NAV Navbar
curl java ruby c#
  • Basics
  • Data Types
  • Service Management
  • Client Management
  • Authorization Endpoint
  • Token Endpoint
  • Introspection Endpoint
  • Revocation Endpoint
  • Userinfo Endpoint
  • JWK Set Endpoint
  • Discovery Endpoint
  • CIBA
  • Device Flow
  • Token Operations
  • Jose Object
  • Result Codes
  • Basics

    Host

    The hosts which provide Authlete APIs are as follows.

    Server Type URL
    Shared Server https://api.authlete.com
    Dedicated Server Decided after consultation.

    Request

    The basic settings that are required for requests to Authlete APIs are as follows.

    Basic Authentication

    All Authlete Web APIs require Basic Authentication. APIs to manage services (/service/*) require the pair of API key & API secret of a service owner. Other APIs require that of a service. If Authorization header is missing, a response with HTTP status of "401 Unauthorized" is returned.

    TLS

    All Authlete Web APIs require TLS (Transport Layer Security). If TLS is not used, a response with HTTP status of "400 Bad Request" is returned.

    Response

    Some reseponses from Authlete have the following parameters.

    Name Type Description
    resultCode string The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.
    resultMessage string A short message which explains the result of the API call.

    These parameters will be useful especially when you try to identify the cause of error. See Result Codes for more details.

    Also, the table below shows major error responses.

    Response Description
    400 Bad Request All APIs may return a response with HTTP status of 400 Bad Request due to one of the reasons listed below.
    • TLS is not used.
    • The content of Authorization header is malformed.
    401 Unauthorized All APIs may return a response with HTTP status of "401 Unauthorized" due to the following reason.
    • Authorization header is missing.
    403 Forbidden All APIs may return a response with HTTP status of "403 Forbidden" due to one of the reasons listed below.
    • The pair of API key & API secret specified in Authorization header is invalid.
    • The service owner or the service is locked.

    Data Types

    This section describes the details of data types.

    Access Token

    The table below lists top-level properties of the JSON object which represents an access token.

    Name Type Description
    accessTokenHash string

    The hash of the access token.

    accessTokenExpiresAt i64

    The timestamp at which the access token will expire.

    refreshTokenHash string

    The hash of the refresh token.

    refreshTokenExpiresAt i64

    The timestamp at which the refresh token will expire.

    createdAt i64

    The timestamp at which the access token was first created.

    lastRefreshedAt i64

    The timestamp at which the access token was last refreshed using the refresh token.

    clientId i64

    The ID of the client associated with the access token.

    subject string

    The subject (= unique user ID) associated with the access token.

    grantType string

    The grant type of the access token when the access token was created.

    scopes string array

    The scopes associated with the access token.

    properties Property array

    The properties associated with the access token.

    Application Type

    The listed below are Authlete's constant values that correspond to the values of application_type property described in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    • WEB
    • NATIVE

    OpenID Connect Dynamic Client Registration 1.0 imposes additional requirements on redirect URIs base on the application type. The following description about application_type is an excerpt from the specification.

    OPTIONAL. Kind of the application. The default, if omitted, is web. The defined values are native or web. Web Clients using the OAuth Implicit Grant Type MUST only register URLs using the https scheme as redirect_uris; they MUST NOT use localhost as the hostname. Native Clients MUST only register redirect_uris using custom URI schemes or URLs using the http: scheme with localhost as the hostname. Authorization Servers MAY place additional constraints on Native Clients. Authorization Servers MAY reject Redirection URI values using the http scheme, other than the localhost case for Native Clients. The Authorization Server MUST verify that all the registered redirect_uris conform to these constraints. This prevents sharing a Client ID across different types of Clients.

    The description above says "The default, if omitted, is web." However, Authlete allows the applicationType property of Client to be null. It is because Authlete does not think it is appropriate to force all OAuth 2.0 clients to comply with the new requirements.

    Claim Type

    The listed below are Authlete's constant values that correspond to the claim types described in OpenID Connect Core 1.0, 5.6. Claim Types. The supportedClaimTypes property of Service is a string array containing values listed below.

    • NORMAL
    • AGGREGATED
    • DISTRIBUTED

    Note that, however, currently Authlete does not provide any API to help implementations for AGGREGATED and DISTRIBUTED.

    Client Authentication Method

    The table below lists Authlete's constant values that correspond to the client authentication methods at the token endpoint described in OpenID Connect Core 1.0, 9. Client Authentication.

    Value Description
    NONE

    This value corresponds to "none" described in OpenID Connect Core 1.0, 9. Client Authentication.

    CLIENT_SECRET_BASIC

    This value corresponds to "client_secret_basic" described in OpenID Connect Core 1.0, 9. Client Authentication. This is the Basic Authentication based method described in RFC 6749, 2.3. Client Authentication, which authorization servers must support.

    CLIENT_SECRET_POST

    This value corresponds to "client_secret_post" described in OpenID Connect Core 1.0, 9. Client Authentication. This is the method using the request body, which is described in RFC 6749, 2.3. Client Authentication.

    CLIENT_SECRET_JWT

    This value corresponds to "client_secret_jwt" described in OpenID Connect Core 1.0, 9. Client Authentication.

    PRIVATE_KEY_JWT

    This value corresponds to "private_key_jwt" described in OpenID Connect Core 1.0, 9. Client Authentication.

    TLS_CLIENT_AUTH

    Clients authenticate with the Authorization Server using X.509 certificates as defined in "Mutual TLS Profiles for OAuth Clients".

    SELF_SIGNED_TLS_CLIENT_AUTH

    Clients authenticate with the Authorization Server using self-signed certificates as defined in "Mutual TLS Profiles for OAuth Clients".

    The supportedTokenAuthMethods property of Service is a string array containing values listed above.

    Client Extension

    There are some attributes that belong to a client application but should not be changed by the developer of the client application. Basically, this class holds such attributes.

    For example, an authorization server may narrow the range of scopes (permissions) that a particular client application can request. In this case, it is meaningless if the developer of the client application can freely decide the set of requestable scopes. It is not the developer of the client application but the administrator of the authorization server that should be allowed to define the set of scopes that the client application can request. This data structure has properties listed in the following table.

    Name Type Description
    requestableScopes string array

    The set of scopes that the client application is allowed to request. This paramter will be one of the following.

    • null
    • an empty set
    • a set with at least one element

    When the value of this parameter is null, it means that the set of scopes that the client application is allowed to request is the set of the scopes that the service supports.

    When the value of this parameter is an empty set, it means that the client application is not allowed to request any scopes.

    When the value of this parameter is a set with at least one element, it means that the set is the set of scopes that the client application is allowed to request.

    requestableScopesEnabled boolean

    The flag to indicate whether "Requestable Scopes per Client" is enabled or not. If true, you can define the set of scopes which this client application can request. If false, this client application can request any scope which is supported by the authorization server.

    Client Type

    The listed below are Authlete's constant values that correspond to the client types described in RFC 6749, 2.1. Client Types. The clientType property of Client has either of the values listed below.

    • CONFIDENTIAL
    • PUBLIC

    Client

    The table below lists top-level properties of the JSON object which represents a client application.

    Name Type Description
    number i32

    The sequential number of the client application. The value of this property is assigned by Authlete. Even if the property has a value in a /client/create request or a /client/update request, it is ignored.

    serviceNumber i32

    The sequential number of the service of the client application. The value of this property is assigned by Authlete. Even if the property has a value in a /client/create request or a /client/update request, it is ignored.

    developer string

    The developer of the client application. It consists of at most 100 ASCII letters. This property must not be null.

    clientId i64

    The client ID. The value of this property is assigned by Authlete. Even if the property has a value in a /client/create request or a /client/update request, it is ignored.

    clientIdAlias string

    The alias of the client ID. Note that the client ID alias is recognized only when this client's clientIdAliasEnabled property is true AND the service's clientIdAliasEnabled property is also true.

    clientIdAliasEnabled boolean

    The flag to indicate whether the client ID alias is enabled or not. Note that Service object also has clientIdAliasEnabled property. If the service's clientIdAliasEnabled property is false, the client ID alias of this client is not recognized even if this client's clientIdAliasEnabled property is true.

    clientSecret string

    The client secret. A random 512-bit value encoded by base64url (86 letters). The value of this property is assigned by Authlete. Even if the property has a value in a /client/create request or a /client/update request, it is ignored.

    Note that Authlete issues a client secret even to a "public" client application, but the client application should not use the client secret unless it changes its client type to "confidential". That is, a public client application should behave as if it had not been issued a client secret. To be specific, a token request from a public client of Authlete should not come along with a client secret although RFC 6749, 3.2.1. Client Authentication says as follows.

    Confidential clients or other clients issued client credentials MUST authenticate with the authorization server as described in Section 2.3 when making requests to the token endpoint.

    clientType string

    The client type, either CONFIDENTIAL or PUBLIC. See RFC 6749, 2.1. Client Types for details.

    If clientType in a /client/create request or a /client/update request is null, PUBLIC is used.

    redirectUris URL array

    Redirect URIs that the client application uses to receive a response from the authorization endpoint. Requirements for a redirect URI are as follows.

    Requirements by RFC 6749
    (From RFC 6749, 3.1.2. Redirection Endpoint)
    • Must be an absolute URI.
    • Must not have a fragment component.
    Requirements by OpenID Connect
    (From "OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata, application_type")
    • The scheme of the redirect URI used for Implicit Grant by a client application whose application type is "web" must be https. This is checked at runtime by Authlete.
    • The hostname of the redirect URI used for Implicit Grant by a client application whose application type is "web" must not be localhost. This is checked at runtime by Authlete.
    • The scheme of the redirect URI used by a client application whose application type is "native" must be either (1) a custom scheme or (2) http, which is allowed only when the hostname part is localhost. This is checked at runtime by Authlete.
    Requirements by Authlete
    • Must consist of printable ASCII letters only.
    • Must not exceed 200 letters.

    Note that Authlete allows the application type to be null. In other words, a client application does not have to choose "web" or "native" as its application type. If the application type is null, the requirements by OpenID Connect are not checked at runtime.

    An authorization request from a client application which has not registered any redirect URI fails unless at least all the following conditions are satisfied.

    • The client type of the client application is "confidential".
    • The value of response_type request parameter is code.
    • The authorization request has the redirect_uri request parameter.
    • The value of scope request parameter does not contain openid.

    RFC 6749 allows partial match of redirect URI under some conditions (see RFC 6749, 3.1.2.2. Registration Requirements for details), but OpenID Connect requires exact match.

    responseTypes string array

    A string array of response types which the client application declares that it will restrict itself to using. This property corresponds to response_types in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    If responseTypes in a /client/create request or a /client/update request is null, an array containing just CODE is used.

    grantTypes string array

    A string array of grant types which the client application declares that it will restrict itself to using. This property corresponds to grant_types in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    If grantTypes in a /client/create request or a /client/update request is null, an array containing just AUTHORIZATION_CODE is used.

    applicationType string

    The application type. WEB, NATIVE or null. The value of this property affects the validation steps for a redirect URI. See the description about redirectUris property above.

    This property corresponds to application_type in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    contacts string array

    An array of email addresses of people responsible for the client application. Each element must consist of printable ASCII letters only and its length must not exceed 100.

    This property corresponds to contacts in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    clientName string

    The name of the client application. At most 100 unicode letters.

    If clientName in a /client/create request or a /client/update request is null, the client ID is used.

    This property corresponds to client_name in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    clientNames Tagged Value array

    Client names with language tags. If the client application has different names for different languages, this property can be used to register the names.

    logoUri URL

    The URL pointing to the logo image of the client application. The URL must consist of printable ASCII letters only and its length must not exceed 200.

    This property corresponds to logo_uri in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    logoUris Tagged Value array

    Logo image URLs with language tags. If the client application has different logo images for different languages, this property can be used to register URLs of the images.

    clientUri URL

    The URL pointing to the home page of the client application. The URL must consist of printable ASCII letters only and its length must not exceed 200.

    This property corresponds to client_uri in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    clientUris Tagged Value array

    Home page URLs with language tags. If the client application has different home pages for different languages, this property can be used to register the URLs.

    policyUri URL

    The URL pointing to the page which describes the policy as to how end-users' profile data are used. The URL must consist of printable ASCII letters only and its length must not exceed 200.

    This property corresponds to policy_uri in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    policyUris Tagged Value array

    URLs of policy pages with language tags. If the client application has different policy pages for different languages, this property can be used to register the URLs.

    tosUri URL

    The URL pointing to the "Terms Of Service" page. The URL must consist of printable ASCII letters only and its length must not exceed 200.

    This property corresponds to tos_uri in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    tosUris Tagged Value array

    URLs of "Terms Of Service" pages with language tags. If the client application has different "Terms Of Service" pages for different languages, this property can be used to register the URLs.

    jwksUri URL

    The URL pointing to the JWK Set of the client application. The URL must consist of printable ASCII letters only and its length must not exceed 200. The content pointed to by the URL must be JSON which complies with the format described in "JSON Web Key (JWK), 5. JSON Web Key Set (JWK Set) Format". Of course, the JWK Set must not include private keys of the client application.

    If the client application requests encryption for ID tokens (from the authorization/token/userinfo endpoints) and/or signs request objects, it must make available its JWK Set containing public keys for the encryption and/or the signature at the URL of jwksUri. The service (Authlete) fetches the JWK Set from the URL as necessary.

    OpenID Connect Dynamic Client Registration 1.0 says that jwks must not be used when the client can use jwks_uri, but Authlete allows both properties to be registered at the same time. However, Authlete does not use the content of jwks when jwksUri is registered.

    This property corresponds to jwks_uri in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    jwks string

    The content of the JWK Set of the client application. The format is described in "JSON Web Key (JWK), 5. JSON Web Key Set (JWK Set) Format". Of course, the JWK Set must not include private keys of the client application.

    OpenID Connect Dynamic Client Registration 1.0 says that jwks must not be used when the client can use jwks_uri, but Authlete allows both properties to be registered at the same time. However, Authlete does not use the content of jwks when jwksUri is registered.

    This property corresponds to jwks in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    sectorIdentifier URL

    The sector identifier which is a URL starting with https. The URL must consist of printable ASCII letters only and its length must not exceed 200.This URL is used by the service to calculate pairwise subject values. See OpenID Connect Core 1.0, 8.1. Pairwise Identifier Algorithm. Note that, however, Authlete does not support pairwise yet.

    This property corresponds to sector_identifier_uri in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    subjectType string

    The subject type that the client application requests. Either PUBLIC or PAIRWISE. the default value is PUBLIC. Details about the subject type are described in OpenID Connect Core 1.0, 8. Subjct Identifier Types.

    Because Authlete's implementation for PAIRWISE is not finished yet, even if subjectType configuration parameter of the client application is PAIRWISE, Authlete behaves as if it were PUBLIC.

    This property corresponds to subject_type in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    idTokenSignAlg string

    The value of alg header parameter of JWS that the client application requires the service to use for signing an ID token. One of the values listed in JWS Algorithm. The default value is RS256.

    NONE may be specified, but in that case, the client application cannot obtain an ID token from the service. That is, an authorization request requesting an ID token fails.

    This property corresponds to id_token_signed_response_alg in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    idTokenEncryptionAlg string

    The value of alg header parameter of JWE that the client application requires the service to use for encrypting an ID token. One of the supported values listed in JWE Algorithm. The default value is null, meaning that an ID token is not encrypted. When idTokenEncryptionEnc is not null, this property must not be null.

    If the value of this property indicates an asymmetric encryption algorithm, the client application must make available its JWK Set which contains a public key for encryption at the URL referred to by its jwksUri configuration property.

    This property corresponds to id_token_encrypted_response_alg in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    idTokenEncryptionEnc string

    The value of enc header parameter of JWE that the client application requires the service to use for encrypting an ID token. One of the values listed in JWE Encryption Algorithm. The default value is (1) A128CBC_HS256 when idTokenEncryptionAlg is not null, or (2) null when idTokenEncryptionAlg is null.

    This property corresponds to id_token_encrypted_response_enc in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    userInfoSignAlg string

    The value of alg header parameter of JWS that the client application requires the service to use for signing the JWT returned from the user info endpoint. One of the values listed in JWS Algorithm. The default value is null, meaning that the data from the user info endpoint is not signed.

    If both userInfoSignAlg and userInfoEncryptionAlg are null, the format of the response from the user info endpoint is a plain JSON (not JWT). Note that null and NONE are different for this property.

    This property corresponds to userinfo_signed_response_alg in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    userInfoEncryptionAlg string

    The value of alg header parameter of JWE that the client application requires the service to use for encrypting the JWT returned from the user info endpoint. One of the supported values listed in JWE Algorithm. The default value is null, meaning that the data from the user info endpoint is not encrypted. When userInfoEncryptionEnc is not null, this property must not be null.

    If the value of this property indicates an asymmetric encryption algorithm, the client application must make available its JWK Set which contains a public key for encryption at the URL referred to by its jwksUri configuration property.

    If both userInfoSignAlg and userInfoEncryptionAlg are null, the format of the response from the user info endpoint is a plain JSON (not JWT).

    This property corresponds to userinfo_encrypted_response_alg in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    userInfoEncryptionEnc string

    The value of enc header parameter of JWE that the client application requires the service to use for encrypting the JWT returned from the user info endpoint. One of the values listed in JWE Encryption Algorithm. The default value is (1) A128CBC_HS256 when userInfoEncryptionAlg is not null, or (2) null when userInfoEncryptionAlg is null.

    This property corresponds to userinfo_encrypted_response_enc in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    requestSignAlg string

    The value of alg header parameter of JWS that the client application uses for signing a request object. One of the values listed in JWS Algorithm. The default value is null, meaning that the client application may use any algorithm (among those supported by the service) to sign a request object (including none).

    If the value of this property is not null, request objects sent from the client application must be signed using the algorithm. Request objects signed by other algorithms are rejected. Note that null and NONE are different for this property.

    If the value of this property indicates an asymmetric signing algorithm, the client application must make available its JWK Set which contains a public key for the service to verify the signature of the request object at the URL referred to by its jwksUri configuration property.

    This property corresponds to request_object_signing_alg in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    requestEncryptionAlg string

    The value of alg header parameter of JWE that the client application uses for encrypting a request object. One of the supported values listed in JWE Algorithm. The default value is null. When requestEncryptionEnc is not null, this property must not be null.

    Regardless of whether the value of this property is null or not, the client application may and may not encrypt a request object. Furthermore, the client application may use other supported encryption algorithms.

    This property corresponds to request_object_encryption_alg in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    requestEncryptionEnc string

    The value of enc header parameter of JWE that the client application uses for encrypting a request object. One of the values listed in JWE Encryption Algorithm. The default value is (1) A128CBC_HS256 when requestEncryptionAlg is not null, or (2) null when requestEncryptionAlg is null.

    This property corresponds to request_object_encryption_enc in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    tokenAuthMethod string

    The client authentication method that the client application declares that it uses at the token endpoint. One of the values listed in Client Authentication Method. The default value is CLIENT_SECRET_BASIC (if Authlete version < 2.0) or NONE (if Authlete version ≥ 2.0).

    This property corresponds to token_endpoint_auth_method in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    tokenAuthSignAlg string

    The value of alg header parameter of JWS which is used for client authentication at the token endpoint. One of the values listed in JWS Algorithm except NONE. The default value is null, meaning that the client may sign using any algorithm which is supported by the service. If the value of this property is not null, the client application must use the algorithm.

    This property is used only for the two JWT-based client authentication, namely, PRIVATE_KEY_JWT and CLIENT_SECRET_JWT (see Cient Authentication Method). Note that, however, currently Authlete does not provide any API to help implementations for PRIVATE_KEY_JWT and CLIENT_SECRET_JWT.

    This property corresponds to token_endpoint_auth_signing_alg in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    defaultMaxAge i32

    The default maximum authentication age in seconds. This value is used when an authorization request from the client application does not have max_age request parameter.

    This property corresponds to default_max_age in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    defaultAcrs string array

    The default ACRs (Authentication Context Class References). This value is used when an authorization request from the client application has neither acr_values request parameter nor acr claim in claims request parameter.

    Each element must consist of printable ASCII letters only and its length must not exceed 200.

    authTimeRequired boolean

    true if the client application requires the auth_time claim to be in an ID token. Regardless of the value of this property, Authlete embeds the auth_time claim when authTime parameter in the /auth/authorization/issue request is not 0 and does not do it when authTime is 0.

    This property corresponds to require_auth_time in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    loginUri URL

    The URL which a third party can use to initiate a login by the client application. The URL must start with https and consist of ASCII letters only. Its length must not exceed 200.

    This property corresponds to initiate_login_uri in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata.

    requestUris URL array

    An array of URLs each of which points to a request object. Each URL must consist of printable ASCII letters only and its length must not exceed 200.

    Authlete requires that URLs used as values for request_uri request parameter be pre-registered. This requestUris property is used for the pre-registration. See OpenID Connect Core 1.0, 6.2. Passing a Request Object by Reference for details.

    description string

    The description about the client application. At most 200 letters in unicode.

    descriptions Tagged Value array

    Descriptions about the client application with language tags. If the client application has different descriptions for different languages, this property can be used to register the descriptions.

    createdAt i64

    The time at which this client was created. The value is represented as milliseconds since the UNIX epoch (1970-01-01).

    modifiedAt i64

    The time at which this client was last modified. The value is represented as milliseconds since the UNIX epoch (1970-01-01).

    extension ClientExtension

    The extended information about this client.

    tlsClientAuthSubjectDn string

    The string representation of the expected subject distinguished name of the certificate this client will use in mutual TLS authentication.

    See tls_client_auth_subject_dn in "2.3. Dynamic Client Registration" in "Mutual TLS Profiles for OAuth Clients" for details.

    tlsClientAuthSanDns string

    The string representation of the expected DNS subject alternative name of the certificate this client will use in mutual TLS authentication.

    See tls_client_auth_san_dns in "2.3. Dynamic Client Registration" in "Mutual TLS Profiles for OAuth Clients" for details.

    tlsClientAuthSanUri URL

    The string representation of the expected URI subject alternative name of the certificate this client will use in mutual TLS authentication.

    See tls_client_auth_san_uri in "2.3. Dynamic Client Registration" in "Mutual TLS Profiles for OAuth Clients" for details.

    tlsClientAuthSanIp string

    The string representation of the expected IP address subject alternative name of the certificate this client will use in mutual TLS authentication.

    See tls_client_auth_san_ip in "2.3. Dynamic Client Registration" in "Mutual TLS Profiles for OAuth Clients" for details.

    tlsClientAuthSanEmail string

    The string representation of the expected email address subject alternative name of the certificate this client will use in mutual TLS authentication.

    See tls_client_auth_san_email in "2.3. Dynamic Client Registration" in "Mutual TLS Profiles for OAuth Clients" for details.

    tlsClientCertificateBoundAccessTokens boolean

    The flag which indicates whether this client use TLS client certificate bound access tokens.

    selfSignedCertificateKeyId string

    The key ID of a JWK containing a self-signed certificate of this client.

    softwareId string

    The unique identifier string assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered.

    This property corresponds to the software_id metadata defined in 2. Client Metadata of RFC 7591 (OAuth 2.0 Dynamic Client Registration Protocol).

    softwareVersion string

    The version identifier string for the client software identified by the software ID.

    This property corresponds to the software_version metadata defined in 2. Client Metadata of RFC 7591 (OAuth 2.0 Dynamic Client Registration Protocol).

    authorizationSignAlg string

    The JWS alg algorithm for signing authorization responses. One of the values listed in JWS Algorithm. The default value is null.

    This property corresponds to authorization_signed_response_alg in 5. Client Metadata of Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM).

    authorizationEncryptionAlg string

    The JWE alg algorithm for encrypting authorization responses. One of the values listed in JWE Algorithm. The default value is null. When authorizationEncryptionEnc is not null, this property must not be null.

    This property corresponds to authorization_encrypted_response_alg in 5. Client Metadata of Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM).

    authorizationEncryptionEnc string

    The JWE enc algorithm for encrypting authorization responses. The default value is null.

    This property corresponds to authorization_encrypted_response_enc in 5. Client Metadata of Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM).

    bcDeliveryMode string

    The backchannel token delivery mode.

    This property corresponds to the backchannel_token_delivery_mode metadata. One of the values listed in Delivery Mode. The backchannel token delivery mode is defined in the specification of the CIBA (Client Initiated Backchannel Authentication).

    bcNotificationEndpoint string

    The backchannel client notification endpoint.

    This property corresponds to the backchannel_client_notification_endpoint metadata. The backchannel token delivery mode is defined in the specification of the CIBA (Client Initiated Backchannel Authentication).

    bcRequestSignAlg string

    The signature algorithm of the request to the backchannel authentication endpoint. One of the asymmetric algorithm values listed in JWS Algorithm. The default value is null.

    This property corresponds to the backchannel_authentication_request_signing_alg metadata. The backchannel token delivery mode is defined in the specification of the CIBA (Client Initiated Backchannel Authentication).

    bcUserCodeRequired boolean

    The boolean flag which indicates whether a user code is required when this client makes a backchannel authentication request.

    This property corresponds to the backchannel_user_code_parameter metadata.

    dynamicallyRegistered boolean

    The flag which indicates whether this client has been registered dynamically.

    registrationAccessTokenHash string

    The hash of the registration access token for this client.

    Display

    The listed below are Authlete's constant values that correspond to the display values described in "OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, display". The supportedDisplays property of Service is a string array containing values listed below.

    • PAGE
    • POPUP
    • TOUCH
    • WAP

    Prompt

    The listed below are Authlete's constant values that correspond to the prompt values described in "OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, prompt".

    • NONE
    • LOGIN
    • CONSENT
    • SELECT_ACCOUNT

    Grant Type

    The table below lists Authlete's constant values that correspond to the values of grant_type request parameter for OAuth 2.0 token endpoint. Among the values listed here, however, implicit cannot be used as a value for grant_type request parameter. It exists only as a value of supportedGrantTypes property of Service and grantTypes property of Client.

    Value Description
    AUTHORIZATION_CODE

    This corresponds to "authorization_code" defined in RFC 6749, 4.1.3. Access Token Request for Authorization Code Grant.

    IMPLICIT

    This corresponds to "implicit" defined in OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata for Implicit Grant.

    PASSWORD

    This corresponds to "password" defined in RFC 6749, 4.3.2. Access Token Request for Resource Owner Password Credentials Grant.

    CLIENT_CREDENTIALS

    This corresponds to "client_credentials" defined in RFC 6749, 4.4.2. Access Token Request for Client Credentials Grant.

    REFRESH_TOKEN

    This corresponds to "refresh_token" defined in RFC 6749, 6. Refreshing an Access Token.

    JWE Algorithm

    The listed below are Authlete's constant values that correspond to the values of "alg" header parameter of JSON Web Encryption (JWE), which are described in JSON Web Algorithms (JWA), 4.1. "alg" (Algorithm) Header Parameter Values for JWE.

    • RSA1_5
    • RSA_OAEP
    • RSA_OAEP_256
    • A128KW
    • A192KW
    • A256KW
    • DIR
    • ECDH_ES
    • ECDH_ES_A128KW
    • ECDH_ES_A192KW
    • ECDH_ES_A256KW
    • A128GCMKW
    • A192GCMKW
    • A256GCMKW
    • PBES2_HS256_A128KW
    • PBES2_HS384_A192KW
    • PBES2_HS512_A256KW

    JWE Encryption Algorithm

    The listed below are Authlete's constant values that correspond to the values of "enc" header parameter of JSON Web Encryption (JWE), which are described in JSON Web Algorithms (JWA), 5.1. "enc" (Encryption Algorithm) Header Parameter Values for JWE.

    • A128CBC_HS256
    • A192CBC_HS384
    • A256CBC_HS512
    • A128GCM
    • A192GCM
    • A256GCM

    JWS Algorithm

    The listed below are Authlete's constant values that correspond to the values of "alg" header parameter of JSON Web Signature (JWS), which are described in JSON Web Algorithms (JWA), 3.1. "alg" (Algorithm) Header Parameter Values for JWS.

    • NONE
    • HS256
    • HS384
    • HS512
    • RS256
    • RS384
    • RS512
    • ES256
    • ES384
    • ES512
    • PS256
    • PS384
    • PS512

    Pair

    A pair of a string key and a string value.

    Name Type Description
    key string

    The key part.

    value string

    The value part.

    Property

    Property that consists of a string key and a string value.

    This data type is used mainly to represent an extra property that is associated with an access token. Some Authlete APIs (such as /api/auth/token API) accept an array of properties via properties request parameter and associate the properties with an access token.

    Name Type Description
    key string

    The key part.

    value string

    The value part.

    hidden boolean

    The flag to indicate whether this property hidden from or visible to client applications.

    If true, this property is hidden from client applications. Otherwise, this property is visible to client applications.

    Response Type

    The table below lists Authlete's valid constant values that correspond to response_type request parameter for OAuth 2.0 authorization endpoint. RFC 6749 defines two values, "code" and "token". Other values listed here are added by OAuth 2.0 Multiple Response Type Encding Practices, which is a part of Open ID Connect specification.

    The supportedResponseTypes property of Service and the responseTypes property of Client are a string array containing values listed below.

    Value Description
    NONE

    This corresponds to "none" defined in OAuth 2.0 Multiple Response Type Encoding Practices, 4. None Response Type.

    CODE

    This corresponds to "code" defined in RFC 6749, 4.1.1. Authorization Request for Authorization Code Grant.

    TOKEN

    This corresponds to "token" defined in RFC 6749, 4.2.1. Authorization Request for Implicit Grant.

    ID_TOKEN

    This corresponds to "id_token" defined in OAuth 2.0 Multiple Response Type Encoding Practices, 3. ID Token Response Type.

    CODE_TOKEN

    This corresponds to "code token" defined in OAuth 2.0 Multiple Response Type Encoding Practices, 5. Definitions of Multiple-Valued Response Type Combinations.

    CODE_ID_TOKEN

    This corresponds to "code id_token" defined in OAuth 2.0 Multiple Response Type Encoding Practices, 5. Definitions of Multiple-Valued Response Type Combinations.

    ID_TOKEN_TOKEN

    This corresponds to "id_token token" defined in OAuth 2.0 Multiple Response Type Encoding Practices, 5. Definitions of Multiple-Valued Response Type Combinations.

    CODE_ID_TOKEN_TOKEN

    This corresponds to "code id_token token" defined in OAuth 2.0 Multiple Response Type Encoding Practices, 5. Definitions of Multiple-Valued Response Type Combinations.

    Scope

    This is a data structure for a scope which is described in RFC 6749, Access Token Scope. The data structure has properties listed in the following table.

    Name Type Description
    name string

    The name of the scope. Letters that can be used for a scope name are %x21, %x23-5B and %x5D-7E. Put simply, they are printable ASCII letters excluding "space (%x20)", "double quotation mark (%x22)" and "backslash (%x5C)". Its length must not exceed 200.

    defaultEntry boolean

    true to mark the scope as default. Scopes marked as default are regarded as requested when an authorization request from a client application does not contain scope request parameter.

    description string

    OPTIONAL. The description of the scope. It is a unicode string. Its length must not exceed 200.

    attributes Pair array

    OPTIONAL. The attributes of the scope.

    Service

    The table below lists top-level properties of the JSON object which represents a service.

    Name Type Description
    number i32

    The sequential number of the service. The value of this property is assigned by Authlete. Even if the property has a value in a /service/create request or a /service/update request, it is ignored.

    serviceOwnerNumber i32

    The sequential number of the service owner of the service. The value of this property is assigned by Authlete. Even if the property has a value in a /service/create request or a /service/update request, it is ignored.

    serviceName string

    The name of the service. It consists of at most 100 unicode letters. This property may be null.

    apiKey i64

    The API key. The value of this property is assigned by Authlete. Even if the property has a value in a /service/create request or a /service/update request, it is ignored.

    apiSecret string

    The API secret. A random 256-bit value encoded by base64url (43 letters). The value of this property is assigned by Authlete. Even if the property has a value in a /service/create request or a /service/update request, it is ignored.

    issuer URL

    The issuer identifier of the service. A URL that starts with https:// and has no query or fragment component. For example, https://example.com. Authlete requires that the URL consist of only ASCII letters and its length not exceed 200. This property may be null.

    The value of this property is used as iss claim in an ID token and issuer property in the OpenID Provider Metadata.

    authorizationEndpoint URL

    The authorization endpoint of the service. A URL that starts with https:// and has no fragment component. For example, https://example.com/auth/authorization. Authlete requires that the URL consist of only ASCII letters and its length not exceed 200. This property may be null.

    The value of this property is used as authorization_endpoint property in the OpenID Provider Metadata.

    tokenEndpoint URL

    The token endpoint of the service. A URL that starts with https:// and has not fragment component. For example, https://example.com/auth/token. Authlete requires that the URL consist of only ASCII letters and its length not exceed 200. This property may be null if and only if the service supports only Implicit Grant (= supports response_type=token only).

