxQ3Tug2EKK-xF1_T7I4TxgS7ga8entMmCxLca",
      "kty": "RSA",
      "use": "enc",
      "kid": "rsa-enc-001"
    },
    {
      "crv": "P-256",
      "kty": "EC",
      "use": "sig",
      "y": "824At71mYpbGK2oOCKAL1Z2scLPrbVwhM882v3a9gBq",
      "x": "ZXE3h9BxCyyb_Z9ZJ5qH4Vx650y09qwI1EpZO4o4OmL",
      "kid": "ec256-sig-001"
    },
    {
      "crv": "P-256",
      "kty": "EC",
      "use": "enc",
      "y": "j80Y3leZHHnxC_gN-Ols_l_VfEBQkfGDFFDG5LNJKMl",
      "x": "xAdEkaExYWGGAC1xYjwxzvqcaCyDloylZk04yiE9_OF",
      "kid": "ec256-enc-001"
    }
  ]
}

This API gathers JWK Set information for a service so that its client applications can verify signatures by the service and encrypt their requests to the service.

Request

GET /service/jwks/get

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`includePrivateKeys`	NO	This boolean value indicates whether the response should include the private keys associated with the service or not. If `true`, the private keys are included in the response. The default value is false.
`pretty`	NO	This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. The default value is false.

Response

Content-Type

application/json

Parameters

A JSON which represents the JWK Set of the service.

Description

This API is supposed to be called from within the implementation of the JWK Set Endpoint of the service where the service that supports OpenID Connect must expose its JWK Set information so that client applications can verify signatures by the service and encrypt their requests to the service. The URI of the endpoint can be found as the value of jwks_uri in OpenID Provider Metadata if the service supports OpenID Connect Discovery 1.0.

Discovery Endpoint

/service/configuration API

curl -v https://api.authlete.com/api/service/configuration?pretty=true \
-H "Content-Type:application/json" \
-u "10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE"

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

api.getServiceConfiguration();

# This API is not supported yet.

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

await api.GetServiceConfiguration();

{
  "issuer": "https://authlete.com",
  "authorization_endpoint": "https://api.authlete.com/api/auth/authorization/direct/10167240235",
  "token_endpoint": "https://api.authlete.com/api/auth/token/direct/10167240235",
  "userinfo_endpoint": "https://api.authlete.com/api/auth/userinfo/direct/10167240235",
  "jwks_uri": "https://api.authlete.com/api/service/jwks/get/direct/10167240235",
  "scopes_supported": [
    "address",
    "email",
    "openid",
    "offline_access",
    "phone",
    "profile"
  ],
  "response_types_supported": [
    "none",
    "id_token",
    "code token",
    "code id_token",
    "id_token token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post",
    "query.jwt",
    "fragment.jwt",
    "form_post.jwt",
    "jwt"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "password",
    "client_credentials",
    "refresh_token"
  ],
  "acr_values_supported": [
    "urn:mace:incommon:iap:silver",
    "urn:openbanking:psd2:sca",
    "urn:openbanking:psd2:ca"
  ],
  "subject_types_supported": [
    "public",
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "PS256",
    "PS384",
    "PS512"
  ],
  "id_token_encryption_alg_values_supported": [
    "RSA1_5",
    "RSA-OAEP",
    "RSA-OEAP-256",
    "A128KW",
    "A192KW",
    "A256KW",
    "dir",
    "ECDH-ES",
    "ECDH-ES+A128KW",
    "ECDH-ES+A192KW",
    "ECDH-ES+A256KW",
    "A128GCMKW",
    "A192GCMKW",
    "A256GCMKW",
    "PBES2-HS256+A128KW",
    "PBES2-HS384+A192KW",
    "PBES2-HS512+A256KW"
  ],
  "id_token_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512",
    "A128GCM",
    "A192GCM",
    "A256GCM"
  ],
  "userinfo_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "PS256",
    "PS384",
    "PS512"
  ],
  "userinfo_encryption_alg_values_supported": [
    "RSA1_5",
    "RSA-OAEP",
    "RSA-OEAP-256",
    "A128KW",
    "A192KW",
    "A256KW",
    "dir",
    "ECDH-ES",
    "ECDH-ES+A128KW",
    "ECDH-ES+A192KW",
    "ECDH-ES+A256KW",
    "A128GCMKW",
    "A192GCMKW",
    "A256GCMKW",
    "PBES2-HS256+A128KW",
    "PBES2-HS384+A192KW",
    "PBES2-HS512+A256KW"
  ],
  "userinfo_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512",
    "A128GCM",
    "A192GCM",
    "A256GCM"
  ],
  "request_object_signing_alg_values_supported": [
    "none",
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "PS256",
    "PS384",
    "PS512"
  ],
  "request_object_encryption_alg_values_supported": [
    "RSA1_5",
    "RSA-OAEP",
    "RSA-OEAP-256",
    "A128KW",
    "A192KW",
    "A256KW",
    "dir",
    "ECDH-ES",
    "ECDH-ES+A128KW",
    "ECDH-ES+A192KW",
    "ECDH-ES+A256KW",
    "A128GCMKW",
    "A192GCMKW",
    "A256GCMKW",
    "PBES2-HS256+A128KW",
    "PBES2-HS384+A192KW",
    "PBES2-HS512+A256KW"
  ],
  "request_object_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512",
    "A128GCM",
    "A192GCM",
    "A256GCM"
  ],
  "authorization_signing_alg_values_supported": [
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "PS256",
    "PS384",
    "PS512"
  ],
  "authorization_encryption_alg_values_supported": [
    "RSA1_5",
    "RSA-OAEP",
    "RSA-OEAP-256",
    "A128KW",
    "A192KW",
    "A256KW",
    "dir",
    "ECDH-ES",
    "ECDH-ES+A128KW",
    "ECDH-ES+A192KW",
    "ECDH-ES+A256KW",
    "A128GCMKW",
    "A192GCMKW",
    "A256GCMKW",
    "PBES2-HS256+A128KW",
    "PBES2-HS384+A192KW",
    "PBES2-HS512+A256KW"
  ],
  "authorization_encryption_enc_values_supported": [
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512",
    "A128GCM",
    "A192GCM",
    "A256GCM"
  ],
  "token_endpoint_auth_methods_supported": [
    "none",
    "client_secret_basic",
    "client_secret_post"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "PS256",
    "PS384",
    "PS512"
  ],
  "display_values_supported": [
    "page",
    "popup",
    "touch",
    "wap"
  ],
  "claim_types_supported": [
    "normal"
  ],
  "claims_supported": [
    "sub",
    "website",
    "zoneinfo",
    "email_verified",
    "birthdate",
    "address",
    "gender",
    "profile",
    "phone_number_verified",
    "preferred_username",
    "given_name",
    "middle_name",
    "locale",
    "picture",
    "updated_at",
    "name",
    "nickname",
    "phone_number",
    "family_name",
    "email",
    "openbanking_intent_id",
    "acr"
  ],
  "claims_parameter_supported": true,
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": true,
  "revocation_endpoint": "https://api.authlete.com/api/auth/revocation/direct/10167240235",
  "revocation_endpoint_auth_methods_supported": [],
  "revocation_endpoint_auth_signing_alg_values_supported": [
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "PS256",
    "PS384",
    "PS512"
  ],
  "introspection_endpoint_auth_methods_supported": [],
  "introspection_endpoint_auth_signing_alg_values_supported": [
    "HS256",
    "HS384",
    "HS512",
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "PS256",
    "PS384",
    "PS512"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ],
  "tls_client_certificate_bound_access_tokens": false,
  "backchannel_token_delivery_modes_supported": [],
  "backchannel_authentication_request_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "RS512",
    "ES256",
    "ES384",
    "ES512",
    "PS256",
    "PS384",
    "PS512"
  ],
  "backchannel_user_code_parameter_supported": false
}

This API gathers configuration information of a service.

Request

GET /service/configuration

Content-Type

application/json

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`pretty`	NO	This boolean value indicates whether the JSON in the response should be formatted or not. If `true`, the JSON in the response is pretty-formatted. The default value is false.

Response

Content-Type

application/json

Parameters

A JSON which represents the configuration of the service. The detailed format is described in OpenID Provider Configuration Response

Description

This API is supposed to be called from within the implementation of the Configuration Endpoint of the service where the service that supports OpenID Connect and OpenID Connect Discovery 1.0 must expose its configuration information in a JSON format. Details about the format are described in "3. OpenID Provider Metadata" in OpenID Connect Discovery 1.0.

Token Operations

/auth/token/get/list API

curl -v https://api.authlete.com/api/auth/token/get/list/john?start=0\&end=3 \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

int start = 0;
int end   = 3;

api.getTokenList(start, end);

# This API is not supported yet.

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

int start = 0;
int end   = 3;

await api.GetTokenList(start, end);

{
  "accessTokens": [
    {
      "accessTokenExpiresAt": 1527583747000,
      "accessTokenHash": "kjjduowWXMPiHt1AjxbgkqWANOsVWQfKYCyFO76q1MU",
      "clientId": 11867130158,
      "createdAt": 1527497347000,
      "grantType": "AUTHORIZATION_CODE",
      "lastRefreshedAt": 0,
      "refreshTokenExpiresAt": 1528361347000,
      "refreshTokenHash": "hCkIkuS6py0drpe5XOybw0MxkgsYNOk2q3dtilLiI64",
      "scopes": ["openid"],
      "subject": "john"
    }, 
    {...},
    {...}
  ],
  "client": {...}
  "end": 3,
  "start": 0,
  "totalCount": 15
}

Get a list of access tokens.

Request

GET /auth/token/get/list

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`clientIdentifier`	NO	Client Identifier (client ID or client ID alias).
`subject`	NO	Unique user ID.
`start`	NO	Start index of search results (inclusive). The default value is 0.
`end`	NO	End index of search results (exclusive). The default value is 5.

Response

Content-Type

application/json

Parameters

Name	Type	Description
`start`	i32	Start index of search results (inclusive).
`end`	i32	End index of search results (exclusive).
`totalCount`	i32	The total number of access tokens that meet the conditions.
`client`	Client	The client associated with the access tokens.
`subject`	string	The identifier of the user associated with the access tokens.
`accessTokens`	AccessToken array	An array of access tokens.

/auth/token/create API

curl -v -X POST https://api.authlete.com/api/auth/token/create \
-H 'Content-Type:application/json' \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
-d '{ "grantType": "AUTHORIZATION_CODE", "clientId": 57297408867, "subject": "john", "scopes": [ "openid" ] }'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

TokenCreateRequest request = new TokenCreateRequest()
  .setGrantType(GrantType.AUTHORIZATION_CODE)
  .setClientId(57297408867)
  .setSubject("john")
  .setScopes({ "openid" });

api.tokenCreate(request);

# This API is not supported yet.

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

TokenCreateRequest request = new TokenCreateRequest();
request.GrantType = GrantType.AUTHORIZATION_CODE;
request.ClientId  = 57297408867;
request.Subject   = "john";
request.Scopes    = { "openid" };

await api.TokenCreate(request);

{
  "type": "tokenCreateResponse",
  "resultCode": "A109001",
  "resultMessage": "[A109001] An access token was created successfully: authorization_code, client = 57297408867",
  "accessToken": "ILuFMMKP-oTY9hFVSUKo9NKiyOwyrcSvxNicxSQ9maA",
  "action": "OK",
  "clientId": 57297408867,
  "expiresAt": 1511246182637,
  "expiresIn": 86400,
  "grantType": "AUTHORIZATION_CODE",
  "refreshToken": "zRMu25sREDJS9qRZUr3j9Qb_hrUZxSUQRkahi0giyyZ",
  "subject": "john",
  "tokenType": "Bearer"
}

Create an access token.

