OAuth 2.0 / OpenID Connect

Authcore is compliant with the OAuth 2.0 and OpenID Connect standards. OAuth 2.0 provides API access control via scoped access tokens, and OpenID Connect provides user authentication and single sign-on (SSO) functionality.

Endpoints

post Authorization

https://auth.acme.com/oauth/authorize

This is the starting point for browser-based OpenID Connect flows such as the implicit and authorization code flows. The request authenticates the user and returns tokens, along with an authorization grant, to the client application as part of the callback response.

Request

Query Parameters

state (string, required)
    A value to be returned in the token. The client application can use it to remember the state of its interaction with the end user at the time of the authentication call.

scope (string, required)
    Currently empty.

response_type (string, required)
    Any combination of code, token, and id_token.

redirect_uri (string, required)
    Callback location where the authorization code or tokens should be sent. It must match the value preset in the client application configuration.

code_challenge_method (string, optional)
    Method used to derive the code challenge for PKCE. Valid value: S256.

code_challenge (string, optional)
    The PKCE code challenge. It is verified in the access token request.

client_id (string, required)
    The client ID from the client application configuration.

Response

200: OK

post Token

https://auth.acme.com/oauth/token

This endpoint returns access tokens, ID tokens, and refresh tokens, depending on the request parameters. For the password, client credentials, and refresh token flows, calling /token is the only step of the flow. For the authorization code flow, calling /token is the second step, after the authorization endpoint has returned a code.

Request

Body Parameters

code (string, optional)
    Required if grant_type is authorization_code. The value returned from the authorization endpoint.

code_verifier (string, optional)
    Required if grant_type is authorization_code and code_challenge was specified in the original authorization request. The PKCE code verifier.

grant_type (string, required)
    One of: authorization_code, refresh_token.

redirect_uri (string, optional)
    Required if grant_type is authorization_code. The callback location to which the authorization was sent.

refresh_token (string, optional)
    Required if grant_type is refresh_token.

Response

200: OK

{
  "access_token": "access_token",
  "token_type": "token_type",
  "expires_in": 987654321,
  "scope": "",
  "refresh_token": "",
  "id_token": "id_token"
}
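The two endpoints above form one procedure for a public client: build the authorization request with PKCE, receive the callback, then exchange the code. The Go program below is an added example, not Authcore's own code, written against the endpoint URLs on this page. It generates the state and code_verifier, derives the S256 code_challenge, checks the returned state before the code is used, and assembles the /oauth/token form body. The client_id, redirect_uri, the callback URL and the code inside it are constructed placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Endpoint URLs are the ones documented on this page; client values below are hypothetical.
const (
	authorizeEndpoint = "https://auth.acme.com/oauth/authorize"
	tokenEndpoint     = "https://auth.acme.com/oauth/token"
)

// randomURLSafe returns n random bytes as unpadded base64url, an alphabet
// RFC 7636 permits for a code_verifier.
func randomURLSafe(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// S256Challenge computes code_challenge = BASE64URL(SHA-256(code_verifier)),
// the only code_challenge_method the page lists as valid.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthorizeURL builds the authorization request. state and verifier stay in the
// client's session; only the hashed challenge is placed in the URL.
func AuthorizeURL(clientID, redirectURI, responseType string) (authURL, state, verifier string, err error) {
	if state, err = randomURLSafe(32); err != nil {
		return
	}
	// 32 random bytes encode to 43 characters, the RFC 7636 minimum verifier length.
	if verifier, err = randomURLSafe(32); err != nil {
		return
	}
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("response_type", responseType)
	q.Set("scope", "") // documented above as currently empty
	q.Set("state", state)
	q.Set("code_challenge_method", "S256")
	q.Set("code_challenge", S256Challenge(verifier))
	authURL = authorizeEndpoint + "?" + q.Encode()
	return
}

// CheckCallback returns the authorization code only when the callback's state
// equals the stored one; otherwise the callback was not started by this session.
func CheckCallback(callbackURL, expectedState string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	got := u.Query().Get("state")
	if expectedState == "" || subtle.ConstantTimeCompare([]byte(got), []byte(expectedState)) != 1 {
		return "", errors.New("state mismatch")
	}
	code := u.Query().Get("code")
	if code == "" {
		return "", errors.New("callback carries no authorization code")
	}
	return code, nil
}

// TokenRequestBody is the form body for the second step, the POST to /oauth/token,
// where the server checks S256(code_verifier) against the stored code_challenge.
func TokenRequestBody(code, verifier, redirectURI string) url.Values {
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("code_verifier", verifier)
	form.Set("redirect_uri", redirectURI)
	return form
}

func main() {
	authURL, state, verifier, err := AuthorizeURL("my-client-id", "https://app.example/callback", "code")
	if err != nil {
		panic(err)
	}
	fmt.Println("send the browser to:", authURL)
	// Constructed callback standing in for what the browser brings back.
	code, err := CheckCallback("https://app.example/callback?code=SplxlOBeZQQYbYS6WxSbIA&state="+state, state)
	if err != nil {
		panic(err)
	}
	// A real client would now http.PostForm(tokenEndpoint, body) and parse the JSON response shown above.
	fmt.Println("POST", tokenEndpoint, TokenRequestBody(code, verifier, "https://app.example/callback").Encode())
}
```

The verifier is never sent to the authorization endpoint, so a code intercepted on the redirect cannot be redeemed without the session that generated it; the state comparison is constant-time and rejects an empty stored state so a callback that arrives before any request was made is refused rather than accepted with an empty-string match.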

get OpenID Connect Discovery

https://auth.acme.com/.well-known/openid-configuration

Returns OpenID Connect metadata about your authorization server: the issuer, the authorization and token endpoints, the jwks_uri from which signing keys are fetched, and the supported response types.

Response

200: OK

{
  "issuer": "https://auth.acme.com",
  "authorization_endpoint": "https://auth.acme.com/oauth/authorize",
  "token_endpoint": "https://auth.acme.com/oauth/token",
  "jwks_uri": "https://auth.acme.com/.well-known/jwks.json",
  "response_types_supported": [
    "code",
    "code id_token",
    "id_token",
    "token id_token"
  ]
}

get JSON Web Key Set

https://auth.acme.com/.well-known/jwks.json

Returns a JSON Web Key Set (JWKS) that contains the public keys that can be used to verify the signatures of tokens that you receive from your authorization server.

Response

200: OK

{
  "keys": [
    {
      "use": "sig",
      "kty": "EC",
      "kid": "hN351AH04N2BBba3N6PgNcVloRohu6KkDRDMcvr5k28",
      "crv": "P-256",
      "alg": "ES256",
      "x": "KY6MShC7UrSkekyczKKvZQXuxFKDRd0DEgV6r9XeDAY",
      "y": "aGDz074Md6DQU2rRSY0jif6kawW6r22Q4jzi6Se75Wk"
    }
  ]
}
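The discovery document and the JWKS above are what a client consumes to validate the id_token it gets back from /oauth/token. The Go program below is an added example, not Authcore's code: it selects the ES256 key by kid from a JWKS in the format shown, verifies the JWS signature over the token, and then checks iss against the discovery document's issuer, aud against the client_id and exp against the current time. Because the page's key is public only, the block generates its own P-256 key pair and signs a constructed ID token with it so the verifier can be exercised offline; the kid, client_id and claim values are constructed, and aud is assumed to be a single string.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// JWK and JWKS mirror /.well-known/jwks.json; encoding/json matches the lower-case keys case-insensitively.
type JWK struct {
	Use, Kty, Kid, Crv, Alg, X, Y string
}
type JWKS struct{ Keys []JWK }

// Claims are the ID token claims checked below (aud assumed to be one string).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// VerifyIDToken validates a compact ES256 JWS against the JWKS, then checks iss, aud and exp.
// alg is pinned to ES256 and the key is chosen by kid among EC P-256 "sig" keys only.
func VerifyIDToken(token string, jwks JWKS, issuer, clientID string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr map[string]string
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr["alg"] != "ES256" {
		return nil, errors.New("bad header or unexpected alg")
	}
	var pub *ecdsa.PublicKey
	for _, k := range jwks.Keys {
		if k.Kid != hdr["kid"] || k.Use != "sig" || k.Alg != "ES256" || k.Kty != "EC" || k.Crv != "P-256" {
			continue
		}
		xb, errX := b64.DecodeString(k.X)
		yb, errY := b64.DecodeString(k.Y)
		if errX != nil || errY != nil {
			return nil, errors.New("malformed key coordinates")
		}
		pub = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	}
	if pub == nil {
		return nil, errors.New("no usable ES256 signing key for kid " + hdr["kid"])
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // JWS ES256 signatures are r||s, 32 bytes each, not DER
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	if c.Iss != issuer || c.Aud != clientID || now.Unix() >= c.Exp {
		return nil, errors.New("claims rejected: iss, aud or exp does not match")
	}
	return &c, nil
}

// PublicJWK renders a key pair's public half as a JWKS entry in the page's format (constructed for this example).
func PublicJWK(priv *ecdsa.PrivateKey, kid string) JWK {
	enc := func(n *big.Int) string { return b64.EncodeToString(n.FillBytes(make([]byte, 32))) }
	return JWK{Use: "sig", Kty: "EC", Kid: kid, Crv: "P-256", Alg: "ES256", X: enc(priv.X), Y: enc(priv.Y)}
}

// SignIDToken plays the server's role so the verifier can be exercised offline.
func SignIDToken(priv *ecdsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err) // only the random source can fail here
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	jwks := JWKS{Keys: []JWK{PublicJWK(priv, "example-kid")}} // as fetched from jwks_uri
	tok := SignIDToken(priv, "example-kid", Claims{Iss: "https://auth.acme.com", Aud: "my-client-id", Exp: time.Now().Add(time.Hour).Unix()})
	if _, err := VerifyIDToken(tok, jwks, "https://auth.acme.com", "my-client-id", time.Now()); err != nil {
		panic(err)
	}
}
```

In a deployed client the issuer and jwks_uri come from the discovery document rather than being hard-coded, the JWKS is cached by kid and refetched once when a token arrives with a kid not in the cache, and the expected alg is fixed from the key's own alg field rather than taken from the token header, which is why the header value is compared against a constant here.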