    The value of this property is used as token_endpoint property in the OpenID Provider Metadata.

    revocationEndpoint URL

    The revocation endpoint of the service. A URL that starts with https://. For example, https://example.com/auth/revocation. Authlete requires that the URL consist of only ASCII letters and its length not exceed 200. This property may be null if the service does not support the revocation endpoint.

    userInfoEndpoint URL

    The user info endpoint of the service. A URL that starts with https://. For example, https://example.com/auth/userinfo. Authlete requires that the URL consist of only ASCII letters and its length not exceed 200. This property may be null if the service does not support the user info endpoint.

    The value of this property is used as userinfo_endpoint property in the OpenID Provider Metadata.

    jwksUri URL

    The URL of the service's JSON Web Key Set document. For example, http://example.com/auth/jwks. Authlete requires that the URL consist of only ASCII letters and its length not exceed 200. This property may be null if and only if the service does not support asymmetric signatures for ID tokens and asymmetric encryption for request objects.

    Client applications accesses this URL (1) to get the public key of the service to validate the signature of an ID token issued by the service and (2) to get the public key of the service to encrypt an request object of the client application. See OpenID Connect Core 1.0, 10. Signatures and Encryption for details.

    The value of this property is used as jwks_uri property in the OpenID Provider Metadata.

    jwks string

    The content of the service's JSON Web Key Set document. If this property is not null in a /service/create request or a /service/update, Authlete hosts the content in the database. This property must not be null and must contain pairs of public/private keys if the service wants to support asymmetric signatures for ID tokens and asymmetric encryption for request objects. See OpenID Connect Core 1.0, 10. Signatures and Encryption for details.

    registrationEndpoint URL

    The registration endpoint of the service. A URL that starts with https://. For example, https://example.com/auth/registration. Authlete requires that the URL consist of only ASCII letters and its length not exceed 200.

    The value of this property is used as registration_endpoint property in the OpenID Provider Metadata.

    registrationManagementEndpoint URL

    The URI of the registration management endpoint. If dynamic client registration is supported, and this is set, this URI will be used as the basis of the client's management endpoint by appending /clientid/ to it as a path element. If this is unset, the value of registrationEndpoint will be used as the URI base instead.

    supportedScopes Scope array

    Scopes supported by the service. Authlete strongly recommends that the service register at least the following scopes.

    Name Description
    openid

    A permission to get an ID token of an end-user.

    The openid scope appears in "OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, scope". Without this scope, Authlete does not allow response_type request parameter to have values other than code and token.

    profile

    A permission to get information about name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender birthdate, zoneinfo, locale and updated_at from the user info endpoint.

    See OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values for details.

    email

    A permission to get information about email and email_verified from the user info endpoint.

    See OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values for details.

    address

    A permission to get information about address from the user info endpoint.

    See OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values and 5.1.1. Address Claim for details.

    phone

    A permission to get information about phone_number and phone_number_verified from the user info endpoint.

    See OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values for details.

    offline_access

    A permission to get information from the user info endpoint even when the end-user is not present.

    See OpenID Connect Core 1.0, 11. Offline Access for details.

    The value of this property is used as scopes_supported property in the OpenID Provider Metadata.

    supportedResponseTypes string array

    Values of response_type request parameter that the service supports. Valid values are listed in Response Type.

    The value of this property is used as response_types_supported property in the OpenID Provider Metadata.

    supportedGrantTypes string array

    Values of grant_type request parameter that the service supports. Valid values are listed in Grant Type.

    The value of this property is used as grant_types_supported property in the OpenID Provider Metadata.

    supportedAcrs string array

    Values of Authentication Context Class References that the service supports.

    The value of this property is used as acr_values_supported property in the OpenID Provider Metadata.

    supportedTokenAuthMethods string array

    Client authentication methods supported by the token endpoint of the service. Valid values are listed in Client Authentication Method. Note that, however, currently Authlete does not provide any API to help implementations for CLIENT_SECRET_JWT and PRIVATE_KEY_JWT.

    The value of this property is used as token_endpoint_auth_methods_supports property in the OpenID Provider Metadata.

    supportedDisplays string array

    Values of display request parameter that service supports. Valid values are listed in Display.

    The value of this property is used as display_values_supported property in the OpenID Provider Metadata.

    supportedClaimTypes string array

    Claim types supported by the service. Valid values are listed in Claim Type. Note that, however, currently Authlete does not provide any API to help implementations for AGGREGATED and DISTRIBUTED.

    The value of this property is used as claim_types_supported property in the OpenID Provider Metadata.

    supportedClaims string array

    Claim names that the service supports. The standard claim names listed in OpenID Connect Core 1.0, 5.1. Standard Claim should be supported. The following is the list of standard claims.

    1. sub
    2. name
    3. given_name
    4. family_name
    5. middle_name
    6. nickname
    7. preferred_username
    8. profile
    9. picture
    10. website
    11. email
    12. email_verified
    13. gender
    14. birthdate
    15. zoneinfo
    16. locale
    17. phone_number
    18. phone_number_verified
    19. address
    20. updated_at

    The value of this property is used as claims_supported property in the OpenID Provider Metadata.

    The service may support its original claim names. See OpenID Connect Core 1.0, 5.1.2. Additional Claims. Note that Authlete requires that original claim names consist of only ASCII letters and its length not exceed 200.

    serviceDocumentation URL

    The URL of a page where documents for developers can be found.

    The value of this property is used as service_documentation property in the OpenID Provider Metadata.

    supportedClaimLocales string array

    Claim locales that the service supports. Each element is a language tag defined in RFC 5646. For example, "en-US" and "ja-JP". Authlete requires that each language tag consist of only ASCII letters and its length not exceed 30. See OpenID Connect Core 1.0, 5.2. Languages and Scripts for details.

    The value of this property is used as claims_locales_supported property in the OpenID Provider Metadata.

    supportedUiLocales string array

    UI locales that the service supports. Each element is a language tag defined in RFC 5646. For example, "en-US" and "ja-JP". Authlete requires that each language tag consist of only ASCII letters and its length not exceed 30.

    The value of this property is used as ui_locales_supported property in the OpenID Provider Metadata.

    policyUri URL

    The URL of the "Policy" of the service. Authlete requires that the URL consist of only ASCII letters and its length not exceed 200.

    The value of this property is used as op_policy_uri property in the OpenID Provider Metadata.

    tosUri URL

    The URL of the "Terms Of Service" of the service. Authlete requires that the URL consist of only ASCII letters and its length not exceed 200.

    The value of this property is used as op_tos_uri property in the OpenID Provider Metadata.

    authenticationCallbackEndpoint URL

    A Web API endpoint for user authentication which is to be prepared on the service side. It must consist of only ASCII characters and its length must not exceed 200.

    The endpoint must be implemented if you do not implement the UI at the authorization endpoint but use the one provided by Authlete. The user authentication at the authorization endpoint provided by Authlete is performed by making a POST request to this endpoint.

    See 'Authentication Callback' for details.

    authenticationCallbackApiKey string

    API key for Basic authentication at the authentication callback endpoint. It must consist of only ASCII characters and its length must not exceed 100.

    If the value is not empty, Authlete generates Authorization header for Basic authentication when making a request to the authentication callback endpoint.

    authenticationCallbackApiSecret string

    API secret for Basic authentication at the authentication callback endpoint. It must consist of only ASCII characters and its length must not exceed 100.

    supportedSnses string

    SNSes you want to support 'social login' in the UI at the authorization endpoint provided by Authlete. You need to register a client application in each SNS that is set to this parameter and set Authlete server's /api/sns/redirection as the redirection endpoint of the client application.

    snsCredentials string

    SNS credentials which Authlete uses to make requests to SNSes. The format is JSON.

    createdAt i64

    The time at which this service was created. The value is represented as milliseconds since the UNIX epoch (1970-01-01).

    modifiedAt i64

    The time at which this service was last modified. The value is represented as milliseconds since the UNIX epoch (1970-01-01).

    developerAuthenticationCallbackEndpoint URL

    A Web API endpoint for developer authentication which is to be prepared on the server side. It must consist of only ASCII characters and its length must not exceed 200.

    The endpoint must be implemented if you use Developer Console. The developer authentication at the login page of Developer Console is performed by making a POST request to this endpoint.

    developerAuthenticationCallbackApiKey string

    API key for Basic authentication at the developer authentication callback endpoint. It must consist of only ASCII characters and its length must not exceed 100.

    If the value is not empty, Authlete generates Authorization header for Basic authentication when making a request to the developer authentication callback endpoint.

    developerAuthenticationCallbackApiSecret string

    API secret for Basic authentication at the developer authentication callback endpoint. It must consist of only ASCII characters and its length must not exceed 100.

    supportedDeveloperSnses string

    SNSes you want to support 'social login' in the login page of Developer Console provided by Authlete. You need to register a client application in each SNS checked here and set Authlete server's /api/developer/sns/redirection as the redirection endpoint of the client application.

    developerSnsCredentials string

    SNS credentials which Authlete uses to make requests to SNSes. The format is JSON.

    clientsPerDeveloper i32

    The maximum number of client applications that a developer is allowed to create. 0 means no limit.

    directAuthorizationEndpointEnabled boolean

    The flag to indicate whether the direct authorization endpoint is enabled or not.

    If true, the default implementation of the authorization endpoint of this service works. The URL of the endpoint is https://api.authlete.com/api/auth/authorization/direct/service-api-key.

    If false, the endpoint returns 404 Not Found. In this case, you have to implement the authorization endpoint by yourself using Authlete's Web APIs such as /api/auth/authorization, /api/auth/authorization/issue and /api/auth/authorization/fail.

    directTokenEndpointEnabled boolean

    The flag to indicate whether the direct token endpoint is enabled or not.

    If true, the default implementation of the token endpoint of this service works. The URL of the endpoint is https://api.authlete.com/api/auth/token/direct/service-api-key.

    If false, the endpoint returns 404 Not Found. In this case, you have to implement the token endpoint by yourself using Authlete's Web APIs such as /api/auth/token, /api/auth/token/issue and /api/auth/token/fail.

    directRevocationEndpointEnabled boolean

    The flag to indicate whether the direct revocation endpoint is enabled or not.

    If true, the default implementation of the revocation endpoint (RFC 7009) of this service works. The URL of the endpoint is https://api.authlete.com/api/auth/revocation/direct/service-api-key.

    If false, the endpoint returns 404 Not Found. In this case, if you want to provide a revocation endpoint to client applications, you have to implement the endpoint by yourself using Authlete's /api/auth/revocation API.

    directUserInfoEndpointEnabled boolean

    The flag to indicate whether the direct userinfo endpoint is enabled or not.

    If true, the default implementation of the userinfo endpoint of this service works. The URL of the endpoint is https://api.authlete.com/api/auth/userinfo/direct/service-api-key.

    If false, the endpoint returns 404 Not Found. In this case, if you want to provide a userinfo endpoint to client applications, you have to implement the endpoint by yourself using Authlete's /api/auth/userinfo API.

    This feature is not implemented yet.

    directJwksEndpointEnabled boolean

    The flag to indicate whether the direct jwks endpoint is enabled or not.

    If true, the default implementation of the jwk set endpoint of this service works. The URL of the endpoint is https://api.authlete.com/api/service/jwks/get/direct/service-api-key.

    If false, the endpoint returns 404 Not Found. In this case, if you want to provide a JWK Set endpoint to client applications, you have to implement the endpoint by yourself using Authlete's /api/service/jwks/get API.

    singleAccessTokenPerSubject boolean

    The flag to indicate whether the number of access tokens per subject (and per client) is at most one or can be more.

    If true, an attempt to issue a new access token invalidates existing access tokens that are associated with the same subject and the same client.

    Note that, however, attempts by Client Credentials Flow do not invalidate existing access tokens because access tokens issued by Client Credentials Flow are not associated with any end-user's subject. Also note that an attempt by Refresh Token Flow invalidates the coupled access token only and this invalidation is always performed regardless of whether the value of this setting item is true or false.

    pkceRequired boolean

    The flag to indicate whether the use of Proof Key for Code Exchange (PKCE) is always required for authorization requests by Authorization Code Flow.

    If true, code_challenge request parameter is always required for authorization requests using Authorization Code Flow.

    See RFC 7636 (Proof Key for Code Exchange by OAuth Public Clients) for details about code_challenge request parameter.

    refreshTokenKept boolean

    The flag to indicate whether a refresh token remains unchanged or gets renewed after its use.

    If true, a refresh token used to get a new access token remains valid after its use. Otherwise, if false, a refresh token is invalidated after its use and a new refresh token is issued.

    See RFC 6749 6. Refreshing an Access Token, as to how to get a new access token using a refresh token.

    errorDescriptionOmitted boolean

    The flag to indicate whether the error_description response parameter is omitted.

    According to RFC 6749, an authorization server may include the error_description response parameter in error responses.

    If true, Authlete does not embed the error_description response parameter in error responses.

    errorUriOmitted boolean

    The flag to indicate whether the error_uri response parameter is omitted.

    According to RFC 6749, an authorization server may include the error_uri response parameter in error responses.

    If true, Authlete does not embed the error_uri response parameter in error responses.

    description string

    The description about the service. It consists of at most 200 unicode letters.

    accessTokenType string

    The access token type. This value is used as the value of token_type property in access token responses. If this service complies with RFC 6750, the value of this property should be Bearer.

    See RFC 6749 (OAuth 2.0), 7.1. Access Token Types for details.

    accessTokenDuration i32

    The duration of access tokens in seconds. This value is used as the value of expires_in property in access token responses. expires_in is defined RFC 6749, 5.1. Successful Response.

    refreshTokenDuration i32

    The duration of refresh tokens in seconds. The related specifications have no requirements on refresh token duration, but Authlete sets expiration for refresh tokens.

    idTokenDuration i32

    The duration of ID tokens in seconds. This value is used to calculate the value of exp claim in an ID token.

    metadata Pair array

    The metadata of the service. The content of the returned array depends on contexts. The predefined service metadata is listed in the following table.

    Key Description
    "clientCount"

    The number of client applications which belong to this service.

    idTokenSignatureKeyId string

    The key ID to identify a JWK used for ID token signature using an asymmetric key.

    A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (See RFC 7517 for details about JWK). Authlete Server has to pick up one JWK for signature from the JWK Set when it generates an ID token and signature using an asymmetric key is required. Authlete Server searches the registered JWK Set for a JWK which satisfies conditions for ID token signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.

    This idTokenSignatureKeyId property exists for the purpose described above. For key rotation (OpenID Connect Core 1.0, 10.1.1. Rotation of Asymmetric Signing Keys), this mechanism is needed.

    userInfoSignatureKeyId string

    The key ID to identify a JWK used for user info signature using an asymmetric key.

    A JWK Set can be registered as a property of a Service. A JWK Set can contain 0 or more JWKs (See RFC 7517 for details about JWK). Authlete Server has to pick up one JWK for signature from the JWK Set when it is required to sign user info (which is returned from userinfo endpoint) using an asymmetric key. Authlete Server searches the registered JWK Set for a JWK which satisfies conditions for user info signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed to be specified so that Authlete Server can pick up one JWK from among the JWK candidates.

    This userInfoSignatureKeyId property exists for the purpose described above. For key rotation (OpenID Connect Core 1.0, 10.1.1. Rotation of Asymmetric Signing Keys), this mechanism is needed.

    supportedServiceProfiles string array

    The profiles that this service supports. One of the values listed in Service Profile.

    tlsClientCertificateBoundAccessTokens boolean

    The boolean flag which indicates whether this service supports issuing TLS client certificate bound access tokens.

    introspectionEndpoint URL

    The URI of the introspection endpoint.

    supportedIntrospectionAuthMethods string arrray

    Client authentication methods supported at the introspection endpoint. One of the values listed in Client Authentication Method.

    mutualTlsValidatePkiCertChain boolean

    The boolean flag which indicates whether this service validates certificate chains during PKI-based client mutual TLS authentication.

    trustedRootCertificates string array

    The list of root certificates trusted by this service for PKI-based client mutual TLS authentication.

    accessTokenSignAlg string

    The signature algorithm of access tokens. One of the values listed in JWS Algorithm except for symmetric algorithms (HS256, HS384 and HS512). When null is set, access tokens issued by this service are just random strings. On the other hand, when a non-null value is set, access tokens issued by this service are JWTs and the value set by this method is used as the signature algorithm of the JWTs.

    This parameter is available since Authlete 2.1. Access tokens generated by older Authlete versions are always random strings.

    accessTokenSignatureKeyId string

    The duration of access tokens in seconds; the value of expires_in in access token responses.

    authorizationResponseDuration i64

    The duration of authorization response JWTs.

    Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) defines new values for the response_mode request parameter. They are query.jwt, fragment.jwt, form_post.jwt and jwt. If one of them is specified as the response mode, response parameters from the authorization endpoint will be packed into a JWT. This property is used to compute the value of the exp claim of the JWT.

    authorizationSignatureKeyId string

    The key ID to identify a JWK used for signing authorization responses using an asymmetric key.

    Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) defines new values for the response_mode request parameter. They are query.jwt, fragment.jwt, form_post.jwt and jwt. If one of them is specified as the response mode, response parameters from the authorization endpoint will be packed into a JWT. This property is used to compute the value of the exp claim of the JWT.

    Authlete Server searches the JWK Set for a JWK which satisfies conditions for authorization response signature. If the number of JWK candidates which satisfy the conditions is 1, there is no problem. On the other hand, if there exist multiple candidates, a Key ID is needed to be specified so that Authlete Server can pick up one JWK from among the JWK candidates. This property exists to specify the key ID.

    supportedBackchannelTokenDeliveryModes string array

    The supported backchannel token delivery modes. This property corresponds to the backchannel_token_delivery_modes_supported metadata.

    Backchannel token delivery modes are defined in the specification of CIBA (Client Initiated Backchannel Authentication).

    backchannelAuthenticationEndpoint URL

    The URI of the backchannel authentication endpoint.

    Backchannel token delivery modes are defined in the specification of CIBA (Client Initiated Backchannel Authentication).

    backchannelUserCodeParameterSupported boolean

    The boolean flag which indicates whether the "user_code" request parameter is supported at the backchannel authentication endpoint. This property corresponds to the backchannel_user_code_parameter_supported metadata.

    backchannelAuthReqIdDuration i32

    The duration of backchannel authentication request IDs issued from the backchannel authentication endpoint in seconds. This is used as the value of the expires_in property in responses from the backchannel authentication endpoint.

    backchannelPollingInterval i32

    The minimum interval between polling requests to the token endpoint from client applications in seconds. This is used as the value of the interval property in responses from the backchannel authentication endpoint.

    allowableClockSkew i32

    The allowable clock skew between the server and clients in seconds.

    The clock skew is taken into consideration when time-related claims in a JWT (e.g. "exp", "iat", "nbf") are verified.

    dynamicRegistrationSupported boolean

    The boolean flag which indicates whether the dynamic client registration is supported.

    Subject Type

    The listed below are Authlete's constant values that correspond to the subject identifier types described in OpenID Connect Core 1.0, 8. Subject Identifier Types.

    • PUBLIC
    • PAIRWISE

    Note that currently Authlete's implementation for PAIRWISE is not finished, so PAIRWISE behaves in the same way as PUBLIC.

    Tagged Value

    TaggedValue is a generic-purpose data structure to describe a pair of a language tag and a string. This data structure has two members, tag and value as described in the table below.

    Name Type Description
    tag string

    The language tag part. It must consist of only ASCII letters. Its length must not exceed 30.

    value string

    The value part. It is a unicode string, but some client properties put more restrictive limitations such as "ASCII only". Its length must not exceed 200.

    Some properties of Client such as clientNames and logoUris are represented in this data structure. See OpenID Connect Core 1.0, 5.2. Claims Languages and Scripts for the usage of language tags in OpenID Connect.

    Service Profile

    The listed below are profiles that a service can support. The supportedServiceProfiles property of Service is a string array containing values listed below.

    Value Description
    FAPI

    When this profile is enabled, it indicates the service supports Financial-grade API - Part 1: Read-Only API Security Profile and Financial-grade API - Part 2: Read and Write API Security Profile. Note that you need to enable this profile and also properly configure the service to conform the service to FAPI requirements.

    OPEN_BANKING

    When this profile is enabled, it indicates the service supports "Open Banking Security Profile". Note that you need to enable this profile and FAPI profile and also properly configure the service to conform the service to Open Banking requirements.

    Delivery Mode

    The listed below are Authlete's constant values that correspond to the delivery mode values defined in the specification of CIBA (Client Initiated Backchannel Authentication). The bcDeliveryMode property of Client has a value listed below.

    • PING
    • POLL
    • PUSH

    Service Management

    /service/create API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/service/create \
    -H 'Content-Type:application/json' \
    -u '9503564165:cxRpzPEkvqYbDu14gpCVKi_p6kMQvcW-lBRi7IfWLG4' \
    -d '{ "serviceName": "My Service", "description": "This is My Service." }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    Service service = new Service()
      .setServiceName("My Service")
      .setDescription("This is My Service.")
    ;
    
    api.createService(service);
    
    require 'authlete'
    
    api = Authlete::Api.new(
      host: 'https://api.authlete.com',
      service_owner_api_key: 9503564165,
      service_owner_api_secret: 'cxRpzPEkvqYbDu14gpCVKi_p6kMQvcW-lBRi7IfWLG4'
    )
    
    request = Authlete::Model::Service.new(
      service_name: 'My Service',
      description: 'This is My Service.'
    )
    
    api.service_create(service)
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    Service service     = new Service();
    service.Name        = "My Service";
    service.Description = "This is My Service.";
    
    await api.CreateService(service);
    

    Sample Response

    {
      "number": 1034,
      "serviceOwnerNumber": 2,
      "serviceName": "My Service",
      "apiKey": 10167240235,
      "apiSecret": "LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE",
      "issuer": "https://authlete.com",
      "supportedScopes": [...],
      "supportedResponseTypes": ["NONE", "CODE", "TOKEN", "ID_TOKEN", "CODE_TOKEN", "CODE_ID_TOKEN", "ID_TOKEN_TOKEN", "CODE_ID_TOKEN_TOKEN"],
      "supportedGrantTypes": ["AUTHORIZATION_CODE", "IMPLICIT", "PASSWORD", "CLIENT_CREDENTIALS", "REFRESH_TOKEN"],
      "supportedTokenAuthMethods": ["NONE", "CLIENT_SECRET_BASIC", "CLIENT_SECRET_POST"],
      "supportedDisplays": ["PAGE", "POPUP", "TOUCH", "WAP"],
      "supportedClaimTypes": ["NORMAL"],
      "supportedClaims": [...],
      "createdAt": 1510652454389,
      "modifiedAt": 1510652454389,
      "clientsPerDeveloper": 0,
      "directAuthorizationEndpointEnabled": true,
      "directTokenEndpointEnabled": true,
      "directRevocationEndpointEnabled": true,
      "directUserInfoEndpointEnabled": true,
      "directJwksEndpointEnabled": true,
      "directIntrospectionEndpointEnabled": true,
      "singleAccessTokenPerSubject": false,
      "pkceRequired": false,
      "refreshTokenKept": false,
      "errorDescriptionOmitted": false,
      "errorUriOmitted": false,
      "clientIdAliasEnabled": false,
      "tlsClientCertificateBoundAccessTokens": false,
      "mutualTlsValidatePkiCertChain": false,
      "dynamicRegistrationSupported": false,
      "accessTokenType": "Bearer",
      "accessTokenDuration": 86400,
      "refreshTokenDuration": 864000,
      "idTokenDuration": 86400,
      "authorizationResponseDuration": 0,
      "metadata": [...],
      "backchannelUserCodeParameterSupported": false,
      "backchannelAuthReqIdDuration": 0,
      "backchannelPollingInterval": 0,
      "allowableClockSkew": 0
    }
    

    Create a new service.

    Request

    POST /api/service/create

    Content-Type

    application/json

    Authorization

    Basic Authentication with API key & API secret of a service owner.

    Parameters

    A JSON which represents a new service. The detailed format is described in Service.

    Response

    Content-Type

    application/json

    Parameters

    A JSON which represents the newly created service. The detailed format is described in Service. The pair of API key & API secret of the service is embedded in the entity body of the response.

    /service/get API

    Sample Request

    curl -v https://api.authlete.com/api/service/get/10167240235 \
    -u '9503564165:cxRpzPEkvqYbDu14gpCVKi_p6kMQvcW-lBRi7IfWLG4'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    long serviceApiKey = 10167240235;
    
    api.getService(serviceApiKey);
    
    require 'authlete'
    
    api = Authlete::Api.new(
      host: "https://api.authlete.com",
      service_owner_api_key: 9503564165,
      service_owner_api_secret: 'cxRpzPEkvqYbDu14gpCVKi_p6kMQvcW-lBRi7IfWLG4'
    )
    
    service_api_key = 10167240235
    
    api.service_get(service_api_key)
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    long serviceApiKey = 10167240235;
    
    await api.GetService(serviceApiKey);
    

    Sample Response

    {
      "number": 1034,
      "serviceOwnerNumber": 2,
      "serviceName": "My Service",
      "apiKey": 10167240235,
      "apiSecret": "LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE",
      "issuer": "https://authlete.com",
      "supportedScopes": [...],
      "supportedResponseTypes": ["NONE", "CODE", "TOKEN", "ID_TOKEN", "CODE_TOKEN", "CODE_ID_TOKEN", "ID_TOKEN_TOKEN", "CODE_ID_TOKEN_TOKEN"],
      "supportedGrantTypes": ["AUTHORIZATION_CODE", "IMPLICIT", "PASSWORD", "CLIENT_CREDENTIALS", "REFRESH_TOKEN"],
      "supportedTokenAuthMethods": ["NONE", "CLIENT_SECRET_BASIC", "CLIENT_SECRET_POST"],
      "supportedDisplays": ["PAGE", "POPUP", "TOUCH", "WAP"],
      "supportedClaimTypes": ["NORMAL"],
      "supportedClaims": [...],
      "createdAt": 1510652454389,
      "modifiedAt": 1510652454389,
      "clientsPerDeveloper": 0,
      "directAuthorizationEndpointEnabled": true,
      "directTokenEndpointEnabled": true,
      "directRevocationEndpointEnabled": true,
      "directUserInfoEndpointEnabled": true,
      "directJwksEndpointEnabled": true,
      "directIntrospectionEndpointEnabled": true,
      "singleAccessTokenPerSubject": false,
      "pkceRequired": false,
      "refreshTokenKept": false,
      "errorDescriptionOmitted": false,
      "errorUriOmitted": false,
      "clientIdAliasEnabled": false,
      "tlsClientCertificateBoundAccessTokens": false,
      "mutualTlsValidatePkiCertChain": false,
      "dynamicRegistrationSupported": false,
      "accessTokenType": "Bearer",
      "accessTokenDuration": 86400,
      "refreshTokenDuration": 864000,
      "idTokenDuration": 86400,
      "authorizationResponseDuration": 0,
      "metadata": [...],
      "backchannelUserCodeParameterSupported": false,
      "backchannelAuthReqIdDuration": 0,
      "backchannelPollingInterval": 0,
      "allowableClockSkew": 0
    }
    

    Get information about a service.

    Request

    GET /api/service/get/{serviceApiKey}

    Authorization

    Basic Authentication with API key & API secret of a service owner.

    Parameters

    Name Required Description
    serviceApiKey YES

    The API key of the service to be retrieved.

    Response

    Content-Type

    application/json

    Parameters

    A JSON which represents the service. The detailed format is described in Service.

    /service/get/list API

    Sample Request

    curl -v https://api.authlete.com/api/service/get/list?start=0\&end=3 \
    -u '9503564165:cxRpzPEkvqYbDu14gpCVKi_p6kMQvcW-lBRi7IfWLG4'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    int start = 0;
    int end   = 3;
    
    api.getServiceList(start, end);
    
    require 'authlete'
    
    api = Authlete::Api.new(
      host: 'https://api.authlete.com',
      service_owner_api_key: 9503564165,
      service_owner_api_secret: 'cxRpzPEkvqYbDu14gpCVKi_p6kMQvcW-lBRi7IfWLG4'
    )
    
    parameters = { start: 0, end: 3 }
    
    api.service_get_list(parameters)
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    int start = 0;
    int end   = 3;
    
    await api.GetServiceList(start, end);
    

    Sample Response

    {
      "start": 0,
      "end": 3,
      "totalCount": 3,
      "services": [
        {
          "number": 1034,
          "serviceOwnerNumber": 2,
          "serviceName": "My Service",
          "apiKey": 10167240235,
          "apiSecret": "LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE",
          "issuer": "https://authlete.com",
          "supportedScopes": [...],
          "supportedResponseTypes": ["NONE", "CODE", "TOKEN", "ID_TOKEN", "CODE_TOKEN", "CODE_ID_TOKEN", "ID_TOKEN_TOKEN", "CODE_ID_TOKEN_TOKEN"],
          "supportedGrantTypes": ["AUTHORIZATION_CODE", "IMPLICIT", "PASSWORD", "CLIENT_CREDENTIALS", "REFRESH_TOKEN"],
          "supportedTokenAuthMethods": ["NONE", "CLIENT_SECRET_BASIC", "CLIENT_SECRET_POST"],
          "supportedDisplays": ["PAGE", "POPUP", "TOUCH", "WAP"],
          "supportedClaimTypes": ["NORMAL"],
          "supportedClaims": [...],
          "createdAt": 1510652454389,
          "modifiedAt": 1510652454389,
          "clientsPerDeveloper": 0,
          "directAuthorizationEndpointEnabled": true,
          "directTokenEndpointEnabled": true,
          "directRevocationEndpointEnabled": true,
          "directUserInfoEndpointEnabled": true,
          "directJwksEndpointEnabled": true,
          "directIntrospectionEndpointEnabled": true,
          "singleAccessTokenPerSubject": false,
          "pkceRequired": false,
          "refreshTokenKept": false,
          "errorDescriptionOmitted": false,
          "errorUriOmitted": false,
          "clientIdAliasEnabled": false,
          "tlsClientCertificateBoundAccessTokens": false,
          "mutualTlsValidatePkiCertChain": false,
          "dynamicRegistrationSupported": false,
          "accessTokenType": "Bearer",
          "accessTokenDuration": 86400,
          "refreshTokenDuration": 864000,
          "idTokenDuration": 86400,
          "authorizationResponseDuration": 0,
          "metadata": [...],
          "backchannelUserCodeParameterSupported": false,
          "backchannelAuthReqIdDuration": 0,
          "backchannelPollingInterval": 0,
          "allowableClockSkew": 0
        },
        {...},
        {...}
      ]
    }
    

    Get information about services.

    Request

    GET /api/service/get/list

    Authorization

    Basic Authentication with API key & API secret of a service owner.

    Parameters

    Name Required Description
    start NO

    The start index (inclusive) of the result set. The default value is 0. Must not be a negative number.

    end NO

    The end index (exclusive) of the result set. The default value is 5. Must not be a negative number.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    start i32

    The start index (inclusive) of the result set of the query.

    end i32

    The end index (exclusive) of the result set of the query.

    totalCount i32

    The total number of services owned by the service owner. This is different from the number of services contained in the response.

    services Service array

    An array of services.