Request

GET /api/auth/token/create
POST /api/auth/token/create

Content-Type

application/x-www-form-urlencoded (POST only)
application/json (POST only)

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`grantType`	YES	The grant type for a newly created access token. One of the following. `REFRESH_TOKEN` is not allowed. `AUTHORIZATION_CODE` `IMPLICIT` `PASSWORD` `CLIENT_CREDENTIALS` When `grantType` is either `IMPLICIT` or `CLIENT_CREDENTIALS`, a refresh token is not issued. See the description of grant types for details about the values above.
`clientId`	YES	The ID of the client application which will be associated with a newly created access token.
`subject`	CONDITIONALLY REQUIRED	The subject (= unique identifier) of the user who will be associated with a newly created access token. This parameter is required unless the grant type is `CLIENT_CREDENTIALS`. The value must consist of only ASCII characters and its length must not exceed 100.
`scopes`	NO	The scopes which will be associated with a newly created access token. Scopes that are not supported by the service cannot be specified and requesting them will cause an error.
`accessTokenDuration`	NO	The duration of a newly created access token in seconds. If the value is 0, the duration is determined according to the settings of the service.
`refreshTokenDuration`	NO	The duration of a newly created refresh token in seconds. If the value is 0, the duration is determined according to the settings of the service. A refresh token is not created (1) if the service does not support `REFRESH_TOKEN`, or (2) if the specified grant type is either `IMPLICIT` or `CLIENT_CREDENTIALS`.
`properties`	NO	Extra properties to associate with a newly created access token. Note that `properties` parameter is accepted only when the HTTP method of the request is `POST` and Content-Type of the request is `application/json`, so don't use `GET` method or `application/x-www-form-urlencoded` if you want to specify properties. See Extra Properties for details.
`clientIdAliasUsed`	NO	A boolean request parameter which indicates whether to emulate that the client ID alias is used instead of the original numeric client ID when a new access token is created. This has an effect only on the value of the `aud` claim in a response from UserInfo endpoint. When you access the UserInfo endpoint (which is expected to be implemented using Authlete's `/api/auth/userinfo` API and `/api/auth/userinfo/issue` API) with an access token which has been created using Authlete's `/api/auth/token/create` API with this property (`clientIdAliasUsed`) true, the client ID alias is used as the value of the `aud` claim in a response from the UserInfo endpoint. Note that if a client ID alias is not assigned to the client when Authlete's `/api/auth/token/create` API is called, this property (`clientIdAliasUsed`) has no effect (it is always regarded as `false`).
`accessToken`	NO	The value of the new access token. The `/api/auth/token/create` API generates an access token. Therefore, callers of the API do not have to specify values of newly created access tokens. However, in some cases, for example, if you want to migrate existing access tokens from an old system to Authlete, you may want to specify values of access tokens. In such a case, you can specify the value of a newly created access token by passing a non-null value as the value of `accessToken` request parameter. The implementation of the `/api/auth/token/create` uses the value of the `accessToken` request parameter instead of generating a new value when the request parameter holds a non-null value. Note that if the hash value of the specified access token already exists in Authlete's database, the access token cannot be inserted and the `/api/auth/token/create` API will report an error.
`refreshToken`	NO	The value of the new refresh token. The `/api/auth/token/create` API may generate a refresh token. Therefore, callers of the API do not have to specify values of newly created refresh tokens. However, in some cases, for example, if you want to migrate existing refresh tokens from an old system to Authlete, you may want to specify values of refresh tokens. In such a case, you can specify the value of a newly created refresh token by passing a non-null value as the value of `refreshToken` request parameter. The implementation of the `/api/auth/token/create` uses the value of the `refreshToken` request parameter instead of generating a new value when the request parameter holds a non-null value. Note that if the hash value of the specified refresh token already exists in Authlete's database, the refresh token cannot be inserted and the `/api/auth/token/create` API will report an error.
`accessTokenPersistent`	NO	Get whether the access token expires or not. By default, all access tokens expire after a period of time determined by their service. If this request parameter is true then the access token will not automatically expire and must be revoked or deleted manually at the service. If this request parameter is `true`, the `accessTokenDuration` request parameter is ignored.

Response

Content-Type

application/json

Parameters

Name	Type	Description
`resultCode`	string	The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.
`resultMessage`	string	A short message which explains the result of the API call.
`action`	string	The next action that the service implementation should take. One of the following. Details are described in the description. `INTERNAL_SERVER_ERROR` `BAD_REQUEST` `FORBIDDEN` `OK`
`accessToken`	string	The newly issued access token.
`clientId`	i64	The ID of the client application which is associated with the access token.
`expiresAt`	i64	The time at which the access token expires.
`expiresIn`	i64	The duration of the newly issued access token in seconds.
`grantType`	GrantType	The grant type for the newly issued access token.
`properties`	Property array	The properties associated with the access token. See Extra Properties for details.
`refreshToken`	string	The newly issued refresh token.
`scopes`	string array	Scopes which are associated with the access token.
`subject`	string	The subject (= unique identifier) of the user associated with the newly issued access token.
`tokenType`	string	The token type of the access token.

/auth/token/update API

curl -v -X POST https://api.authlete.com/api/auth/token/update \
-H 'Content-Type:application/json' \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
-d '{ "accessToken": "JDGiiM9PuWT63FIwGjG9eYlGi-aZMq6CQ2IB475JUxs", "scopes": ["email", "openid"] }'

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

TokenUpdateRequest request = new TokenUpdateRequest()
  .setAccessToken("JDGiiM9PuWT63FIwGjG9eYlGi-aZMq6CQ2IB475JUxs")
  .setScopes({ "email", "openid" });

api.tokenUpdate(request);

# This API is not supported yet.

IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
IAuthleteApi api            = new AuthleteApi(conf);

TokenUpdateRequest request = new TokenUpdateRequest();
request.AccessToken = "JDGiiM9PuWT63FIwGjG9eYlGi-aZMq6CQ2IB475JUxs";
request.Scopes      = { "email", "openid" };

await api.TokenUpdate(request);

{
  "type": "tokenUpdateResponse",
  "resultCode": "A135001",
  "resultMessage": "[A135001] Updated the access token successfully.",
  "accessToken": "JDGiiM9PuWT63FIwGjG9eYlGi-aZMq6CQ2IB475JUxs",
  "accessTokenExpiresAt": 1511847449000,
  "action": "OK",
  "scopes": ["email", "openid"]
}

Update an existing access token.

Request

POST /api/auth/token/update
PUT /api/auth/token/update

Content-Type

application/x-www-form-urlencoded
application/json

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`accessToken`	YES	An existing access token.
`accessTokenExpiresAt`	NO	A new date at which the access token will expire in milliseconds since the Unix epoch (1970-01-01). If the `accessTokenExpiresAt` request parameter is not included in a request or its value is 0 (or negative), the expiration date of the access token is not changed.
`scopes`	NO	A new set of scopes assigned to the access token. Scopes that are not supported by the service and those that the client application associated with the access token is not allowed to request are ignored on the server side. If the `scopes` request parameter is not included in a request or its value is `null`, the scopes of the access token are not changed. Note that `properties` parameter is accepted only when Content-Type of the request is `application/json`, so don't use `application/x-www-form-urlencoded` if you want to specify properties.
`properties`	NO	A new set of properties assigned to the access token. If the `properties` request parameter is not included in a request or its value is `null`, the properties of the access token are not changed.
`accessTokenExpiresAtUpdatedOnScopeUpdate`	NO	A boolean request parameter which indicates whether the API attempts to update the expiration date of the access token when the scopes linked to the access token are changed by this request.
`accessTokenHash`	NO	The hash of the access token value. Used when the hash of the token is known (perhaps from lookup) but the value of the token itself is not. The value of the accessToken parameter takes precedence.
`accessTokenValueUpdated`	NO	A boolean request parameter which indicates whether to update the value of the access token in the data store. If this parameter is set to `true` then a new access token value is generated by the server and returned in the response.
`accessTokenPersistent`	NO	The flag which indicates whether the access token expires or not. By default, all access tokens expire after a period of time determined by their service. If this request parameter is `true` then the access token will not automatically expire and must be revoked or deleted manually at the service. If this request parameter is `true`, the `accessTokenExpiresAt` request parameter is ignored. If this request parameter is `false`, the `accessTokenExpiresAt` request parameter is processed normally.

Response

Content-Type

application/json

Parameters

Name	Type	Description
`resultCode`	string	The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.
`resultMessage`	string	A short message which explains the result of the API call.
`action`	string	The next action that the service implementation should take. One of the following. Details are described in the description. `INTERNAL_SERVER_ERROR` `BAD_REQUEST` `FORBIDDEN` `NOT_FOUND` `OK`
`accessToken`	string	The access token which has been specified by the request.
`accessTokenExpiresAt`	i64	The date at which the access token will expire.
`properties`	Property array	The properties associated with the access token. See Extra Properties for details.
`scopes`	string array	The scopes associated with the access token.

/auth/token/delete API

curl -v -X POST https://api.authlete.com/api/auth/token/delete \
-H 'Content-Type:application/json' \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
-d '{ "accessTokenIdentifier": "JDGiiM9PuWT63FIwGjG9eYlGi-aZMq6CQ2IB475JUxs" }'

// This API is not supported yet.

# This API is not supported yet.

// This API is not supported yet.

Delete an existing access token.

Request

DELETE /api/auth/token/delete/{accessTokenIdentifier}

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`accessTokenIdentifier`	YES	The identifier of an existing access token. The identifier is the value of the access token or the value of the hash of the access token.

Jose Object

/jose/verify API

curl -v https://api.authlete.com/api/jose/verify \
-u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
-d jose=eyJhbGciOiJFUzI1NiJ9.eyJleHAiOjE1NTk4MTE3NTAsImlzcyI6IjU3Mjk3NDA4ODY3In0K.csmdholMVcmjqHe59YWgLGNvm7I5Whp4phQCoGxyrlRGMnTgsfxtwyxBgMXQqEPD5q5k9FaEWNk37K8uAtSwrA \
-d clockSkew=100 \
-d signedByClient=true \
-d clientIdentifier=57297408867

AuthleteApi api = AuthleteApiFactory.getDefaultApi();

JoseVerifyRequest request = new JoseVerifyRequest()
    .setJose("eyJhbGciOiJFUzI1NiJ9.eyJleHAiOjE1NTk4MTE3NTAsImlzcyI6IjU3Mjk3NDA4ODY3In0K.csmdholMVcmjqHe59YWgLGNvm7I5Whp4phQCoGxyrlRGMnTgsfxtw")
    .setClockSkew(100)
    .setSinedByClient(true)
    .setClientIdentifier("57297408867")
;

api.verifyJose(request);

# This API is not supported yet.

// This API is not supported yet.

{
  "type": "joseVerifyResponse",
  "resultCode": "A160001",
  "resultMessage": "[A160001] The JOSE is valid.",
  "signatureValid": true,
  "valid": true
}

This API verifies a JOSE object.

Request

POST /api/jose/verify

Content-Type

application/json application/x-www-form-urlencoded

Authorization

Basic Authentication with API key & API secret of a service.

Parameters

Name	Required	Description
`jose`	YES	A JOSE object that will be verified.
`mandatoryClaims`	NO	Mandatory claims that are required to be included in the JOSE object.
`clockSkew`	NO	Allowable clock skew in seconds.
`clientIdentifier`	CONDITIONALLY REQUIRED	The identifier of the client application whose keys are required for verification of the JOSE object.
`signedByClient`	NO	The flag which indicates whether the signature of the JOSE object has been signed by a client application with the client's private key or a shared symmetric key.

Response

Content-Type

application/json

Parameters

Name	Type	Description
`resultCode`	string	The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.
`resultMessage`	string	A short message which explains the result of the API call.
`valid`	boolean	The result of the verification on the JOSE object.
`signatureValid`	boolean	The result of the signature verification.
`missingClaims`	string array	The list of missing claims.
`invalidClaims`	string array	The list of invalid claims.
`errorDescriptions`	string array	The list of error messages.

Result Codes

A000101

Authlete Server error.

Sorry, an unexpected error occurred on Authlete's side.

A000102

Server Error: {Error Message}

A000103

Internal Server Error.

A000104

Other Web Error: {Error Message}

A000201

Client Error: {Error Message}

A000202

Redirection to {URI}: {Error Message}

A001101

{API Path}, Authlete Server error.

Sorry, an unexpected error occurred on Authlete's side.

A001201

{API Path}, TLS must be used.

Check if the API's URL you specified starts with https://, not http://.

A001202

{API Path}, Authorization header is missing.

This API requires Basic Authentication. Include Authorization HTTP header in your API call.

A001203

{API Path}, Credentials in Authorization header are malformed: {Header Value}

Check if the format of the value of Authorization HTTP header in your API call complies with the specification of Basic Authentication.

A001212

{API Path}, The client (ID = {Client ID}) does not exist.

Check if the client ID you specified is correct.

A001213

{API Path}, The client (ID = {Client ID}) does not belong to the service.

A001214

{API Path}, The client (ID = {Client ID}) has been deleted.

The client application has been logically deleted, so it cannot be used.

A001215

{API Path}, The client (ID = {Client ID}) is locked.

The client application is currently locked for some reasons, so it cannot be used.

A001216

{API Path}, The client ID is invalid.

A001217

{API Path}, This API is not usable under the current configuration.

Consult our support team if you want to use this API.

A001218

{API Path}, The client (identifier = {Client Identifier}) does not exist.

Check if the client identifier you specified is correct. If you used a client alias, check if the feature of client ID alias is enabled both in the client configuration and in the service configuration.

A001219

{API Path}, The client (identifier = {Client Identifier}) does not belong to the service.

A001220

{API Path}, The client (identifier = {Client Identifier}) has been deleted.

