OAuth 2.0 / OpenID Connect

Authcore is complaint to OAuth 2.0 and OpenID Connect standards. The OAuth 2.0 protocol provides API access control via scoped access tokens, and OpenID Connect provides user authentication and single sign-on (SSO) funcitonality.

Endpoints

Authorization

POST https://auth.acme.com/oauth/authorize

This is a starting point for browser-based OpenID Connect flows such as the implicit and authorization code flows. This request authenticates the user and returns tokens along with an authorization grant to the client application as a part of the callback response.

Query Parameters

Name
Type
Description

state

string

A value to be returned in the token. The client application can use it to remember the state of its interaction with the end user at the time of the authentication call.

scope

string

Currently empty.

response_type

string

Any combination of code, token, and id_token.

redirect_uri

string

Callback location where the authorization code or tokens should be sent. It must match the preset value in client application configuration.

code_challenge_method

string

Method used to derive the code challenge for PKCE. Valid value: S256

code_challenge

string

A challenge for PKCE. The challenge is verified in the access token request.

client_id

string

The ID in client application configuration.

Token

POST https://auth.acme.com/oauth/token

This endpoint returns access tokens, ID tokens, and refresh tokens, depending on the request parameters. For password, client credentials, and refresh token flows, calling /token is the only step of the flow. For the authorization code flow, calling /token is the second step of the flow.

Request Body

Name
Type
Description

code

string

Required if grant_type is authorization_code. The value is what was returned from the authorization endpoint.

code_verifier

string

Required if grant_type is authorization_code and code_challenge was specified in the original authorization request. This value is the code verifier for PKCE.

grant_type

string

Can be one of the following: authorization_code, or refresh_token.

redirect_uri

string

Required if grant_type is authorization_code. Specifies the callback location where the authorization was sent.

refresh_token

string

Required if grant_type is refresh_token.

{
    "access_token": "access_token",
    "token_type": "token_type",
    "expires_in": 987654321,
    "scope": "",
    "refresh_token": "",
    "id_token": "id_token"
}

GET https://auth.acme.com/.well-known/openid-configuration

Returns OpenID Connect metadata about your authorization server.

{
  "issuer": "https://auth.acme.com",
  "authorization_endpoint": "https://auth.acme.com/oauth/authorize",
  "token_endpoint": "https://auth.acme.com/oauth/token",
  "jwks_uri": "https://auth.acme.com/.well-known/jwks.json",
  "response_types_supported": [
    "code",
    "code id_token",
    "id_token",
    "token id_token"
  ]
}

JSON Web Key Set

GET https://auth.acme.com/.well-known/jwks.json

Returns a JSON Web Key Set (JWKS) that contains the public keys that can be used to verify the signatures of tokens that you receive from your authorization server.

{
  "keys": [
    {
      "use": "sig",
      "kty": "EC",
      "kid": "hN351AH04N2BBba3N6PgNcVloRohu6KkDRDMcvr5k28",
      "crv": "P-256",
      "alg": "ES256",
      "x": "KY6MShC7UrSkekyczKKvZQXuxFKDRd0DEgV6r9XeDAY",
      "y": "aGDz074Md6DQU2rRSY0jif6kawW6r22Q4jzi6Se75Wk"
    }
  ]
}

PreviousAPI OverviewNextJavascript

Last updated