    /service/update API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/service/update/10167240235 \
    -H 'Content-Type:application/json' \
    -u '9503564165:cxRpzPEkvqYbDu14gpCVKi_p6kMQvcW-lBRi7IfWLG4' \
    -d '{ "description": "This is My Updated Test Service.", "serviceName": "My Updated Test Service" }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    Service service = new Service()
      .setApiKey(10167240235)
      .setServiceName("My Updated Service")
      .setDescription("This is My Updated Service.")
    ;
    
    api.updateService(request);
    
    require 'authlete'
    
    api = Authlete::Api.new(
      host: 'https://api.authlete.com',
      service_owner_api_key: 9503564165,
      service_owner_api_secret: 'cxRpzPEkvqYbDu14gpCVKi_p6kMQvcW-lBRi7IfWLG4'
    )
    
    # The API key of the service to be updated.
    service_api_key = 10167240235
    
    service = Authlete::Model::Request::Service.new(
      service_name: 'My Updated Service',
      description: 'This is My Updated Service.'
    )
    
    api.service_update(service_api_key, service)
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    Service service     = new Service();
    service.ApiKey      = 10167240235;
    service.Name        = "My Updated Service";
    service.Description = "This is My Updated Service.";
    
    await api.UpdateService(service);
    

    Sample Response

    {
      "number": 1034,
      "serviceOwnerNumber": 2,
      "serviceName": "My Service",
      "apiKey": 10167240235,
      "apiSecret": "LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE",
      "issuer": "https://authlete.com",
      "supportedScopes": [...],
      "supportedResponseTypes": ["NONE", "CODE", "TOKEN", "ID_TOKEN", "CODE_TOKEN", "CODE_ID_TOKEN", "ID_TOKEN_TOKEN", "CODE_ID_TOKEN_TOKEN"],
      "supportedGrantTypes": ["AUTHORIZATION_CODE", "IMPLICIT", "PASSWORD", "CLIENT_CREDENTIALS", "REFRESH_TOKEN"],
      "supportedTokenAuthMethods": ["NONE", "CLIENT_SECRET_BASIC", "CLIENT_SECRET_POST"],
      "supportedDisplays": ["PAGE", "POPUP", "TOUCH", "WAP"],
      "supportedClaimTypes": ["NORMAL"],
      "supportedClaims": [...],
      "createdAt": 1510652454389,
      "modifiedAt": 1510738648894,
      "clientsPerDeveloper": 0,
      "directAuthorizationEndpointEnabled": true,
      "directTokenEndpointEnabled": true,
      "directRevocationEndpointEnabled": true,
      "directUserInfoEndpointEnabled": true,
      "directJwksEndpointEnabled": true,
      "directIntrospectionEndpointEnabled": true,
      "singleAccessTokenPerSubject": false,
      "pkceRequired": false,
      "refreshTokenKept": false,
      "errorDescriptionOmitted": false,
      "errorUriOmitted": false,
      "clientIdAliasEnabled": false,
      "tlsClientCertificateBoundAccessTokens": false,
      "mutualTlsValidatePkiCertChain": false,
      "dynamicRegistrationSupported": false,
      "accessTokenType": "Bearer",
      "accessTokenDuration": 86400,
      "refreshTokenDuration": 864000,
      "idTokenDuration": 86400,
      "authorizationResponseDuration": 0,
      "metadata": [...],
      "backchannelUserCodeParameterSupported": false,
      "backchannelAuthReqIdDuration": 0,
      "backchannelPollingInterval": 0,
      "allowableClockSkew": 0
    }
    

    Update an existing service.

    Request

    POST /api/service/update
    PUT /api/service/update

    Content-Type

    application/json

    Authorization

    Basic Authentication with API key & API secret of a service owner.

    Parameters

    A JSON which represents the service to be updated. The detailed format is described in Service.

    Response

    Content-Type

    application/json

    Parameters

    A JSON which represents the updated service. The detailed format is described in Service.

    /service/delete API

    Sample Request

    curl -v -X DELETE https://api.authlete.com/api/service/delete/4656860419614 \
    -u '9503564165:cxRpzPEkvqYbDu14gpCVKi_p6kMQvcW-lBRi7IfWLG4'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    // The API key of the service to be deleted.
    long serviceApiKey = 10167240235;
    
    api.deleteService(serviceApiKey);
    
    require 'authlete'
    
    api = Authlete::Api.new(
      host: 'https://api.authlete.com',
      service_owner_api_key: 9503564165,
      service_owner_api_secret: 'cxRpzPEkvqYbDu14gpCVKi_p6kMQvcW-lBRi7IfWLG4'
    )
    
    # The API key of the service to be deleted.
    service_api_key = 10167240235
    
    api.service_delete(service_api_key)
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    // The API key of the service to be deleted.
    long serviceApiKey = 10167240235;
    
    await api.DeleteService(serviceApiKey);
    

    Delete a service.

    Request

    DELETE /api/service/delete/{serviceApiKey}

    Content-Type

    application/json

    Authorization

    Basic Authentication with API key & API secret of a service owner.

    Parameters

    Name Required Description
    serviceApiKey YES

    The API key of the service to be deleted.

    Client Management

    /client/create API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/client/create \
    -H 'Content-Type:application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -d '{ "developer": "john", "clientName": "My Client", "description": "This is My Client." }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    Client client = new Client()
      .setClientName("My Client")
      .setDescription("This is My Client.")
    ;
    
    api.createClient(client);
    
    require 'authlete'
    
    api = Authlete::Api.new(
      host: 'https://api.authlete.com',
      service_api_key: 10167240235,
      service_api_secret: 'LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
    )
    
    client = Authlete::Model::Client.new(
      client_name: 'My Client',
      description: 'This is My Client.'
    )
    
    api.client_create(client)
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    Client client      = new Client();
    client.Name        = "My Client";
    client.Description = "This is My Client.";
    
    await api.CreateClient(client);
    

    Sample Response

    {
      "number": 1344,
      "serviceNumber": 1043,
      "developer": "john",
      "clientId": 57297408867,
      "clientIdAliasEnabled": false,
      "clientSecret": "J_3C7P0nDTP7CwCg_HyPQh7bTQ1696CC8GWot-EjesZmdBiU5Gsidq5Ve3tMaN2x2_VcKV1UE1U3ZdGKRuTs7A",
      "clientType": "PUBLIC",
      "grantTypes": ["AUTHORIZATION_CODE", "IMPLICIT", "PASSWORD", "CLIENT_CREDENTIALS", "REFRESH_TOKEN", "CIBA"],
      "responseTypes": ["NONE", "CODE", "TOKEN", "ID_TOKEN", "CODE_TOKEN", "CODE_ID_TOKEN", "ID_TOKEN_TOKEN", "CODE_ID_TOKEN_TOKEN"],
      "clientName": "My Client",
      "subjectType": "PUBLIC",
      "idTokenSignAlg": "HS256",
      "tokenAuthMethod": "NONE",
      "defaultMaxAge": 0,
      "authTimeRequired": false,
      "createdAt": 1510911877097,
      "modifiedAt": 1510911877097,
      "tlsClientCertificateBoundAccessTokens": false,
      "bcUserCodeRequired": false,
      "dynamicallyRegistered": false
    }
    

    Create a new client.

    Request

    POST /api/client/create

    Content-Type

    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    A JSON which represents a new client. The detailed format is described in Client.

    Response

    Content-Type

    application/json

    Parameters

    A JSON which represents the newly created client. The detailed format is described in Client. The pair of client ID & client secret of the client is embedded in the entity body of the response.

    /client/get API

    Sample Request

    curl -v https://api.authlete.com/api/client/get/57297408867 \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    long clientId = 57297408867;
    
    api.getClient(clientId);
    
    require 'authlete'
    
    api = Authlete::Api.new(
      host: "https://api.authlete.com",
      service_api_key: 4694807187524,
      service_api_secret: "mtztVQ1EDKMO3TozWJr22I2RRv8q4HlE-F9QibsHifQ"
    )
    
    client_id = 5774937767487
    
    api.client_get(client_id)
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    long clientId = 57297408867;
    
    await api.GetClient(clientId);
    

    Sample Response

    {
      "number": 1344,
      "serviceNumber": 1043,
      "developer": "john",
      "clientId": 57297408867,
      "clientIdAliasEnabled": false,
      "clientSecret": "J_3C7P0nDTP7CwCg_HyPQh7bTQ1696CC8GWot-EjesZmdBiU5Gsidq5Ve3tMaN2x2_VcKV1UE1U3ZdGKRuTs7A",
      "clientType": "PUBLIC",
      "grantTypes": ["AUTHORIZATION_CODE", "IMPLICIT", "PASSWORD", "CLIENT_CREDENTIALS", "REFRESH_TOKEN", "CIBA"],
      "responseTypes": ["NONE", "CODE", "TOKEN", "ID_TOKEN", "CODE_TOKEN", "CODE_ID_TOKEN", "ID_TOKEN_TOKEN", "CODE_ID_TOKEN_TOKEN"],
      "clientName": "My Client",
      "subjectType": "PUBLIC",
      "idTokenSignAlg": "HS256",
      "tokenAuthMethod": "NONE",
      "defaultMaxAge": 0,
      "authTimeRequired": false,
      "createdAt": 1510911877097,
      "modifiedAt": 1510911877097,
      "tlsClientCertificateBoundAccessTokens": false,
      "bcUserCodeRequired": false,
      "dynamicallyRegistered": false
    }
    

    Get information about a client.

    Request

    GET /api/client/get/{clientId}

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    clientId YES

    The ID of the client to be retrieved.

    Response

    Content-Type

    application/json

    Parameters

    A JSON which represents the client. The detailed format is described in Client.

    /client/get/list API

    Sample Request

    curl -v https://api.authlete.com/api/client/get/4656860419614?start=0\&end=3 \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    int start = 0;
    int end   = 3;
    
    api.getClientList(start, end);
    
    require 'authlete'
    
    api = Authlete::Api.new(
      host: 'https://api.authlete.com',
      service_api_key: 10167240235,
      service_api_secret: 'LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
    )
    
    parameters = { start: 0, end: 3 }
    
    api.client_get_list(parameters)
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    int start = 0;
    int end   = 3;
    
    await api.GetClientList(start, end);
    

    Sample Response

    {
      "clients": [
        {
          "number": 1344,
          "serviceNumber": 1043,
          "developer": "john",
          "clientId": 57297408867,
          "clientIdAliasEnabled": false,
          "clientSecret": "J_3C7P0nDTP7CwCg_HyPQh7bTQ1696CC8GWot-EjesZmdBiU5Gsidq5Ve3tMaN2x2_VcKV1UE1U3ZdGKRuTs7A",
          "clientType": "PUBLIC",
          "grantTypes": ["AUTHORIZATION_CODE", "IMPLICIT", "PASSWORD", "CLIENT_CREDENTIALS", "REFRESH_TOKEN", "CIBA"],
          "responseTypes": ["NONE", "CODE", "TOKEN", "ID_TOKEN", "CODE_TOKEN", "CODE_ID_TOKEN", "ID_TOKEN_TOKEN", "CODE_ID_TOKEN_TOKEN"],
          "clientName": "My Client",
          "subjectType": "PUBLIC",
          "idTokenSignAlg": "HS256",
          "tokenAuthMethod": "NONE",
          "defaultMaxAge": 0,
          "authTimeRequired": false,
          "createdAt": 1510911877097,
          "modifiedAt": 1510911877097,
          "tlsClientCertificateBoundAccessTokens": false,
          "bcUserCodeRequired": false,
          "dynamicallyRegistered": false
        },
        {...},
        {...}
      ],
      "end": 3,
      "start": 0,
      "totalCount": 3
    }
    

    Get information about clients.

    Request

    GET /api/client/get/list

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    start NO

    The start index (inclusive) of the result set. The default value is 0. Must not be a negative number.

    end NO

    The end index (exclusive) of the result set. The default value is 5. Must not be a negative number.

    developer NO

    The developer of client applications. The default value is null. If this parameter is not null, client application of the specified developer are returned. Otherwise, all client applications that belong to the service are returned.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    start i32

    The start index (inclusive) of the result set of the query.

    end i32

    The end index (exclusive) of the result set of the query.

    developer String

    The developer of the client applications. If the request did not have developer, this property is null.

    totalCount i32

    The total number of clients that belong to the service. This is different from the number of clients contained in the response.

    clients Client array

    An array of clients.

    /client/update API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/client/update/57297408867 \
    -H 'Content-Type:application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -d '{ "developer": "john", "clientName": "My Updated Client", "description": "This is My Updated Client." }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    Client client = new Client()
      .setClientName("My Updated Client")
      .setDescription("This is My Updated Client.")
    ;
    
    api.updateClient(client);
    
    require 'authlete'
    
    api = Authlete::Api.new(
      host: "https://api.authlete.com",
      service_api_key: 10167240235,
      service_api_secret: 'LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
    )
    
    client = Authlete::Model::Client.new(
      client_name: "My Updated Client",
      description: "This is My Updated Client."
    )
    
    api.client_update(client)
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    Client client      = new Client();
    client.Name        = "My Client";
    client.Description = "This is My Client.";
    
    await api.CreateClient(client);
    

    Sample Response

    {
      "number": 1344,
      "serviceNumber": 1043,
      "developer": "john",
      "clientId": 57297408867,
      "clientIdAliasEnabled": false,
      "clientSecret": "J_3C7P0nDTP7CwCg_HyPQh7bTQ1696CC8GWot-EjesZmdBiU5Gsidq5Ve3tMaN2x2_VcKV1UE1U3ZdGKRuTs7A",
      "clientType": "PUBLIC",
      "grantTypes": ["AUTHORIZATION_CODE", "IMPLICIT", "PASSWORD", "CLIENT_CREDENTIALS", "REFRESH_TOKEN", "CIBA"],
      "responseTypes": ["NONE", "CODE", "TOKEN", "ID_TOKEN", "CODE_TOKEN", "CODE_ID_TOKEN", "ID_TOKEN_TOKEN", "CODE_ID_TOKEN_TOKEN"],
      "clientName": "My Client",
      "subjectType": "PUBLIC",
      "idTokenSignAlg": "HS256",
      "tokenAuthMethod": "NONE",
      "defaultMaxAge": 0,
      "authTimeRequired": false,
      "createdAt": 1510911877097,
      "modifiedAt": 1510913912201,
      "tlsClientCertificateBoundAccessTokens": false,
      "bcUserCodeRequired": false,
      "dynamicallyRegistered": false
    }
    

    Update an existing client.

    Request

    POST /api/client/update
    PUT /api/client/update

    Content-Type

    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    A JSON which represents the client to be updated. The detailed format is described in Client.

    Response

    Content-Type

    application/json

    Parameters

    A JSON which represents the updated client. The detailed format is described in Client.

    /client/delete API

    Sample Request

    curl -v -X DELETE https://api.authlete.com/api/client/delete/57297408867 \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    // The ID of the client to be deleted.
    long clientId = 57297408867;
    
    api.deleteClient(clientId);
    
    require 'authlete'
    
    api = Authlete::Api.new(
      host: 'https://api.authlete.com',
      service_api_key: 10167240235,
      service_api_secret: 'LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
    )
    
    # The ID of the client to be deleted.
    client_id = 57297408867
    
    api.client_delete(client_id)
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    // The ID of the client to be deleted.
    long clientId = 57297408867;
    
    await api.DeleteClient(clientId);
    

    Delete a client.

    Request

    DELETE /api/client/delete/{clientId}

    Content-Type

    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    clientId YES

    The ID of the client to be deleted.

    /client/secret/refresh API

    Sample Request

    curl -v https://api.authlete.com/api/client/secret/refresh/57297408867 \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    long clientId = 57297408867;
    
    api.refreshClientSecret(clientId);
    
    # This API is not supported yet.
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    long clientId = 57297408867;
    
    await api.RefreshClientSecret(clientId);
    

    Sample Response

    {
      "type": "clientSecretRefreshResponse",
      "resultCode": "A148001",
      "resultMessage": "[A148001] Successfully refreshed the client secret of the client (ID = 57297408867).",
      "newClientSecret": "256LJ_49MISH6pP_3WeO8I9wa2LXkZKzqsNGS6XK8srtHYYJyV0jxg-jIaA2Sa0ZA67xA4bpQFKwc94WNUZrWA",
      "oldClientSecret": "J_3C7P0nDTP7CwCg_HyPQh7bTQ1696CC8GWot-EjesZmdBiU5Gsidq5Ve3tMaN2x2_VcKV1UE1U3ZdGKRuTs7A"
    }
    

    Refresh the client secret of a client. A new value of the client secret will be generated by the Authlete server.
    If you want to specify a new value, use /api/client/secret/update API.

    Request

    GET /api/client/secret/refresh/{clientIdentifier}

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    clientIdentifier YES

    The client ID or the client ID alias of a client.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    newClientSecret string

    The new client secret.

    oldClientSecret string

    The old client secret.

    /client/secret/update API

    Sample Request

    curl -v https://api.authlete.com/api/client/secret/update/57297408867 \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -H 'Content-Type:application/json' \
    -d '{ "clientSecret": "my_new_client_secret" }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    long clientId       = 57297408867;
    tring clientSecret = "my_new_client_secret";
    
    api.updateClientSecret(clientId, clientSecret);
    
    # This API is not supported yet.
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    long clientId       = 57297408867;
    string clientSecret = "my_new_client_secret";
    
    await api.UpdateClientSecret(clientId, clientSecret);
    

    Sample Response

    {
      "type": "clientSecretUpdateResponse",
      "resultCode": "A149001",
      "resultMessage": "[A149001] Successfully updated the client secret of the client (ID = 57297408867).",
      "newClientSecret": "my_new_client_secret",
      "oldClientSecret": "J_3C7P0nDTP7CwCg_HyPQh7bTQ1696CC8GWot-EjesZmdBiU5Gsidq5Ve3tMaN2x2_VcKV1UE1U3ZdGKRuTs7A"
    }
    

    Update the client secret of a client.
    If you want to have the Authlete server generate a new value of the client secret, use /api/client/secret/refresh API.

    Request

    POST /api/client/secret/update/{clientIdentifier}

    Content-Type

    application/x-www-form-urlencoded
    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    clientIdentifier YES

    The client ID or the client ID alias of a client.

    clientSecret YES

    The new value of the client secret. Valid characters for a client secret are A-Z, a-z, 0-9, -, and _. The maximum length of a client secret is 86.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    newClientSecret string

    The new client secret.

    oldClientSecret string

    The old client secret.

    /client/extension/requestable_scopes/get API

    Sample Request

    curl -v https://api.authlete.com/api/client/extension/requestable_scopes/get/57297408867?pretty=true \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    long clientId = 57297408867;
    
    api.getRequestableScopes(clientId);
    
    # This API is not supported yet.
    
    // This API is not supported yet.
    

    Sample Response

    {
      "requestableScopes": [
        "openid"
      ]
    }
    

    Get the set of scopes that a client application is allowed to request.

    Request

    GET /api/client/extension/requestable_scopes/get/{clientId}

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    clientId YES

    A client ID.

    pretty NO

    This boolean value indicates whether the JSON in the response should be formatted or not. If true, the JSON in the response is pretty-formatted. The default value is false.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    requestableScopes string array

    The set of scopes that the client application is allowed to request. This paramter will be one of the following. Details are described in the description.

    • null
    • an empty set
    • a set with at least one element

    Description

    Possible values for requestableScopes parameter in the response from this API are as follows.


    null

    When the value of requestableScopes parameter is null, it means that the set of scopes that the client application is allowed to request is the set of the scopes that the service supports.


    an empty set

    When the value of requestableScopes parameter is an empty set, it means that the client application is not allowed to request any scopes.


    a set with at least one element

    When the value of requestableScopes parameter is a set with at least one element, it means that the set is the set of scopes that the client application is allowed to request.

    /client/extension/requestable_scopes/update API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/client/extension/requestable_scopes/update/57297408867 \
    -H 'Content-Type:application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -d '{ "requestableScopes": [ "openid", "email" ] }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    long clientId   = 57297408867;
    String[] scopes = { "email", "openid" }; 
    
    api.setRequestableScopes(clientId, scope);
    
    # This API is not supported yet.
    
    // This API is not supported yet.
    

    Sample Response

    {
      "requestableScopes": ["openid", "email"]
    }
    

    Update the set of scopes that a client application is allowed to request.

    Request

    POST /api/client/extension/requestable_scopes/update/{clientId}
    PUT /api/client/extension/requestable_scopes/update/{clientId}

    Content-Type

    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    clientId YES

    A client ID.

    requestableScopes NO

    A new set of scopes that the client application is allowed to request. This must be one of the following.

    • null
    • an empty set
    • a set with at least one element

    If this parameter contains scopes that the service does not support, those scopes are just ignored. Also, if this parameter is null or is not included in the request, it is equivalent to calling /client/extension/requestable_scopes/delete API.

    pretty NO

    This boolean value indicates whether the JSON in the response should be formatted or not. If true, the JSON in the response is pretty-formatted. The default value is false.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    requestableScopes string array

    The set of scopes that the client application is allowed to request. This paramter will be one of the following. Details are described in the description.

    • null
    • an empty set
    • a set with at least one element

    Description

    Possible values for requestableScopes parameter in the response from this API are as follows.


    null

    When the value of requestableScopes parameter is null, it means that the set of scopes that the client application is allowed to request is the set of the scopes that the service supports.


    an empty set

    When the value of requestableScopes parameter is an empty set, it means that the client application is not allowed to request any scopes.


    a set with at least one element

    When the value of requestableScopes parameter is a set with at least one element, it means that the set is the set of scopes that the client application is allowed to request.

    /client/extension/requestable_scopes/delete API

    Sample Request

    curl -v -X DELETE https://api.authlete.com/api/client/extension/requestable_scopes/delete/57297408867 \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    long clientId   = 57297408867;
    
    api.deleteRequestableScopes(clientId);
    
    # This API is not supported yet.
    
    // This API is not supported yet.
    

    Delete the set of scopes that a client application is allowed to request.

    Request

    DELETE /api/client/extension/requestable_scopes/delete/{clientId}

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    clientId YES

    A client ID.

    /client/authorization/get/list API

    Sample Request

    curl -v https://api.authlete.com/api/client/authorization/get/list/john?start=0\&end=3 \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    ClientAuthorizationGetListRequest request = new ClientAuthorizationGetListRequest()
      .setSubject("john")
      .setStart(0)
      .setEnd(3)
    ;
    
    api.getClientAuthoriztionList(request);
    
    # This API is not supported yet.
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    ClientAuthorizationGetListRequest request = new ClientAuthorizationGetListRequest();
    request.Subject = "john";
    request.Start   = 0;
    request.End     = 3;
    
    await api.GetClientAuthorizationList(request);
    

    Sample Response

    {
      "type": "authorizedClientListResponse",
      "clients": [
        {
          "number": 1344,
          "serviceNumber": 1043,
          "developer": "john",
          "clientId": 57297408867,
          "clientIdAliasEnabled": false,
          "clientSecret": "J_3C7P0nDTP7CwCg_HyPQh7bTQ1696CC8GWot-EjesZmdBiU5Gsidq5Ve3tMaN2x2_VcKV1UE1U3ZdGKRuTs7A",
          "clientType": "PUBLIC",
          "grantTypes": ["AUTHORIZATION_CODE", "IMPLICIT", "PASSWORD", "CLIENT_CREDENTIALS", "REFRESH_TOKEN", "CIBA"],
          "responseTypes": ["NONE", "CODE", "TOKEN", "ID_TOKEN", "CODE_TOKEN", "CODE_ID_TOKEN", "ID_TOKEN_TOKEN", "CODE_ID_TOKEN_TOKEN"],
          "clientName": "My Client",
          "subjectType": "PUBLIC",
          "idTokenSignAlg": "HS256",
          "tokenAuthMethod": "NONE",
          "defaultMaxAge": 0,
          "authTimeRequired": false,
          "createdAt": 1510911877097,
          "modifiedAt": 1510911877097,
          "tlsClientCertificateBoundAccessTokens": false,
          "bcUserCodeRequired": false,
          "dynamicallyRegistered": false
        },
        {...},
        {...}
      ],
      "end": 3,
      "start": 0,
      "totalCount": 3,
      "subject": "john"
    }
    

    Get a list of client applications that an end-user has authorized.

    Request

    GET /api/client/authorization/get/list/{subject}
    GET /api/client/authorization/get/list?subject={subject}
    POST /api/client/authorization/get/list

    Content-Type

    application/x-www-form-urlencoded (POST only)
    application/json (POST only)

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    subject YES

    Unique user ID.

    start NO

    Start index of search results (inclusive). The default value is 0.

    end NO

    End index of search results (exclusive). The default value is 5.

    developer NO

    Unique Developer ID. The default value is null.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    start i32

    Start index of search results (inclusive).

    end i32

    End index of search results (exclusive).

    developer string

    Unique developer ID.

    totalCount i32

    The total number of clients that meet the conditions.

    clients Client array

    An array of clients.

    /client/authorization/update API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/client/authorization/update/57297408867 \
    -H 'Content-Type:application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -d '{ "subject": "john", "scopes": [{ "name": "my_custom_scope1" }] }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    long clientId  = 57297408867;
    String subject = "john";
    
    ClientAuthorizationUpdateRequest request = new ClientAuthorizationUpdateRequest().setSubject(subject);
    
    ClientAuthorizationUpdateResponse = api.updateClientAuthoriztion(clientId, request);
    
    # This API is not supported yet.
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    long clientId = 57297408867;
    
    ClientAuthorizationUpdateRequest request = new ClientAuthorizationUpdateRequest();
    request.Subject = "john";
    
    await api.UpdateClientAuthoriztion(clientId, request); 
    

    Sample Response

    {
      "resultCode": "A138001",
      "resultMessage": "[A138001] Updated 1 access token(s) issued to the client (ID = 57297408867) of the service (API Key = 10167240235)."
    }
    

    Update attributes of all existing access tokens given to a client application.

    Request

    POST /api/client/authorization/update/{clientId}

    Content-Type

    application/x-www-form-urlencoded
    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    clientId YES

    The ID of the target client.

    subject YES

    Unique user ID.

    scopes NO

    An array of new scopes. Optional. If a non-null value is given, the new scopes are set to all existing access tokens. If an API call is made using "Content-Type: application/x-www-form-urlencoded", scope names listed in this request parameter should be delimited by spaces (after form encoding, spaces are converted to '+').

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    /client/authorization/delete API

    Sample Request

    curl -v -X DELETE https://api.authlete.com/api/client/authorization/delete/57297408867/john \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    long clientId  = 57297408867;
    String subject = "john";
    
    api.deleteClientAuthoriztion(clientId, subject);
    
    # This API is not supported yet.
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    long clientId  = 57297408867;
    String subject = "john";
    
    await api.DeleteClientAuthorization(clientId, subject);
    

    Sample Response

    {
      "resultCode": "A137001",
      "resultMessage": "[A137001] Deleted 3 access token(s) issued to the client (ID = 57297408867) of the service (API Key = 10167240235)."
    }
    

    Delete all existing access tokens issued to a client application by an end-user.

    Request

    DELETE /api/client/authorization/delete/{clientId}/{subject}
    DELETE /api/client/authorization/delete/{clientId}?subject={subject}
    POST /api/client/authorization/delete/{clientId}

    Content-Type

    application/x-www-form-urlencoded (POST only)
    application/json (POST only)

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    clientId YES

    The ID of the target client.

    subject YES

    Unique user ID.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    /client/granted_scopes/get API

    Sample Request

    curl -v https://api.authlete.com/api/client/granted_scopes/get/57297408867/john \
    -H 'Content-Type:application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    long clientId  = 57297408867;
    String subject = "john";
    
    api.getGrantedScopes(clientId, subject);
    
    # This API is not supported yet.
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    long clientId  = 57297408867;
    string subject = "john";
    
    await api.GetGrantedScopes(clientId, subject); 
    

    Sample Response

    {
      "type": "GrantedScopesGetResponse",
      "serviceApiKey": 10167240235,
      "clientId": 57297408867,
      "subject": "john",
      "latestGrantedScopes": ["email"],
      "mergedGrantedScopes": ["email", "openid"]
    }
    

    Get the set of scopes that a user has granted to a client application.

    Request

    GET /api/client/granted_scopes/get/{clientId}/{subject}
    GET /api/client/granted_scopes/get/{clientId}&subject={subject}
    POST /api/client/granted_scopes/get/{clientId}

    Content-Type

    application/x-www-form-urlencoded (POST only)
    application/json (POST only)

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    clientId YES

    Client ID.

    subject YES

    Unique user ID.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    serviceApiKey string

    Service API key.

    clientId string

    Client ID.

    subject string

    Unique user ID.

    latestGrantedScopes string array

    Scopes granted by the last authorization process. (See Description for details.)

    mergedGrantedScopes string array

    All scopes granted so far. (See Description for details.)

    Description

    Description of values for latestGrantedScopes and mergedGrantedScopes:

    null

    The user has not granted authorization to the client application in the past, or records about the combination of the user and the client application have been deleted from Authlete's DB.

    []

    The user has granted authorization to the client application in the past, but no scopes are associated with the authorization.

    a set with at least one element

    The user has granted authorization to the client application in the past and some scopes are associated with the authorization. These scopes are returned.
    Example: [ "profile", "email" ]

    /client/granted_scopes/delete API

    Sample Request

    curl -v -X DELETE https://api.authlete.com/api/client/granted_scopes/delete/57297408867/john \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    long clientId  = 57297408867;
    String subject = "john";
    
    api.deleteGrantedScopes(clientId, subject);
    
    # This API is not supported yet.
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    long clientId  = 57297408867;
    string subject = "john";
    
    await api.DeleteGrantedScopes(clientId, subject);
    

    Sample Response

    {
      "resultCode" : "A140002",
      "resultMessage" : "[A140002] Successfully deleted the information about scopes granted to the combination of the client (ID = 57297408867) and the subject (john)."
    }
    

    Delete the set of scopes that a user has granted to a client application.

    Request

    DELETE /api/client/granted_scopes/delete/{clientId}/{subject}
    DELETE /api/client/granted_scopes/delete/{clientId}&subject={subject}
    POST /api/client/granted_scopes/delete/{clientId}

    Content-Type

    application/x-www-form-urlencoded (POST only)
    application/json (POST only)

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    clientId YES

    Client ID.

    subject YES

    Unique user ID.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    Description

    Even if records about granted scopes are deleted by calling this API, existing access tokens are not deleted and scopes of existing access tokens are not changed.

    Authorization Endpoint

    /auth/authorization API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/auth/authorization \
    -H 'Content-Type: application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -d '{ "parameters": "response_type=code&client_id=57297408867&redirect_uri=https%3A%2F%2Fapi.authlete.com%2Fapi%2Fmock%2Fredirection%2F10167240235" }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    // Extract request parameters that the OAuth 2.0 authorization endpoint of 
    // this OAuth 2.0 serever implementation received from the client application.
    String parameters = extractRequestParameters();
    
    AuthorizationRequest request = new AuthorizationRequest().setParameters(parameters);
    
    api.authorization(request);
    
    require 'authlete'
    
    api = Authlete::Api.new(
      host: 'https://api.authlete.com',
      service_api_key: 10167240235,
      service_api_secret: 'LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
    )
    
    # Extract request parameters that the OAuth 2.0 authorization endpoint of 
    # this OAuth 2.0 serever implementation received from the client application.
    parameters = extract_request_parameters
    
    request = Authlete::Model::Request::AuthorizationRequest.new(
      parameters: parameters
    )
    
    api.authorization(request)
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    // Extract request parameters that the OAuth 2.0 authorization endpoint of 
    // this OAuth 2.0 serever implementation received from the client application.
    string parameters = ExtractRequestParameters();
    
    AuthorizationRequest request = new AuthorizationRequest();
    request.Parameters = parameters;
    
    await api.Authorization(request);
    

    Sample Response

    {
      "type": "authorizationResponse",
      "resultCode": "A004001",
      "resultMessage": "[A004001] Authlete has successfully issued a ticket to the service (API Key = 10167240235) for the authorization request from the client (ID = 57297408867). [response_type=code, openid=false]",
      "acrEssential": false,
      "action": "INTERACTION",
      "client": {...},
      "clientIdAliasUsed": false,
      "display": "PAGE",
      "maxAge": 1209600,
      "service": {...},
      "ticket": "c4iy3TWGn74UMO7ihRl0ZS8OEUzV9axBlBbJbqxH-9Q"
    }
    

    This API parses request parameters of an authorization request and returns necessary data for the authorization server implementation to process the authorization request further.

    Request

    POST /api/auth/authorization

    Content-Type

    application/x-www-form-urlencoded
    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    parameters YES

    OAuth 2.0 authorization request parameters which are the request parameters that the OAuth 2.0 authorization endpoint of the authorization server implementation received from the client application.

    The value of parameters is either (1) the entire query string when the HTTP method of the request from the client application is GET or (2) the entire entity body (which is formatted in application/x-www-form-urlencoded) when the HTTP method of the request from the client application is POST.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    action string

    The next action that the authorization server implementation should take. One of the following. Details are described in the description.

    • INTERNAL_SERVER_ERROR
    • BAD_REQUEST
    • LOCATION
    • FORM
    • NO_INTERACTION
    • INTERACTION
    client Client

    Information about the client application which made the authorization request. This may be null if the authorization request does not contain a valid client ID (client_id) or if the client application is locked.

    display string

    The display mode which the client application requests by display request parameter [1]. One of the values listed in Display.

    When the authorization request does not have display request parameter, PAGE is set as the default value.

    It is ensured that the value of display is one of the supported display modes which are specified by supportedDisplays configuration parameter of the service. If the display mode specified by the authorization request is not supported, an error is raised.

    The values listed above correspond to the values listed in "OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, display".

    maxAge i32

    The maximum authentication age. This value comes from max_age request parameter [1], or defaultMaxAge configuration parameter of the client application when the authorization request does not contain max_age request parameter.

    See " OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, max_age" for max_age request parameter, and see " OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata, default_max_age" for defaultMaxAge configuration parameter.

    service Service

    Information about the service to which the authorization request was made.

    scopes Scope array

    The scopes that the client application requests. This value comes from scope request parameter [1]. If the request does not contain scope parameter, this parameter is a list of scopes which are registered as default. If the authorization request does not have scope request parameter and the service has not registered any default scope, the value of this parameter is null.

    It is ensured that scopes listed by this parameters are contained in the list of supported scopes which are specified by supportedScopes configuration parameter of the service. Unsupported scopes in the authorization request do not cause an error and are just ignored.