A001221

{API Path}, The client (identifier = {Client Identifier}) is locked.

A001222

{API Path}, The client (identifier = {Client Identifier}) exists but the configuration of the client does not allow 'Client ID Alias'.

A001223

{API Path}, The feature '{Feature}' must be enabled to use this API.

A001300

{API Path}, Unable to load introspected token data from external server ('{Introspection URL}').

A002101

{API Path}, Failed to get service owner information from 'service_owner' table.

Sorry, an error occurred on the server side in getting the information about the service owner from the database.

A002201

{API Path}, No service owner has the API credentials.

Check if the pair of API key and API secret you specified is correct.

A002202

{API Path}, The service owner (API Key = {Service Owner's API Key}) has been deleted.

The service owner has been logically deleted, so services and client applications that belong to the service owner cannot be used.

A002203

{API Path}, The service owner (API Key = {Service Owner's API Key}) is locked.

The service owner is currently locked for some reasons, so services and client applications that belong to the service owner cannot be used.

A002204

{API Path}, The service owner (API Key = {Service Owner's API Key}) has not been verified.

A002205

{API Path}, The API credentials do not match those of the service owner (API Key = {Service Owner's API Key}).

Check if the pair of API key and API secret you specified is correct.

A003101

{API Path}, No service owner owns the service (API Key = {Service's API Key}).

Sorry, there is an inconsistency on Authlete's side.

A003102

{API Path}, The service owner (API Key = {Service Owner's API Key}) of the service (API Key = {Service's API Key}) has not been verified.

Sorry, there is an inconsistency on Authlete's side.

A003103

{API Path}, Failed to get service information from 'service' table.

Sorry, an error occurred on the server side in getting the information about the service from the database.

A003104

{API Path}, Failed to get service owner information from 'service_owner' table.

Sorry, an error occurred on the server side in getting the information about the service owner from the database.

A003201

{API Path}, No service has the API credentials.

Check if the pair of API key and API secret you specified is correct.

A003202

{API Path}, The service (API Key = {Service's API Key}) has been deleted.

The service has been logically deleted, so it cannot be used.

A003203

{API Path}, The service (API Key = {Service's API Key}) is locked.

The service is currently locked for some reasons, so it cannot be used.

A003204

{API Path}, The API credentials do not match those of the service (API Key = {Service's API Key}).

Check if the API secret you specified is correct.

A003205

{API Path}, The service owner (API Key = {Service Owner's API Key}) of the service (API Key = {Service's API Key}) has been deleted.

The service owner of the service has been logically deleted, so the service cannot be used.

A003206

{API Path}, The service owner (API Key = {Service Owner's API Key}) of the service (API Key = {Service's API Key}) is locked.

The service owner of the service is currently locked for some reasons, so the service cannot be used.

A004001

Authlete has successfully issued a ticket to the service (API Key = {Service's API Key}) for the authorization request from the client (ID = {Client ID}). [response_type={Response Type}, openid={Boolean}]

The call of /api/auth/authorization API succeeded.

A004201

The authorization request from the service does not contain 'parameters' parameter.

Include the parameters request parameter when you call Authlete's /api/auth/authorization API.

A004202

The format of the value of 'parameters' request parameter is wrong.

Check if the value of the parameters request parameter given to Authlete's /api/auth/authorization API complies with x-www-form-urlencoded.

A004301

The authorization request does not contain any request parameters.

A004302

The value of 'response_type' ({Response Type}) is not allowed when 'scope' does not contain 'openid'.

A004303

'consent' must be explicitly included in 'prompt' parameter when 'offline_access' is included in 'scope'.

A005101

JOSEObject.parse(String) returned an instance of unknown class: {Class Name}

A005102

Failed to convert a JWK to a PublicKey.

A005103

The key type '{Key Type}' cannot have a private key.

A005104

Failed to put the JWK Set of the client (ID = {Client ID}) into 'client_jwks' table.

A005105

Failed to create a decrypter for the JWE passed by 'request' parameter. (client_id={Client ID}, alg={Algorithm}, enc={Algorithm})

A005106

Failed to create a decrypter for the JWE pointed to by 'request_uri' parameter. (client_id={Client ID}, alg={Algorithm}, enc={Algorithm})

A005107

Failed to create a decrypter for the JWE passed by 'request' parameter due to an unexpected key length. (client_id={Client ID}, alg={Algorithm}, enc={Algorithm}, expected key length={Key Length})

A005108

The JWK Set of the service is marked as hosted but not found in 'service_jwks' table.

A005109

Failed to convert a JWK to a PrivateKey.

A005110

Failed to store the fetched request object into the local database.

A005111

Failed to get request URI information from 'request_uri' table.

A005112

Failed to get an entity from 'client_jwks' table.

A005113

Failed to get an entity from 'service_jwks' table.

A005114

Failed to create a decrypter for the JWE pointed to by 'request_uri' parameter due to an unexpected key length. (client_id={Client ID}, alg={Algorithm}, enc={Algorithm}, expected key length={Key Length})

A005201

The request object passed by 'request' parameter cannot be decrypted because this service has not registered its JWK Set.

The client application should not encrypt the request object, or the service should register its JWK Set into Authlete.

A005202

The request object pointed to by 'request_uri' parameter cannot be decrypted because this service has not registered its JWK Set.

The request object pointed to by the URL should not be encrypted (the developer of the client application should fix it), or the service should register its JWK Set into Authlete.

A005203

The request object passed by 'request' parameter cannot be decrypted because this service has not registered its JWK Set.

The client application should not encrypt the request object, or the service should register its JWK Set into Authlete.

A005204

The request object pointed to by 'request_uri' parameter cannot be decrypted because this service has not registered its JWK Set.

The request object pointed to by the URL should not be encrypted (the developer of the client application should fix it), or the service should register its JWK Set into Authlete.

A005301

The value of 'request' parameter failed to be parsed as a JOSE.

The client application should be fixed to construct a valid request object.

A005302

The payload of the JWE passed by 'request' parameter failed to be parsed as a JOSE.

The client application should be fixed to construct a valid request object.

A005303

The value pointed to by 'request_uri' parameter failed to be parsed as a JOSE.

The developer of the client application should fix the request object pointed to by the URL (request_uri).

A005304

The payload of the JWE pointed to by 'request_uri' parameter failed to be parsed as a JOSE.

The developer of the client application should fix the request object pointed to by the URL (request_uri).

A005305

The payload of the JWE passed by 'request' parameter must not be a JWE.

The client application should be fixed to construct a valid request object.

A005306

The payload of the JWE pointed to by 'request_uri' parameter must not be a JWE.

The developer of the client application should fix the request object pointed to by the URL (request_uri).

A005307

The JWS header of the request object passed by 'request' parameter does not contain 'alg' parameter.

The client application should be fixed to include the alg parameter.

A005308

The JWS header of the payload of the JWE passed by 'request' parameter does not contain 'alg' parameter.

The client application should be fixed to include the alg parameter.

A005309

The JWS header of the request object pointed to by 'request_uri' parameter does not contain 'alg' parameter.

The developer of the client application should fix the request object pointed to by the URL (request_uri) to include the alg parameter.

A005310

The JWS header of the payload of the JWE pointed to by 'request_uri' parameter does not contain 'alg' parameter.

The developer of the client application should fix the request object pointed to by the URL (request_uri) to include the alg parameter.

A005311

Failed to fetch the JWK Set of the client (ID = {Client ID}) from the location pointed to by 'jwks_uri' ({URL}): {Error Message}

Authlete tried to fetch the JWK Set of the client application from the registered URL but in vain. The developer of the client application should check if the URL is valid and it returns a valid JWK Set.

A005312

The algorithm in the JWS header of the request object passed by 'request' parameter does not match the registered one ({Algorithm}).

The client application should be fixed to use the registered algorithm for signing the request object, or the developer of the client application should change the registered value of the requestSignAlg property.

A005313

The algorithm in the JWS header of the payload of the JWE passed by 'request' parameter does not match the registered one ({Algorithm}).

A005314

The algorithm in the JWS header of the request object pointed to by 'request_uri' parameter does not match the registered one ({Algorithm}).

The request object pointed to by the URL (request_uri) should be signed with the registered algorithm, or the developer of the client application should change the registered value of the requestSignAlg property.

A005315

The algorithm in the JWS header of the payload of the JWE pointed to by 'request' parameter does not match the registered one ({Algorithm}).

The client application should be signed with the registered algorithm, or the developer of the client application should change the registered value of the requestSignAlg property.

A005316

The algorithm in the JWS header of the request object passed by 'request' parameter is symmetric ({Algorithm}), but the client type is not confidential.

The client application should not use the algorithm for signing the request object. The developer of the client application should either change the client type to confidential (= change the registered value of the clientType property to CONFIDENTIAL) or change the registered algorithm to one of asymmetric algorithms (= change the registered value of the requestSignAlg property) and fix the application code to use the asymmetric algorithm.

A005317

The algorithm in the JWS header of the JWE passed by 'request' parameter is symmetric ({Algorithm}), but the client type is not confidential.

A005318

The algorithm in the JWS header of the request object pointed to by 'request_uri' parameter is symmetric ({Algorithm}), but the client type is not confidential.

The algorithm should not be used to sign the request object pointed to by the URL (request_uri). The developer of the client application should either change the client type to confidential (= change the registered value of the clientType property to CONFIDENTIAL) or change the registered algorithm to one of asymmetric algorithms (= change the registered value of the requestSignAlg property) and sign the request object with the asymmetric algorithm.

A005319

The algorithm in the JWS header of the JWE pointed to by 'request_uri' parameter is symmetric ({Algorithm}), but the client type is not confidential.

A005320

The algorithm in the JWS header of the request object passed by 'request' parameter is not supported.

The client application should be fixed to use one of the supported algorithms for sigining the request object.

A005321

The algorithm in the JWS header of the payload of the JWE passed by 'request' parameter is not supported.

The client application should be fixed to use one of the supported algorithms for sigining the request object.

A005322

The algorithm in the JWS header of the request object pointed to by 'request_uri' parameter is not supported.

The request object pointed to by the URL (request_uri) should be signed with one of the supported algorithms.

A005323

The algorithm in the JWS header of the payload of the JWE pointed to by 'request_uri' parameter is not supported.

The client application should be fixed to use one of the supported algorithms for sigining the request object.

A005324

The signature of the request object passed by 'request' parameter failed to be verified: {Error Message}

The client application should be fixed to sign the request object correctly.

A005325

The signature of the payload of the JWE passed by 'request' parameter failed to be verified: {Error Message}

The client application should be fixed to sign the request object correctly.

A005326

The signature of the request object pointed to by 'request_uri' parameter failed to be verified: {Error Message}

The request object pointed to by the URL (request_uri) should be signed correctly.

A005327

The signature of the payload of the JWE pointed to by 'request_uri' parameter failed to be verified: {Error Message}

The request object pointed to by the URL (request_uri) should be signed correctly.

A005328

The signature of the request object passed by 'request' parameter was not verified.

The client application should be fixed to use the correct private or shared key for signing the request object.

A005329

The signature of the payload of the JWE passed by 'request' parameter was not verified.

The client application should be fixed to use the correct private or shared key for signing the request object.

A005330

The signature of the request object pointed to by 'request_uri' parameter was not verified.

The request object pointed to by the URL (request_uri) should be signed with the correct private or shared key.

A005331

The signature of the payload of the JWE pointed to by 'request_uri' parameter was not verified.

The request object pointed to by the URL (request_uri) should be signed with the correct private or shared key.

A005332

The request object passed by 'request' parameter is signed using a private key, but neither 'jwks_uri' nor 'jwks' to get its associated public key is registered.

The developer of the client application should register the JWK Set (containing the paired public key) of the client application into the service (as the value of the jwks property), or make it accessible somewhere and register its URL into the service (as the value of the jwksUri property).

A005333

The payload of the JWE passed by 'request' parameter is signed using a private key, but neither 'jwks_uri' nor 'jwks' to get its associated public key is registered.

A005334

The request object pointed to by 'request_uri' parameter is signed using a private key, but neither 'jwks_uri' nor 'jwks' to get its associated public key is registered.

A005335

The payload of the JWE pointed by 'request_uri' parameter is signed using a private key, but neither 'jwks_uri' nor 'jwks' to get its associated public key is registered.

A005336

The request object passed by 'request' parameter is not signed but the registered value of 'request_object_signing_alg' is neither 'none' nor null.

The client application should be fixed to sign the request object with the registered algorithm (the value of the requestSignAlg property), or the developer of the client application should change the value of the registered algorithm to none or null.

A005337

The payload of the JWE passed by 'request' parameter is not signed but the registered value of 'request_object_signing_alg' is neither 'none' nor null.

A005338

The request object pointed to by 'request_uri' parameter is not signed but the registered value of 'request_object_signing_alg' is neither 'none' nor null.

The request object pointed to by the URL (request_uri) should be signed with the registered algorithm (the value of the requestSignAlg property), or the developer of the client application should change the value of the registered algorithm to none or null.

A005339

The payload of the JWE pointed to by 'request_uri' parameter is not signed but the registered value of 'request_object_signing_alg' is neither 'none' nor null.

A005340

The JWK Set pointed to by 'jwks_uri' does not contain the public key to verify the signature of the request object passed by 'request' parameter. (alg={Algorithm}, kid={Key ID})

The developer of the client application should check if the JWK Set pointed to by the registered URL (the value of jwksUri property) contains the public key for the combination of the algorithm and the key ID.

A005341

The JWK Set pointed to by 'jwks_uri' does not contain the public key to verify the signature of the payload of the JWE passed by 'request' parameter. (alg={Algorithm}, kid={Key ID})

A005342

The JWK Set pointed to by 'jwks_uri' does not contain the public key to verify the signature of the request object pointed to by 'request_uri' parameter. (alg={Algorithm}, kid={Key ID})

A005343

The JWK Set pointed to by 'jwks_uri' does not contain the public key to verify the signature of the payload of the JWE pointed to by 'request_uri' parameter. (alg={Algorithm}, kid={Key ID})

A005344

The JWK Set pointed to by 'jwks_uri' contains multiple candidate public keys to verify the signature of the request object passed by 'request' parameter. (alg={Algorithm}, kid={Key ID})

Either or both the client application and the JWK Set pointed to by the registered URL (the value of jwksUri property) should be fixed so that Authlete can identify the public key to use for signature verification. For example, unique key IDs should be assigned to the candidate public keys and the client application should specify one of the key IDs in the request object as the value of kid.

A005345

The JWK Set pointed to by 'jwks_uri' contains multiple candidate public keys to verify the signature of the payload of the JWE passed by 'request' parameter. (alg={Algorithm}, kid={Key ID})

A005346

The JWK Set pointed to by 'jwks_uri' contains multiple candidate public keys to verify the signature of the request object pointed to by 'request_uri' parameter. (alg={Algorithm}, kid={Key ID})

Either or both the request object pointed to by the URL (request_uri) and the JWK Set pointed to by the registered URL (the value of jwksUri property) should be fixed so that Authlete can identify the public key to use for signature verification. For example, unique key IDs should be assigned to the candidate public keys and the request object should include one of the key IDs as the value of kid.

A005347

The JWK Set pointed to by 'jwks_uri' contains multiple candidate public keys to verify the signature of the payload of the JWE pointed to by 'request_uri' parameter. (alg={Algorithm}, kid={Key ID})

A005348

Failed to parse the JWK Set of the client (ID = {Client ID}) fetched from the location pointed to by 'jwks_uri' ({URL}) as JWKSet: {Error Message}

Check if the JWK Set is formatted correctly.

A005349

The JWK Set of the client (ID = {Client ID}) was not found in the database, unexpectedly.

This may happen while the configuration of the client application is temporarily inconsistent. Try later again.

A005350

The client (ID = {Client ID}) was not found in the database, unexpectedly.

Probably, the client application was deleted while the API call was being processed.

A005351

The client (ID = {Client ID}) has not registered its JWK Set.

The developer of the client application should register the JWK Set of the client application.

A005352

The registered JWK Set does not contain the public key to verify the signature of the request object passed by 'request' parameter. (alg={Algorithm}, kid={Key ID})

The developer of the client application should update the JWK Set (= the value of jwks property) to include the public key.

A005353

The registered JWK Set does not contain the public key to verify the signature of the payload of the JWE passed by 'request' parameter. (alg={Algorithm}, kid={Key ID})

The developer of the client application should update the JWK Set (= the value of jwks property) to include the public key.

A005354

The registered JWK Set does not contain the public key to verify the signature of the request object pointed to by 'request_uri' parameter. (alg={Algorithm}, kid={Key ID})

The developer of the client application should update the JWK Set (= the value of jwks property) to include the public key.

A005355

The registered JWK Set does not contain the public key to verify the signature of the payload of the JWE pointed to by 'request_uri' parameter. (alg={Algorithm}, kid={Key ID})

The developer of the client application should update the JWK Set (= the value of jwks property) to include the public key.

A005356

The registered JWK Set contains multiple candidate public keys to verify the signature of the request object passed by 'request' parameter. (alg={Algorithm}, kid={Key ID})

Either or both the client application and the registered JWK Set (the value of jwks property) should be fixed so that Authlete can identify the public key to use for signature verification. For example, unique key IDs should be assigned to the candidate public keys and the client application should specify one of the key IDs in the request object as the value of kid.

A005357

The registered JWK Set contains multiple candidate public keys to verify the signature of the payload of the JWE passed by 'request' parameter. (alg={Algorithm}, kid={Key ID})

A005358

The registered JWK Set contains multiple candidate public keys to verify the signature of the request object pointed to by 'request_uri' parameter. (alg={Algorithm}, kid={Key ID})

A005359

The registered JWK Set contains multiple candidate public keys to verify the signature of the payload of the JWE pointed to by 'request_uri' parameter. (alg={Algorithm}, kid={Key ID})

A005360

The JWE header of the request object passed by 'request' parameter does not contain 'alg' parameter.

A005361

The JWE header of the request object pointed to by 'request_uri' parameter does not contain 'alg' parameter.

A005362

The JWE header of the request object passed by 'request' parameter does not contain 'enc' parameter.

A005363

The JWE header of the request object pointed to by 'request_uri' parameter does not contain 'enc' parameter.

A005364

Failed to decrypt the JWE passed by 'request' parameter (alg={Algorithm}, enc={Algorithm}): {Error Message}

A005365

Failed to decrypt the JWE pointed to by 'request_uri' parameter (alg={Algorithm}, enc={Algorithm}): {Error Message}

A005366

The value of 'enc' in the header of the JWE passed by 'request' parameter is not supported.

A005367

The value of 'enc' in the header of the JWE pointed to by 'request_uri' parameter is not supported.

A005368

The value of 'alg' in the header of the JWE passed by 'request' parameter is not supported.

A005369

The value of 'alg' in the header of the JWE pointed to by 'request_uri' parameter is not supported.

A005370

The value of 'alg' in the header of the JWE passed by 'request' parameter is symmetric ({Algorithm}), but the client type is not confidential.

A005371

The value of 'alg' in the header of the JWE pointed to by 'request_uri' parameter is symmetric ({Algorithm}), but the client type is not confidential.

A005372

The request object passed by 'request' parameter is encrypted, but this service does not accept encrypted request objects.

A005373

The request object pointed to by 'request_uri' parameter is encrypted, but this service does not accept encrypted request objects.

A005374

The private key to decrypt the request object passed by 'request' parameter is not found. (alg={Algorithm}, kid={Key ID})

A005375

The private key to decrypt the request object pointed to by 'request_uri' parameter is not found. (alg={Algorithm}, kid={Key ID})

A005376

There are multiple candidate private keys to decrypt the request object passed 'request' parameter. (alg={Algorithm}, kid={Key ID})

A005377

There are multiple candidate private keys to decrypt the request object pointed to 'request_uri' parameter. (alg={Algorithm}, kid={Key ID})

A005378

Failed to parse the request object passed by 'request' parameter as a JSON.

A005379

Failed to parse the payload of the JWE passed by 'request' parameter as a JSON.

A005380

Failed to parse the request object pointed to by 'request_uri' parameter as a JSON.

A005381

Failed to parse the payload of the JWE pointed to by 'request_uri' parameter as a JSON.

A005382

Failed to fetch the request object of the client (ID = {Client ID}) from the location pointed to by 'request_uri' ({URL}): {Error Message}

A005383

The request object pointed to by 'request_uri' parameter is not signed but the scheme of the URI is not https.

A005384

The value of 'request_uri' parameter is not registered: {URL}

A005385

The client (ID = {Client ID}) has not registered the content of the request object for the request URI ({URL}) although the content is marked as hosted.

A005386

The value of 'request_uri' parameter is not registered: {URL}

A005387

The request object passed by 'request' parameter contains 'client_id' but its value is not a string.

A005388

The payload of the JWE passed by 'request' parameter contains 'client_id' but its value is not a string.

A005389

The request object pointed to by 'request_uri' parameter contains 'client_id' but its value is not a string.

A005390

The payload of the JWE pointed to by 'request_uri' parameter contains 'client_id' but its value is not a string.

A005391

The value of 'client_id' ({Client ID}) in the request object passed by 'request' parameter is different from the one specified by 'client_id' parameter ({Client ID}).

A005392

The value of 'client_id' ({Client ID}) in the payload of the JWE passed by 'request' parameter is different from the one specified by 'client_id' parameter ({Client ID}).

A005393

The value of 'client_id' ({Client ID}) in the request object pointed to by 'request_uri' parameter is different from the one specified by 'client_id' parameter ({Client ID}).

A005394

The value of 'client_id' ({Client ID}) in the payload of the JWE pointed to by 'request_uri' parameter is different from the one specified by 'client_id' parameter ({Client ID}).

A005395

The request object passed by 'request' parameter contains 'response_type' but its value is not a string.

A005396

The payload of the JWE passed by 'request' parameter contains 'response_type' but its value is not a string.

A005397

The request object pointed to by 'request_uri' parameter contains 'response_type' but its value is not a string.

A005398

The payload of the JWE pointed to by 'request_uri' parameter contains 'response_type' but its value is not a string.

A005399

The value of 'response_type' ({Response Type}) in the request object passed by 'request' parameter is invalid.

A006301

The value of 'response_type' ({Response Type}) in the payload of the JWE passed by 'request' parameter is invalid.

A006302

The value of 'response_type' ({Response Type}) in the request object pointed to by 'request_uri' parameter is invalid.

A006303

The value of 'response_type' ({Response Type}) in the payload of the JWE pointed to by 'request_uri' parameter is invalid.

A006304

The value of 'response_type' ({Response Type}) in the request object passed by 'request' parameter is different from the one specified by 'response_type' parameter ({Response Type}).

A006305

The value of 'response_type' ({Response Type}) in the payload of the JWE passed by 'request' parameter is different from the one specified by 'response_type' parameter ({Response Type}).

A006306

The value of 'response_type' ({Response Type}) in the request object pointed to by 'request_uri' parameter is different from the one specified by 'response_type' parameter ({Response Type}).

A006307

The value of 'response_type' ({Response Type}) in the payload of the JWE pointed to by 'request_uri' parameter is different from the one specified by 'response_type' parameter ({Response Type}).

A006308

The request object passed by 'request' parameter contains 'request' parameter, which is not allowed.

A006309

The payload of the JWE passed by 'request' parameter contains 'request' parameter, which is not allowed.

A006310

The request object pointed to by 'request_uri' parameter contains 'request' parameter, which is not allowed.

A006311

The payload of the JWE pointed to by 'request_uri' parameter contains 'request' parameter, which is not allowed.

A006312

The request object passed by 'request' parameter contains 'request_uri' parameter, which is not allowed.

A006313

The payload of the JWE passed by 'request' parameter contains 'request_uri' parameter, which is not allowed.

A006314

The request object pointed to by 'request_uri' parameter contains 'request_uri' parameter, which is not allowed.

A006315

The payload of the JWE pointed to by 'request_uri' parameter contains 'request_uri' parameter, which is not allowed.

A006316

Failed to create a verifier for the symmetric algorithm ({Algorithm}) specified in the JWS header of the request object passed by 'request' parameter.

A006317

Failed to create a verifier for the symmetric algorithm ({Algorithm}) specified in the JWS header of the JWE passed by 'request' parameter.

A006318

Failed to create a verifier for the symmetric algorithm ({Algorithm}) specified in the JWS header of the request object pointed to by 'request_uri' parameter.

A006319

Failed to create a verifier for the symmetric algorithm ({Algorithm}) specified in the JWS header of the JWE pointed to by 'request_uri' parameter.

A006320

Failed to create a verifier for the elliptic curve algorithm ({Algorithm}) specified in the JWS header of the request object passed by 'request' parameter.

A006321

Failed to create a verifier for the elliptic curve algorithm ({Algorithm}) specified in the JWS header of the JWE passed by 'request' parameter.

A006322

Failed to create a verifier for the elliptic curve algorithm ({Algorithm}) specified in the JWS header of the request object pointed to by 'request_uri' parameter.

A006323

Failed to create a verifier for the elliptic curve algorithm ({Algorithm}) specified in the JWS header of the JWE pointed to by 'request_uri' parameter.

A007101

Failed to get the list of pre-defined scopes from 'scope' table.

A007102

Failed to get the list of scope attributes from 'scope_attributes' table.

A007301

The value of 'scope' parameter in the request object is not a string.