    OpenID Connect defines some scope names which need to be treated specially. The table below lists the special scope names.

    Name Description
    openid

    This scope must be contained in scope request parameter to promote an OAuth 2.0 authorization request to an OpenID Connect request. It is described in " OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, scope".

    profile

    This scope is used to request some claims to be embedded in the ID token. The claims are name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at. It is described in OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values.

    email

    This scope is used to request some claims to be embedded in the ID token. The claims are email and email_verified. It is described in OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values.

    address

    This scope is used to request address claim to be embedded in the ID token. It is described in OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values.

    The format of address claim is not a simple string. It is described in OpenID Connect Core 1.0, 5.1.1. Address Claim.

    phone

    This scope is used to request some claims to be embedded in the ID token. The claims are phone_number and phone_number_verified. It is described in OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values.

    offline_access

    The following is an excerpt about this scope from OpenID Connect Core 1.0, 11. Offline Access.

    OPTIONAL. This scope value requests that an OAuth 2.0 Refresh Token be issued that can be used to obtain an Access Token that grants access to the end-user's userinfo endpoint even when the end-user is not present (not logged in).


    Note that, if response_type request parameter does not contain code, offline_acccess scope is removed from this list even when scope request parameter contains offline_access. This behavior is a requirement written in OpenID Connect Core 1.0, 11. Offline Access.

    uiLocales string array

    The locales that the client application presented as candidates to be used for UI. This value comes from ui_locales request parameter [1]. The format of ui_locales is a space-separated list of language tag values defined in RFC5646. See " OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, ui_locales" for details.

    It is ensured that locales listed by this parameters are contained in the list of supported UI locales which are specified by supportedUiLocales configuration parameter of the service. Unsupported UI locales in the authorization request do not cause an error and are just ignored.

    claimsLocales string array

    End-user's preferred languages and scripts for claims. This value comes from claims_locales request parameter [1]. The format of claims_locales is a space-separated list of language tag values defined in RFC5646. See " OpenID Connect Core 1.0, 5.2. Claims Languages and Scripts" for details.

    It is ensured that locales listed by this parameters are contained in the list of supported claim locales which are specified by supportedClaimsLocales configuration parameter of the service. Unsupported claim locales in the authorization request do not cause an error and are just ignored.

    claims string array

    The list of claims that the client application requests to be embedded in the ID token. The value comes from (1) id_token in claims request parameter [1] and/or (2) special scopes (profile, email, address and phone) which are expanded to claims.

    See OpenID Connect Core 1.0, 5.5. Requesting Claims using the "claims" Request Parameter for claims request parameter, and see OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values for the special scopes.

    acrEssential boolean

    This boolean value indicates whether the authentication of the end-user must be one of the ACRs (Authentication Context Class References) listed in acrs parameter. This parameter becomes true only when (1) the authorization request contains claims request parameter [1] and (2) acr claim is in it, and (3) essential property of the acr claim is true. See OpenID Connect Core 1.0, 5.5.1.1. Requesting the "acr" Claim for details.

    clientIdAliasUsed boolean

    true if the value of the client_id request parameter included in the authorization request is the client ID alias. false if the value is the original numeric client ID.

    acrs string array

    The list of ACRs (Authentication Context Class References) one of which the client application requests to be satisfied for the authentication of the end-user. This value comes from acr_values request parameter [1] or defaultAcrs configuration parameter of the client application.

    See " OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, acr_values" for acr_values request parameter, and see " OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata, default_acr_values" for defaultAcrs configuration parameter.

    subject string

    The subject (= unique user ID managed by the authorization server implementation) that the client application expects to grant authorization. The value comes from sub claim in claims request parameter.

    loginHint string

    A hint about the login identifier of the end-user. The value comes from login_hint request parameter.

    prompts string array

    The list of values of prompt request parameter. Possible element values are liseted in Prompt.

    See " OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, prompt" for prompt request parameter.

    lowestPrompt string

    The prompt that the UI displayed to the end-user must satisfy as the minimum level. This value comes from prompt request parameter [1] and one of the values listed in Prompt except for NONE.

    When the authorization request does not contain prompt request parameter, CONSENT is used as the default value.

    See " OpenID Connect Core 1.0, 3.1.2.1. Authentication Request, prompt" for prompt request parameter.

    requestObjectPayload string

    The payload part of the request object. The value of this proprty is null if the authorization request does not include a request object.

    idTokenClaims string

    The value of the id_token property in the claims request parameter or in the claims property in a request object.

    A client application may request certain claims be embedded in an ID token or in a response from the UserInfo endpoint. There are several ways. Including the claims request parameter and including the claims property in a request object are such examples. In both the cases, the value of the claims parameter/property is JSON. Its format is described in 5.5. Requesting Claims using the "claims" Request Parameter of OpenID Connect Core 1.0.

    The following is an excerpt from the specification. You can find userinfo and id_token are top-level properties.

    {
      "userinfo":
      {
        "given_name": {"essential": true},
        "nickname": null,
        "email": {"essential": true},
        "email_verified": {"essential": true},
        "picture": null,
        "http://example.info/claims/groups": null
      },
      "id_token":
      {
        "auth_time": {"essential": true},
        "acr": {"values": ["urn:mace:incommon:iap:silver"] }
      }
    }

    This value of this property is the value of the id_token property in JSON format. For example, if the JSON above is included in an authorization request, this method returns JSON equivalent to the following.

    {
      "auth_time": {"essential": true},
      "acr": {"values": ["urn:mace:incommon:iap:silver"] }
    }

    Note that if a request object is given and it contains the claims property and if the claims request parameter is also given, the value of this property the value in the former.

    userInfoClaims string

    The value of the userinfo property in the claims request parameter or in the claims property in a request object.

    A client application may request certain claims be embedded in an ID token or in a response from the UserInfo endpoint. There are several ways. Including the claims request parameter and including the claims property in a request object are such examples. In both the cases, the value of the claims parameter/property is JSON. Its format is described in 5.5. Requesting Claims using the "claims" Request Parameter of OpenID Connect Core 1.0.

    The following is an excerpt from the specification. You can find userinfo and id_token are top-level properties.

    {
      "userinfo":
      {
        "given_name": {"essential": true},
        "nickname": null,
        "email": {"essential": true},
        "email_verified": {"essential": true},
        "picture": null,
        "http://example.info/claims/groups": null
      },
      "id_token":
      {
        "auth_time": {"essential": true},
        "acr": {"values": ["urn:mace:incommon:iap:silver"] }
      }
    }

    The value of this property is the value of the uderinfo property in JSON format. For example, if the JSON above is included in an authorization request, this method returns JSON equivalent to the following.

    {
      "auth_time": {"essential": true},
      "acr": {"values": ["urn:mace:incommon:iap:silver"] }
    }

    Note that if a request object is given and it contains the claims property and if the claims request parameter is also given, the value of this property the value in the former.

    resources string

    The resources specified by the resource request parameters or by the resource property in the request object. If both are given, the values in the request object should be set. See "Resource Indicators for OAuth 2.0" for details. This parameter is available since Authlete 2.2.

    authorizationDetails string

    The authorization details. This represents the value of the authorization_details request parameter which is defined in OAuth 2.0 Rich Authorization Requests. This parameter is available since Authlete 2.2.

    purpose string

    The purpose request parameter is defined in 8. Transaction-specific Purpose of OpenID Connect for Identity Assurance 1.0 as follows:

    purpose OPTIONAL. String describing the purpose for obtaining certain user data from the OP. The purpose MUST NOT be shorter than 3 characters and MUST NOT be longer than 300 characters. If these rules are violated, the authentication request MUST fail and the OP returns an error invalid_request to the RP.

    This parameter is available since Authlete 2.2.

    responseContent string

    The content that the authorization server implementation is to return to the client application. Its format varies depending on the value of action parameter. See description for details.

    ticket string

    A ticket issued by Authlete to the service implementation. This is needed when the service implementation calls either /auth/authorization/fail API or /auth/authorization/issue API.

    [1] OpenID Connect introduces request parameter and request_uri parameter as means to specify request parameters indirectly. See OpenID Connect Core 1.0, 6. Passing Request Parameters as JWTs for details.

    Description

    This API is supposed to be called from within the implementation of the authorization endpoint of the service. The endpoint implementation must extract the request parameters from the authorization request from the client application and pass them as the value of parameters request parameter for Authlete's /auth/authorization API.

    The value of parameters is either (1) the entire query string when the HTTP method of the request from the client application is GET or (2) the entire entity body (which is formatted in application/x-www-form-urlencoded) when the HTTP method of the request from the client application is POST.

    The following code snippet is an example in JAX-RS showing how to extract request parameters from the authorization request.

    @GET
    public Response get(@Context UriInfo uriInfo)
    {
        // The query parameters of the authorization request.
        String parameters = uriInfo.getRequestUri().getQuery();
        ......
    }
     
    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    public Response post(String parameters)
    {
        // 'parameters' is the entity body of the authorization request.
        ......
    }

    The endpoint implementation does not have to parse the request parameters from the client application because Authlete's /auth/authorization API does it.

    The response from /auth/authorization API has various parameters. Among them, it is action parameter that the authorization server implementation should check first because it denotes the next action that the authorization server implementation should take. According to the value of action, the service implementation must take the steps described below.


    INTERNAL_SERVER_ERROR

    When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the authorization server implementation was wrong or that an error occurred in Authlete.

    In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with HTTP status of "500 Internal Server Error". Authlete recommends application/json as the content type although OAuth 2.0 specification does not mention the format of the error response when the redirect URI is not usable.

    The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the service implementation should generate and return to the client application.

    HTTP/1.1 500 Internal Server Error
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
    
    {responseContent}

    The endpoint implementation may return another different response to the client application since "500 Internal Server Error" is not required by OAuth 2.0.


    BAD_REQUEST

    When the value of action is BAD_REQUEST, it means that the request from the client application is invalid.

    A response with HTTP status of "400 Bad Request" should be returned to the client application and Authlete recommends application/json as the content type although OAuth 2.0 specification does not mention the format of the error response when the redirect URI is not usable.

    The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the service implementation should generate and return to the client application.

    HTTP/1.1 400 Bad Request
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
    
    {responseContent}

    The endpoint implementation may return another different response to the client application since "400 Bad Request" is not required by OAuth 2.0.


    LOCATION

    When the value of action is LOCATION, it means that the request from the client application is invalid but the redirect URI to which the error should be reported has been determined.

    A response with HTTP status of "302 Found" must be returned to the client application with Location header which has a redirect URI with error parameter.

    The parameter responseContent contains a redirect URI with error parameter, so it can be used as the value of Location header.

    The following illustrates the response which the service implementation must generate and return to the client application.

    HTTP/1.1 302 Found
    Location: {responseContent}
    Cache-Control: no-store
    Pragma: no-cache

    FORM

    When the value of action is FORM, it means that the request from the client application is invalid but the redirect URI to which the error should be reported has been determined, and that the authorization request contains response_mode=form_post as is defined in OAuth 2.0 Form Post Response Mode.

    A response with HTTP status of "200 OK" must be returned to the client application with an HTML which satisfies the requirements of response_mode=form_post.

    The parameter responseContent contains an HTML which can be used as the entity body of the response.

    The following illustrates the response which the service implementation must generate and return to the client application.

    HTTP/1.1 200 OK
    Content-Type: text/html;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache
    
    {responseContent}

    NO_INTERACTION

    When the value of action is NO_INTERACTION, it means that the request from the client application has no problem and requires the service to process the request without displaying any user interface pages for authentication or consent. This case happens when the authorization request contains prompt=none.

    The service must follow the steps described below.

    1. [END-USER AUTHENTICATION]

      Check whether an end-user has already logged in. If an end-user has logged in, go to the next step ([MAX_AGE]). Otherwise, call Authlete's /auth/authorization/fail API with reason=NOT_LOGGED_IN and use the response from the API to generate a response to the client application.

    2. [MAX_AGE]

      Get the value of maxAge parameter. The value represents the maximum authentication age which has come from max_age request parameter or defaultMaxAge configuration parameter of the client application. If the value is 0, go to the next step ([SUBJECT]). Otherwise, follow the sub steps described below.

      1. Get the time at which the end-user was authenticated. Note that this value is not managed by Authlete, meaning that it is expected that the service implementation manages the value. If the service implementation does not manage authentication time of end-users, call Authlete's /auth/authorization/fail API with reason=MAX_AGE_NOT_SUPPORTED and use the response from the API to generate a response to the client application.

      2. Add the value of the maximum authentication age (which is represented in seconds) to the authentication time. The calculated value is the expiration time.

        Check whether the calculated value is equal to or greater than the current time. If this condition is satisfied, go to the next step ([SUBJECT]). Otherwise, call Authlete's /auth/authorization/fail API with reason=EXCEEDS_MAX_AGE and use the response from the API to generate a response to the client application.

    3. [SUBJECT]

      Get the value of subject. The value represents an end-user who the client application expects to grant authorization. If the value is null, go to the next step ([ACRs]). Otherwise, follow the sub steps described below.

      1. Compare the value of the requested subject to the current end-user.

      2. If they are equal, go to the next step ([ACRs]).

      3. If they are not equal, call Authlete's /auth/authorization/fail API with reason=DIFFERENT_SUBJECT and use the response from the API to generate a response to the client application.

    4. [ACRs]

      Get the value of acrs. The value represents a list of ACRs (Authentication Context Class References) and comes from (1) acr claim in claims request parameter, (2) acr_values rquest parameter, or (3) defaultAcrs configuration parameter of the client application.

      It is ensured that all the ACRs in acrs are supported by the authorization server implementation. In other words, it is ensured that all the ACRs are listed in supportedAcrs configuration parameter of the authorization server implementation.

      If the value of ACRs is null, go to the next step ([ISSUE]). Otherwise, follow the sub steps described below.

      1. Get the ACR performed for the authentication of the current end-user. Note that this value is managed not by Authlete but by the authorization server implementation. (If the authorization server implementation cannot handle ACRs, it should not have listed ACRs in supportedAcrs.)

      2. Compare the ACR value obtained in the above step to each element in the ACR array (acrs) in the listed order. If the ACR value was found in the array, go to the next step ([ISSUE]).

      3. If the ACR value was not found in the ACR array, in other words, if the ACR performed for the authentication of the current end-user did not match any one of the ACRs requested by the client application, get the value of acrEssential. If the boolean value is true, call Authlete's /auth/authorization/fail API with reason=ACR_NOT_SATISFIED and use the response from the API to generate a response to the client application. Otherwise, go to the next step ([ISSUE]).

    5. [ISSUE]

      If all the above steps succeeded, the last step is to issue an authorization code, an ID token and/or an access token. (There is a special case, though. In the case of response_type=none, nothing is issued.) It can be performed by calling Authlete's /auth/authorization/issue API. The API requires the following parameters. Prepare these parameters and call /auth/authorization/issue API and use the response from the API to generate a response to the client application.


      • ticket (required)

        This parameter represents a ticket which is exchanged with tokens at /auth/authorization/issue. Use the value of ticket contained in the response from /auth/authorization API.

      • subject (conditionally required)

        This parameter represents the unique identifier of the current end-user. It is often called "user ID" and it may or may not be visible to the user. In any case, it is a number or a string assigned to an end-user by the authorization server implementation. Authlete does not care about the format of the value of subject, but it must consist of only ASCII letters and its length must not exceed 100.

        When subject parameter in the response from /auth/authorization API is not null, it is necessarily identical to the value of subject parameter for /auth/authorization/issue API.

        The value of this parameter will be embedded in an ID token as the value of sub claim. When the value of subjectType configuration parameter of the client application is PAIRWISE, the value of sub claim is different from the value specified by this parameter, but PAIRWISE is not supported by Authlete yet. See 8. Subject Identifier Types of OpenID Connect Core 1.0 for details about subject types.

        You can use the sub request parameter to adjust the value of the sub claim in an ID token. See the description of the sub request parameter for details.

      • authTime (optional)

        This parameter represents the time when the end-user authentication occurred. Its value is the number of seconds from 1970-01-01. The value of this parameter will be embedded in an ID token as the value of auth_time claim.

      • acr (optional)

        This parameter represents the ACR (Authentication Context Class Reference) which the authentication of the end-user satisfies. When acrs in the response from /auth/authorization API is a non-empty array and acrEssential is true, the value of this parameter must be one of the array elements. Otherwise, even null is allowed. The value of this parameter will be embedded in an ID token as the value of acr claim.

      • claims (optional)

        This parameter represents claims of the end-user. "Claims" here are pieces of information about the end-user such as "name", "email" and "birthdate". The authorization server implementation is required to gather claims of the end-user, format the claim values into JSON and set the JSON string as the value of this parameter.

        The claims which the authorization server implementation is required to gather are listed in claims parameter in the response from /auth/authorization API. It is ensured that the values in claims parameter are contained in the list of supported claims which are specified by supportedClaims configuration parameter of the service.

        For example, if claims parameter lists name, email and birthdate, the value of this parameter should look like the following.

        {
          "name": "John Smith",
          "email": "john@example.com",
          "birthdate": "1974-05-06"
        }

        claimsLocales parameter in the response from /auth/authorization API lists the end-user's preferred languages and scripts, ordered by preference. When claimsLocales parameter is a non-empty array, its elements should be taken into account when the authorization server implementation gathers claim values. Especially, note the excerpt below from 5.2. Claims Languages and Scripts of OpenID Connect Core 1.0.

        When the OP determines, either through the claims_locales parameter, or by other means, that the End-User and Client are requesting Claims in only one set of languages and scripts, it is RECOMMENDED that OPs return Claims without language tags when they employ this language and script. It is also RECOMMENDED that Clients be written in a manner that they can handle and utilize Claims using language tags.

        If claims parameter in the response from /auth/authorization API is null or an empty array, the value of this parameter should be null.

        See 5.1. Standard Claims of OpenID Connect core 1.0 for claim names and their value formats. Note (1) that the authorization server implementation support its special claims (5.1.2. Additional Claims) and (2) that claim names may be followed by a language tag (5.2. Claims Languages and Scripts). Read the specification of OpenID Connect Core 1.0 for details.

        Claim names (listed in claims parameter) that the authorization server implementation cannot understand can be ignored and their claim values do not have to be gathered.

        The claim values in this parameter will be embedded in an ID token.

      • properties (optional)

        Extra properties to associate with an access token and/or an authorization code that may be issued by this request. Note that properties parameter is accepted only when Content-Type of the request is application/json, so don't use application/x-www-form-urlencoded for details.

      • scopes (optional)

        Scopes to associate with an access token and/or an authorization code. If this parameter is null, the scopes specified in the original authorization request from the client application are used. In other cases, including the case of an empty array, the specified scopes will replace the original scopes contained in the original authorization request.

        Even scopes that are not included in the original authorization request can be specified. However, as an exception, openid scope is ignored on the server side if it is not included in the original request. It is because the existence of openid scope considerably changes the validation steps and because adding openid triggers generation of an ID token (although the client application has not requested it) and the behavior is a major violation against the specification.

        If you add offline_access scope although it is not included in the original request, keep in mind that the specification requires explicit consent from the user for the scope (OpenID Connect Core 1.0, 11. Offline Access). When offline_access is included in the original request, the current implementation of Authlete's /auth/authorization API checks whether the request has come along with prompt request parameter and the value includes consent. However, note that the implementation of Authlete's /auth/authorization/issue API does not perform such checking if offline_access scope is added via this scopes parameter.

      • sub (optional)

        The value of the sub claim in an ID token. If the value of this request parameter is not empty, it is used as the value of the sub claim. Otherwise, the value of the subject request parameter is used as the value of the sub claim. The main purpose of this parameter is to hide the actual value of the subject from client applications.

        Note that even if this sub parameter is not empty, the value of the subject request parameter is used as the value of the subject which is associated with the access token.


    INTERACTION

    When the value of action is INTERACTION, it means that the request from the client application has no problem and requires the service to process the request with user interaction by an HTML form.

    The purpose of the UI displayed to the end-user is to ask the end-user to grant authorization to the client application. The items described below are some points which the service implementation should take into account when it builds the UI.

    1. [DISPLAY MODE]

      The response from /auth/authorization API has display parameter. It is one of PAGE (default), POPUP, TOUCH and WAP The meanings of the values are described in 3.1.2.1. Authentication Request of OpenID Connect Core 1.0. Basically, the authorization server implementation should display the UI which is suitable for the display mode, but it is okay for the authorization server implementation to "attempt to detect the capabilities of the User Agent and present an appropriate display."

      It is ensured that the value of display is one of the supported display modes which are specified by supportedDisplays configuration parameter of the service.

    2. [UI LOCALE]

      The response from /auth/authorization API has uiLocales parameter. It it is not null, it lists language tag values (such as fr-CA, ja-JP and en) ordered by preference. The service implementation should display the UI in one of the language listed in the parameter when possible.

      It is ensured that language tags listed in uiLocales are contained in the list of supported UI locales which are specified by supportedUiLocales configuration parameter of the service.

    3. [CLIENT INFORMATION]

      The authorization server implementation should show information about the client application to the end-user. The information is embedded in client parameter in the response from /auth/authorization API. The format of client parameter is described in Data Type, Client.

    4. [SCOPES]

      A client application requires authorization for specific permissions. In OAuth 2.0 specification, "scope" is a technical term which represents a permission. scopes parameter in the response from /auth/authorization API is a list of scopes requested by the client application. The service implementation should show the end-user the scopes.

      It is ensured that the values in scopes parameter are contained in the list of supported scopes which are specified by supportedScopes configuration parameter of the service.

    5. [AUTHORIZATION DETAILS]

      The authorization server implementation should show the end-user "authorization details" if the request includes it. The value of authorization_details parameter in the response is the content of the authorization_details request parameter.

      See "OAuth 2.0 Rich Authorization Requests" for details. Note that the specification is supported since Authlete 2.2. If the Authlete server you are using is older than 2.2, the value of authorization_details parameter in the response is always null.

    6. [CLAIMS]

      A client application may require claims of the end-user. In OpenID Connect specification, "claim" is a technical term which represents a piece of information about an end-user. claims parameter in the response from /auth/authorization API is a list of claims requested by the client aplication. The service implementation should show the end-user the claim names.

      It is ensured that the values in claims parameter are contained in the list of supported claims which are specified by supportedClaims configuration parameter of the service.

    7. [END-USER AUTHENTICATION]

      Necessarily, the end-user must be authenticated (= must login the service) before granting authorization to the client application. Simply put, a login form is expected to be displayed for end-user authentication. The service implementation must follow the steps described below to comply with OpenID Connect. (Or just always show a login form if it's too much of a bother.)

      1. Get the value of lowestPrompt in the response from /auth/authorization API. The value is one of LOGIN, CONSENT and SELECT_ACCOUNT. The meanings of the values are described in 3.1.2.1. Authentication Request of OpenID Connect Core 1.0. Note that prompts response parameter has been included in the response since August, 2016. So, you may refer to the parameter directly for better control (especially if the logic here does not meet your requirements).

      2. When the value of lowestPrompt is SELECT_ACCOUNT display a form to let the end-user select on of his/her accounts for login. If subject parameter in the response from /auth/authorization API is not null it is the end-user ID that the client expects, so it should be set to the input field for the login ID. When subject is null, loginHint may be referred to calculate the initial value of the input field.

      3. Otherwise, when the value of the lowest prompt is LOGIN, display a form to let the end-user login. If subject parameter in the response from /auth/authorization API is not null it is the end-user ID that the client expects, so it should be set to the input field for the login ID. When subject is null, loginHint may be referred to calculate the initial value of the input field.

      4. Otherwise, when the value of the lowest prompt is CONSENT, the authorization server implementation can omit a login form and use the end-user who has currently logged in the service if all the conditions described below are satisfied. If any one of the conditions is not satisfied, show a login form to authenticate the end-user.

        1. An end-user has already logged in the service.

        2. The login ID of the current end-user matches the value of subject parameter in the response from /auth/authorization API. This check should be performed only when subject is not null.

        3. The maximum authentication age, which is the value of maxAge parameter in the response from /auth/authorization API, has not passed since the current end-user logged in the service. This check should be performed only when maxAge is not 0.

          If the authorization server implementation does not manage authentication time of end-users (= cannot know when end-users logged in) and if maxAge is not 0, a login form should be displayed.

        4. The ACR (Authentication Context Class Reference) of the authentication performed for the current end-user satisfies one of the ACRs listed in acrs parameter in the response from /auth/authorization API. This check should be performed only when acrs is a non-empty array.

      In every case, the end-user authentication must satisfy one of the ACRs listed in acrs parameter when acrs is a non-empty array and acrEssential is true.

    8. [GRANT/DENY BUTTONS]

      The end-user is supposed to choose either (1) to grant authorization to the client applicationor (2) to deny the authorization request. The UI must have UI components to accept the judgment by the user. Usually, a button to grant authorization and a button to deny the request are provided.

    When subject parameter in the response from /auth/authorization API is not null, the authorization server implementation must check whether the value matches the login ID of the authenticated user. The authorization server implementation should repeatedly show a login form until the specified subject is successfully authenticated.

    The end-user will choose either (1) to grant authorization to the client application or (2) to deny the authorization request. When the end-user chose to deny the authentication request, call Authlete's /auth/authorization/fail API with reason=DENIED and use the response from the API to generate a response to the client application.

    When the end-user chose to grant authorization to the client application, the authorization server implementation has to issue an authorization code, an ID token and/or an access token to the client application. (There is a special case. In the case of response_type=none, nothing is issued.) It can be performed by calling Authlete's /auth/authorization/issue API. Read [ISSUE] written above in the description for the case of action=NO_INTERACTION.


    The following code snippet is an excerpt from the sample code of the authorization endpoint. This illustrates how to dispatch processing based on the value of action parameter.

    /**
     * Process the parameters of the authorization request.
     */
    private Response process(HttpServletRequest request, String parameters)
    {
        // Call Authlete's /auth/authorization API.
        AuthorizationResponse response =
            callAuthleteAuthorizationApi(parameters);
     
        // 'action' in the response denotes the next action which
        // this authorization server implementation should take.
        Action action = response.getAction();
     
        // The content of the response to the client application.
        // The format of the content varies depending on the action.
        String content = response.getResponseContent();
     
        // Dispatch according to the action.
        switch (action)
        {
            case INTERNAL_SERVER_ERROR:
                // 500 Internal Server Error
                return ResponseUtil.internalServerError(content);
     
            case BAD_REQUEST:
                // 400 Bad Request
                return ResponseUtil.badRequest(content);
     
            case LOCATION:
                // 302 Found
                return ResponseUtil.location(content);
     
            case FORM:
                // 200 OK
                return ResponseUtil.form(content);
     
            case NO_INTERACTION:
                // Process the authorization request without user interaction.
                return handleNoInteraction(response);
     
            case INTERACTION:
                // Process the authorization request with user interaction.
                return handleInteraction(request.getSession(), response);
     
            default:
                // This never happens.
                throw new InternalServerErrorException("Unknown action");
        }
    }

    /auth/authorization/fail API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/auth/authorization \
    -H 'Content-Type: application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -d '{ "ticket": "c4iy3TWGn74UMO7ihRl0ZS8OEUzV9axBlBbJbqxH-9Q", "reason": "NOT_AUTHENTICATED" }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    // Extract the ticket issued by '/auth/authorization' API.
    String ticket = extractTicket();
    
    AuthorizationFailRequest request = new AuthorizationFailRequest()
      .setTicket(ticket)
      .setReason(AuthorizationFailRequest.Reason.NOT_AUTHENTICATED)
    ;
    
    api.authorizationFail(request);
    
    require 'authlete'
    
    api = Authlete::Api.new(
      host: 'https://api.authlete.com',
      service_api_key: 10167240235,
      service_api_secret: LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE
    )
    
    # Extract the ticket issued by '/auth/token' API.
    ticket = extract_ticket
    
    # The reason of the failure of the token request. 
    reason = 'NOT_AUTHENTICATED'
    
    request = Authlete::Model::Request::AuthorizationFailRequest.new(
      ticket: ticket, 
      reason: reason
    )
    
    api.authorization_fail(request)
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    // Extract the ticket issued by '/auth/authorization' API.
    string ticket = ExtractTicket();
    
    AuthorizationFailRequest request = new AuthorizationFailRequest();
    request.Ticket = ticket;
    reqeust.Reason = AuthorizationFailReason.NOT_AUTHENTICATED;
    
    await api.AuthorizationFail(request);
    

    Sample Response

    {
      "type": "authorizationFailResponse",
      "resultCode": "A060309",
      "resultMessage": "[A060309] The authorization request failed because the end-user was not authenticated or did not exist.",
      "action": "LOCATION",
      "responseContent": "https://api.authlete.com/api/mock/redirection/10167240235?error=login_required&error_description=%5BA060309%5D+The+authorization+request+failed+because+the+end-user+was+not+authenticated+or+did+not+exist.&error_uri=https%3A%2F%2Fwww.authlete.com%2Fdocuments%2Fapis%2Fresult_codes%23A060309"
    }
    

    This API generates a content of an error authorization response that the authorization server implementation returns to the client application.

    Request

    POST /api/auth/authorization/fail

    Content-Type

    application/x-www-form-urlencoded
    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    ticket YES

    The ticket issued from Authlete's /auth/authorization API.

    reason YES

    The reason of the failure of the authorization request. One of the following.

    • UNKNOWN
    • NOT_LOGGED_IN
    • MAX_AGE_NOT_SUPPORTED
    • EXCEEDS_MAX_AGE
    • DIFFERENT_SUBJECT
    • ACR_NOT_SATISFIED
    • DENIED
    • SERVER_ERROR
    • NOT_AUTHENTICATED
    • ACCOUNT_SELECTION_REQUIRED
    • CONSENT_REQUIRED
    • INTERACTION_REQUIRED
    description NO

    The custom description about the authorization failure.

    The following are descriptions about the values of reason parameter. The description of the /auth/authorization API describes as to which reason should be used when.

    UNKNOWN

    Unknown reason.

    NOT_LOGGED_IN

    The authorization request from the client application contained prompt=none, but any end-user has logged in.

    MAX_AGE_NOT_SUPPORTED

    The authorization request from the client application contained max_age parameter with a non-zero value or the value of defaultMaxAge configuration parameter of the client application is not 0, but the service implementation cannot behave properly based the maximum authentication age value mainly because the service implementation does not manage authentication time of end-users.

    EXCEEDS_MAX_AGE

    The authorization request from the client application contained prompt=none, but the maximum authentication age (= the time specified by max_age request parameter or by defaultMaxAge configuration parameter of the client application) has passed since the time when the end-user logged in.

    DIFFERENT_SUBJECT

    The authorization request from the client application requested a specific value for sub claim, but the current end-user (in the case of prompt=none) or the end-user after the authentication is different from the specified value.

    ACR_NOT_SATISFIED

    The authorization request from the client application contained acr claim in claims request parameter and the claim was marked as essential, but the ACR (Authentication Context Class Reference) performed for the end-user does not match any of the requested ACRs.

    DENIED

    The end-user denied the authorization request from the client application.

    SERVER_ERROR

    Server error.

    NOT_AUTHENTICATED

    The end-user was not authenticated.

    ACCOUNT_SELECTION_REQUIRED

    The authorization server cannot obtain an account selection choice made by the end-user.

    CONSENT_REQUIRED

    The authorization server cannot obtain consent from the end-user.

    INTERACTION_REQUIRED

    The authorization server needs interaction with the end-user.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    action string

    The next action that the authorization server implementation should take. One of the following. Details are described in the description.

    • INTERNAL_SERVER_ERROR
    • BAD_REQUEST
    • LOCATION
    • FORM
    responseContent string

    The content that the authorization server implementation is to return to the client application. Its format varies depending on the value of action parameter. See description for details.

    Description

    This API is supposed to be called from within the implementation of the authorization endpoint of the service in order to generate an error response to the client application.

    The description of the /auth/authorization API describes the timing when this API should be called.

    The response from /auth/authorization/fail API has some parameters. Among them, it is action parameter that the authorization server implementation should check first because it denotes the next action that the authorization server implementation should take. According to the value of action, the authorization server implementation must take the steps described below.


    INTERNAL_SERVER_ERROR

    When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the authorization server implementation was wrong or that an error occurred in Authlete.

    In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with HTTP status of "500 Internal Server Error". Authlete recommends application/json as the content type.

    The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the service implementation should generate and return to the client application.

    HTTP/1.1 500 Internal Server Error
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
    
    {responseContent}

    The endpoint implementation may return another different response to the client application since "500 Internal Server Error" is not required by OAuth 2.0.


    BAD_REQUEST

    When the value of action is BAD_REQUEST, it means that the ticket is no longer valid (deleted or expired) and that the reason of the invalidity was probably due to the end-user's too-delayed response to the authorization UI.

    A response with HTTP status of "400 Bad Request" should be returned to the client application and Authlete recommends application/json as the content type.