A007302

The authorization request contains multiple 'scope' parameters.

A007303

The value of 'scope' in the request object contains 'openid' but the authorization request does not have 'scope' parameter.

A007304

The value of 'scope' in the request object contains 'openid' but the authorization request parameter 'scope' does not contain 'openid'.

A008101

Failed to get the list of registered request URIs from 'request_uri' table.

A008301

The authorization request contains multiple 'request' parameters.

A008302

The authorization request contains multiple 'request_uri' parameters.

A008303

The value of 'request_uri' parameter is not registered.

A008304

The authorization request contains both 'request' parameter and 'request_uri' parameter.

A009301

The authorization request does not contain 'response_type' parameter.

A009302

The value of 'response_type' parameter contained in the authorization request is empty.

A009303

The authorization request contains multiple 'response_type' parameters.

A009304

The value of 'response_type' parameter contained in the authorization request is invalid.

A009305

The response type '{Response Type}' is not supported by this service.

A009306

The client (ID = {Client ID}) does not declare it uses the response type '{Response Type}'.

A010101

Failed to get the client information from 'client' table.

A010102

Failed to get the client information by a client ID alias.

A010301

The authorization request does not contain 'client_id' parameter.

A010302

The value of 'client_id' parameter contained in the authorization request is empty.

A010303

The authorization request contains multiple 'client_id' parameters.

A010304

No client has the client ID ({Client ID}).

A010305

The client (ID = {Client ID}) does not belong to this service.

A010306

The client (ID = {Client ID}) has been deleted.

A010307

The client (ID = {Client ID}) is locked.

A010308

No client has the client ID ({Client ID}) or the client ID alias.

A010309

The client ID alias ({Client ID Alias}) of the client is not enabled.

A011101

Failed to get the list of registered redirect URIs from 'redirect_uri' table.

A011301

The value of 'redirect_uri' in the request object is not a string.

A011302

The authorization request contains multiple 'redirect_uri' parameters.

A011303

'redirect_uri' parameter must be explicitly specified when 'scope' parameter contains 'openid'.

A011304

The value of 'redirect_uri' ({URL}) is not registered.

A011305

The scheme of the redirect URI must be 'https' when 'response_type' of an authorization request from a 'web' client contains either 'token' or 'id_token'.

A011306

The host of the redirect URI must not be 'localhost' when 'response_type' of an authorization request from a 'web' client contains either 'token' or 'id_token'.

A011307

The scheme of the redirect URI must not be 'https' when the client's application type is 'native'.

A011308

The host of the redirect URI must be 'localhost' when the client's application type is 'native' and the scheme of the redirect URI is 'http'.

A011309

The client has not registered any redirect URI.

A011310

The client type is 'public', but the client has not registered any redirect URI.

A011311

An authorization request whose response_type contains either 'token' or 'id_token' requires the client to register at least one redirect URI even if the client type is 'confidential'.

A011312

'redirect_uri' parameter must be contained when a 'confidential' client that has not registered any redirect URI makes an authorization request of the authorization code grant type.

A011313

'redirect_uri' parameter must be contained when a client that has registered multiple redirect URIs makes an authorization request.

A011314

The value of 'redirect_uri' contained in the authorization request is not well-formed.

A011315

The value of 'redirect_uri' contained in the authorization request is not absolute.

A011316

The value of 'redirect_uri' contained in the authorization request has a fragment component.

A011317

The value of 'redirect_uri' ({URL}) is not registered.

A011318

The authorization request does not contain 'redirect_uri' parameter.

A011319

The value of 'redirect_uri' parameter contained in the authorization request is empty.

A012301

The value of 'response_mode' in the request object is not a string.

A012302

The authorization request contains multiple 'response_mode' parameters.

A012303

The value of 'response_mode' is not supported.

A012304

'response_mode=query' is not allowed when 'response_type' is '{Response Type}'.

A012305

A012306

The authorization request required the authorization response be encoded as JWT by specifying 'response_mode={Response Mode}', but the 'authorization_signed_response_alg' metadata of the client (ID = {Client ID}) is 'none'. Change the registered value of the metadata.

A012307

The authorization request required the authorization response be encoded as JWT by specifying 'response_mode={Response Mode}', but the 'authorization_signed_response_alg' metadata of the client (ID = {Client ID}) is a symmetric algorithm ('{Algorithm}'). Change the algorithm to an asymmetric one or change the client type to 'confidential'.

A012308

The authorization request required the authorization response be encoded as JWT by specifying 'response_mode={Response Mode}', but the 'authorization_encrypted_response_alg' metadata of the client (ID = {Client ID}) is a symmetric algorithm ('{Algorithm}'). Change the algorithm to an asymmetric one or change the client type to 'confidential'.

A012309

For the response type ('{Response Type}'), the response mode ('{Response Mode}') is allowed only when the authorization response JWT is encrypted. Set the value of the 'authorization_encrypted_response_alg' metadata of the client (ID = {Client ID}).

A013301

The value of 'state' in the request object is not a string.

A013302

The authorization request contains multiple 'state' parameters.

A013303

The value of 'state' contains non-ASCII letters.

A013304

The length of 'state' exceeds the maximum length ({Number}).

A014301

The value of 'nonce' in the request object is not a string.

A014302

The authorization request contains multiple 'nonce' parameters.

A014303

'nonce' is required when 'response_type' contains 'id_token'.

A014304

The value of 'nonce' contains non-ASCII letters.

A014305

The length of 'nonce' exceeds the maximum length ({Number}).

A015301

The value of 'display' in the request object is not a string.

A015302

The authorization request contains multiple 'display' parameters.

A015303

The value of 'display' is not supported.

A015304

The authorization request does not contain 'display' parameter but the default value 'page' is not supported by this service.

A015305

This service does not support the specified value of 'display'.

A016301

The value of 'prompt' in the request object is not a string.

A016302

The authorization request contains multiple 'prompt' parameters.

A016303

The value of 'prompt' contains an invalid element.

A016304

When 'none' is included, the 'prompt' request parameter must not include any other value.

A017301

The value of 'max_age' in the request object is not a number.

A017302

The authorization request contains multiple 'max_age' parameters.

A017303

The value of 'max_age' failed to be parsed as a number.

A017304

The value of 'max_age' is not an integer.

A017305

The value of 'max_age' is out of the range of 'int'.

A018101

Failed to get the list of supported UI locales of the service from 'ui_locale' table.

A018301

The value of 'ui_locales' in the request object is not a string.

A018302

The authorization request contains multiple 'ui_locales' parameters.

A019101

Failed to insert a new record into the 'authorization_ticket' table.

A020101

Failed to get the list of supported claim locales of the service from 'claim_locale' table.

A020301

The value of 'claims_locales' in the request object is not a string.

A020302

The authorization request contains multiple 'claims_locales' parameters.

A021101

Failed to get the list of the default ACRs of the client from 'default_acr' table.

A021102

Failed to get the list of supported ACRs of the service from 'acr' table.

A021301

The value of 'acr_values' in the request object is not a string.

A021302

The authorization request contains multiple 'acr_values' parameters.

A021303

ACR values cannot be specified by any means ('claim', 'acr_values' or 'default_acr_values') because this service supports no ACR value.

A021304

The ACR value '{ACR}' is not supported by this service.

A022301

The value of 'claims' in the request object is not a JSON object.

A022302

The authorization request contains multiple 'claims' parameters.

A022303

The value of 'claims' parameter in the authorization request is not a JSON object.

A022304

The value of 'userinfo' in 'claims' is not a JSON object.

A022305

The value of 'id_token' in 'claims' is not a JSON object.

A023301

The value of '{Property Name}' in 'claims' is not a JSON object.

A023302

The value of 'essential' of '{Property Name}' in 'claims' is not a boolean value.

A023303

The value of 'value' of '{Property Name}' in 'claims' cannot be cast to {Type}.

A023304

The value of 'values' of '{Property Name}' in 'claims' is not an array.

A023305

The value of 'values' of '{Property Name}' in 'claims' contains an element which cannot be cast to {Type}.

A024301

The claim '{Claim Name}' for '{Context}' cannot be requested by 'claims' parameter when the value of 'prompt' is 'none'.

A024302

The scope '{Scope Name}' results in requesting some claims but it is not allowed when the value of 'prompt' is 'none'.

A025101

Failed to create a client of the service (API Key = {Service's API Key}).

A026001

The client (ID = {Client ID}) was deleted successfully.

A026101

Failed to delete the client (ID = {Client ID}).

A026201

The client (ID = {Client ID}) does not exist.

A026202

The client (ID = {Client ID}) does not belong to the service.

A026203

The client ({Client Identifier}) has already been deleted.

A026204

The client ({Client Identifier}) is locked.

A027201

The client (ID = {Client ID}) does not exist.

A027202

The client (ID = {Client ID}) does not belong to the service.

A027203

The client ({Client Identifier}) has been deleted.

A027204

The client ({Client Identifier}) is locked.

A028201

Parameter 'start' failed to be parsed as int.

A028202

Parameter 'start' must not be negative.

A028203

Parameter 'end' failed to be parsed as int.

A028204

Parameter 'end' must not be negative.

A029101

Failed to update the client (ID = {Client ID}).

A029201

The client (ID = {Client ID}) does not exist.

A029202

The client (ID = {Client ID}) does not belong to the service.

A029203

The client ({Client Identifier}) has been deleted.

A029204

The client ({Client Identifier}) is locked.

A030201

The client (ID = {Client ID}) does not exist.

A030202

The client (ID = {Client ID}) has been deleted.

A030203

The client (ID = {Client ID}) is locked.

A030601

Cannot update the client because the client ID alias is already in use. Client ID aliases must be unique in the same service.

A031201

{API Path}, '{Value}' is not supported as a value for '{Key}'.

A031202

{API Path}, '{Key}' is unspecified, empty or invalid.

A031203

{API Path}, '{Key}' must consist of only printable ASCII letters.

A031204

{API Path}, The length of '{Key}' must not exceed {Number} letters.

A031205

{API Path}, The element at the index '{Number}' of '{Key}' is null.

A031206

{API Path}, The element at the index '{Number}' of '{Key}' contains non-ASCII letters.

A031207

{API Path}, The length of the element at the index '{Number}' of '{Key}' must not exceed {Number} letters.

A031208

{API Path}, The element at the index '{Number}' of '{Key}' is not a well-formed URI.

A031209

{API Path}, The element at the index '{Number}' of '{Key}' is not an absolute URI.

A031210

{API Path}, The element at the index '{Number}' of '{Key}' has a fragment component.

A031211

{API Path}, The element at the index '{Number}' of '{Key}' is a duplicate.

A031212

{API Path}, The value of '{Key}' failed to be parsed as a JWK Set.

A031213

{API Path}, '{Key}' must not be negative.

A031214

{API Path}, '{Key}' is unspecified or invalid.

A031215

{API Path}, The JWK Set specified by '{Key}' is too big.

A031216

{API Path}, The JWK Set specified by '{Key}' contains non-ASCII letters.

A031217

{API Path}, The '{Key}' URI has a fragment component.

A031218

{API Path}, The '{Key}' URI has a query component.

A031219

{API Path}, The scheme of the '{Key}' URI is not https.

A031220

{API Path}, The number of entries for '{Key}' must not exceed {Number}.

A031221

{API Path}, The value ({Number}) of '{Key}' is not in the range between {Number} and {Number}.

A031222

{API Path}, '{Algorithm}' is given as the value of '{Key}', but the algorithm is not asymmetric.

A031223

{API Path}, The value of '{Key}' is not a valid X.500 distinguished name.

A031224

{API Path}, The '{Field Name}' of the element at the index '%d' of '{Index}' is a duplicate.

A031225

{API Path}, The '{Field Name}' of the element at the index '%d' of '{Index}' is null or empty.

A031226

{API Path}, The '{Field Name}' of the element at the index '%d' of '{Index}' contains non-ASCII letters.

A031227

{API Path}, The length of '{Field Name}' of the element at the index '%d' of '{Index}' must not exceed %d letters.

A031228

{API Path}, The '{Field Name}' of the element at the index '{Index}' of '{Property Name}' is null.

A031229

{API Path}, The scheme part of the '{Field Name}' of the element at the index '{Index}' of '{Property Name}' is not https.

A032201

{API Path}, The tag of the tagged-value at the index '{Number}' of '{Key}' is empty.

A032202

{API Path}, The value of the tagged-value at the index '{Number}' of '{Key}' is empty.

A032203

{API Path}, The tag of the tagged-value at the index '{Number}' of '{Key}' is a duplicate.

A032204

{API Path}, The value of the tagged-value at the index '{Number}' of '{Key}' is not a well-formed URI.

A032205

{API Path}, The length of the tag of the tagged-value at the index '{Number}' of '{Key}' exceeds the maximum length ({Number}).

A032206

{API Path}, The tag of the tagged-value at the index '{Number}' of '{Key}' contains non-ASCII letters.

A032207

{API Path}, The length of the value of the tagged-value at the index '{Number}' of '{Key}' exceeds the maximum length ({Number}).

A032208

{API Path}, The value of the tagged-value at the index '{Number}' of '{Key}' contains non-ASCII letters.

A032209

{API Path}, The request is empty.

A032210

{API Path}, The scheme of Sector Identifier URI must be 'https'.

A032211

{API Path}, idTokenEncryptionAlg is null although idTokenEncryptionEnc is not null.

A032212

{API Path}, userInfoEncryptionAlg is null although userInfoEncryptionEnc is not null.

A032213

{API Path}, requestEncryptionAlg is null although requestEncryptionEnc is not null.

A032214

{API Path}, authorizationEncryptionAlg is null although authorizationEncryptionEnc is not null.

A032215

{API Path}, bcNotificationEndpoint must not be null when bcDeliveryMode is PING or PUSH.

A032216

{API Path}, Must not have multiple certificate subject types.

A032217

{API Path}, When using TLS_CLIENT_AUTH, a certificate subject type must be set.

A032218

{API Path}, The client's subject DN is not in the correct format.

A033101

Failed to create a service of the service owner (API Key = {Service Owner's API Key}).

A034001

The service (API Key = {Service's API Key}) was deleted successfully.

A034101

Failed to delete the service (API Key = {Service's API Key}).

A034201

The service (API Key = {Service's API Key}) does not exist.

A034202

The service (API Key = {Service's API Key}) does not belong to the service owner.

A034203

The service (API Key = {Service's API Key}) has already been deleted.

A034204

The service (API Key = {Service's API Key}) is locked.

A035201

The service (API Key = {Service's API Key}) does not exist.

A035202

The service (API Key = {Service's API Key}) does not belong to the service owner.

A035203

The service (API Key = {Service's API Key}) has been deleted.

A035204

The service (API Key = {Service's API Key}) is locked.

A036201

Parameter 'start' failed to be parsed as int.

A036202

Parameter 'start' must not be negative.

A036203

Parameter 'end' failed to be parsed as int.

A036204

Parameter 'end' must not be negative.

A037101

Failed to update the service (API Key = {Service's API Key}).

A037201

The service (API Key = {Service's API Key}) does not exist.

A037202

The service (API Key = {Service's API Key}) does not belong to the service owner.

A037203

The service (API Key = {Service's API Key}) has been deleted.

A037204

The service (API Key = {Service's API Key}) is locked.

A038201

The service (API Key = {Service's API Key}) does not exist.

A038202

The service (API Key = {Service's API Key}) has been deleted.

A038203

The service (API Key = {Service's API Key}) is locked.

A039201

{API Path}, The request is empty.

A039202

{API Path}, 'supportedResponseTypes' must be specified.

A039203

{API Path}, The scope name of the element at the index '{Number}' of 'supportedScopes' is a duplicate.

A039204

{API Path}, The scope name of the element at the index '{Number}' of 'supportedScopes' is not specified.

A039205

{API Path}, The scope name of the element at the index '{Number}' of 'supportedScopes' exceeds the maximum length ({Number}).

A039206

{API Path}, The scope name of the element at the index '{Number}' of 'supportedScopes' contains a bad letter at the index '{Number}'.

A039207

{API Path}, The scope description of the element at the index '{Number}' of 'supportedScopes' exceeds the maximum length ({Number}).

A039208

{API Path}, The scope name ('{Scope Name}') of the element at the index '{Number}' of 'supportedScopes' is reserved.

A039209

{API Path}, The SNS of the element at the index '{Number}' of '{Key}' is a duplicate.

A039210

{API Path}, The SNS of the element at the index '{Number}' of '{Key}' is not supported.

A039211

{API Path}, The API key of the element at the index '{Number}' of '{Key}' is not specified.

A039212

{API Path}, The API key of the element at the index '{Number}' of '{Key}' exceeds the maximum length ({Number}).

A039213

{API Path}, The API key of the element at the index '{Number}' of '{Key}' contains a non-ASCII letter.

A039214

{API Path}, The API secret of the element at the index '{Number}' of '{Key}' exceeds the maximum length ({Number}).

A039215

{API Path}, The API secret of the element at the index '{Number}' of '{Key}' contains a non-ASCII letter.

A039216

{API Path}, descriptions[{Index}] of the scope '{Scope Name}' (supportedScopes[{Index}]) is empty.

A039217

{API Path}, descriptions[{Index}].tag of the scope '{Scope Name}' (supportedScopes[{Index}]) is empty.

A039218

{API Path}, The value '{Value}' of descriptions[{Index}].tag of the scope '{Scope Name}' (supportedScopes[{Index}]) is a duplicate.

A039219

{API Path}, The length of descriptions[{Index}].tag of the scope '{Scope Name}' (supportedScopes[{Index}]) exceeds the maximum length ({Number}).

A039220

{API Path}, descriptions[{Index}].tag of the scope '{Scope Name}' (supportedScopes[{Index}]) contains a non-ASCII letter.

A039221

{API Path}, descriptions[{Index}].value of the scope '{Scope Name}' (supportedScopes[{Index}]) is empty.

A039222

{API Path}, The length of descriptions[{Index}].value of the scope '{Scope Name}' (supportedScopes[{Index}]) exceeds the maximum length ({Number}).

A039223

{API Path}, attributes[{Index}] of the scope '{Scope Name}' (supportedScopes[{Index}]) is empty.

A039224

{API Path}, attributes[{Index}].key of the scope '{Scope Name}' (supportedScopes[{Index}]) is empty.

A039225

{API Path}, The length of attributes[{Index}].key of the scope '{Scope Name}' (supportedScopes[{Index}]) exceeds the maximum length ({Number}).

A039226

{API Path}, attributes[{Index}].key of the scope '{Scope Name}' (supportedScopes[{Index}]) contains a non-ASCII letter.

A039227

{API Path}, attributes[{Index}].value of the scope '{Scope Name}' (supportedScopes[{Index}]) is empty.

A039228

{API Path}, The length of attributes[{Index}].value of the scope '{Scope Name}' (supportedScopes[{Index}]) exceeds the maximum length ({Number}).

A039229

{API Path}, The value '{Value}' of attributes[{Index}].key of the scope '{Scope Name}' (supportedScopes[{Index}]) is a duplicate.

A039230

{API Path}, The value '{Value}' (trustedRootCertificates[{Index}]) is not a valid X509 certificate in PEM format.

A040001

The authorization request was processed successfully.

A041201

The value of 'ticket' in the /api/auth/authorization/issue request is null or empty.

A041202

There is no entity having the ticket specified in the /api/auth/authorization/issue request (ticket = {Ticket}).

A041203

The ticket in the /api/auth/authorization/issue request does not belong to the service.

A041301

The ticket in the /api/auth/authorization/issue request has expired.

A042201

The value of 'subject' in the /api/auth/authorization/issue request is null or empty.

A042202

The length of 'subject' in the /api/auth/authorization/issue request exceeds the maximum length ({Number}).

A042203

The 'subject' in the /api/auth/authorization/issue request contains non-ASCII letters.

A043201

The length of 'acr' in the /api/auth/authorization/issue request exceeds the maximum length ({Number}).

A044201

The value of 'claims' in the /api/auth/authorization/issue request failed to be parsed as a JSON object.

A045101

Failed to issue a code and/or token(s) from /api/auth/authorization/issue endpoint.

A045102

The hash algorithm '{Algorithm}' is not supported.

A045201

The total size of 'properties' is too big.

A045202

Failed to generate a JWT-based access token: {Error Message}

A045301

The client application (ID = {Client ID}) has been deleted, so '{Claim Name}' for the ID token cannot be calculated.

A045302

The algorithm to sign ID tokens must not be 'none' if the client application (ID = {Client ID}) wants to get ID tokens.

A045303

The client application (ID = {Client ID}) has been deleted, so the ID token cannot be serialized.

A046101

Failed to sign the ID token with the algorithm '{Algorithm}'.

A046102

The algorithm ('{Algorithm}') to sign the ID token is not supported.

A046103

Failed to put the JWK Set of the client application (ID = {Client ID}) into 'client_jwks' table.

A046104

The key type '{Key Type}' cannot have a public key.

A046105

Failed to convert a JWK to a PublicKey.

A046106

The key type '{Key Type}' cannot have a private key.

A046107

Failed to convert a JWK to a PrivateKey.

A046108

Failed to encrypt the ID token with alg='{Algorithm}' and enc='{Algorithm}'.

A046109

The algorithm ('{Algorithm}') to encrypt the ID token is not supported.

A046110

Failed to create an encrypter to encrypt the ID token due to the unexpected key length. (client_id={Client ID}, alg={Algorithm}, enc={Algorithm}, expected key length={Number})

A046111

Failed to create an encrypter to encrypt the ID token. (client_id={Client ID}, alg={Algorithm}, enc={Algorithm})

A046112

The JWK Set of the service is marked as hosted but not found in 'service_jwks' table.

A046113

The length of the secret key to sign the ID token with the algorithm ('{Algorithm}') is shorter than the minimum 256-bit requirement.

A046114

The elliptic curve of the private key is not supported: algorithm = {Algorithm}

A046201

The ID token cannot be signed because this service has not registered its JWK Set although asymmetric algorithm ('{Algorithm}') is required for signing.

A046202

The ID token cannot be signed because this service has not registered its JWK Set although asymmetric algorithm ('{Algorithm}') is required for signing.

A046203

The registered JWK Set of this service does not contain the private key to sign the ID token. (alg={Algorithm}, kid={Key ID})

A046204

The registered JWK Set of this service contains multiple candidate private keys to sign the ID token. (alg={Algorithm}, kid={Key ID})

A046301

The algorithm to sign ID tokens must not be 'none' if the client application (ID = {Client ID}) wants to get ID tokens.

A046302

The algorithm ('{Algorithm}' for 'id_token_encrypted_response_alg') to encrypt the ID token is not supported.

A046303

The ID token cannot be encrypted because the client application (ID = {Client ID}) has registered neither 'jwks_uri' nor 'jwks'.

A046304

Failed to fetch the JWK Set of the client application (ID = {Client ID}) from the location pointed to by 'jwks_uri' ({URL}).

A046305

Failed to parse the JWK Set of the client application (ID = {Client ID}) fetched from the location pointed to by 'jwks_uri' ({URL}) as JWKSet.

A046306

The client application (ID = {Client ID}) was not found in the database, unexpectedly.

A046307

The client application (ID = {Client ID}) has not registered its JWK Set.

A046308

The JWK Set of the client application (ID = {Client ID}) was not found in the database, unexpectedly.

A046309

The registered JWK Set of the client application (ID = {Client ID}) does not contain the public key to encrypt the ID token. (alg={Algorithm}, kid={Key ID})

A046310

The JWK Set of the client application (ID = {Client ID}) pointed to by 'jwks_uri' ({URL}) does not contain the public key to encrypt the ID token. (alg={Algorithm}, kid={Key ID})

A046311

The registered JWK Set of the client application (ID = {Client ID}) contains multiple candidate public keys to encrypt the ID token. (alg={Algorithm}, kid={Key ID})

A046312

The JWK Set of the client application (ID = {Client ID}) pointed to by 'jwks_uri' ({URL}) contains multiple candidate public keys to encrypt the ID token. (alg={Algorithm}, kid={Key ID})

A046313

The algorithm to encrypt the ID token ('id_token_encrypted_response_alg') is symmetric ({Algorithm}), but the client type of the client (ID = {Client ID}) is not 'confidential'.

A046314

The algorithm ('{Algorithm}' for 'userinfo_token_encrypted_response_alg') to encrypt the ID token is not supported.

A047101

The grant type ({Grant Type}) is not supported. Consult the administrator of this authorization server.

A047201

The token request from the service does not contain 'parameters' parameter.

A047202

The format of the value of 'parameters' request parameter is wrong.

A047301

The token request does not contain any request parameters.

A047302

The grant type specified by the 'grant_type' request parameter is not included in the list of grant types that the client has declared it may use.

A048101

Failed to get the client information from the database.

A048102

Failed to get information about the authorization code.

A048103

Failed to get information about the refresh token.

A048104

Failed to get the client information by a client ID alias.

A048301

The token endpoint of this service requires 'client_id' parameter or Authorization header containing a client ID for Resource Owner Password Credentials flow.

A048302

The value of 'client_id' passed to the token endpoint is empty.

A048303

The token request contains multiple 'client_id' parameters.

A048304

No client has the client ID ({Client ID}).

A048305

The client (ID = {Client ID}) does not belong to this service.