    The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the service implementation should generate and return to the client application.

    HTTP/1.1 400 Bad Request
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
    
    {responseContent}

    The endpoint implementation may return another different response to the client application since "400 Bad Request" is not required by OAuth 2.0.


    LOCATION

    When the value of action is LOCATION, it means that the response to the client application must be "302 Found" with Location header.

    The parameter responseContent contains a redirect URI with error parameter, so it can be used as the value of Location header.

    The following illustrates the response which the service implementation must generate and return to the client application.

    HTTP/1.1 302 Found
    Location: {responseContent}
    Cache-Control: no-store
    Pragma: no-cache

    FORM

    When the value of action is FORM, it means that the response to the client application must be 200 OK with an HTML which triggers redirection by JavaScript. This happens when the authorization request from the client application contained response_mode=form_post.

    The parameter responseContent contains an HTML which can be used as the entity body of the response.

    The following illustrates the response which the service implementation must generate and return to the client application.

    HTTP/1.1 200 OK
    Content-Type: text/html;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache
    
    {responseContent}

    The following code snippet is an excerpt from the sample code of the authorization endpoint. This illustrates how to dispatch processing based on the value of action parameter.

    /**
     * Create a response that describes the failure. This method
     * calls Authlete's {@code /auth/authorization/fail} API.
     */
    private Response createFailureResponse(String ticket, Reason reason)
    {
        // Call Authlete's /auth/authorization/fail API.
        AuthorizationFailResponse response =
            callAuthleteAuthorizationFailApi(ticket, reason);
     
        // 'action' in the response denotes the next action which
        // this authorization server implementation should take.
        AuthorizationFailResponse.Action action = response.getAction();
     
        // The content of the response to the client application.
        // The format of the content varies depending on the action.
        String content = response.getResponseContent();
     
        // Dispatch according to the action.
        switch (action)
        {
            case INTERNAL_SERVER_ERROR:
                // 500 Internal Server Error
                return ResponseUtil.internalServerError(content);
     
            case BAD_REQUEST:
                // 400 Bad Request
                return ResponseUtil.badRequest(content);
     
            case LOCATION:
                // 302 Found
                return ResponseUtil.location(content);
     
            case FORM:
                // 200 OK
                return ResponseUtil.form(content);
     
            default:
                // This never happens.
                throw new InternalServerErrorException("Unknown action");
        }
    }

    /auth/authorization/issue API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/auth/authorization/issue \
    -H 'Content-Type: application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -d '{ "ticket": "FFgB9gwb_WXh6g1u-UQ8ZI-d_k4B-o-cm7RkVzI8Vnc", "subject": "john" }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    // Extract the ticket issued by '/auth/authorization' API.
    String ticket = extractTicket();
    
    // Get the subject (= unique identifier) of the end-user.
    String subject = getSubject();
    
    AuthorizationIssueRequest request = new AuthorizationIssueRequest()
      .setTicket(ticket)
      .setSubject(subject)
    ;
    
    api.authorizationIssue(request);
    
    require 'authlete'
    
    api = Authlete::Api.new(
      host: 'https://api.authlete.com',
      service_api_key: 10167240235,
      service_api_secret: 'LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
    )
    
    # Extract the ticket issued by '/auth/authorization' API.
    ticket = extract_ticket
    
    # Get the subject (= unique identifier) of the end-user.
    subject = get_subject
    
    request = Authlete::Model::Request::AuthorizationIssueRequest.new(
      ticket: ticket, 
      reason: subject
    )
    
    api.authorization_issue(request)
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    // Extract the ticket issued by '/auth/authorization' API.
    string ticket = ExtractTicket();
    
    // Get the subject (= unique identifier) of the end-user.
    string subject = GetSubject();
    
    AuthorizationIssueRequest request = new AuthorizationIssueRequest();
    request.Ticket  = ticket;
    request.Subject = subject;
    
    await api.AuthorizationIssue(request);
    

    Sample Response

    {
        "type": "authorizationIssueResponse",
        "resultCode": "A040001",
        "resultMessage": "[A040001] The authorization request was processed successfully.",
        "accessTokenDuration": 0,
        "accessTokenExpiresAt": 0,
        "action": "LOCATION",
        "authorizationCode": "_VSzpgug3OpdUymcbLYJjH1v9tE4hSPaxX_pSkxUUyk",
        "responseContent": "https://api.authlete.com/api/mock/redirection/10167240235?code=_VSzpgug3OpdUymcbLYJjH1v9tE4hSPaxX_pSkxUUyk"
    }
    

    This API generates a content of a successful authorization response that the authorization server implementation returns to the client application.

    Request

    POST /api/auth/authorization/issue

    Content-Type

    application/x-www-form-urlencoded
    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    ticket YES

    The ticket issued from Authlete's /auth/authorization API.

    subject YES

    The subject (= a user account managed by the service) who has granted authorization to the client application.

    authTime NO

    The time when the authentication of the end-user occurred. Its value is the number of seconds from 1970-01-01.

    acr NO

    The Authentication Context Class Reference performed for the end-user authentication.

    claims NO

    The claims of the end-user (= pieces of information about the end-user) in JSON format See OpenID Connect Core 1.0, 5.1. Standard Claims for details about the format.

    properties NO

    Extra properties to associate with an access token and/or an authorization code. See Extra Properties for details.

    scopes NO

    Scopes to associate with an access token and/or an authorization code. If a non-empty string array is given, it replaces the scopes specified by the original authorization request.

    sub NO

    The value of the sub claim to embed in an ID token. If this request parameter is null or empty, the value of the subject request parameter is used as the value of the sub claim.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    action string

    The next action that the authorization server implementation should take. One of the following. Details are described in the description.

    • INTERNAL_SERVER_ERROR
    • BAD_REQUEST
    • LOCATION
    • FORM
    responseContent string

    The content that the authorization server implementation is to return to the client application. Its format varies depending on the value of action parameter. See description for details.

    accessToken string

    The newly issued access token. Note that an access token is issued from an authorization endpoint only when response_type contains token.

    accessTokenExpiresAt i32

    The datetime at which the newly issued access token will expire. The value is represented in milliseconds since the Unix epoch (1970-01-01).

    accessTokenDuration i32

    The duration of the newly issued access token in seconds.

    idToken string

    The newly issued ID token. Note that an ID token is issued from an authorization endpoint only when response_type contains id_token.

    authorizationCode string

    The newly issued authorization code. Note that an authorization code is issued only when response_type contains code.

    jwtAccessToken string

    The newly issued access token in JWT format. If the service is not configured to issue JWT-based access tokens, this method always returns null.

    Description

    This API is supposed to be called from within the implementation of the authorization endpoint of the service in order to generate a successful response to the client application.

    The description of the /auth/authorization API describes the timing when this API should be called and the meaning of request parameters. See [ISSUE] in NO_INTERACTION.

    The response from /auth/authorization/issue API has some parameters. Among them, it is action parameter that the authorization server implementation should check first because it denotes the next action that the authorization server implementation should take. According to the value of action, the authorization server implementation must take the steps described below.


    INTERNAL_SERVER_ERROR

    When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the authorization server implementation was wrong or that an error occurred in Authlete.

    In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with HTTP status of "500 Internal Server Error". Authlete recommends application/json as the content type.

    The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the service implementation should generate and return to the client application.

    HTTP/1.1 500 Internal Server Error
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
     
    {responseContent}

    The endpoint implementation may return another different response to the client application since "500 Internal Server Error" is not required by OAuth 2.0.


    BAD_REQUEST

    When the value of action is BAD_REQUEST, it means that the ticket is no longer valid (deleted or expired) and that the reason of the invalidity was probably due to the end-user's too-delayed response to the authorization UI.

    A response with HTTP status of "400 Bad Request" should be returned to the client application and Authlete recommends application/json as the content type.

    The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the service implementation should generate and return to the client application.

    HTTP/1.1 400 Bad Request
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
     
    {responseContent}

    The endpoint implementation may return another different response to the client application since "400 Bad Request" is not required by OAuth 2.0.


    LOCATION

    When the value of action is LOCATION, it means that the response to the client application must be "302 Found" with Location header.

    The parameter responseContent contains a redirect URI with (1) an authorization code, an ID token and/or an access token (on success) or (2) an error code (on failure), so it can be used as the value of Location header.

    The following illustrates the response which the service implementation must generate and return to the client application.

    HTTP/1.1 302 Found
    Location: {responseContent}
    Cache-Control: no-store
    Pragma: no-cache

    FORM

    When the value of action is FORM, it means that the response to the client application must be 200 OK with an HTML which triggers redirection by JavaScript. This happens when the authorization request from the client application contained response_mode=form_post.

    The parameter responseContent contains an HTML which can be used as the entity body of the response.

    The following illustrates the response which the service implementation must generate and return to the client application.

    HTTP/1.1 200 OK
    Content-Type: text/html;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache
     
    {responseContent}

    Token Endpoint

    /auth/token API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/auth/token \
    -H "Content-Type: application/json" \
    -u "10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE" \
    -d '{ "parameters": "grant_type=authorization_code&code=DkKMvKzrRAsWErsWCChNX_gydqqgA55AW2OJlXmNTQI&redirect_uri=https%3A%2F%2Fapi.authlete.com%2Fapi%2Fmock%2Fredirection%2F10167240235" }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    // Extract request parameters that the OAuth 2.0 token endpoint of 
    // this OAuth 2.0 serever implementation received from the client application.
    String parameters = extractRequestParameters();
    
    // The credentials of the client application extracted from 'Authorization' header.
    String clientId     = extractClientId();
    String clientSecret = extractClientSecret();
    
    TokenRequest request = new TokenRequest()
      .setParameters(parameters)
      .setClientId(clientId)
      .setClientSecret(clientSecret)
    ;
    
    api.token(request);
    
    require 'authlete'
    
    api = Authlete::Api.new(
      host: "https://api.authlete.com",
      service_api_key: "10167240235",
      service_api_secret: "LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE"
    )
    
    # Extract request parameters that the OAuth 2.0 token endpoint of 
    # this OAuth 2.0 serever implementation received from the client application.
    parameters = extract_request_parameters
    
    # The credentials of the client application extracted from 'Authorization' header.
    client_id     = extract_client_id
    client_secret = extract_client_secret
    
    request = Authlete::Model::Request::TokenRequest.new(
      parameters:    parameters,
      client_id:     client_id,
      client_secret: client_secret
    )
    
    api.token(request)
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    // Extract request parameters that the OAuth 2.0 token endpoint of 
    // this OAuth 2.0 serever implementation received from the client application.
    string parameters = ExtractRequestParameters();
    
    // The credentials of the client application extracted from 'Authorization' header.
    string clientId     = ExtractClientId();
    string clientSecret = ExtractClientSecret();
    
    TokenRequest request = new TokenRequest();
    request.Parameters   = parameters;
    request.ClientId     = clientId;
    request.ClientSecret = clientSecret;
    
    await api.Token(request);
    

    Sample Response

    {
      "type": "tokenResponse",
      "resultCode": "A050001",
      "resultMessage": "[A050001] The token request (grant_type=authorization_code) was processed successfully.",
      "accessToken": "rt5bUJsGfS17YCSmYGtgelMtokTLdoCmBe4VUFCk1YZ",
      "accessTokenDuration": 86400,
      "accessTokenExpiresAt": 1510647924410,
      "action": "OK",
      "clientId": 57297408867,
      "clientIdAliasUsed": false,
      "grantType": "AUTHORIZATION_CODE",
      "refreshToken": "sdQqY9Tbhsq6ZsWm1rZLgW4A3yxIk6RcgmmexHZ9BXB",
      "refreshTokenDuration": 864000,
      "refreshTokenExpiresAt": 1511425524410,
      "responseContent": "{\"scope\":null,\"expires_in\":86400,\"token_type\":\"Bearer\",\"refresh_token\":\"sdQqY9Tbhsq6ZsWm1rZLgW4A3yxIk6RcgmmexHZ9BXB\",\"access_token\":\"rt5bUJsGfS17YCSmYGtgelMtokTLdoCmBe4VUFCk1YZ\"}",
      "subject": "john"
    }
    

    This API parses request parameters of a token request and returns necessary data for the authorization server implementation to process the token request further.

    Request

    POST /api/auth/token

    Content-Type

    application/x-www-form-urlencoded
    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    parameters YES

    OAuth 2.0 token request parameters which are the request parameters that the OAuth 2.0 token endpoint of the authorization server implementation received from the client application.

    The value of parameters is the entire entity body (which is formatted in application/x-www-form-urlencoded) of the request from the client application.

    clientId NO

    The client ID extracted from Authorization header of the token request from the client application.

    If the token endpoint of the authorization server implementation supports Basic Authentication as a means of client authentication, and the request from the client application contained its client ID in Authorization header, the value should be extracted and set to this parameter.

    clientSecret NO

    The client secret extracted from Authorization header of the token request from the client application.

    If the token endpoint of the authorization server implementation supports Basic Authentication as a means of client authentication, and the request from the client application contained its client secret in Authorization header, the value should be extracted and set to this parameter.

    clientCertificate NO

    The client certificate from the MTLS of the token request from the client application.

    clientCertificatePath NO

    The certificate path presented by the client during client authentication. These certificates are strings in PEM format.

    properties NO

    Extra properties to associate with an access token. See Extra Properties for details.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    action string

    The next action that the authorization server implementation should take. One of the following. Details are described in the description.

    • INVALID_CLIENT
    • INTERNAL_SERVER_ERROR
    • BAD_REQUEST
    • PASSWORD
    • OK
    responseContent string

    The content that the authorization server implementation is to return to the client application. Its format is JSON.

    username string

    The value of username request parameter in the token request. The client application must specify username when it uses Resource Owner Password Grant. In other words, when the value of grant_type request parameter is password, username request parameter must come along.

    This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.

    password string

    The value of password request parameter in the token request. The client application must specify password when it uses Resource Owner Password Grant. In other words, when the value of grant_type request parameter is password, password request parameter must come along.

    This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.

    ticket string

    The ticket which is necessary to call Authlete's /auth/token/fail API or /auth/token/issue API.

    This parameter has a value only if the value of grant_type request parameter is password and the token request is valid.

    accessToken string

    The newly issued access token.

    accessTokenExpiresAt i32

    The datetime at which the newly issued access token will expire. The value is represented in milliseconds since the Unix epoch (1970-01-01).

    accessTokenDuration i32

    The duration of the newly issued access token in seconds.

    refreshToken string

    The newly issued refresh token.

    refreshTokenExpiresAt i32

    The datetime at which the newly issued refresh token will expire. The value is represented in milliseconds since the Unix epoch (1970-01-01).

    refreshTokenDuration i32

    The duration of the newly issued refresh token in seconds.

    idToken string

    The newly issued ID token. Note that an ID token is issued from a token endpoint only when the response_type request parameter of the authorization request to an authorization endpoint has contained code and the scope request parameter has contained openid.

    grantType string

    The grant type of the token request.

    clientId i64

    The client ID.

    clientIdAlias string

    The client ID alias when the token request was made. If the client did not have an alias, this parameter is null. Also, if the token request was invalid and it failed to identify a client, this parameter is null.

    clientIdAliasUsed boolean

    The flag which indicates whether the client ID alias was used when the token request was made. true if the client ID alias was used when the token request was made.

    subject string

    The subject (= resource owner's ID) of the access token.

    Even if an access token has been issued by the call of /api/auth/token API, this parameter is null if the flow of the token request was Client Credentials Flow (grant_type=client_credentials) because it means the access token is not associated with any specific end-user.

    scopes string array

    The scopes covered by the access token.

    properties string

    The extra properties associated with the access token. This parameter is null when no extra property is associated with the issued access token.

    jwtAccessToken string

    The newly issued access token in JWT format. If the authorization server is configured to issue JWT-based access tokens (= if the Service's accessTokenSignAlg value is a non-null value), a JWT-based access token is issued along with the original random-string one.

    Description

    This API is supposed to be called from with the implementation of the token endpoint of the service. The endpoint implementation must extract the request parameters from the token request from the client application and pass them as the value of parameters request parameter to Authlete's /auth/token API.

    The value of parameters is the entire entity body (which is formatted in application/x-www-form-urlencoded) of the token request.

    In addition, if the token endpoint of the authorization server implementation supports Basic Authentication as a means of client authentication, the client credentials must be extracted from Authorization header and they must be passed as clientId request parameter and clientSecret request parameter to Authlete's /auth/token API.

    The following code snippet is an example in JAX-RS showing how to extract request parameters from the token request and client credentials from Authorization header.

    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    public Response post(
            @HeaderParam(HttpHeaders.AUTHORIZATION) String auth,
            String parameters)
    {
        // Convert the value of Authorization header (credentials of
        // the client application), if any, into BasicCredentials.
        BasicCredentials credentials = BasicCredentials.parse(auth);
     
        // The credentials of the client application extracted from
        // 'Authorization' header. These may be null.
        String clientId     = credentials == null ? null
                            : credentials.getUserId();
        String clientSecret = credentials == null ? null
                            : credentials.getPassword();
     
        // Process the given parameters.
        return process(parameters, clientId, clientSecret);
    }

    The response from /auth/token API has some parameters. Among them, it is action parameter that the service implementation should check first because it denotes the next action that the authorization server implementation should take. According to the value of action, the authorization server implementation must take the steps described below.


    INVALID_CLIENT

    When the value of action is INVALID_CLIENT, it means that authentication of the client failed. In this case, the HTTP status of the response to the client application is either "400 Bad Request" or "401 Unauthorized". This requirement comes from RFC 6749, 5.2. Error Response. The description about invalid_client shown below is an excerpt from RFC 6749.

    Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client.

    In either case, the value of responseContent contains a JSON string which can be used as the entity body of the response to the client application.

    The following illustrate responses which the service implementation must generate and return to the client application.

    HTTP/1.1 400 Bad Request
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
     
    {responseContent}
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: {challenge}
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
     
    {responseContent}

    INTERNAL_SERVER_ERROR

    When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the authorization server implementation was wrong or that an error occurred in Authlete.

    In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with HTTP status of "500 Internal Server Error".

    The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the service implementation should generate and return to the client application.

    HTTP/1.1 500 Internal Server Error
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
     
    {responseContent}

    The endpoint implementation may return another different response to the client application since "500 Internal Server Error" is not required by OAuth 2.0.


    BAD_REQUEST

    When the value of action is BAD_REQUEST, it means that the request from the client is invalid.

    A response with HTTP status of "400 Bad Request" must be returned to the client application and the content type must be application/json.

    The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the service implementation should generate and return to the client application.

    HTTP/1.1 400 Bad Request
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
     
    {responseContent}

    PASSWORD

    When the value of action is PASSWORD, it means that the request from the client application is valid and the value of grant_type request parameter is password. That is, the flow is Resource Owner Password Credentials.

    In this case, subject parameter and password parameter are the credentials of the resource owner (= end-user). The authorization server implementation must validate the credentials and take either of the actions below according to the validation result.

    When the credentials are valid,

    Call Authlete's /auth/token/issue API to generate an access token for the client application. The response from /auth/token/issue API contains data (an access token and others) which must be returend to the client application. Use the data to generate a response to the client application.

    When the credentials are invalid,

    Call Authlete's /auth/token/fail API with reason=INVALID_RESOURCE_OWNER_CREDENTIALS to generate an error response for the client application. The response from /auth/token/fail API contains error information which must be returned to the client application. Use the data to generate a response to the client application.

    Both /auth/token/issue API and /auth/token/fail API require ticket request parameter whose value must be the ticket in the response from Authlete's /auth/token API.


    OK

    When the value of action is OK, it means that the request from the client application is valid and an access token, and optionally an ID token, is ready to be issued.

    The HTTP status of the response returned to the client application must be "200 OK" and the content type must be application/json.

    The parameter responseContent contains a JSON string which contains an access token (and optionally an ID token), so it can be used as the entity body of the response.

    The following illustrates the response which the service implementation must generate and return to the client application.

    HTTP/1.1 200 OK
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
     
    {responseContent}

    The following code snippet is an excerpt from the sample code of the token endpoint. This illustrates how to dispatch processing based on the value of action parameter.

    private Response process(
        String parameters, String clientId, String clientSecret)
    {
        // Call Authlete's /auth/token API.
        TokenResponse response =
            callAuthleteTokenApi(parameters, clientId, clientSecret);
     
        // 'action' in the response denotes the next action which
        // this authorization server implementation should take.
        Action action = response.getAction();
     
        // The content of the response to the client application.
        String content = response.getResponseContent();
     
        // Dispatch according to the action.
        switch (action)
        {
            case INVALID_CLIENT:
                // 401 Unauthorized
                return ResponseUtil.unauthorized(content, CHALLENGE);
     
            case INTERNAL_SERVER_ERROR:
                // 500 Internal Server Error
                return ResponseUtil.internalServerError(content);
     
            case BAD_REQUEST:
                // 400 Bad Request
                return ResponseUtil.badRequest(content);
     
            case PASSWORD:
                // Process the token request whose flow is
                // "Resource Owner Password Credentials".
                return handlePassword(response);
     
            case OK:
                // 200 OK
                return ResponseUtil.ok(content);
     
            default:
                // This never happens.
                throw new InternalServerErrorException("Unknown action");
        }
    }

    /auth/token/fail API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/auth/token/fail \
    -H "Content-Type: application/json" \
    -u "10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE" \
    -d '{ "ticket": "83BNqKIhGMyrkvop_7jQjv2Z1612LNdGSQKkvkrf47c", "reason": "INVALID_RESOURCE_OWNER_CREDENTIALS" }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    // Extract the ticket issued by '/auth/token' API.
    String ticket = extractRequestTicket();
    
    TokenFailRequest request = new TokenFailRequest()
      .setTicket(ticket)
      .setReason(TokenFailRequest.Reason.INVALID_RESOURCE_OWNER_CREDENTIALS)
    ;
    
    api.tokenFail(request);
    
    require 'authlete'
    
    api = Authlete::Api.new(
      host: "https://api.authlete.com",
      service_api_key: "10167240235",
      service_api_secret: "LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE"
    )
    
    # Extract the ticket issued by '/api/token' API.
    ticket = extract_ticket
    
    # The reason of the failure of the authorization request. 
    reason = 'INVALID_RESOURCE_OWNER_CREDENTIALS'
    
    request = Authlete::Model::Request::TokenFailRequest.new(
      ticket: ticket, 
      reason: reason
    )
    
    api.token_fail(request)
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    // Extract the ticket issued by '/auth/token' API.
    string ticket = ExtractTicket();
    
    TokenFailRequest request = new TokenFailRequest();
    request.Ticket = ticket;
    reqeust.Reason = TokenFailReason.INVALID_RESOURCE_OWNER_CREDENTIALS;
    
    await api.TokenFail(request);
    

    Sample Response

    {
        "type": "tokenFailResponse",
        "resultCode": "A067301",
        "resultMessage": "[A067301] The credentials (username & password) passed to the token endpoint are invalid.",
        "action": "BAD_REQUEST",
        "responseContent": "{\"error_uri\":\"https://www.authlete.com/documents/apis/result_codes#A067301\",\"error\":\"invalid_request\",\"error_description\":\"[A067301] The credentials (username & password) passed to the token endpoint are invalid.\"}"
    }
    

    This API generates a content of an error token response that the authorization server implementation returns to the client application. This API is used only for Resource Owner Password Credentials Grant.

    Request

    POST /api/auth/token/fail

    Content-Type

    application/x-www-form-urlencoded
    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    ticket YES

    The ticket issued from Authlete's /auth/token API.

    reason YES

    The reason of the failure of the token request.

    • UNKNOWN
    • INVALID_RESOURCE_OWNER_CREDENTIALS

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    action string

    The next action that the authorization server implementation should take. One of the following. Details are described in the description.

    • INTERNAL_SERVER_ERROR
    • BAD_REQUEST
    responseContent string

    The content that the authorization server implementation is to return to the client application. Its format varies depending on the value of action parameter. See description for details.

    Description

    This API is supposed to be called from within the implementation of the token endpoint of the service in order to generate an error response to the client application.

    The description of the /auth/token API describes the timing when this API should be called.

    The response from /auth/token/fail API has some parameters. Among them, it is action parameter that the authorization server implementation should check first because it denotes the next action that the authorization server implementation should take. According to the value of action, the authorization server implementation must take the steps described below.


    INTERNAL_SERVER_ERROR

    When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the authorization server implementation was wrong or that an error occurred in Authlete.

    In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with HTTP status of "500 Internal Server Error".

    The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the service implementation should generate and return to the client application.

    HTTP/1.1 500 Internal Server Error
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
    
    {responseContent}

    The endpoint implementation may return another different response to the client application since "500 Internal Server Error" is not required by OAuth 2.0.


    BAD_REQUEST

    When the value of action is BAD_REQUEST, it means that Authlete's /auth/token/fail API successfully generated an error response for the client application.

    The HTTP status of the response returned to the client application must be "400 Bad Request" and the content type must be application/json.

    The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the service implementation should generate and return to the client application.

    HTTP/1.1 400 Bad Request
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
    
    {responseContent}

    /auth/token/issue API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/auth/token/issue \
    -H "Content-Type: application/json" \
    -u "10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE" \
    -d '{ "ticket": "83BNqKIhGMyrkvop_7jQjv2Z1612LNdGSQKkvkrf47c" }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    // Extract the ticket issued by '/auth/token' API.
    String ticket = extractTicket();
    
    TokenIssueRequest request = new TokenIssueRequest().setTicket(ticket);
    
    api.tokenIssue(request);
    
    require 'authlete'
    
    api = Authlete::Api.new(
      host: 'https://api.authlete.com',
      service_api_key: 10167240235,
      service_api_secret: 'LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
    )
    
    # Extract the ticket issued by '/auth/token' API.
    ticket = extract_ticket
    
    request = Authlete::Model::Request::TokenIssueRequest.new(ticket: ticket)
    
    api.token_issue(request)
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    // Extract the ticket issued by '/auth/token' API.
    string ticket = ExtractTicket();
    
    TokenIssueRequest request = new TokenIssueRequest();
    request.Ticket = ticket;
    
    await api.TokenIssue(request);
    

    Sample Response

    {
      "type": "tokenIssueResponse",
      "resultCode": "A054001",
      "resultMessage": "[A054001] The token request (grant_type=password) was processed successfully.",
      "accessToken": "W04RiPBuTJB6cQ-MppuVOKWAEezwU6jMx2-Q7ouSiBz",
      "accessTokenDuration": 86400,
      "accessTokenExpiresAt": 1513064337919,
      "action": "OK",
      "clientId": 57297408867,
      "clientIdAliasUsed": false,
      "refreshToken": "_zfwGRZ9cQhSm-qLGWAF4JHnk0i_Y7CNHHxf8poUtAX",
      "refreshTokenDuration": 864000,
      "refreshTokenExpiresAt": 1513841937919,
      "responseContent": "{\"scope\":null,\"expires_in\":86400,\"token_type\":\"Bearer\",\"refresh_token\":\"_zfwGRZ9cQhSm-qLGWAF4JHnk0i_Y7CNHHxf8poUtAX\",\"access_token\":\"W04RiPBuTJB6cQ-MppuVOKWAEezwU6jMx2-Q7ouSiBz\"}",
      "subject": "john"
    }
    

    This API generates a content of a successful token response that the authorization server implementation returns to the client application. This API is used only for Resource Owner Password Credentials Grant.

    Request

    POST /api/auth/token/issue

    Content-Type

    application/x-www-form-urlencoded
    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    ticket YES

    The ticket issued from Authlete's /auth/token API.

    properties NO

    Extra properties to associate with a newly created access token. Note that properties parameter is accepted only when Content-Type of the request is application/json, so don't use application/x-www-form-urlencoded if you want to specify properties. See Extra Properties for details.

    subject YES

    The subject (= unique identifier) of the authenticated user.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    action string

    The next action that the authorization server implementation should take. One of the following. Details are described in the description.

    • INTERNAL_SERVER_ERROR
    • OK
    responseContent string

    The content that the authorization server implementation is to return to the client application. Its format is JSON.

    accessToken string

    The newly issued access token. This parameter is a non-null value only when the value of action parameter is OK.

    accessTokenExpiresAt string

    The date in milliseconds since the Unix epoch (1970-01-01) at which the access token will expire.

    accessTokenDuration string

    The duration of the access token in seconds.

    refreshToken string

    The refresh token. This parameter is a non-null value only when action> OK and the service supports the refresh token flow.

    If "Refresh Token Continuous Use" configuration parameter is NO (= `refreshTokenKept=false`), a new refresh token is issued and the old refresh token used in the refresh token flow is invalidated. On the contrary, if the configuration parameter is YES, the refresh token itself is not refreshed.

    refreshTokenExpiresAt string

    The date in milliseconds since the Unix epoch (1970-01-01) at which the refresh token will expire.

    refreshTokenDuration string

    The duration of the refresh token in seconds.

    clientId i64

    The client ID.

    clientIdAlias string

    If the client did not have an alias, this parameter is null.

    clientIdAliasUsed boolean

    The flag which indicates whether the client ID alias was used when the token request was made. true if the client ID alias was used when the token request was made.

    subject string

    The subject (= resource owner's ID) of the access token.

    Even if an access token has been issued by the call of /api/auth/token API, this parameter is null if the flow of the token request was Client Credentials Flow (grant_type=client_credentials) because it means the access token is not associated with any specific end-user.

    scopes string array

    The scopes covered by the access token.

    properties string

    The extra properties associated with the access token. This parameter is null when no extra property is associated with the issued access token.

    Description

    This API is supposed to be called from within the implementation of the token endpoint of the service in order to generate a successful response to the client application.

    The description of the /auth/token API describes the timing when this API should be called. See the description for the case of action=PASSWORD.

    The response from /auth/token/issue API has some parameters. Among them, it is action parameter that the authorization server implementation should check first because it denotes the next action that the authorization server implementation should take. According to the value of action, the authorization server implementation must take the steps described below.


    INTERNAL_SERVER_ERROR

    When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the authorization server implementation was wrong or that an error occurred in Authlete.

    In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with HTTP status of "500 Internal Server Error".

    The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the service implementation should generate and return to the client application.

    HTTP/1.1 500 Internal Server Error
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
    
    {responseContent}

    The endpoint implementation may return another different response to the client application since "500 Internal Server Error" is not required by OAuth 2.0.


    OK

    When the value of action is OK, it means that Authlete's /auth/token/issue API successfully generated an access token.

    The HTTP status of the response returned to the client application must be "200 OK" and the content type must be application/json.

    The parameter responseContent contains a JSON string which contains an access token, so it can be used as the entity body of the response.

    The following illustrates the response which the service implementation must generate and return to the client application.

    HTTP/1.1 200 OK
    Content-Type: text/html;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache
     
    {responseContent}

    Introspection Endpoint

    /auth/introspection API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/auth/introspection \
    -H 'Content-Type:application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -d '{ "token": "VFGsNK-5sXiqterdaR7b5QbRX9VTwVCQB87jbr2_xAI" }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    // An access token to introspect.
    String token = "VFGsNK-5sXiqterdaR7b5QbRX9VTwVCQB87jbr2_xAI";
    
    IntrospectionRequest request = new IntrospectionRequest().setToken(token);
    
    api.introspection(request);
    
    require 'authlete'
    
    api = Authlete::Api.new(
      host: 'https://api.authlete.com',
      service_api_key: 10167240235,
      service_api_secret: 'LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
    )
    
    # An access token to introspect.
    token = 'VFGsNK-5sXiqterdaR7b5QbRX9VTwVCQB87jbr2_xAI'
    
    api.introspection(token)
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    // An access token to introspect.
    string token = "VFGsNK-5sXiqterdaR7b5QbRX9VTwVCQB87jbr2_xAI";
    
    IntrospectionRequest request = new IntrospectionRequest();
    request.Token = token;
    
    await api.Introspection(request); 
    

    Sample Response

    {
      "type": "introspectionResponse",
      "resultCode": "A056001",
      "resultMessage": "[A056001] The access token is valid.",
      "action": "OK",
      "clientId": 57297408867,
      "clientIdAliasUsed": false,
      "existent": true,
      "expiresAt": 1511252965000,
      "refreshable": true,
      "responseContent": "Bearer error=\"invalid_request\"",
      "subject": "john",
      "sufficient": true,
      "usable": true
    }
    

    This API gathers information about an access token.

    Request

    POST /api/auth/introspection

    Content-Type

    application/x-www-form-urlencoded
    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    token YES

    An access token to introspect.

    scopes NO

    A string array listing names of scopes which the caller (= a protected resource endpoint of the service) requires. When the content type of the request from the service is application/x-www-form-urlencoded, the format of scopes is a space-separated list of scope names.

    If this parameter is a non-empty array and if it contains a scope which is not covered by the access token, action=FORBIDDEN with error=insufficient_scope is returned from Authlete.

    subject NO

    A subject (= a user account managed by the service) whom the caller (= a protected resource endpoint of the service) requires.