A048306

The client (ID = {Client ID}) has been deleted.

A048307

The client (ID = {Client ID}) is locked.

A048312

The token request specifies the client ID by two different ways but the values are different.

A048314

Client Credentials flow requires 'client_id' request parameter or Authorization header that contains a client ID.

A048315

The token request does not contain 'code' parameter although 'grant_type' is 'authorization_code'.

A048316

The value of 'code' in the token request is empty.

A048317

The authorization code does not exist.

A048318

The token request does not contain 'refresh_token' parameter although 'grant_type' is 'refresh_token'.

A048319

The value of 'refresh_token' in the token request is empty.

A048320

The refresh token does not exist.

A048321

The client which the authorization code has been issued to does not exist any longer.

A048322

The client which the refresh token has been issued to does not exist any longer.

A048323

No client has the client ID (%s) or the client ID alias.

A048324

The client ID alias (%s) of the client is not enabled.

A048329

The client did not send an assertion.

A048330

The client sent multiple assertions.

A048332

The client's assertion was not properly formatted.

A048346

The client provided an invalid certificate for authentication.

A048351

The client did not provide a certificate to the token endpoint but is configured to use an MTLS-bound access token.

A048352

The client's subject DN is not in the correct format.

A048353

Couldn't build a certificate path from the trusted root certificates, but one is required.

A048354

Couldn't create a certificate validator.

A048355

The client's presented certificate did not validate against any of the trusted root certificates registered to the service.

A048356

The service requires validation of the certificate chain, but no trusted root certificates are configured.

A049301

The token request does not contain 'grant_type' parameter.

A049302

The value of 'grant_type' in the token request is empty.

A049303

The token request contains multiple 'grant_type' parameters.

A049304

The value of 'grant_type' in the token request is invalid.

A049305

This service does not support the grant_type '{Grant Type}'.

A049306

The 'implicit' grant_type is invalid for the token endpoint.

A050001

The token request (grant_type=authorization_code) was processed successfully.

A050101

Failed to insert a new access token into the database.

A050102

The value of code_challenge_method extracted from the database is not supported.

A050103

Failed to get information about the authorization code.

A050105

Failed to get the list of scope attributes from 'scope_attributes' table.

A050201

The total size of 'properties' is too big.

A050202

Failed to prepare a JWT-based access token: {Error Message}

A050301

The token request does not contain 'code' parameter although 'grant_type' is 'authorization_code'.

A050302

The value of 'code' in the token request is empty.

A050303

The token request contains multiple 'code' parameters.

A050304

The token request contains multiple 'redirect_uri' parameters.

A050305

No such authorization code.

A050306

The authorization code does not belong to this service.

A050307

The authorization code does not belong to the client.

A050308

The authorization code was created with a redirect URI specified explicitly, but the token request does not contain 'redirect_uri' parameter.

A050309

The redirect URI contained in the token request does not match the one which was specified when the authorization code was created.

A050310

The token request contains 'redirect_uri' although the authorization code was created without specifying any redirect URI explicitly.

A050311

The authorization code has already expired.

A050312

The token request does not contain 'code_verifier' although the authorization code was created with 'code_challenge'.

A050313

The value of 'code_verifier' in the token request is empty.

A050314

The token request contains multiple 'code_verifier' parameters.

A050315

The code challenge value computed with 'code_verifier' is different from 'code_challenge' contained in the authorization request.

A051001

Authlete has successfully issued a ticket to the service (API Key = {Service's API Key}) for the token request from the client (ID = {Client ID}). [grant_type=password]

A051101

Failed to insert a new record into the 'token_ticket' table.

A051102

Failed to get the list of registered scopes from 'scope' table.

A051103

Failed to get the list of scope attributes from 'scope_attributes' table.

A051301

The token request does not contain 'username' parameter although 'grant_type' is 'password'.

A051302

The value of 'username' in the token request is empty.

A051303

The token request contains multiple 'username' parameters.

A051304

The token request does not contain 'password' parameter although 'grant_type' is 'password'.

A051305

The value of 'password' in the token request is empty.

A051306

The token request contains multiple 'password' parameters.

A051307

The token request contains multiple 'scope' parameters.

A052001

The token request (grant_type=client_credentials) was processed successfully.

A052101

Failed to get the list of registered scopes from 'scope' table.

A052102

Failed to insert a new access token into the database.

A052103

Failed to get the list of scope attributes from 'scope_attributes' table.

A052201

The total size of 'properties' is too big.

A052202

Failed to prepare a JWT-based access token: {Error Message}

A052301

Public clients are not allowed to use 'grant_type=client_credentials'.

A052302

The token request contains multiple 'scope' parameters.

A053001

The token request (grant_type=refresh_token) was processed successfully.

A053101

Failed to update the access token entity in the database.

A053102

Failed to get information about the refresh token.

A053104

Failed to get the list of scope attributes from 'scope_attributes' table.

A053201

The total size of 'properties' is too big.

A053202

Failed to prepare a JWT-based access token: {Error Message}

A053301

The token request does not contain 'refresh_token' parameter although 'grant_type' is 'refresh_token'.

A053302

The value of 'refresh_token' in the token request is empty.

A053303

The token request contains multiple 'refresh_token' parameters.

A053304

The token request contains multiple 'scope' parameters.

A053305

The refresh token passed to the token endpoint does not exist.

A053306

The refresh token does not belong to this service.

A053307

The refresh token does not belong to the client.

A053308

The refresh token has already expired.

A053309

The value of 'scope' in the token request contains a scope which is not covered by the old access token.

A053310

Failed to refresh the access token because the database record for the refresh token was not found.

A054001

The token request (grant_type=password) was processed successfully.

A055201

The value of 'ticket' in the /api/auth/token/issue request is null or empty.

A055202

There is no entity having the ticket specified in the /api/auth/token/issue request.

A055203

The ticket in the /api/auth/token/issue request does not belong to the service.

A055301

The ticket in the /api/auth/token/issue request has expired.

A056001

The access token is valid.

A057101

Failed to get information about the access token from the database.

A057301

The request does not contain a valid access token.

A057302

The access token does not exist.

A057303

The access token does not belong to the service.

A057304

Failed to extract the value of the 'jti' claim from the access token.

A057305

The value of the 'jti' claim in the access token is null or empty.

A057306

When the format of an access token is JWT, it must be a JWS signed with an asymmetric algorithm without encryption.

A058101

Failed to delete the consumed ticket ({Ticket}).

A059201

The value of 'ticket' in the /api/auth/authorization/fail request is null or empty.

A059202

There is no entity having the ticket specified in the /api/auth/authorization/fail request.

A059203

The ticket in the /api/auth/authorization/fail request does not belong to the service.

A059301

The ticket in the /api/auth/authorization/fail request has expired.

A060201

The /api/auth/authorization/fail request does not contain 'reason' parameter.

A060301

The authorization request contains prompt=none, but no end-user has logged in this service.

A060302

This service cannot handle 'max_age' parameter properly when the authorization request contains prompt=none.

A060303

The authorization request contains prompt=none, but the maximum authentication age has passed.

A060304

The authorization request contains prompt=none and specifies 'sub' claim, but the current end-user is different from the subject.

A060305

The authorization request contains prompt=none and requests 'acr' as essential, but the authentication performed for the end-user satisfies none of the requested ACRs.

A060306

The end-user denied the authorization request.

A060307

The authorization request failed due to an unknown reason.

A060308

The authorization request failed due to a server error.

A060309

The authorization request failed because the end-user was not authenticated or did not exist.

A060310

The authorization server cannot obtain an account selection choice made by the end-user.

A060311

The authorization server cannot obtain consent from the end-user.

A060312

The authorization server needs interaction with the end-user.

A061101

Failed to issue an access token from /api/auth/token/issue endpoint.

A061102

Failed to get the list of scope attributes from 'scope_attributes' table.

A061201

The total size of 'properties' is too big.

A061202

Failed to prepare a JWT-based access token: {Error Message}

A062101

Failed to delete the consumed ticket ({Ticket}).

A063201

The value of 'ticket' in the /api/auth/token/fail request is null or empty.

A063202

There is no entity having the ticket specified in the /api/auth/token/fail request.

A063203

The ticket in the /api/auth/token/fail request does not belong to the service.

A063301

The ticket in the /api/auth/token/fail request has expired.

A064301

No scopes are associated with the access token.

A064302

The access token does not cover the required scope '{Scope Name}'.

A065301

The access token has expired but it can be refreshed using the corresponding refresh token.

A065302

Both the access token and the refresh token have expired.

A065303

The access token has expired.

A065304

The client failed to present a certificate and the access token is MTLS bound.

A065305

The client's certificate does not match the thumbprint of the access token.

A065306

Failed to calculate the thumbprint of the client certificate.

A065307

Failed to parse the client certificate because it is malformed.

A066301

The access token is not associated with any subject.

A066302

The subject associated with the access token is different from the subject required to access the protected resource.

A067201

The /api/auth/token/fail request does not contain 'reason' parameter.

A067301

The credentials (username & password) passed to the token endpoint are invalid.

A067302

The token request failed due to an unknown reason.

A068101

Failed to get the list of claims supported by the service.

A069301

The value of 'login_hint' in the request object is not a string.

A069302

The authorization request contains multiple 'login_hint' parameters.

A077301

'prompt=none' is not supported.

A077302

The direct authorization endpoint is not enabled in this service (API Key = {API Key}).

A081101

Failed to issue an access token from /api/auth/token/direct endpoint.

A081102

Failed to get the list of scope attributes from 'scope_attributes' table.

A081201

Failed to prepare a JWT-based access token: {Error Message}

A081301

The credentials (username & password) passed to the token endpoint are invalid.

A082201

The authentication callback endpoint of the service ({Service's API Key}) is not registered.

A082202

The authentication callback failed (Service = {Service's API Key}, Client = {Client ID}): {Error Message}

A082203

'subject' in the response from the authentication callback endpoint of the service ({Service's API Key}) is empty.

A082204

The length ({Number}) of 'subject' in the response from the authentication callback endpoint of the service ({Service's API Key}) exceeds the maximum size ({Number}).

A082205

'subject' in the response from the authentication callback endpoint of the service ({Service's API Key}) contains non-ASCII letters.

A082206

'claims' in the response from the authentication callback endpoint of the service ({Service's API Key}) failed to be parsed as JSON.

A088101

Failed to get information about the access token from the database.

A088301

The request does not contain a valid access token.

A088302

The access token does not exist.

A088303

The access token does not belong to the service.

A088304

Failed to extract the value of the 'jti' claim from the access token.

A088305

The value of the 'jti' claim in the access token is null or empty.

A088306

When the format of an access token is JWT, it must be a JWS signed with an asymmetric algorithm without encryption.

A088307

The access token is invalid.

A089301

The access token has expired and does not have an associated refresh token.

A089302

Both the access token and the associated refresh token have expired.

A089303

The access token has expired, but it can be refreshed by using the associated refresh token.

A089304

The userinfo endpoint requires 'openid' scope, but the access token does not cover the scope.

A089305

The userinfo endpoint requires an access token to be associated with a subject.

A089306

An access token issued through the grant type of 'Resource Owner Password Credentials' is not allowed to access the userinfo endpoint.

A089307

The access token is bound to a client certificate, but the userinfo request includes no client certificate.

A089308

Failed to parse the client certificate because it is malformed.

A089309

Failed to calculate the thumbprint of the client certificate.

A089310

The thumbprint of the client certificate used in the userinfo request does not match the thumbprint of the client certificate to which the access token is bound.

A090101

Failed to get the list of claims supported by the service.

A091001

The access token presented at the userinfo endpoint is valid.

A092101

Failed to get information about the access token from the database.

A092301

The request does not contain a valid access token.

A092302

The access token does not exist.

A092303

The access token does not belong to the service.

A093301

The access token has expired and does not have an associated refresh token.

A093302

Both the access token and the associated refresh token have expired.

A093303

The access token has expired, but it can be refreshed by using the associated refresh token.

A093304

The userinfo endpoint requires 'openid' scope, but the access token does not cover the scope.

A093305

The userinfo endpoint requires an access token to be associated with a subject.

A093306

An access token issued through the grant type of 'Resource Owner Password Credentials' is not allowed to access the userinfo endpoint.

A094201

The value of 'claims' in the /api/auth/userinfo/issue request failed to be parsed as a JSON object.

A095301

The client application (ID = {Client ID}) has been deleted, so the user information cannot be serialized.

A096001

User information was obtained successfully.

A097101

Failed to get information about the client from the database.

A097301

The client application associated with the presented access token does not exist any longer.

A097302

The client application associated with the presented access token has been deleted.

A097303

The client application associated with the presented access token is locked.

A098101

Failed to get information about the client from the database.

A098301

The client application associated with the presented access token does not exist any longer.