    If this parameter is not null and if the value does not match the subject who is associated with the access token, action=FORBIDDEN with error=invalid_request is returned from Authlete.

    clientCertificate NO

    The client certificate in PEM format, used to validate binding against access tokens using the TLS client certificate confirmation method.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    action string

    The next action that the authorization server implementation should take. One of the following. Details are described in the description.

    • INTERNAL_SERVER_ERROR
    • BAD_REQUEST
    • UNAUTHORIZED
    • FORBIDDEN
    • OK
    clientId i64

    The ID of the client application which is associated with the access token.

    clientIdAlias string

    The client ID alias when the authorization request or the token request for the access token was made.

    clientIdAliasUsed boolean

    The flag which indicates whether the client ID alias was used when the authorization request or the token request for the access token was made.

    expiresAt i64

    The time at which the access token expires.

    subject subject

    The subject who is associated with the access token. This is null if the access token was issued using the flow of Client Credentials Grant.

    scopes string array

    Scopes which are associated with the access token.

    existent boolean

    true if the access token exists in the database of Authlete. This does not always mean the access token is usable.

    usable boolean

    true if the access token is usable (= exists and has not expired).

    sufficient boolean

    true if the access token covers all the required scopes.

    refreshable boolean

    true if the access token can be refreshed using the associated refresh token which had been issued along with the access token. false if the refresh token for the access token has expired or the access token has no associated refresh token.

    responseContent string

    The content that the authorization server implementation can use as the value of WWW-Authenticate header on errors.

    properties Property array

    Extra properties associated with the access token. See Extra Properties for details.

    certificateThumbpint Property array

    The client certificate thumbprint used to validate the access token.

    Description

    This API is supposed to be called from within the implementations of protected resource endpoints of the authorization server implementation in order to get information about the access token which was presented by the client application.

    In general, a client application accesses a protected resource endpoint of a service with an access token, and the implementation of the endpoint checks whether the presented access token has enough privileges (= scopes) to access the protected resource before returning the protected resource to the client application. To achieve this flow, the endpoint implementation has to know detailed information about the access token. Authlete's /auth/introspection API can be used to get such information.

    The response from /auth/introspection API has some parameters. Among them, it is action parameter that the authorization server implementation should check first because it denotes the next action that the authorization server implementation should take. According to the value of action, the authorization server implementation must take the steps described below.


    INTERNAL_SERVER_ERROR

    When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the authorization server implementation was wrong or that an error occurred in Authlete.

    In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with HTTP status of "500 Internal Server Error".

    The parameter responseContent contains a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage), so if the protected resource of the service implementation wants to return an error response to the client application in the way that complies with RFC 6750 (in other words, if accessTokenType configuration parameter of the service is Bearer), the value of responseContent can be used as the value of WWW-Authenticate header.

    The following is an example response which complies with RFC 6750.

    HTTP/1.1 500 Internal Server Error
    WWW-Authenticate: {responseContent}
    Cache-Control: no-store
    Pragma: no-cache
    

    BAD_REQUEST

    When the value of action is BAD_REQUEST, it means that the request from the client application does not contain an access token (= the request from the authorization server implementation to Authlete does not contain token request parameter).

    The parameter responseContent contains a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage), so if the protected resource of the service implementation wants to return an error response to the client application in the way that complies with RFC 6750 (in other words, if accessTokenType configuration parameter of the service is Bearer), the value of responseContent can be used as the value of WWW-Authenticate header.

    The following is an example response which complies with RFC 6750.

    HTTP/1.1 400 Bad Request
    WWW-Authenticate: {responseContent}
    Cache-Control: no-store
    Pragma: no-cache
    

    UNAUTHORIZED

    When the value of action is UNAUTHORIZED, it means that the access token does not exist or has expired.

    The parameter responseContent contains a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage), so if the protected resource of the service implementation wants to return an error response to the client application in the way that complies with RFC 6750 (in other words, if accessTokenType configuration parameter of the service is Bearer), the value of responseContent can be used as the value of WWW-Authenticate header.

    The following is an example response which complies with RFC 6750.

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: {responseContent}
    Cache-Control: no-store
    Pragma: no-cache
    

    FORBIDDEN

    When the value of action is FORBIDDEN, it means that the access token does not cover the required scopes or that the subject associated with the access token is different from the subject contained in the request.

    The parameter responseContent contains a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage), so if the protected resource of the service implementation wants to return an error response to the client application in the way that complies with RFC 6750 (in other words, if accessTokenType configuration parameter of the service is Bearer), the value of responseContent can be used as the value of WWW-Authenticate header.

    The following is an example response which complies with RFC 6750.

    HTTP/1.1 403 Forbidden
    WWW-Authenticate: {responseContent}
    Cache-Control: no-store
    Pragma: no-cache
    

    OK

    When the value of action is OK, it means that the access token which the client application presented is valid (= exists and has not expired).

    The implementation of the protected resource endpoint is supposed to return the protected resource to the client application.

    When action is OK, the value of responseContent is "Bearer error=\"invalid_request\"". This is the simplest string which can be used as the value of WWW-Authenticate header to indicate "400 Bad Request". The implementation of the protected resource endpoint may use this string to tell the client application that the request was bad (e.g. in case necessary request parameters for the protected resource endpoint are missing). However, in such a case, the implementation should generate a more informative error message to help developers of client applications.

    The following is an example error response which complies with RFC 6750.

    HTTP/1.1 400 Bad Request
    WWW-Authenticate: {responseContent}
    Cache-Control: no-store
    Pragma: no-cache
    

    Basically, responseContent is a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage). So, if the service has selected Bearer as the value of accessTokenType configuration parameter, the value of responseContent can be used directly as the value of WWW-Authenticate header. However, if the service has selected another different token type, the service has to generate error messages for itself.

    /auth/introspection/standard API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/auth/introspection/standard \
    -H "Content-Type:application/json" \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -d '{ "parameters":"token=VFGsNK-5sXiqterdaR7b5QbRX9VTwVCQB87jbr2_xAI&token_type_hint=access_token" }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    // Extract request parameters which comply with the introspection request defined
    // in "2.1. Introspection Request" in RFC 7662.
    String parameters = extractRequestParameters();
    
    StandardIntrospectionRequest request = new StandardIntrospectionRequest().setParameters(parameters);
    
    api.standardIntrospection(request);
    
    # This API is not supported yet.
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    // Extract request parameters which comply with the introspection request defined
    // in "2.1. Introspection Request" in RFC 7662.
    string parameters = ExtractRequestParameters();
    
    StandardIntrospectionRequest request = new StandardIntrospectionRequest();
    request.Parameters = parameters;
    
    await api.StandardIntrospection(request); 
    

    Sample Response

    {
      "type": "standardIntrospectionResponse",
      "resultCode": "A145001",
      "resultMessage": "[A145001] Introspection was performed successfully (type=access_token, active=true).",
      "action": "OK",
      "responseContent": "{\"exp\":1513679256,\"sub\":\"john\",\"scope\":null,\"iss\":\"https://authlete.com\",\"aud\":[\"57297408867\"],\"active\":true,\"token_type\":\"Bearer\",\"client_id\":\"57297408867\"}"
    }
    

    This API exists to help your authorization server provide its own introspection API which complies with RFC 7662 (OAuth 2.0 Token Introspection).

    Request

    POST /api/auth/introspection/standard

    Content-Type

    application/x-www-form-urlencoded
    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    parameters YES

    Request parameters which comply with the introspection request defined in "2.1. Introspection Request" in RFC 7662. The following is an example value of parameters.

    token=pNj1h24a4geA_YHilxrshkRkxJDsyXBZWKp3hZ5ND7A&token_type_hint=access_token

    The implementation of the introspection endpoint of your service will receive an HTTP POST [RFC 7231] request with parameters in the application/x-www-form-urlencoded format. It is the entity body of the request that Authlete's /api/auth/introspection/standard API expects as the value of parameters.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    action string

    The next action that the authorization server implementation should take. One of the following. Details are described in the description.

    • INTERNAL_SERVER_ERROR
    • BAD_REQUEST
    • OK
    responseContent string

    The response content which can be used as the entity body of the response returned to the client application.

    Description

    This API is supposed to be called from within the implementations of the introspection endpoint of your service. The authorization server implementation should retrieve the value of action from the response and take the following steps according to the value.


    INTERNAL_SERVER_ERROR

    When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the authorization server implementation was wrong or that an error occurred in Authlete.

    In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with HTTP status of "500 Internal Server Error".

    The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response if you want. Note that, however, RFC 7662 does not mention anything about the response body of error responses.

    The following illustrates an example response which the introspection endpoint of the authorization server implementation generates and returns to the client application.

    HTTP/1.1 500 Internal Server Error
    Content-Type: application/json
    
    {responseContent}
    

    BAD_REQUEST

    When the value of action is BAD_REQUEST, it means that the request from the client application is invalid. This happens when the request from the client did not include the token request parameter. See "2.1. Introspection Request" in RFC 7662 for details about requirements for introspection requests.

    The HTTP status of the response returned to the client application should be "400 Bad Request".

    The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response if you want. Note that, however, RFC 7662 does not mention anything about the response body of error responses.

    The following illustrates an example response which the introspection endpoint of the authorization server implementation generates and returns to the client application.

    HTTP/1.1 400 Bad Request
    Content-Type: application/json
    
    {responseContent}
    

    OK

    When the value of action is OK, the request from the client application is valid.

    The HTTP status of the response returned to the client application must be "200 OK" and its content type must be application/json.

    The parameter responseContent contains a JSON string which complies with the introspection response defined in "2.2. Introspection Response" in RFC7662.

    The following illustrates the response which the introspection endpoint of your authorization server implementation should generate and return to the client application.

     HTTP/1.1 200 OK
    Content-Type: application/json
    
    {responseContent}
    

    Note that RFC 7662 says "To prevent token scanning attacks, the endpoint MUST also require some form of authorization to access this endpoint". This means that you have to protect your introspection endpoint in some way or other. Authlete does not care about how your introspection endpoint is protected. In most cases, as mentioned in RFC 7662, "401 Unauthorized" is a proper response when an introspection request does not satisfy authorization requirements imposed by your introspection endpoint.

    Revocation Endpoint

    /auth/revocation API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/auth/revocation \
    -H 'Content-Type:application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -d '{ "parameters": "token=VFGsNK-5sXiqterdaR7b5QbRX9VTwVCQB87jbr2_xAI&token_type_hint=access_token" }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    // Extract request parameters that the OAuth 2.0 token revocation endpoint of 
    // this OAuth 2.0 serever implementation received from the client application.
    String parameters = extractRequestParameters();
    
    RevocationRequest request = new RevocationRequest().setParameters(parameters);
    
    api.revocation(request);
    
    # This API is not supported yet.
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    // Extract request parameters that the OAuth 2.0 token revocation endpoint of 
    // this OAuth 2.0 serever implementation received from the client application.
    string parameters = ExtractRequestParameters();
    
    RevocationRequest request = new RevocationRequest();
    request.Parameters = parameters;
    
    await api.Revocation(request); 
    

    Sample Response

    {
      "type": "revocationResponse",
      "resultCode": "A113001",
      "resultMessage": "[A113001] The token has been revoked successfully.",
      "action": "OK"
    }
    

    This API revokes access tokens and refresh tokens.

    Request

    POST /api/auth/revocation

    Content-Type

    application/x-www-form-urlencoded
    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    parameters YES

    OAuth 2.0 token revocation request parameters which are the request parameters that the OAuth 2.0 token revocation endpoint (RFC 7009) of the authorization server implementation received from the client application.

    The value of parameters is the entire entity body (which is formatted in application/x-www-form-urlencoded) of the request from the client application.

    clientId NO

    The client ID extracted from Authorization header of the token request from the client application.

    If the token revocation endpoint of the authorization server implementation supports Basic Authentication as a means of client authentication, and the request from the client application contains its client ID in Authorization header, the value should be extracted and set to this parameter.

    clientSecret NO

    The client secret extracted from Authorization header of the token request from the client application.

    If the token revocation endpoint of the authorization server implementation supports Basic Authentication as a means of client authentication, and the request from the client application contains its client secret in Authorization header, the value should be extracted and set to this parameter.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    action string

    The next action that the authorization server implementation should take. One of the following. Details are described in the description.

    • INVALID_CLIENT
    • INTERNAL_SERVER_ERROR
    • BAD_REQUEST
    • OK
    responseContent string

    The content that the authorization server implementation is to return to the client application. Its format is JSON.

    Description

    This API is supposed to be called from within the implementation of the revocation endpoint (RFC 7009) of the authorization server implementation in order to revoke access tokens and refresh tokens.

    The response from /auth/revocation API has some parameters. Among them, it is action parameter that the authorization server implementation should check first because it denotes the next action that the authorization server implementation should take. According to the value of action, the authorization server implementation must take the steps described below.


    INVALID_CLIENT

    When the value of action is INVALID_CLIENT, it means that authentication of the client failed. In this case, the HTTP status of the response to the client application is either "400 Bad Request" or "401 Unauthorized". The description about invalid_client shown below is an excerpt from RFC 6749.

    invalid_client

    Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the WWW-Authenticate response header field matching the authentication scheme used by the client.

    In either case, the value of responseContent contains a JSON string which can be used as the entity body of the response to the client application.

    The following illustrates the response which the service implementation should generate and return to the client application.

    HTTP/1.1 400 Bad Request
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
     
    {responseContent}
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: {challenge}
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
     
    {responseContent}

    INTERNAL_SERVER_ERROR

    When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the authorization server implementation was wrong or that an error occurred in Authlete.

    In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with the HTTP status of "500 Internal Server Error".

    The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the service implementation should generate and return to the client application.

    HTTP/1.1 500 Internal Server Error
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
     
    {responseContent}

    BAD_REQUEST

    When the value of action is BAD_REQUEST, it means that the request from the client application is invalid.

    The HTTP status of the response returned to the client application must be "400 Bad Request" and the content type must be application/json. RFC 7009, 2.2.1. Error Response states "The error presentation conforms to the definition in Section 5.2 of [RFC 6749]."

    The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the authorization server implementation should generate and return to the client application.

    HTTP/1.1 400 Bad Request
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
     
    {responseContent}

    OK

    When the value of action is OK, it means that the request from the client application is valid and the presented token has been revoked successfully or if the client submitted an invalid token. Note that invalid tokens do not cause an error. See 2.2. Revocation Response for details.

    The HTTP status of the response returned to the client application must be 200 OK.

    If the original request from the client application contains callback request parameter and its value is not empty, the content type should be application/javascript and the content should be a JavaScript snippet for JSONP.

    The parameter responseContent contains a JavaScript snippet if the original request from the client application contains callback request parameter and its value is not empty. Otherwise, the value of responseContent is null.

    HTTP/1.1 200 OK
    Content-Type: application/javascript
    Cache-Control: no-store
    Pragma: no-cache
     
    {responseContent}

    Userinfo Endpoint

    /auth/userinfo API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/auth/userinfo \
    -H 'Content-Type:application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -d '{ "token": "Ntm9MDb8WXQAevqrBkd84KTTHbYHVQrTjgUZCOWqEUI" }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    // An access token to get user information.
    String token = "Ntm9MDb8WXQAevqrBkd84KTTHbYHVQrTjgUZCOWqEUI";
    
    UserInfoRequest request = new UserInfoRequest().setToken(token);
    
    api.userinfo(request);
    
    # This API is not supported yet.
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    // An access token to get user information.
    string token = "Ntm9MDb8WXQAevqrBkd84KTTHbYHVQrTjgUZCOWqEUI";
    
    UserInfoRequest request = new UserInfoRequest();
    request.Token = token;
    
    await api.UserInfo(request); 
    

    Sample Response

    {
      "type": "userInfoResponse",
      "resultCode": "A091001",
      "resultMessage": "[A091001] The access token presented at the userinfo endpoint is valid.",
      "action": "OK",
      "clientId": 57297408867,
      "clientIdAliasUsed": false,
      "scopes": ["openid"],
      "subject": "john",
      "token": "Ntm9MDb8WXQAevqrBkd84KTTHbYHVQrTjgUZCOWqEUI"
    }
    

    This API gathers information about a user.

    Request

    POST /api/auth/userinfo

    Content-Type

    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    token YES

    An access token to get user information.

    clientCertificate NO

    The client certificate used in the TLS connection established between the client application and the userinfo endpoint.

    The value of this request parameter is referred to when the access token given to the userinfo endpoint was bound to a client certificate when it was issued. See " OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens" for details about the specification of certificate-bound access tokens.

    Response

    Content-Type

    application/x-www-form-urlencoded
    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    action string

    The next action that the authorization server implementation should take. One of the following. Details are described in the description.

    • INTERNAL_SERVER_ERROR
    • BAD_REQUEST
    • UNAUTHORIZED
    • FORBIDDEN
    • OK
    claims string array

    The list of claims that the client application requests to be embedded in the ID token.

    clientId i64

    The ID of the client application which is associated with the access token.

    clientIdAlias string

    The client ID alias when the authorization request for the access token was made.

    clientIdAliasUsed boolean

    The flag which indicates whether the client ID alias was used when the authorization request for the access token was made.

    responseContent string

    The content that the authorization server implementation can use as the value of WWW-Authenticate header on errors.

    scopes string array

    The scopes covered by the access token.

    subject string

    The subject (= resource owner's ID).

    token string

    The access token that came along with the userinfo request.

    Description

    This API is supposed to be called from within the implementation of the userinfo endpoint of the authorization server in order to get information about the user that is associated with an access token.

    The response from /auth/userinfo API has various parameters. Among them, it is action parameter that the authorization server implementation should check first because it denotes the next action that the authorization server implementation should take. According to the value of action, the service implementation must take the steps described below.


    INTERNAL_SERVER_ERROR

    When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the authorization server implementation was wrong or that an error occurred in Authlete.

    In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with the HTTP status of "500 Internal Server Error".

    The parameter responseContent returns a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage) so the userinfo endpoint implementation of your service can use the value of responseContent as the value of WWW-Authenticate header.

    The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See 5.3.3. UserInfo Response for details.

    HTTP/1.1 500 Internal Server Error
    WWW-Authenticate: {responseContent}
    Cache-Control: no-store
    Pragma: no-cache

    BAD_REQUEST

    When the value of action is BAD_REQUEST, it means that the request from the client application does not contain an access token (= the request from the authorization server implementation to Authlete does not contain token parameter).

    The parameter responseContent contains a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage), so the userinfo endpoint implementation of your authorization server can use the value of responseContent as the value of WWW-Authenticate header.

    The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See 5.3.3. UserInfo Response for details.

    HTTP/1.1 400 Bad Request
    WWW-Authenticate: {responseContent}
    Cache-Control: no-store
    Pragma: no-cache

    UNAUTHORIZED

    When the value of action is UNAUTHORIZED, it means that the access token does not exist, has expired, or is not associated with any subject (= any user account).

    The parameter responseContent contains a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage), so the userinfo endpoint implementation of your authorization server can use the value of responseContent as the value of WWW-Authenticate header.

    The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See 5.3.3. UserInfo Response for details.

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: {responseContent}
    Cache-Control: no-store
    Pragma: no-cache

    FORBIDDEN

    When the value of action is FORBIDDEN, it means that the access token does not include the openid scope.

    The parameter responseContent contains a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage), so the userinfo endpoint implementation of your authorization server can use the value of responseContent as the value of WWW-Authenticate header.

    The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See 5.3.3. UserInfo Response for details.

    HTTP/1.1 403 Forbidden
    WWW-Authenticate: {responseContent}
    Cache-Control: no-store
    Pragma: no-cache

    OK

    When the value of action is OK, it means that the access token which the client application presented is valid. To be concrete, it means that the access token exists, has not expired, includes the openid scope, and is associated with a subject (= a user account).

    What the userinfo endpoint of your service should do next is to collect information about the subject (user) from your database. The value of the subject is contained in the subject parameter in the response from this API and the names of data, i.e., the claims names are contained in the claims parameter in the response. For example, if the subject parameter is joe123 and the claims parameter is ["given_name", "email"], you need to extract information about joe123's given name and email from your database.

    Then, call Authlete's /auth/userinfo/issue API with the collected information and the access token in order to make Authlete generate an ID token.

    If an error occurred during the above steps, generate an error response to the client. The response should comply with RFC 6750. For example, if the subject associated with the access token does not exist in your database any longer, you may feel like generating a response like below.

    HTTP/1.1 400 Bad Request
    WWW-Authenticate: Bearer error="invalid_token",
     error_description="The subject associated with the access token does not exist."
    Cache-Control: no-store
    Pragma: no-cache

    Also, an error might occur on database access. If you treat the error as an internal server error, then the response would be like the following.

    HTTP/1.1 500 Internal Server Error
    WWW-Authenticate: Bearer error="server_error",
     error_description="Failed to extract information about the subject from the database."
    Cache-Control: no-store
    Pragma: no-cache

    /auth/userinfo/issue API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/auth/userinfo/issue \
    -H 'Content-Type:application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -d '{ "token": "Ntm9MDb8WXQAevqrBkd84KTTHbYHVQrTjgUZCOWqEUI" }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    // The access token that has been passed to the service's userinfo endpoint by the client application.
    String token = "Ntm9MDb8WXQAevqrBkd84KTTHbYHVQrTjgUZCOWqEUI"
    
    UserInfoIssueRequest request = new UserInfoIssueRequest().setToken(token);
    
    api.userinfoIssue(request);
    
    # This API is not supported yet.
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    // The access token that has been passed to the service's userinfo endpoint by the client application.
    string token = "Ntm9MDb8WXQAevqrBkd84KTTHbYHVQrTjgUZCOWqEUI";
    
    UserInfoIssueRequest request = new UserInfoIssueRequest();
    request.Token = token;
    
    await api.UserInfoIssue(request); 
    

    Sample Response

    {
      "type": "userInfoIssueResponse",
      "resultCode": "A096001",
      "resultMessage": "[A096001] An ID token was generated successfully.",
      "action": "JSON",
      "responseContent": "{\"exp\":1511600971,\"sub\":\"john\",\"aud\":[\"57297408867\"],\"iss\":\"https://authlete.com\",\"iat\":1511514571}"
    }
    

    This API generates an ID token.

    Request

    POST /api/auth/userinfo/issue

    Content-Type

    application/x-www-form-urlencoded
    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    token YES

    The access token that has been passed to the service's userinfo endpoint by the client application. In other words, the access token which was contained in the userinfo request.

    claims NO

    Claims in JSON format. As for the format, see "OpenID Connect Core 1.0, 5.1. Standard Claims".

    sub NO

    The value of the sub claim. If the value of this request parameter is not empty, it is used as the value of the sub claim. Otherwise, the value of the subject associated with the access token is used.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    action string

    The next action that the authorization server implementation should take. One of the following. Details are described in the description.

    • INTERNAL_SERVER_ERROR
    • BAD_REQUEST
    • UNAUTHORIZED
    • FORBIDDEN
    • JSON
    • JWT
    responseContent string

    The content that the authorization server implementation can use as the value of WWW-Authenticate header on errors.

    Description

    This API is supposed to be called from within the implementation of the userinfo endpoint of the authorization server in order to generate an ID token. Before calling this API, a valid response from /auth/userinfo API must be obtained. Then, call this API with the access token contained in the response and the claims values of the user (subject) associated with the access token. See OK written in the description of /auth/userinfo API for details.

    The response from /auth/userinfo/issue API has various parameters. Among them, it is action parameter that the authorization server implementation should check first because it denotes the next action that the authorization server implementation should take. According to the value of action, the service implementation must take the steps described below.


    INTERNAL_SERVER_ERROR

    When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the authorization server implementation was wrong or that an error occurred in Authlete.

    In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with the HTTP status of "500 Internal Server Error".

    The parameter responseContent returns a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage) so the userinfo endpoint implementation of your authorization server can use the value of responseContent as the value of WWW-Authenticate header.

    The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See 5.3.3. UserInfo Response for details.

    HTTP/1.1 500 Internal Server Error
    WWW-Authenticate: {responseContent}
    Cache-Control: no-store
    Pragma: no-cache

    BAD_REQUEST

    When the value of action is BAD_REQUEST, it means that the request from the client application does not contain an access token (= the request from the authorization server implementation to Authlete does not contain token parameter).

    The parameter responseContent contains a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage), so the userinfo endpoint implementation of your authorization server can use the value of responseContent as the value of WWW-Authenticate header.

    The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See 5.3.3. UserInfo Response for details.

    HTTP/1.1 400 Bad Request
    WWW-Authenticate: {responseContent}
    Cache-Control: no-store
    Pragma: no-cache

    UNAUTHORIZED

    When the value of action is UNAUTHORIZED, it means that the access token does not exist, has expired, or is not associated with any subject (= any user account).

    The parameter responseContent contains a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage), so the userinfo endpoint implementation of your authorization server can use the value of responseContent as the value of WWW-Authenticate header.

    The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See 5.3.3. UserInfo Response for details.

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: {responseContent}
    Cache-Control: no-store
    Pragma: no-cache

    FORBIDDEN

    When the value of action is FORBIDDEN, it means that the access token does not include the openid scope.

    The parameter responseContent contains a string which describes the error in the format of RFC 6750 (OAuth 2.0 Bearer Token Usage), so the userinfo endpoint implementation of your authorization server can use the value of responseContent as the value of WWW-Authenticate header.

    The following is an example response which complies with RFC 6750. Note that OpenID Connect Core 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See 5.3.3. UserInfo Response for details.

    HTTP/1.1 403 Forbidden
    WWW-Authenticate: {responseContent}
    Cache-Control: no-store
    Pragma: no-cache

    JSON

    When the value of action is JSON, it means that the access token which the client application presented is valid and an ID token was successfully generated in the format of JSON.

    The userinfo endpoint of your service is expected to generate a response to the client application. The content type of the response must be application/json and the response body must be an ID token in JSON format.

    The parameter responseContent contains the ID token in JSON format when action is JSON, so a response to the client can be built like below.

    HTTP/1.1 200 OK
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/json;charset=UTF-8
     
    {responseContent}

    JWT

    When the value of action is JWT, it means that the access token which the client application presented is valid and an ID token was successfully generated in the format of JWT (JSON Web Token) (RFC 7519)

    The userinfo endpoint of your service is expected to generate a response to the client application. The content type of the response must be application/jwt and the response body must be an ID token in JWT format.

    The parameter responseContent contains the ID token in JWT format when action is JWT, so a response to the client can be built like below.

    HTTP/1.1 200 OK
    Cache-Control: no-store
    Pragma: no-cache
    Content-Type: application/jwt
     
    {responseContent}

    JWK Set Endpoint

    /service/jwks/get API

    Sample Request

    curl -v https://api.authlete.com/api/service/jwks/get?pretty=true \
    -H 'Content-Type:application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    api.getServiceJwks();
    
    # This API is not supported yet.
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    await api.GetServiceJwks(); 
    

    Sample Response

    {
      "keys": [
        {
          "e": "AQAB",
          "n": "kVXi0XB8LGYZfFPXymaszWjBQsO22tasQH3PEiPeLSymBHbp7PtqM8O8xblqhbxV-24lKNs2zDugQaBiVt4zpalyYxL5kqnfY247priZRfmeUatdECh81T-i3VcLpz_M5yfljfVp3sFdaURUQNA3ow9VtUfvPIxN_9YIxXN1zP2nLP5amC2XA8xMt5iubRwbbPbrLyg69zTOzosDVhRTSs5adHK5HNwVn8wCCZPbU7u1cQD8hFNn8xlQcmOmJjSXUQ9slBpLc7G-dUEOI59RxiPd4R44GtSe8gA1WFXvOAdtGjivSm8BAbxuNO8HFtDJmpVl9YsDr9FsxirFl9ZPKs",
          "kty": "RSA",
          "use": "sig",
          "kid": "rsa-sig-001"
        },
        {
          "e": "AQAB",
          "n": "lQui3_DlrkLs_dyaOQBOclphIIRTTMo0gNlnAgfEM9xjbYQJQzi0CLtO6eseecE3HtvDBWVTw-rMM_NMJTlPTO0_ODWvmJRjXy9DZGEm05LFd_qr6jZ7cdOvjD7zUC3GI9TIokPbjGzueBPJjtAvv_tAazRFCQQfiFy7sQR3u-J4tM8fNo9szo9H09R_eA29llZ3hU39JDKs9nzG60I1mVZtJYPx0_bnO8eYeVDHqoj4SZ4jeru3iX9iDeccH_cDm3M87UomUh-Ri4LlAxXgewDvOaPxAef9ADkDvBVmRo5t60_PJxQ3Tug2EKK-xF1_T7I4TxgS7ga8entMmCxLca",
          "kty": "RSA",
          "use": "enc",
          "kid": "rsa-enc-001"
        },
        {
          "crv": "P-256",
          "kty": "EC",
          "use": "sig",
          "y": "824At71mYpbGK2oOCKAL1Z2scLPrbVwhM882v3a9gBq",
          "x": "ZXE3h9BxCyyb_Z9ZJ5qH4Vx650y09qwI1EpZO4o4OmL",
          "kid": "ec256-sig-001"
        },
        {
          "crv": "P-256",
          "kty": "EC",
          "use": "enc",
          "y": "j80Y3leZHHnxC_gN-Ols_l_VfEBQkfGDFFDG5LNJKMl",
          "x": "xAdEkaExYWGGAC1xYjwxzvqcaCyDloylZk04yiE9_OF",
          "kid": "ec256-enc-001"
        }
      ]
    }
    

    This API gathers JWK Set information for a service so that its client applications can verify signatures by the service and encrypt their requests to the service.

    Request

    GET /api/service/jwks/get

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    includePrivateKeys NO

    This boolean value indicates whether the response should include the private keys associated with the service or not. If true, the private keys are included in the response. The default value is false.

    pretty NO

    This boolean value indicates whether the JSON in the response should be formatted or not. If true, the JSON in the response is pretty-formatted. The default value is false.

    Response

    Content-Type

    application/json

    Parameters

    A JSON which represents the JWK Set of the service.

    Description

    This API is supposed to be called from within the implementation of the jwk set endpoint of the service where the service that supports OpenID Connect must expose its JWK Set information so that client applications can verify signatures by the service and encrypt their requests to the service. The URI of the endpoint can be found as the value of jwks_uri in OpenID Provider Metadata if the service supports OpenID Connect Discovery 1.0.

    Discovery Endpoint

    /service/configuration API

    Sample Request

    curl -v https://api.authlete.com/api/service/configuration?pretty=true \
    -H "Content-Type:application/json" \
    -u "10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE"
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    api.getServiceConfiguration();
    
    # This API is not supported yet.
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    await api.GetServiceConfiguration();
    

    Sample Response

    {
      "issuer": "https://authlete.com",
      "authorization_endpoint": "https://api.authlete.com/api/auth/authorization/direct/10167240235",
      "token_endpoint": "https://api.authlete.com/api/auth/token/direct/10167240235",
      "userinfo_endpoint": "https://api.authlete.com/api/auth/userinfo/direct/10167240235",
      "jwks_uri": "https://api.authlete.com/api/service/jwks/get/direct/10167240235",
      "scopes_supported": [
        "address",
        "email",
        "openid",
        "offline_access",
        "phone",
        "profile"
      ],
      "response_types_supported": [
        "none",
        "id_token",
        "code token",
        "code id_token",
        "id_token token",
        "code id_token token"
      ],
      "response_modes_supported": [
        "query",
        "fragment",
        "form_post",
        "query.jwt",
        "fragment.jwt",
        "form_post.jwt",
        "jwt"
      ],
      "grant_types_supported": [
        "authorization_code",
        "implicit",
        "password",
        "client_credentials",
        "refresh_token"
      ],
      "acr_values_supported": [
        "urn:mace:incommon:iap:silver",
        "urn:openbanking:psd2:sca",
        "urn:openbanking:psd2:ca"
      ],
      "subject_types_supported": [
        "public",
        "pairwise"
      ],
      "id_token_signing_alg_values_supported": [
        "HS256",
        "HS384",
        "HS512",
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512",
        "PS256",
        "PS384",
        "PS512"
      ],
      "id_token_encryption_alg_values_supported": [
        "RSA1_5",
        "RSA-OAEP",
        "RSA-OEAP-256",
        "A128KW",
        "A192KW",
        "A256KW",
        "dir",
        "ECDH-ES",
        "ECDH-ES+A128KW",
        "ECDH-ES+A192KW",
        "ECDH-ES+A256KW",
        "A128GCMKW",
        "A192GCMKW",
        "A256GCMKW",
        "PBES2-HS256+A128KW",
        "PBES2-HS384+A192KW",
        "PBES2-HS512+A256KW"
      ],
      "id_token_encryption_enc_values_supported": [
        "A128CBC-HS256",
        "A192CBC-HS384",
        "A256CBC-HS512",
        "A128GCM",
        "A192GCM",
        "A256GCM"
      ],
      "userinfo_signing_alg_values_supported": [
        "none",
        "HS256",
        "HS384",
        "HS512",
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512",
        "PS256",
        "PS384",
        "PS512"
      ],
      "userinfo_encryption_alg_values_supported": [
        "RSA1_5",
        "RSA-OAEP",
        "RSA-OEAP-256",
        "A128KW",
        "A192KW",
        "A256KW",
        "dir",
        "ECDH-ES",
        "ECDH-ES+A128KW",
        "ECDH-ES+A192KW",
        "ECDH-ES+A256KW",
        "A128GCMKW",
        "A192GCMKW",
        "A256GCMKW",
        "PBES2-HS256+A128KW",
        "PBES2-HS384+A192KW",
        "PBES2-HS512+A256KW"
      ],
      "userinfo_encryption_enc_values_supported": [
        "A128CBC-HS256",
        "A192CBC-HS384",
        "A256CBC-HS512",
        "A128GCM",
        "A192GCM",
        "A256GCM"
      ],
      "request_object_signing_alg_values_supported": [
        "none",
        "HS256",
        "HS384",
        "HS512",
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512",
        "PS256",
        "PS384",
        "PS512"
      ],
      "request_object_encryption_alg_values_supported": [
        "RSA1_5",
        "RSA-OAEP",
        "RSA-OEAP-256",
        "A128KW",
        "A192KW",
        "A256KW",
        "dir",
        "ECDH-ES",
        "ECDH-ES+A128KW",
        "ECDH-ES+A192KW",
        "ECDH-ES+A256KW",
        "A128GCMKW",
        "A192GCMKW",
        "A256GCMKW",
        "PBES2-HS256+A128KW",
        "PBES2-HS384+A192KW",
        "PBES2-HS512+A256KW"
      ],
      "request_object_encryption_enc_values_supported": [
        "A128CBC-HS256",
        "A192CBC-HS384",
        "A256CBC-HS512",
        "A128GCM",
        "A192GCM",
        "A256GCM"
      ],
      "authorization_signing_alg_values_supported": [
        "HS256",
        "HS384",
        "HS512",
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512",
        "PS256",
        "PS384",
        "PS512"
      ],
      "authorization_encryption_alg_values_supported": [
        "RSA1_5",
        "RSA-OAEP",
        "RSA-OEAP-256",
        "A128KW",
        "A192KW",
        "A256KW",
        "dir",
        "ECDH-ES",
        "ECDH-ES+A128KW",
        "ECDH-ES+A192KW",
        "ECDH-ES+A256KW",
        "A128GCMKW",
        "A192GCMKW",
        "A256GCMKW",
        "PBES2-HS256+A128KW",
        "PBES2-HS384+A192KW",
        "PBES2-HS512+A256KW"
      ],
      "authorization_encryption_enc_values_supported": [
        "A128CBC-HS256",
        "A192CBC-HS384",
        "A256CBC-HS512",
        "A128GCM",
        "A192GCM",
        "A256GCM"
      ],
      "token_endpoint_auth_methods_supported": [
        "none",
        "client_secret_basic",
        "client_secret_post"
      ],
      "token_endpoint_auth_signing_alg_values_supported": [
        "HS256",
        "HS384",
        "HS512",
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512",
        "PS256",
        "PS384",
        "PS512"
      ],
      "display_values_supported": [
        "page",
        "popup",
        "touch",
        "wap"
      ],
      "claim_types_supported": [
        "normal"
      ],
      "claims_supported": [
        "sub",
        "website",
        "zoneinfo",
        "email_verified",
        "birthdate",
        "address",
        "gender",
        "profile",
        "phone_number_verified",
        "preferred_username",
        "given_name",
        "middle_name",
        "locale",
        "picture",
        "updated_at",
        "name",
        "nickname",
        "phone_number",
        "family_name",
        "email",
        "openbanking_intent_id",
        "acr"
      ],
      "claims_parameter_supported": true,
      "request_parameter_supported": true,
      "request_uri_parameter_supported": true,
      "require_request_uri_registration": true,
      "revocation_endpoint": "https://api.authlete.com/api/auth/revocation/direct/10167240235",
      "revocation_endpoint_auth_methods_supported": [],
      "revocation_endpoint_auth_signing_alg_values_supported": [
        "HS256",
        "HS384",
        "HS512",
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512",
        "PS256",
        "PS384",
        "PS512"
      ],
      "introspection_endpoint_auth_methods_supported": [],
      "introspection_endpoint_auth_signing_alg_values_supported": [
        "HS256",
        "HS384",
        "HS512",
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512",
        "PS256",
        "PS384",
        "PS512"
      ],
      "code_challenge_methods_supported": [
        "plain",
        "S256"
      ],
      "tls_client_certificate_bound_access_tokens": false,
      "backchannel_token_delivery_modes_supported": [],
      "backchannel_authentication_request_signing_alg_values_supported": [
        "RS256",
        "RS384",
        "RS512",
        "ES256",
        "ES384",
        "ES512",
        "PS256",
        "PS384",
        "PS512"
      ],
      "backchannel_user_code_parameter_supported": false
    }
    

    This API gathers configuration information of a service.

    Request

    GET /api/service/configuration

    Content-Type

    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    pretty NO

    This boolean value indicates whether the JSON in the response should be formatted or not. If true, the JSON in the response is pretty-formatted. The default value is false.

    Response

    Content-Type

    application/json

    Parameters

    A JSON which represents the configuration of the service. The detailed format is described in OpenID Provider Configuration Response

    Description

    This API is supposed to be called from within the implementation of the configuration endpoint of the service where the service that supports OpenID Connect and OpenID Connect Discovery 1.0 must expose its configuration information in a JSON format. Details about the format are described in "3. OpenID Provider Metadata" in OpenID Connect Discovery 1.0.

    CIBA

    The following APIs are supposed to be used for implementing CIBA (Client Initiated Backchannel Authentication Flow) endpoints.

    /backchannel/authentication API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/backchannel/authentication \
    -H 'Content-Type: application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -d '{ "parameters": "login_hint=john&scope=openid&client_notification_token=my-client-notification-token&user_code=my-user-code", "clientId": "57297408867", "clientSecret":"J_3C7P0nDTP7CwCg_HyPQh7bTQ1696CC8GWot-EjesZmdBiU5Gsidq5Ve3tMaN2x2_VcKV1UE1U3ZdGKRuTs7A" }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    // Extract request parameters that the CIBA backchannel authentication endpoint of 
    // this authorization serever implementation received from the client application.
    String parameters = extractRequestParameters();
    
    // The credentials of the client application extracted from 'Authorization' header.
    String clientId     = extractClientId();
    String clientSecret = extractClientSecret();
    
    BackchannelAuthenticationRequest request = new BackchannelAuthenticationRequest()
      .setParameters(parameters)
      .setClientId(clientId)
      .setClientSecret(clientSecret)
    ;
    
    api.backchannelAuthentication(request);
    
    # This API is not supported yet.
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    // Extract request parameters that CIBA backchannel authentication endpoint of 
    // this authorization serever implementation received from the client application.
    string parameters = ExtractRequestParameters();
    
    // The credentials of the client application extracted from 'Authorization' header.
    string clientId     = ExtractClientId();
    string clientSecret = ExtractClientSecret();
    
    BackchannelAuthenticationRequest request = new BackchannelAuthenticationRequest();
    request.Parameters   = parameters;
    request.ClientId     = clientId;
    request.ClientSecret = clientSecret;
    
    await api.BackchannelAuthentication(request);
    

    Sample Response

    {
      "type": "backchannelAuthenticationResponse",
      "resultCode": "A179001",
      "resultMessage": "[A179001] The backchannel authentication request was processed successfully.",
      "action": "USER_IDENTIFICATION",
      "clientId": 57297408867,
      "clientIdAliasUsed": false,
      "clientName": "My Client",
      "clientNotificationToken": "my-client-notification-token",
      "deliveryMode": "PING",
      "hint": "john",
      "hintType": "LOGIN_HINT",
      "requestedExpiry": 0,
      "scopes": [{
        "defaultEntry": false,
        "name": "openid"
      }],
      "ticket": "ZZxECt-wZTJUWKdAUZ8okwglXLFUTWeGcuKdktSbSsI",
      "userCode": "my-user-code",
      "userCodeRequired": true
    }
    

    This API parses request parameters of a backchannel authentication request and returns necessary data for the authorization server implementation to process the backchannel authentication request further.

    Request

    POST /api/backchannel/authentication

    Content-Type

    application/x-www-form-urlencoded
    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    parameters YES

    Parameters of a backchannel authentication request which are the request parameters that the backchannel authentication endpoint of the OpenID provider implementation received from the client application.

    The value of parameters is the entire entity body (which is formatted in application/x-www-form-urlencoded) of the request from the client application.

    clientId NO

    The client ID extracted from Authorization header of the backchannel authentication request from the client application.

    If the backchannel authentication endpoint of the OpenID provider implementation supports Basic Authentication as a means of client authentication, and the request from the client application contained its client ID in Authorization header, the value should be extracted and set to this parameter.

    clientSecret NO

    The client secret extracted from Authorization header of the backchannel authentication request from the client application.

    If the backchannel authentication endpoint of the OpenID provider implementation supports Basic Authentication as a means of client authentication, and the request from the client application contained its client secret in Authorization header, the value should be extracted and set to this parameter.

    clientCertificate NO

    The client certification used in the TLS connection between the client application and the backchannel authentication endpoint of the OpenID provider.

    clientCertificatePath NO

    The client certificate path presented by the client during client authentication. Each element is a string in PEM format.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    action string

    The next action that the authorization server implementation should take. One of the following. Details are described in the description.

    • INTERNAL_SERVER_ERROR
    • BAD_REQUEST
    • UNAUTHORIZED
    • USER_IDENTIFICATION
    responseContent string

    The content that the authorization server implementation is to return to the client application. Its format varies depending on the value of action parameter. See description for details.

    clientId string

    The client ID of the client application that has made the backchannel authentication request.

    clientIdAlias string

    The client ID alias of the client application that has made the backchannel authentication request.

    clientIdAliasUsed boolean

    true if the value of the client_id request parameter included in the authorization request is the client ID alias. false if the value is the original numeric client ID.

    clientName string

    The name of the client application which has made the backchannel authentication request.

    scopes string array

    The scopes requested by the backchannel authentication request.

    Basically, this method returns the value of the scope request parameter in the backchannel authentication request. However, because unregistered scopes are dropped on Authlete side, if the scope request parameter contains unknown scopes, the list returned by this method becomes different from the value of the scope request parameter.

    Note that description property and descriptions property of each scope object in the array contained in this property is always null even if descriptions of the scopes are registered.

    claimNames string array

    The names of the claims which were requested indirectly via some special scopes. See 5.4. Requesting Claims using Scope Values in OpenID Connect Core 1.0 for details.

    clientNotificationToken string

    The client notification token included in the backchannel authentication request.

    acrs string array

    The list of ACR values requested by the backchannel authentication request.

    Basically, this method returns the value of the acr_values request parameter in the backchannel authentication request. However, because unsupported ACR values are dropped on Authlete side, if the acr_values request parameter contains unrecognized ACR values, the list returned by this method becomes different from the value of the acr_values request parameter.

    hintType string The type of the hint for end-user identification which was included in the backchannel authentication request.
    hint string The value of the hint for end-user identification.
    sub string The value of the sub claim contained in the ID token hint included in the backchannel authentication request.
    bindingMessage string The binding message included in the backchannel authentication request.
    userCode string The user code included in the backchannel authentication request.
    userCodeRequired boolean

    The flag which indicates whether a user code is required.

    true when both the backchannel_user_code_parameter metadata of the client (= Client's bcUserCodeRequired property) and the backchannel_user_code_parameter_supported metadata of the service (= Service's backchannelUserCodeParameterSupported property) are true.

    requestedExpiry i32

    The requested expiry for the authentication request ID (auth_req_id).

    requestContext string

    The request context of the backchannel authentication request.

    It is the value of the request_context claim in the signed authentication request and its format is JSON. request_context is a new claim added by the FAPI-CIBA profile.

    warnings string array

    The warnings raised during processing the backchannel authentication request.

    ticket string

    A ticket issued by Authlete to the authorization server implementation. This is needed when the service implementation calls /backchannel/authentication/* API.

    resources string array

    The resources specified by the resource request parameters or by the resource property in the request object. If both are given, the values in the request object should be set. See Resource Indicators for OAuth 2.0 for details. This parameter is available since Authlete 2.2.

    authorizationDetails string

    The authorization details. This represents the value of the authorization_details request parameter which is defined in OAuth 2.0 Rich Authorization Requests. This parameter is available since Authlete 2.2.

    Description

    This API is supposed to be called from within the implementation of the CIBA backchannel authentication endpoint of the service. The endpoint implementation must extract the request parameters from the backchannel authentication request from the client application and pass them as the value of parameters request parameter for Authlete's /backchannel/authentication API.

    The value of parameters is the entire entity body (which is formatted in application/x-www-form-urlencoded) of the request from the client application.

    The following code snippet is an example in JAX-RS showing how to extract request parameters from the backchannel authentication request.

    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    public Response post(String parameters)
    {
        // 'parameters' is the entity body of the backchannel authentication request.
        ......
    }

    The endpoint implementation does not have to parse the request parameters from the client application because Authlete's /backchannel/authentication API does it.

    The response from /backchannel/authentication API has various parameters. Among them, it is action parameter that the authorization server implementation should check first because it denotes the next action that the authorization server implementation should take. According to the value of action, the service implementation must take the steps described below.


    INTERNAL_SERVER_ERROR

    When the value of action is INTERNAL_SERVER_ERROR, it means that the request from the authorization server implementation was wrong or that an error occurred in Authlete.

    In either case, from the viewpoint of the client application, it is an error on the server side. Therefore, the service implementation should generate a response to the client application with HTTP status of "500 Internal Server Error" and application/json.

    The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the service implementation should generate and return to the client application.

    HTTP/1.1 500 Internal Server Error
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
    
    {responseContent}

    BAD_REQUEST

    When the value of action is BAD_REQUEST, it means that the request from the client application is invalid.

    A response with HTTP status of "400 Bad Request" should be returned to the client application and application/json.

    The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the service implementation should generate and return to the client application.

    HTTP/1.1 400 Bad Request
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
    
    {responseContent}

    UNAUTHORIZED

    When the value of action is UNAUTHORIZED, it means that client authentication of the backchannel authentication request failed. Note that client authentication is always required at the backchannel authentication endpoint. This implies that public clients are not allowed to use the backchannel authentication endpoint.

    The authorization server implementation should generate a response to the client application with "401 Unauthorized" and application/json.

    The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the service implementation must generate and return to the client application.

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: (challenge)
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
    
    {responseContent}

    USER_IDENTIFICATION

    When the value of action is USER_IDENTIFICATION, it means that the backchannel authentication request from the client application is valid. The authorization server implementation has to follow the steps below.

    1. [END-USER IDENTIFICATION]

      The first step is to determine the subject (= unique identifier) of the end-user from whom the client application wants to get authorization.

      According to the CIBA specification, a backchannel authentication request contains one (and only one) of the login_hint_token, id_token_hint and login_hint request parameters as a hint by which the authorization server identifies the subject of an end-user.

      The authorization server implementation can know which hint is included in the backchannel authentication request by the hintType parameter. For example, when the value of the parameter LOGIN_HINT, it means that the backchannel authentication request contains the login_hint request parameter as a hint.

      The value of the hint parameter is the value of the hint. For example, when the value of the hintType parameter is LOGIN_HINT, The value of the hint parameter is the value of the login_hint request parameter.

      It is up to the authorization server implementation how to determine the subject of the end-user from the hint. Only when the id_token_hint request parameter is used, authorization server implementation can use the sub response parameter, which holds the value of the sub claim in the id_token_hint request parameter.

    2. [END-USER IDENTIFICATION ERROR]

      There are some cases where the authorization server implementation encounters an error during the user identification process. In any error case, the service implementation has to return an HTTP response with the error response parameter to the client application. The following is an example of such error responses.

      HTTP/1.1 400 Bad Request
      Content-Type: application/json
      Cache-Control: no-store
      Pragma: no-cache
      
      {"error":"unknown_user_id"}

      Authlete provides /backchannel/authentication/fail API that builds the response body (JSON) of an error response. However, because it is easy to build an error response manually, you may choose not to call the API. One good thing in using the API is that the API call can trigger deletion of the ticket which has been issued from Authlete's /backchannel/authentication API. If you don't call /backchannel/authentication/fail API, the ticket will continue to exist in the database until it is cleaned up by the batch program after the ticket expires.

      Possible error cases that the authorization server implementation itself has to handle are as follows. Other error cases have already been covered by /backchannel/authentication API.

      error description
      expired_login_hint_token

      The authorization server implementation detected that the hint presented by the login_hint_token request parameter has expired.

      Note that the format of login_hint_token is not described in the CIBA Core spec at all and so there is no consensus on how to detect expiration of login_hint_token. Interpretation of login_hint_token is left to each authorization server implementation.

      unknown_user_id

      The authorization server implementation could not determine the subject of the end-user by the presented hint.

      unauthorized_client

      The authorization server implementation has custom rules to reject backchannel authentication requests from some particular clients and found that the client which has made the backchannel authentication request is one of the particular clients.

      Note that /backchannel/authentication API does not return action=USER_IDENTIFICATION in cases where the client does not exist or client authentication has failed. Therefore, the authorization server implementation will never have to use the error code unauthorized_client unless the server has intentionally implemented custom rules to reject backchannel authentication requests based on clients.

      missing_user_code

      The authorization server implementation has custom rules to require that a backchannel authentication request include a user code for some particular users and found that the user identified by the hint is one of the particular users.

      Note that /backchannel/authentication API does not return action=USER_IDENTIFICATION when both the backchannel_user_code_parameter_supported metadata of the server and the backchannel_user_code_parameter metadata of the client are true and the backchannel authentication request does not include the user_code request parameter. In this case, /backchannel/authentication API returns action=BAD_REQUEST with JSON containing "error":"missing_user_code". Therefore, the authorization server implementation will never have to use the error code missing_user_code unless the server has intentionally implemented custom rules to require a user code based on users even in the case where the backchannel_user_code_parameter metadata of the client which has made the backchannel authentication request is false.

      invalid_user_code

      The authorization server implementation detected that the presented user code is invalid.

      Note that the format of user_code is not described in the CIBA Core spec at all and so there is no consensus on how to judge whether a user code is valid or not. It is up to each authorization server implementation how to handle user codes.

      invalid_binding_message

      The authorization server implementation detected that the presented binding message is invalid.

      Note that the format of binding_message is not described in the CIBA Core spec at all and so there is no consensus on how to judge whether a binding message is valid or not. It is up to each authorization server implementation how to handle binding messages.

      invalid_target

      The authorization server implementation rejects the requested target resources.

      The error code invalid_target is from "Resource Indicators for OAuth 2.0". The specification defines the resource request parameter. By using the parameter, client applications can request target resources that should be bound to the access token being issued. If the authorization server wants to reject the request, call /backchannel/authentication/fail API with INVALID_TARGET.

      Note that "Resource Indicators for OAuth 2.0" is supported since Authlete 2.2. Older versions don't recognize the resource request parameter, so the resources parameter is always null if the Authlete server you are using is older than 2.2.

      access_denined

      The authorization server implementation has custom rules to reject backchannel authentication requests without asking the end-user and respond to the client as if the end-user had rejected the request in some particular cases and found that the backchannel authentication request is one of the particular cases.

      The authorization server implementation will never have to use the error code access_denied at this timing unless the server has intentionally implemented custom rules to reject backchannel authentication requests without asking the end-user and respond to the client as if the end-user had rejected the request.

    3. [AUTH_REQ_ID ISSUE]

      If the authorization server implementation has successfully determined the subject of the end-user, the next action is to return an HTTP response to the client application which contains auth_req_id.

      Authlete provides /backchannel/authentication/issue API which generates a JSON containing auth_req_id, so, your next action is (1) call the API, (2) receive the response from the API, (3) build a response to the client application using the content of the API response, and (4) return the response to the client application. See the description of /backchannel/authentication/issue API for details.

    4. END-USER AUTHENTICATION AND AUTHORIZATION

      After sending a JSON containing auth_req_id back to the client application, the service implementation starts to communicate with an authentication device of the end-user. It is assumed that end-user authentication is performed on the authentication device and the end-user confirms the content of the backchannel authentication request and grants authorization to the client application if everything is okay. The authorization server implementation must be able to receive the result of the end-user authentication and authorization from the authentication device.

      How to communicate with an authentication device and achieve end-user authentication and authorization is up to each authorization server implementation, but the following request parameters of the backchannel authentication request should be taken into consideration in any implementation.

      parameter description
      acr_values

      A backchannel authentication request may contain an array of ACRs (Authentication Context Class References) in preference order. If multiple authentication devices are registered for the end-user, the authorization server implementation should take the ACRs into consideration when selecting the best authentication device.

      scope

      A backchannel authentication request always contains a list of scopes. At least, openid> is included in the list (otherwise /backchannel/authentication API returns action=BAD_REQUEST). It would be better to show the requested scopes to the end-user on the authentication device or somewhere appropriate.

      If the scope request parameter contains address, email, phone and/or profile, they are interpreted as defined in "5.4. Requesting Claims using Scope Values of OpenID Connect Core 1.0". That is, they are expanded into a list of claim names. The claimNames parameter returns the expanded result.

      binding_message

      A backchannel authentication request may contain a binding message. It is a human readable identifier or message intended to be displayed on both the consumption device (client application) and the authentication device.

      user_code

      A backchannel authentication request may contain a user code. It is a secret code, such as password or pin, known only to the end-user but verifiable by the authorization server. The user code should be used to authorize sending a request to the authentication device.

    5. [END-USER AUTHENTICATION AND AUTHORIZATION COMPLETION]

      After receiving the result of end-user authentication and authorization, the authorization server implementation must call Authlete's /backchannel/authentication/complete API to tell Authlete the result and pass necessary data so that Authlete can generate an ID token, an access token and optionally a refresh token. See the description of the API for details.

    6. [CLIENT NOTIFICATION]

      When the backchannel token delivery mode is either ping or push, the authorization server implementation must send a notification to the pre-registered notification endpoint of the client after the end-user authentication and authorization. In this case, the action parameter in a response from /backchannel/authentication/complete API is NOTIFICATION. See the description of /backchannel/authentication/complete API for details.

    7. [TOKEN REQUEST]

      When the backchannel token delivery mode is either ping or poll, the client application will make a token request to the token endpoint to get an ID token, an access token and optionally a refresh token.

      A token request that corresponds to a backchannel authentication request uses urn:openid:params:grant-type:ciba as the value of the grant_type request parameter. Authlete's /auth/token API recognizes the grant type automatically and behaves properly, so the existing token endpoint implementation does not have to be changed to support CIBA.

    /backchannel/authentication/issue API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/backchannel/authentication/issue \
    -H 'Content-Type: application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -d '{ "ticket": "ZZxECt-wZTJUWKdAUZ8okwglXLFUTWeGcuKdktSbSsI" }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    // Extract the ticket issued by '/backchannel/authentication' API.
    String ticket = extractTicket();
    
    BackchannelAuthenticationIssueRequest request = new BackchannelAuthenticationIssueRequest().setTicket(ticket);
    
    api.backchannelAuthenticationIssue(request);
    
    # This API is not supported yet.
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    // Extract the ticket issued by '/backchannel/authentication' API.
    string ticket = ExtractTicket();
    
    BackchannelAuthenticationIssueRequest request = new BackchannelAuthenticationIssueRequest();
    request.Ticket = ticket;
    
    await api.BackchannelAuthenticationIssue(request);
    

    Sample Response

    {
      "type": "backchannelAuthenticationIssueResponse",
      "resultCode": "A183001",
      "resultMessage": "[A183001] An auth_req_id was issued successfully.",
      "action": "OK",
      "authReqId": "gwHSu6EOjpsYtH3pKgUdQzMIjkql6KYpCAsUFZR9Gl0",
      "expiresIn": 0,
      "interval": 0,
      "responseContent": "{\"auth_req_id\":\"gwHSu6EOjpsYtH3pKgUdQzMIjkql6KYpCAsUFZR9Gl0\",\"interval\":0,\"expires_in\":0}"
    }
    

    This API prepares JSON that contains an auth_req_id. The JSON should be used as the response body of the response which is returned to the client from the backchannel authentication endpoint.

    Request

    POST /api/backchannel/authentication/issue

    Content-Type

    application/x-www-form-urlencoded
    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    ticket YES

    The ticket issued from Authlete's /backchannel/authentication API.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    action string

    The next action that the authorization server implementation should take. One of the following. Details are described in the description.

    • INTERNAL_SERVER_ERROR
    • INVALID_TICKET
    • OK
    responseContent string

    The content that the authorization server implementation is to return to the client application. Its format varies depending on the value of action parameter. See description for details.

    authReqId string

    The newly issued authentication request ID.

    expiresIn i32

    The duration of the issued authentication request ID in seconds.

    interval i32

    The minimum amount of time in seconds that the client must wait for between polling requests to the token endpoint.

    Description

    This API is supposed to be called from within the implementation of the backchannel authentication endpoint of the service in order to generate a successful response to the client application.

    The description of the /backchannel/authentication API describes the timing when this API should be called and the meaning of request parameters. See [AUTH_REQ_ID ISSUE] in USER_IDENTIFICATION.

    The response from /backchannel/authentication/issue API has some parameters. Among them, it is action parameter that the authorization server implementation should check first because it denotes the next action that the authorization server implementation should take. According to the value of action, the authorization server implementation must take the steps described below.


    INTERNAL_SERVER_ERROR

    When the value of action is INTERNAL_SERVER_ERROR, it means that an error occurred in Authlete.

    From a viewpoint of the client application, this is an error on the server side. Therefore, the authorization server implementation should generate a response to the client application with "500 Internal Server Error" and application/json.

    The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the service implementation should generate and return to the client application.

    HTTP/1.1 500 Internal Server Error
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
     
    {responseContent}

    INVALID_TICKET

    When the value of action is INVALID_TICKET, it means that the ticket included in the API call was invalid. For example, it does not exist or has expired.

    From a viewpoint of the client application, this is an error on the server side. Therefore, the authorization server implementation should generate a response to the client application with "500 Internal Server Error" and application/json.

    You can build an error response in the same way as shown in the description for the case of INTERNAL_SERVER_ERROR.


    OK

    When the value of action is OK, it means that Authlete has succeeded in preparing JSON that contains an auth_req_id. The JSON should be used as the response body of the response which is returned to the client from the backchannel authentication endpoint. The value of the responseContent paramter is the JSON.

    The following illustrates the response which the authorization server implementation should generate and return to the client application.

    HTTP/1.1 200 OK
    Content-Type: text/html;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache
     
    {responseContent}

    /backchannel/authentication/fail API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/backchannel/authentication/fail \
    -H 'Content-Type: application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -d  '{ "ticket": "holsZhINBhum6j6MYE4yZefHuQN_kd609veKCst31p0", "reason": "ACCESS_DENIED" }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    // Extract the ticket issued by '/backchannel/authentication' API.
    String ticket = extractTicket();
    
    // The reason of the failure of the backchannel authentication request.
    BackchannelAuthenticationFailRequest.Reason reason = BackchannelAuthenticationFailRequest.Reason.ACCESS_DENIED
    
    BackchannelAuthenticationFailRequest request = new BackchannelAuthenticationFailRequest()
      .setTicket(ticket)
      .setReason(reason)
    ;
    
    api.backchannelAuthenticationFail(request);
    
    # This API is not supported yet.
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    // Extract the ticket issued by '/backchannel/authentication' API.
    String ticket = extractTicket();
    
    // The reason of the failure of the backchannel authentication request.
    BackchannelAuthenticationFailReason reason = BackchannelAuthenticationFailReason.ACCESS_DENIED;
    
    BackchannelAuthenticationFailRequest request = new BackchannelAuthenticationFailRequest();
    request.Ticket = ticket;
    request.Reason = reason;
    
    await api.BackchannelAuthenticationFail(request);
    

    Sample Response

    {
      "type": "backchannelAuthenticationFailResponse",
      "resultCode": "A185001",
      "resultMessage": "[A185001] Successfully generated an error response for the backchannel authentication request.",
      "action": "FORBIDDEN",
      "responseContent": "{\"error\":\"access_denied\"}"
    }
    

    The API prepares JSON that contains an error. The JSON should be used as the response body of the response which is returned to the client from the backchannel authentication endpoint.

    Request

    POST /api/backchannel/authentication/fail

    Content-Type

    application/x-www-form-urlencoded
    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    ticket YES

    The ticket which should be deleted on a call of Authlete's /backchannel/authentication/fail API. This request parameter is not mandatory but optional. If this request parameter is given and the ticket belongs to the service, the specified ticket is deleted from the database. Giving this parameter is recommended to clean up the storage area for the service.

    reason NO

    The reason of the failure of the backchannel authentication request. This request parameter is not mandatory but optional. However, giving this parameter is recommended. If omitted, SERVER_ERROR is used as a reason.

    errorDescription NO

    The description of the error. This corresponds to the error_description property in the response to the client.

    errorUri NO

    The URI of a document which describes the error in detail. If this optional request parameter is given, its value is used as the value of the error_uri property.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    action string

    The next action that the authorization server implementation should take. One of the following. Details are described in the description.

    • INTERNAL_SERVER_ERROR
    • BAD_REQUEST
    • FORBIDDEN
    responseContent string

    The content that the authorization server implementation is to return to the client application. Its format varies depending on the value of action parameter. See description for details.

    Description

    This API is supposed to be called from within the implementation of the backchannel authentication endpoint of the service in order to generate an error response to the client application.

    The response from /backchannel/authentication/fails API has some parameters. Among them, it is action parameter that the authorization server implementation should check first because it denotes the next action that the authorization server implementation should take. According to the value of action, the authorization server implementation must take the steps described below.


    INTERNAL_SERVER_ERROR

    When the value of action is INTERNAL_SERVER_ERROR, it means that (1) the reason request parameter of the API call was SERVER_ERROR, (2) an error occurred on Authlete side, or (3) the request parameters of the API call were wrong. In this case, the authorization server implementation should return a "500 Internal Server Error" response to the client application. However, in most cases, commercial implementations prefer to use other HTTP status code than 5xx.


    BAD_REQUEST

    When the value of action is BAD_REQUEST, the authorization server implementation should return a "400 Bad Request" response to the client application.


    FORBIDDEN

    When the value of action is FORBIDDEN, it means that the reason request parameter of the API call was ACCESS_DENIED. In this case, the backchannel authentication endpoint of the authorization server implementation should return a "403 Forbidden" response to the client application.

    /backchannel/authentication/complete API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/backchannel/authentication/complete \
    -H 'Content-Type: application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -d '{ "ticket": "ZZxECt-wZTJUWKdAUZ8okwglXLFUTWeGcuKdktSbSsI", "result": "AUTHORIZED", "subject": "john" }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    // Extract the ticket issued by '/backchannel/authentication' API.
    String ticket = extractTicket();
    
    // The result of the end-user authentication and authorization.
    BackchannelAuthenticationCompleteRequest.Result result = BackchannelAuthenticationCompleteRequest.Result.AUTHORIZED;
    
    // Get the subject (= unique identifier) of the end-user.
    String subject = getSubject();
    
    BackchannelAuthenticationCompleteRequest request = new BackchannelAuthenticationCompleteRequest()
      .setTicket(ticket)
      .setResult(result)
      .setSubject(subject)
    ;
    
    api.backchannelAuthenticationComplete(request);
    
    # This API is not supported yet.
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    // Extract the ticket issued by '/backchannel/authentication' API.
    string ticket = ExtractTicket();
    
    // The result of the end-user authentication and authorization.
    BackchannelAuthenticationCompleteResult result = BackchannelAuthenticationCompleteResult.AUTHORIZED;
    
    // Get the subject (= unique identifier) of the end-user.
    string subject = GetSubject();
    
    BackchannelAuthenticationCompleteRequest request = new BackchannelAuthenticationCompleteRequest();
    request.Ticket  = ticket;
    request.Result  = result;
    request.Subject = subject;
    
    await api.BackchannelAuthenticationComplete(request);
    

    Sample Response

    {
      "type": "backchannelAuthenticationCompleteResponse",
      "resultCode": "A198001",
      "resultMessage": "[A198001] Successfully updated the database so that the token endpoint can generate tokens (mode = ping, result = AUTHORIZED).",
      "accessTokenDuration": 0,
      "action": "NOTIFICATION",
      "authReqId": "gwHSu6EOjpsYtH3pKgUdQzMIjkql6KYpCAsUFZR9Gl0",
      "clientId": 57297408867,
      "clientIdAliasUsed": false,
      "clientName": "My Client",
      "clientNotificationEndpoint": "https://server.example.com/notification",
      "clientNotificationToken": "my-client-notification-token",
      "deliveryMode": "PING",
      "idTokenDuration": 0,
      "refreshTokenDuration": 0,
      "responseContent": "{\"auth_req_id\":\"gwHSu6EOjpsYtH3pKgUdQzMIjkql6KYpCAsUFZR9Gl0\"}"
    }
    

    This API returns information about what action the authorization server should take after it receives the result of end-user's decision about whether the end-user has approved or rejected a client application's request on the authentication device.