A098302

The client application associated with the presented access token has been deleted.

A098303

The client application associated with the presented access token is locked.

A099001

The developer authentication request was processed successfully. (authenticated={Boolean})

A099101

Failed to get information about the service.

A099201

The service has already been deleted.

A099202

The service is locked.

A101201

The developer authentication callback endpoint of the service ({Service's API Key}) is not registered.

A101202

The developer authentication callback failed (Service = {Service's API Key}): {Error Message}

A101203

'subject' in the response from the developer authentication callback endpoint of the service ({Service's API Key}) is empty.

A101204

The length ({Number}) of 'subject' in the response from the developer authentication callback endpoint of the service ({Service's API Key}) exceeds the maximum size ({Number}).

A101205

'subject' in the response from the developer authentication callback endpoint of the service ({Service's API Key}) contains non-ASCII letters.

A101206

The length ({Number}) of 'displayName' in the response from the developer authentication callback endpoint of the service ({Service's API Key}) exceeds the maximum size ({Number}).

A104201

The 'grantType' parameter is empty.

A104202

REFRESH_TOKEN is not allowed as a value for the 'grantType' parameter.

A104203

The specified grant type ({Grant Type}) is not supported by this service ({Service's API Key}).

A105201

The 'subject' parameter is empty.

A105202

The length of 'subject' in the /api/auth/token/create request exceeds the maximum length ({Number}).

A105203

The 'subject' in the /api/auth/token/create request contains non-ASCII letters.

A106101

Failed to get supported custom scopes of the service ({Service's API Key}) from the database.

A106102

Failed to get the list of scope attributes from 'scope_attributes' table.

A106201

Unsupported scope: {Scope Name}

A107101

Failed to get information about the client (ID = {Client ID}).

A107201

No client has the client ID ({Client ID}).

A107202

The client identified by the client ID ({Client ID}) does not belong to the service.

A107203

The client identified by the client ID ({Client ID}) is locked.

A108101

Failed to insert a new access token into the database.

A108201

The total size of 'properties' is too big.

A108202

The 'refreshToken' parameter cannot be specified since the service does not support the refresh token flow.

A108203

The 'refreshToken' parameter cannot be specified when 'grant_type' is 'implicit'.

A108204

The 'refreshToken' parameter cannot be specified when 'grant_type' is 'client_credentials'.

A109001

An access token was created successfully: {Grant Type}, client = {Client ID}

A110101

Failed to get the JWK Set record of the service ({Service's API Key}).

A111201

The value of 'subject' in the /api/auth/token/issue request is null or empty.

A111202

The length ({Number}) of 'subject' in the /api/auth/token/issue request exceeds the maximum size ({Number}).

A111203

'subject' in the /api/auth/token/issue request contains non-ASCII letters.

A113001

The token has been revoked successfully.

A113201

The revocation request from the service does not contain 'parameters' parameter.

A113202

The format of the value of 'parameters' request parameter is wrong.

A113301

The revocation request does not contain any request parameters.

A114101

Failed to get the client information from the database (ID = {Client ID}).

A114102

Failed to get the client information by a client ID alias.

A114301

The revocation endpoint of this service requires 'client_id' parameter.

A114302

The value of 'client_id' passed to the revocation endpoint is empty.

A114303

The revocation request contains multiple 'client_id' parameters.

A114304

No client has the client ID ({Client ID}).

A114305

The client (ID = {Client ID}) does not belong to this service.

A114306

The client (ID = {Client ID}) has been deleted.

A114307

The client (ID = {Client ID}) is locked.

A114308

The revocation request does not contain 'client_secret' although the client type is 'confidential'.

A114309

The value of 'client_secret' in the revocation request is empty.

A114310

The revocation request contains multiple 'client_secret' parameters.

A114311

The client credentials contained in the revocation request are invalid.

A114312

The revocation request specifies the client ID by two different ways but the values are different.

A114313

The revocation request specifies the client secret by two different ways but the values are different.

A114314

No client has the client ID (%s) or the client ID alias.

A114315

The client ID alias (%s) of the client is not enabled.

A115301

The revocation request does not contain 'token' parameter.

A115302

The value of 'token' in the revocation request is empty.

A115303

The revocation request contains multiple 'token' parameters.

A116101

Failed to look up an access token.

A116102

Failed to look up a refresh token.

A116103

Failed to revoke the token.

A116104

Failed to get information about the client application that is associated with the token.

A116301

The presented token has not been issued to the client application (ID = {Client ID}).

A116302

The revocation request does not contain 'client_secret' although the client type of the client application that is associated with the token is 'confidential'.

A116303

The client application associated with the token does not belong to the service.

A116304

The client application associated with the token is locked.

A117301

The direct token endpoint is not enabled in this service ({Service's API Key}).

A117302

HTTP method for a token request must be POST.

A118301

The direct revocation endpoint is not enabled in this service ({Service's API Key}).

A119301

The direct jwks endpoint is not enabled in this service ({Service's API Key}).

A120201

The service owner (API Key = {Service Owner's API Key}) does not exist.

A122601

The service owner (API key = {Service Owner's API Key}) cannot create a new service because the current number of services has reached the maximum number ({Number}) of the plan ({Plan Name}).

A123601

Cannot create a new client because the current number of clients has reached the maximum number ({Number}) of clients per developer.

A123602

Cannot create a new client because the current number of clients has reached the maximum number ({Number}) of the plan ({Plan Name}). Consult the manager of this service.

A123603

Cannot create a new client because the client ID alias is already in use. Client ID aliases must be unique in the same service.

A124301

The authorization request does not contain 'code_challenge' parameter. See RFC 7636 for details.

A124302

The value of 'code_challenge' parameter in the authorization request is empty. See RFC 7636 for details.

A124303

The authorization request contains multiple 'code_challenge' parameters.

A124304

The value of 'code_challenge' does not comply with RFC 7636.

A124305

The authorization request contains multiple 'code_challenge_method' parameters.

A124306

The value of 'code_challenge_method' is not supported.

A124307

'code_challenge_method=S256' must be explicitly included in the request.

A124308

The value of the 'code_challenge_method' request parameter must be 'S256'.

A125101

Failed to correct the configuration information of the service.

A127001

The client (ID = {Client ID}) does not have extension data and so does not have requestable scopes.

A127002

Cleared requestable scopes of the client (ID = {Client ID}) successfully.

A127003

Requestable scopes of the client (ID = {Client ID}) have already been cleared.

A127101

Failed to clear requestable scopes of the client (ID = {Client ID}).

A128101

Failed to update requestable scopes of the client (ID = {Client ID}).

A128201

Failed to parse the request body as a JSON object.

A128202

The value of 'requestableScopes' in the request body is not an array.

A128203

The array of 'requestableScopes' contains a non-string element.

A133101

Failed to get the list of pre-defined scopes of the service ({Service's API Key}) from the 'scope' table.

A133102

Failed to get the list of scope attributes from 'scope_attributes' table.

A134101

Failed to get the information about the access token passed to the /api/auth/token/update API.

A134102

Failed to clear an access token cache.

A134103

Failed to clear a refresh token cache.

A134104

Failed to get the information about the service from the database.

A134105

Failed to get the information about the client from the database.

A134106

Failed to get the extension data of the client from the database.

A134107

The client associated with the access token no longer exists: ID = {Client ID}

A134109

Failed to get the information about the supported scopes.

A134110

Failed to get the list of scope attributes from 'scope_attributes' table.

A134201

The /api/auth/token/update API call must contain either the 'accessToken' or 'accessTokenHash' parameter.

A134202

The access token identified by the 'accessToken' request parameter does not exist.

A134203

The access token identified by the 'accessToken' request parameter does not belong to the service.

A134204

The service that the access token belongs to no longer exists: Service = {Service's API Key}

A135001

Updated the access token successfully.

A135101

Failed to update the database record of the access token.

A136102

Failed to get the list of clients from the database.

A136201

Parameter 'start' failed to be parsed as int.

A136202

Parameter 'start' must not be negative.

A136203

Parameter 'end' failed to be parsed as int.

A136204

Parameter 'end' must not be negative.

A136205

The input JSON to /api/client/authorization/client/get/list API is wrong.

A136206

The request parameter 'subject' must be specified.

A137001

Deleted {Number} access token(s) issued to the client (ID = {Client ID}) of the service (API Key = {Service's API Key}).

A137102

Failed to delete access tokens issued to the client (ID = {Client ID}).

A137201

The input JSON to /api/client/authorization/client/delete/{clientId} API is wrong.

A137202

The request parameter 'subject' must be specified.

A138001

Updated {Number} access token(s) issued to the client (ID = {Client ID}) of the service (API Key = {Service's API Key}).

A138102

Failed to update access tokens issued to the client (ID = {Client ID}).

A138201

The request parameter 'subject' must be specified.

A139001

There is no information about scopes granted to the combination of the client (ID = {Client ID}) and the subject ({Subject}).

A139002

Successfully obtained the information about scopes granted to the combination of the client (ID = {Client ID}) and the subject ({Subject}).

A139101

Failed to get information about scopes granted to the combination of the client (ID = {Client ID}) and the subject ({Subject}).

A139201

The input JSON to /api/client/granted_scopes/get/{clientId} API is wrong.

A139202

The request parameter 'subject' must be specified.

A140001

There was no information about scopes granted to the combination of the client (ID = {Client ID}) and the subject ({Subject}).

A140002

Successfully deleted the information about scopes granted to the combination of the client (ID = {Client ID}) and the subject ({Subject}).

A140101

Failed to delete information about scopes granted to the combination of the client (ID = {Client ID}) and the subject ({Subject}).

A140201

The input JSON to /api/client/granted_scopes/delete/{clientId} API is wrong.

A140202

The request parameter 'subject' must be specified.

A144101

Failed to get the information about the access token associated with the value of the 'accessToken' parameter.

A144102

Failed to get the information about the access token associated with the value of the 'refreshToken' parameter.

A144103

Failed to insert a new access token into the database.

A144201

Cannot create an access token because the specified access token value is already in use.

A144202

Cannot create an access token because the specified refresh token value is already in use.

A145001

Introspection was performed successfully (type={{access_token|refresh_token|null}}, active={{true|false}}).

A145201

The standard introspection request from the service does not contain 'parameters' parameter.

A145202

The format of the value of 'parameters' request parameter is wrong.

A145301

The standard introspection request does not contain any request parameters.

A145302

The 'token' request parameter is missing.

A145401

The response from /api/auth/introspection/standard: %s

A146101

Failed to look up an access token.

A146102

Failed to look up a refresh token.

A147301

The direct introspection endpoint is not enabled.

A148001

Successfully refreshed the client secret of the client (ID = {Client ID}).

A148101

Failed to refresh the client secret of the client (identifier = {Client Identifier}).

A148201

No client has the client identifier ({Client Identifier}).

A149001

Successfully updated the client secret of the client (ID = {Client ID}).

A149101

Failed to update the client secret of the client (identifier = {Client Identifier}).

A149201

No client has the client identifier ({Client Identifier}).

A149601

The format of the value of the 'clientSecret' request parameter is wrong: {Error Message}

A150101

Failed to get the list of registered redirect URIs from 'redirect_uri' table.

A150301

A request object is required.

A150302

The request object passed by 'request' parameter is not signed.

A150303

The authorization request contains multiple '{Parameter Name}' parameters.

A150304

The parameter '{Parameter Name}' exists in the request parameters but is not contained in the request object passed by 'request' parameter.

A150305

The parameter '{Parameter Name}' exists in both the request parameters and the request object passed by 'request' parameter but their values are different.

A150306

The value of the signing algorithm for the request object ({Algorithm}) is not allowed.

A150307

'redirect_uri' parameter must be contained in the authorization request.

A150308

The value of 'redirect_uri' in the request object is not a string.

A150309

The authorization request contains multiple 'redirect_uri' parameters.

A150310

The client has not registered any redirect URI.

A150311

The value of 'redirect_uri' ({Redirect URI}) is not registered.

A150312

The value of 'response_type' ({Response Type}) is not allowed.

A150313

The 'state' request parameter is not contained in the request.

A150314

The 'nonce' request parameter is not contained in the request.

A150315

The 'code_challenge' parameter is not contained in the request.

A150316

The value of 'code_challenge_method' parameter ({Parameter Name}) is not allowed.

A150317

The 'acr' claim is not contained in the request.

A150318

The value of the 'essential' of the 'acr' claim must be 'true'.

A150319

An 'exp' claim is required but not contained in the request object passed by 'request' parameter.

A150320

An 'exp' claim is contained in the request object passed by 'request' parameter but its value is not a number.

A150321

The time in the 'exp' claim in the request object passed by 'request' parameter is in the past.

A150322

The value of the signing algorithm ({Algorithm}) for the authorization response is not allowed.