    Request

    POST /api/backchannel/authentication/complete

    Content-Type

    application/x-www-form-urlencoded
    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    ticket YES

    The ticket issued by Authlete's /backchannel/authentication API.

    result YES

    The result of the end-user authentication and authorization. One of the following. Details are described in the description.

    • TRANSACTION_FAILED
    • ACCESS_DENIED
    • AUTHORIZED
    subject YES

    The subject (= unique identifier) of the end-user.

    sub NO

    The value of the sub claim that should be used in the ID token.

    acr NO

    The reference of the authentication context class which the end-user authentication satisfied.

    claims NO

    Additional claims which will be embedded in the ID token.

    properties NO

    The extra properties associated with the access token.

    scopes NO

    Scopes to replace the scopes specified in the original backchannel authentication request with. When nothing is specified for this parameter, replacement is not performed.

    errorDescription NO

    The description of the error. If this optional request parameter is given, its value is used as the value of the error_description property, but it is used only when the result is not AUTHORIZED. To comply with the specification strictly, the description must not include characters outside the set %x20-21 / %x23-5B / %x5D-7E.

    errorUri NO

    The URI of a document which describes the error in detail. This corresponds to the error_uri property in the response to the client.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    action string

    The next action that the authorization server implementation should take. One of the following. Details are described in the description.

    • SERVER_ERROR
    • NO_ACTION
    • NOTIFICATION
    responseContent string

    The content that the authorization server implementation is to return to the client application. Its format varies depending on the value of action parameter. See description for details.

    clientId i64

    The client ID of the client application that has made the backchannel authentication request.

    clientIdAlias string

    The client ID alias of the client application that has made the backchannel authentication request.

    clientIdAliasUsed boolean

    true if the value of the client_id request parameter included in the backchannel authentication request is the client ID alias. false if the value is the original numeric client ID.

    clientName string

    The name of the client application which has made the backchannel authentication request.

    deliveryMode string

    The backchannel token delivery mode.

    clientNotificationEndpoint string

    The client notification endpoint to which a notification needs to be sent. This corresponds to the client_notification_endpoint metadata of the client application.

    clientNotificationToken string

    The client notification token which needs to be embedded as a Bearer token in the Authorization header in the notification. This is the value of the client_notification_token request parameter included in the backchannel authentication request.

    authReqId string

    The auth_req_id which is associated with the ticket.

    accessToken string

    The issued access token.

    refreshToken string

    The issued refresh token.

    idToken string

    The issued ID token.

    accessTokenDuration i32

    The duration of the access token in seconds.

    refreshTokenDuration i32

    The duration of the refresh token in seconds.

    idTokenDuration i32

    The duration of the ID token in seconds.

    jwtAccessToken string

    The issued access token in JWT format.

    resources URL array

    The resources specified by the resource request parameters or by the resource property in the request object in the preceding backchannel authentication request. This parameter is available since Authlete 2.2.

    authorizationDetails JSON

    The authorization details. This represents the value of the authorization_details request parameter which is defined in "OAuth 2.0 Rich Authorization Requests". This parameter is available since Authlete 2.2.

    Description

    After the implementation of the backchannel authentication endpoint returns JSON containing an auth_req_id to the client, the authorization server starts a background process that communicates with the authentication device of the end-user. On the authentication device, end-user authentication is performed and the end-user is asked whether they give authorization to the client or not. The authorization server will receive the result of end-user authentication and authorization from the authentication device.

    After the authorization server receives the result from the authentication device, or even in the case where the server gave up receiving a response from the authentication device for some reasons, the server should call the /backchannel/authentication/complete API to tell Authlete the result.

    When the end-user was authenticated and authorization was granted to the client by the end-user, the authorization server should call the API with result=AUTHORIZED. In this successful case, the subject request parameter is mandatory. If the token delivery mode is push, the API will generate an access token, an ID token and optionally a refresh token. On the other hand, if the token delivery mode is poll or ping, the API will just update the database record so that /auth/token API can generate tokens later.

    When the authorization server received the decision of the end-user from the authentication device and it indicates that the end-user has rejected to give authorization to the client, the authorization server should call the API with result=ACCESS_DENIED. In this case, if the token delivery mode is push, the API will generate an error response that contains the error response parameter and optionally the error_description and error_uri response parameters (if the errorDescription and errorUri request parameters have been given). On the other hand, if the token delivery mode is poll or ping, the API will just update the database record so that /auth/token API can generate an error response later. In any token delivery mode, the value of the error parameter will become access_denied.

    When the authorization server could not get the result of end-user authentication and authorization from the authentication device for some reasons, the authorization server should call the API with result=TRANSACTION_FAILED. In this error case, the API will behave in the same way as in the case of ACCESS_DENIED. The only difference is that expired_token is used as the value of the error parameter.

    The response from /backchannel/authentication/complete API has various parameters. Among them, it is action parameter that the authorization server implementation should check first because it denotes the next action that the authorization server implementation should take. According to the value of action, the service implementation must take the steps described below.


    SERVER_ERROR

    When the value of action is SERVER_ERROR, it means either (1) that the request from the authorization server to Authlete was wrong, or (2) that an error occurred on Authlete side.

    When the backchannel token delivery mode is ping or push, SERVER_ERROR is used only when an error is detected before the record of the ticket (which is included in the API call to /backchannel/authentication/complete) is retrieved from the database successfully. If an error is detected after the record of the ticket is retrieved from the database, NOTIFICATION is used instead of SERVER_ERROR.

    When the backchannel token delivery mode is poll, SERVER_ERROR is used regardless of whether it is before or after the record of the ticket is retrieved from the database.


    NO_ACTION

    When the value of action is NO_ACTION, it means that the authorization server does not have to take any immediate action.

    NO_ACTION is returned when the backchannel token delivery mode is poll. In this case, the client will receive the final result at the token endpoint.


    NOTIFICATION

    When the value of action is NOTIFICATION, it means that the authorization server must send a notification to the client notification endpoint.

    According to the CIBA Core specification, the notification is an HTTP POST request whose request body is JSON and whose Authorization header contains the client notification token, which was included in the backchannel authentication request as the value of the client_notification_token request parameter, as a bearer token.

    When the backchannel token delivery mode is ping, the request body of the notification is JSON which contains the auth_req_id property only. When the backchannel token delivery mode is push, the request body will additionally contain an access token, an ID token and other properties. Note that when the backchannel token delivery mode is poll, a notification does not have to be sent to the client notification endpoint.

    In error cases, in the ping mode, however, the content of a notification is not different from the content in successful cases. That is, the notification contains the auth_req_id property only. The client will know the error when it accesses the token endpoint. On the other hand, in the push mode, in error cases, the content of a notification will include the error property instead of an access token and an ID token. The client will know the error by detecting that error is included in the notification.

    In any case, the responseContent is JSON which can be used as the request body of the notification.

    The client notification endpoint that the notification should be sent to the value of the clientNotificationEndpoint parameter. Likewise, the client notification token that the notification should include as a bearer token is the clientNotificationToken parameter. With these methods, the notification can be built like the following.

    POST {clientNotificationEndpoint} HTTP/1.1
    HOST: {The host of clientNotificationEndpoint}
    Authorization: Bearer {notificationToken}
    Content-Type: application/json
    
    {responseContent}
    

    Device Flow

    The following APIs are supposed to be used for implementing Device Flow (RFC 8628) endpoints.

    /device/authorization API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/device/authorization \
    -H 'Content-Type: application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -d '{ "parameters": "client_id=57297408867&scope=address", "clientId": "57297408867", "clientSecret":"J_3C7P0nDTP7CwCg_HyPQh7bTQ1696CC8GWot-EjesZmdBiU5Gsidq5Ve3tMaN2x2_VcKV1UE1U3ZdGKRuTs7A" }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    // Extract request parameters that the device authorization endpoint of 
    // this authorization serever implementation received from the client application.
    String parameters = extractRequestParameters();
    
    // The credentials of the client application extracted from 'Authorization' header.
    String clientId     = extractClientId();
    String clientSecret = extractClientSecret();
    
    DeviceAuthorizationRequest request = new DeviceAuthorizationRequest()
      .setParameters(parameters)
      .setClientId(clientId)
      .setClientSecret(clientSecret)
    ;
    
    api.deviceAuthorization(request);
    
    # This API is not supported yet.
    
    // This API is not supported yet.
    

    Sample Response

    {
      "type": "deviceAuthorizationResponse",
      "resultCode": "A220001",
      "resultMessage": "[A220001] The device authorization request was processed successfully.",
      "action": "OK",
      "clientId": 57297408867,
      "clientIdAliasUsed": false,
      "clientName": "My Client",
      "deviceCode": "4TdpxKor9Nohv4X35HvLDFwhSEZcRaKVWn1pvMvUWhk",
      "expiresIn": 600,
      "interval": 5,
      "responseContent": "{\"user_code\":\"JSRBJDCF\",\"device_code\":\"4TdpxKor9Nohv4X35HvLDFwhSEZcRaKVWn1pvMvUWhk\",\"interval\":5,\"verification_uri\":\"https://example.com/device_flow/verification\",\"expires_in\":600}",
      "scopes": [{ "defaultEntry": false, "name": "address" }],
      "userCode": "JSRBJDCF",
      "verificationUri": "https://example.com/device_flow/verification"
    }
    

    This API parses request parameters of a device authorization request and returns necessary data for the authorization server implementation to process the device authorizaiton request further.

    Request

    POST /api/device/authorization

    Content-Type

    application/x-www-form-urlencoded
    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    parameters YES

    Parameters of a device authorization request which are the request parameters that the device authorization endpoint of the authorization server implementation received from the client application.

    The value of parameters is the entire entity body (which is formatted in application/x-www-form-urlencoded) of the request from the client application.

    clientId NO

    The client ID extracted from Authorization header of the device authorization request from the client application.

    If the device authorization endpoint of the authorization server implementation supports Basic Authentication as a means of client authentication, and the request from the client application contained its client ID in Authorization header, the value should be extracted and set to this parameter.

    clientSecret NO

    The client secret extracted from Authorization header of the device authorization request from the client application.

    If the device authorization endpoint of the authorization server implementation supports Basic Authentication as a means of client authentication, and the request from the client application contained its client secret in Authorization header, the value should be extracted and set to this parameter.

    clientCertificate NO

    The client certificate used in the TLS connection between the client application and the device authorization endpoint of the authorization server.

    clientCertificatePath NO

    The client certificate path presented by the client during client authentication. Each element is a string in PEM format.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    action string

    The next action that the authorization server implementation should take. One of the following. Details are described in the description.

    • INTERNAL_SERVER_ERROR
    • BAD_REQUEST
    • UNAUTHORIZED
    • OK
    responseContent string

    The content that the authorization server implementation is to return to the client application. Its format varies depending on the value of action parameter. See description for details.

    clientId string

    The client ID of the client application that has made the device authorization request.

    clientIdAlias string

    The client ID alias of the client application that has made the device authorization request.

    clientIdAliasUsed boolean

    true if the value of the client_id request parameter included in the device authorization request is the client ID alias. false if the value is the original numeric client ID.

    clientName string

    The name of the client application which has made the device authorization request.

    clientAuthMehtod string

    The client authentication method that should be performed at the device authorization endpoint. One of the values listed in Client Authentication Method

    scopes string array

    The scopes requested by the device authorization request.

    Basically, this method returns the value of the scope request parameter in the device authorization request. However, because unregistered scopes are dropped on Authlete side, if the scope request parameter contains unknown scopes, the list returned by this method becomes different from the value of the scope request parameter.

    Note that description property and descriptions property of each scope object in the array contained in this property is always null even if descriptions of the scopes are registered.

    claimNames string array

    The names of the claims which were requested indirectly via some special scopes. See 5.4. Requesting Claims using Scope Values in OpenID Connect Core 1.0 for details.

    This property is always null if the scope request parameter of the device authorization request does not include the openid scope even if special scopes (such as profile) are included in the request (unless the openid scope is included in the default set of scopes which is used when the scope request parameter is omitted).

    acrs string array

    The list of ACR values requested by the device authorization request.

    Basically, this method returns the value of the acr_values request parameter in the device authorization request. However, because unsupported ACR values are dropped on Authlete side, if the acr_values request parameter contains unrecognized ACR values, the list returned by this method becomes different from the value of the acr_values request parameter.

    If the request does not include the acr_values request parameter, the value of the default_acr_values client metadata is used.

    deviceCode string The device verification code. This corresponds to the device_code property in the response to the client.
    userCode string The end-user verification code. This corresponds to the user_code property in the response to the client.
    verificationUri string The end-user verification URI. This corresponds to the verification_uri property in the response to the client.
    verificationUriComplete string The end-user verification URI that includes the end-user verification code. This corresponds to the verification_uri_complete property in the response to the client.
    expiresIn i32 The duration of the issued device verification code and end-user verification code in seconds. This corresponds to the expires_in property in the response to the client.
    interval string The minimum amount of time in seconds that the client must wait for between polling requests to the token endpoint. This corresponds to the interval property in the response to the client.
    resources string array

    The resources specified by the resource request parameters. See Resource Indicators for OAuth 2.0 for details. This parameter is available since Authlete 2.2.

    authorizationDetails string

    The authorization details. This represents the value of the authorization_details request parameter which is defined in OAuth 2.0 Rich Authorization Requests. This parameter is available since Authlete 2.2.

    warnings string The warnings raised during processing the device authorization request.

    Description

    This API is supposed to be called from the within the implementation of the Device authorization endpoint of the service. The service implementation should retrieve the value of action from the response and take the following steps according to the value.


    INTERNAL_SERVER_ERROR

    When the value of action is INTERNAL_SERVER_ERROR, it means that the API call from the authorization server implementation was wrong or that an error occurred in Authlete.

    In either case, from a viewpoint of the client application, it is an error on the server side. Therefore, the authorization server implementation should generate a response to the client application with "500 Internal Server Error"s and application/json.

    The parameter responseContent contains a JSON string which describes t he error, so it can be used as the entity body of the response.

    The following illustrates the response which the authorization server implementation should generate and return to the client application.

    HTTP/1.1 500 Internal Server Error
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
    
    {responseContent}

    BAD_REQUEST

    When the value of action is BAD_REQUEST, it means that the device authorization request from the client application was wrong.

    The authorization server implementation should generate a response to the client application with "400 Bad Request" and application/json.

    The responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the authorization server implementation should generate and return to the client application.

    HTTP/1.1 400 Bad Request
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
    
    {responseContent}

    UNAUTHORIZED

    When the value of action is UNAUTHORIZED, it means that client authentication of the device authorization request failed.

    The authorization server implementation should generate a response to the client application with "401 Unauthorized" and application/json.

    The parameter responseContent contains a JSON string which describes the error, so it can be used as the entity body of the response.

    The following illustrates the response which the authorization server implementation must generate and return to the client application.

    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: (challenge)
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
    
    {responseContent}

    OK

    When the value of action is OK, it means that the device authorization request from the client application is valid.

    The authorization server implementation should generate a response to the client application with "200 OK" and application/json.

    The responseContent a JSON string which can be used as the entity body of the response.

    The following illustrates the response which the authorization server implementation should generate and return to the client application.

    HTTP/1.1 200 OK
    Content-Type: application/json
    Cache-Control: no-store
    Pragma: no-cache
    
    {responseContent}

    /device/verification API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/device/verification \
    -H 'Content-Type: application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -d '{ "userCode": "JSRBJDCF" }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    // Extract the user code issued by '/device/authorization' API.
    String userCode = extractUserCode();
    
    DeviceVerificationRequest request = new DeviceVerificationRequest().setUserCode(userCode);
    
    api.deviceVerification(request);
    
    # This API is not supported yet.
    
    // This API is not supported yet.
    

    Sample Response

    {
      "type": "deviceVerificationResponse",
      "resultCode": "A224001",
      "resultMessage": "[A224001] The user code is valid.",
      "action": "VALID",
      "clientId": 57297408867,
      "clientIdAliasUsed": false,
      "clientName": "My Client",
      "expiresAt": 1587713531000,
      "scopes": [{ "defaultEntry": false, "name": "address" }]
    }
    

    The API returns information associated with a user code.

    Request

    POST /api/device/verification

    Content-Type

    application/x-www-form-urlencoded
    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    userCode YES A user code.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    action string

    The next action that the authorization server implementation should take. One of the following. Details are described in the description.

    • SERVER_ERROR
    • NOT_EXIST
    • EXPIRED
    • VALID
    clientId string

    The client ID of the client application to which the user code has been issued.

    clientIdAlias string

    The client ID alias of the client application to which the user code has been issued.

    clientIdAliasUsed boolean

    true if the value of the client_id request parameter included in the device authorization request is the client ID alias. false if the value is the original numeric client ID.

    clientName string

    The name of the client application to which the user code has been issued.

    scopes string array

    The scopes requested by the device authorization request.

    Note that description property and descriptions property of each scope object in the array contained in this property is always null even if descriptions of the scopes are registered.

    claimNames string array

    The names of the claims which were requested indirectly via some special scopes. See 5.4. Requesting Claims using Scope Values in OpenID Connect Core 1.0 for details.

    This property is always null if the scope request parameter of the device authorization request does not include the openid scope even if special scopes (such as profile) are included in the request (unless the openid scope is included in the default set of scopes which is used when the scope request parameter is omitted).

    acrs string array The list of ACR values requested by the device authorization request.
    expiresAt i64 The expiration date in milliseconds since the Unix epoch (1970-01-01) at which the user code will expire.
    resources string array

    The resources specified by the resource request parameters in the preceding device authorization request. See Resource Indicators for OAuth 2.0 for details. This parameter is available since Authlete 2.2.

    authorizationDetails string

    The authorization details. This represents the value of the authorization_details request parameter in the preceding device authorization request which is defined in OAuth 2.0 Rich Authorization Requests. This parameter is available since Authlete 2.2.

    Description

    After receiving a response from the device authorization endpoint of the authorization server, the client application shows the end-user the user code and the verification URI which are included in the device authorization response. Then, the end-user will access the verification URI using a web browser on another device (typically, a smart phone). In normal implementations, the verification endpoint will return an HTML page with an input form where the end-user inputs a user code. The authorization server will receive a user code from the form.

    After receiving a user code, the authorization server should call Authlete's /device/verification API with the user code. And then, the authorization server implementation should retrieve the value of action parameter from the API response and take the following steps according to the value.


    SERVER_ERROR
    When the value of action is SERVER_ERROR, it means that an error occurred on Authlete side. The authorization server implementation should tell the end-user that something wrong happened and urge her to re-initiate a device flow.

    NOT_EXIST
    When the value of action is NOT_EXIST, it means that the user code does not exist. The authorization server implementation should tell the end-user that the user code is invalid and urge her to retry to input a valid user code.

    EXPIRED
    When the value of action is EXPIRED, it means that the user code has expired. The authorization server implementation should tell the end-user that the user code has expired and urge her to re-initiate a device flow.

    VALID
    When the value of action is VALID, it means that the user code exists, has not expired, and belongs to the service. The authorization server implementation should interact with the end-user to ask whether she approves or rejects the authorization request from the device.

    /device/complete API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/device/complete \
    -H 'Content-Type: application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -d '{ "userCode": "JSRBJDCF", "result": "AUTHORIZED", "subject": "john" }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    // Extract the user code issued by '/device/authorization' API.
    String userCode = extractUserCode();
    
    // The result of the end-user authentication and authorization.
    DeviceCompleteRequest.Result result = DeviceCompleteRequest.Result.AUTHORIZED;
    
    // Get the subject (= unique identifier) of the end-user.
    String subject = getSubject();
    
    DeviceCompleteRequest request = new DeviceCompleteRequest()
      .setUserCode(parameters)
      .setResult(result)
      .setSubject(subject)
    ;
    
    api.deviceComplete(request);
    
    # This API is not supported yet.
    
    // This API is not supported yet.
    

    Sample Response

    {
      "type": "deviceCompleteResponse",
      "resultCode": "A241001",
      "resultMessage": "[A241001] The API call was processed successfully.",
      "action": "SUCCESS"
    }
    

    This API returns information about what action the authorization server should take after it receives the result of end-user's decision about whether the end-user has approved or rejected a client application's request.

    Request

    POST /api/device/complete

    Content-Type

    application/x-www-form-urlencoded
    application/json

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    userCode YES

    The user code input by the end-user.

    result YES

    The result of the end-user authentication and authorization. One of the following. Details are described in the description.

    • TRANSACTION_FAILED
    • ACCESS_DENIED
    • AUTHORIZED
    subject YES

    The subject (= unique identifier) of the end-user.

    sub NO

    The value of the sub claim that should be used in the ID token.

    authTime NO

    The time at which the end-user was authenticated.

    acr NO

    The reference of the authentication context class which the end-user authentication satisfied.

    claims NO

    Additional claims which will be embedded in the ID token.

    properties NO

    The extra properties associated with the access token.

    scopes NO

    Scopes to replace the scopes specified in the original device authorization request with. When nothing is specified for this parameter, replacement is not performed.

    errorDescription NO

    The description of the error. If this optional request parameter is given, its value is used as the value of the error_description property, but it is used only when the result is not AUTHORIZED. To comply with the specification strictly, the description must not include characters outside the set %x20-21 / %x23-5B / %x5D-7E.

    errorUri NO

    The URI of a document which describes the error in detail. If this optional request parameter is given, its value is used as the value of the error_uri property, but it is used only when the result is not AUTHORIZED.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    action string

    The next action that the authorization server implementation should take. One of the following. Details are described in the description.

    • SERVER_ERROR
    • USER_CODE_NOT_EXIST
    • USER_CODE_EXPIRED
    • INVALID_REQUEST
    • SUCCESS

    Description

    In the device flow, an end-user accesses the verification endpoint of the authorization server where she interacts with the verification endpoint and inputs a user code. The verification endpoint checks if the user code is valid and then asks the end-user whether she approves or rejects the authorization request which the user code represents.

    After the authorization server receives the decision of the end-user, it should call Authlete's /device/complete API to tell Authlete the decision.

    When the end-user was authenticated and authorization was granted to the client by the end-user, the authorization server should call the API with result=AUTHORIZED. In this successful case, the subject request parameter is mandatory. The API will update the database record so that /auth/token API can generate an access token later.

    If the scope parameter of the device authorization request included the openid scope, an ID token is generated. In this case, sub, authTime, acr and claims request parameters in the API call to /device/complete affect the ID token.

    When the authorization server receives the decision of the end-user and it indicates that she has rejected to give authorization to the client, the authorization server should call the API with result=ACCESS_DENIED. In this case, the API will update the database record so that the /auth/token API can generate an error response later. If errorDescription and errorUri request parameters are given to the /device/complete API, they will be used as the values of error_description and error_uri response parameters in the error response from the token endpoint.

    When the authorization server could not get decision from the end-user for some reasons, the authorization server should call the API with result=TRANSACTION_FAILED. In this error case, the API will behave in the same way as in the case of ACCESS_DENIED. The only difference is that expired_token is used as the value of the error response parameter instead of access_denied.

    After receiving a response from the /device/complete API, the implementation of the authorization server should retrieve the value of action from the response and take the following steps according to the value.


    SERVER_ERROR
    When the value of action is SERVER_ERROR, it means that an error occurred on Authlete side. The authorization server implementation should tell the end-user that something wrong happened and urge her to re-initiate a device flow.

    USER_CODE_NOT_EXIST
    When the value of action is USER_CODE_NOT_EXIST, it means that the user code included in the API call does not exist. The authorization server implementation should tell the end-user that the user code has been invalidated and urge her to re-initiate a device flow.

    USER_CODE_EXPIRED
    When the value of action is USER_CODE_EXPIRED, it means that the user code included in the API call has expired. The authorization server implementation should tell the end-user that the user code has expired and urge her to re-initiate a device flow.

    INVALID_REQUEST
    When the value of action is INVALID_REQUEST, it means that the API call is invalid. Probably, the authorization server implementation has some bugs.

    SUCCESS
    When the value of action is SUCCESS, it means that the API call has been processed successfully. The authorization server should return a successful response to the web browser the end-user is using.

    Token Operations

    /auth/token/get/list API

    Sample Request

    curl -v https://api.authlete.com/api/auth/token/get/list/john?start=0\&end=3 \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    int start = 0;
    int end   = 3;
    
    api.getTokenList(start, end);
    
    # This API is not supported yet.
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    int start = 0;
    int end   = 3;
    
    await api.GetTokenList(start, end);
    

    Sample Response

    {
      "accessTokens": [
        {
          "accessTokenExpiresAt": 1527583747000,
          "accessTokenHash": "kjjduowWXMPiHt1AjxbgkqWANOsVWQfKYCyFO76q1MU",
          "clientId": 11867130158,
          "createdAt": 1527497347000,
          "grantType": "AUTHORIZATION_CODE",
          "lastRefreshedAt": 0,
          "refreshTokenExpiresAt": 1528361347000,
          "refreshTokenHash": "hCkIkuS6py0drpe5XOybw0MxkgsYNOk2q3dtilLiI64",
          "scopes": ["openid"],
          "subject": "john"
        }, 
        {...},
        {...}
      ],
      "client": {...}
      "end": 3,
      "start": 0,
      "totalCount": 15
    }
    

    Get a list of access tokens.

    Request

    GET /api/auth/token/get/list

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    clientIdentifier NO

    Client Identifier (client ID or client ID alias).

    subject NO

    Unique user ID.

    start NO

    Start index of search results (inclusive). The default value is 0.

    end NO

    End index of search results (exclusive). The default value is 5.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    start i32

    Start index of search results (inclusive).

    end i32

    End index of search results (exclusive).

    totalCount i32

    The total number of access tokens that meet the conditions.

    client Client

    The client associated with the access tokens.

    subject string

    The identifier of the user associated with the access tokens.

    accessTokens AccessToken array

    An array of access tokens.

    /auth/token/create API

    Sample Request

    curl -v -X POST https://api.authlete.com/api/auth/token/create \
    -H 'Content-Type:application/json' \
    -u '10167240235:LFpGEwpyHKNYMeMHg-H339X8gXdVlix-GoCHQAjAMaE' \
    -d '{ "grantType": "AUTHORIZATION_CODE", "clientId": 57297408867, "subject": "john", "scopes": [ "openid" ] }'
    
    AuthleteApi api = AuthleteApiFactory.getDefaultApi();
    
    TokenCreateRequest request = new TokenCreateRequest()
      .setGrantType(GrantType.AUTHORIZATION_CODE)
      .setClientId(57297408867)
      .setSubject("john")
      .setScopes({ "openid" });
    
    api.tokenCreate(request);
    
    # This API is not supported yet.
    
    IAuthleteConfiguration conf = new AuthletePropertiesConfiguration();
    IAuthleteApi api            = new AuthleteApi(conf);
    
    TokenCreateRequest request = new TokenCreateRequest();
    request.GrantType = GrantType.AUTHORIZATION_CODE;
    request.ClientId  = 57297408867;
    request.Subject   = "john";
    request.Scopes    = { "openid" };
    
    await api.TokenCreate(request);
    

    Sample Response

    {
      "type": "tokenCreateResponse",
      "resultCode": "A109001",
      "resultMessage": "[A109001] An access token was created successfully: authorization_code, client = 57297408867",
      "accessToken": "ILuFMMKP-oTY9hFVSUKo9NKiyOwyrcSvxNicxSQ9maA",
      "action": "OK",
      "clientId": 57297408867,
      "expiresAt": 1511246182637,
      "expiresIn": 86400,
      "grantType": "AUTHORIZATION_CODE",
      "refreshToken": "zRMu25sREDJS9qRZUr3j9Qb_hrUZxSUQRkahi0giyyZ",
      "subject": "john",
      "tokenType": "Bearer"
    }
    

    Create an access token.

    Request

    GET /api/auth/token/create
    POST /api/auth/token/create

    Content-Type

    application/x-www-form-urlencoded (POST only)
    application/json (POST only)

    Authorization

    Basic Authentication with API key & API secret of a service.

    Parameters

    Name Required Description
    grantType YES

    The grant type for a newly created access token. One of the following. REFRESH_TOKEN is not allowed.

    • AUTHORIZATION_CODE
    • IMPLICIT
    • PASSWORD
    • CLIENT_CREDENTIALS

    When grantType is either IMPLICIT or CLIENT_CREDENTIALS, a refresh token is not issued.

    See the description of grant types for details about the values above.

    clientId YES

    The ID of the client application which will be associated with a newly created access token.

    subject CONDITIONALLY REQUIRED

    The subject (= unique identifier) of the user who will be associated with a newly created access token. This parameter is required unless the grant type is CLIENT_CREDENTIALS. The value must consist of only ASCII characters and its length must not exceed 100.

    scopes NO

    The scopes which will be associated with a newly created access token. Scopes that are not supported by the service cannot be specified and requesting them will cause an error.

    accessTokenDuration NO

    The duration of a newly created access token in seconds. If the value is 0, the duration is determined according to the settings of the service.

    refreshTokenDuration NO

    The duration of a newly created refresh token in seconds. If the value is 0, the duration is determined according to the settings of the service.

    A refresh token is not created (1) if the service does not support REFRESH_TOKEN, or (2) if the specified grant type is either IMPLICIT or CLIENT_CREDENTIALS.

    properties NO

    Extra properties to associate with a newly created access token. Note that properties parameter is accepted only when the HTTP method of the request is POST and Content-Type of the request is application/json, so don't use GET method or application/x-www-form-urlencoded if you want to specify properties. See Extra Properties for details.

    clientIdAliasUsed NO

    A boolean request parameter which indicates whether to emulate that the client ID alias is used instead of the original numeric client ID when a new access token is created.

    This has an effect only on the value of the aud claim in a response from UserInfo endpoint. When you access the UserInfo endpoint (which is expected to be implemented using Authlete's /api/auth/userinfo API and /api/auth/userinfo/issue API) with an access token which has been created using Authlete's /api/auth/token/create API with this property (clientIdAliasUsed) true, the client ID alias is used as the value of the aud claim in a response from the UserInfo endpoint.

    Note that if a client ID alias is not assigned to the client when Authlete's /api/auth/token/create API is called, this property (clientIdAliasUsed) has no effect (it is always regarded as false).

    accessToken NO

    The value of the new access token.

    The /api/auth/token/create API generates an access token. Therefore, callers of the API do not have to specify values of newly created access tokens. However, in some cases, for example, if you want to migrate existing access tokens from an old system to Authlete, you may want to specify values of access tokens. In such a case, you can specify the value of a newly created access token by passing a non-null value as the value of accessToken request parameter. The implementation of the /api/auth/token/create uses the value of the accessToken request parameter instead of generating a new value when the request parameter holds a non-null value.

    Note that if the hash value of the specified access token already exists in Authlete's database, the access token cannot be inserted and the /api/auth/token/create API will report an error.

    refreshToken NO

    The value of the new refresh token.

    The /api/auth/token/create API may generate a refresh token. Therefore, callers of the API do not have to specify values of newly created refresh tokens. However, in some cases, for example, if you want to migrate existing refresh tokens from an old system to Authlete, you may want to specify values of refresh tokens. In such a case, you can specify the value of a newly created refresh token by passing a non-null value as the value of refreshToken request parameter. The implementation of the /api/auth/token/create uses the value of the refreshToken request parameter instead of generating a new value when the request parameter holds a non-null value.

    Note that if the hash value of the specified refresh token already exists in Authlete's database, the refresh token cannot be inserted and the /api/auth/token/create API will report an error.

    accessTokenPersistent NO

    Get whether the access token expires or not. By default, all access tokens expire after a period of time determined by their service.

    If this request parameter is true then the access token will not automatically expire and must be revoked or deleted manually at the service. If this request parameter is true, the accessTokenDuration request parameter is ignored.

    Response

    Content-Type

    application/json

    Parameters

    Name Type Description
    resultCode string

    The code which represents the result of the API call. The value is one of the result codes listed in Result Codes.

    resultMessage string

    A short message which explains the result of the API call.

    action string

    The next action that the authorization server implementation should take. One of the following. Details are described in the description.

    • INTERNAL_SERVER_ERROR
    • BAD_REQUEST
    • FORBIDDEN
    • OK
    accessToken string

    The newly issued access token.

    clientId i64

    The ID of the client application which is associated with the access token.

    expiresAt i64

    The time at which the access token expires.

    expiresIn i64

    The duration of the newly issued access token in seconds.

    grantType GrantType

    The grant type for the newly issued access token.

    properties