...
The user is given a link to start the authorization process, including the mandatory parameters:

Parameter | Description
---|---
response_type=code | Specifies that the application is requesting an authorization code grant (the value is always "code")
client_id=CLIENT_ID | The clientId that has been set up for the application
redirect_uri=CALLBACK_URL | Where Faces redirects the user after an authorization code is granted (full URI, including the http://, https:// or other scheme prefix)

https://hurricane.umbrellanet.ch/uf-test/oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL
...
The application requests an access token from the API by passing the authorization code, together with its client credentials, in an HTTP POST:

Parameter | Description
---|---
CLIENT_ID:CLIENT_SECRET | The clientId and clientSecret that have been set up for the application, sent as HTTP Basic authentication
code=THE_AUTH_CODE | The authorization code received in step 3
redirect_uri=CALLBACK_URL | The same callback URL as used in step 2
grant_type=authorization_code | Specifies that you want to trade the authorization code for an access token (and a refresh token)
Example request using cURL:

```bash
# Equivalent URL form: https://CLIENT_ID:CLIENT_SECRET@hurricane.umbrellanet.ch/uf-test/oauth/token?grant_type=authorization_code&code=THE_AUTH_CODE&redirect_uri=CALLBACK_URL
curl -v -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -u CLIENT_ID:CLIENT_SECRET \
  -d "grant_type=authorization_code" \
  -d "code=THE_AUTH_CODE" \
  -d "redirect_uri=CALLBACK_URL" \
  https://hurricane.umbrellanet.ch/uf-test/oauth/token
```
...
ID token
TODO
In addition to (or instead of) our OAuth API scopes, we also support scopes that result in the generation of an ID-Token, which is returned in step 4 as well as step 5 of the authorization flow.
If only an ID-Token is desired, the OAuth process may be called with response_type=token, which triggers the OAuth 2.0 Implicit flow and only generates a short-lived access token without providing a refresh token. Note that the implicit flow delivers the token in the fragment of the redirect URI and does not authenticate the client; current OAuth 2.0 security guidance recommends the authorization code flow instead.
Scope | Description
---|---
openid | Required scope; triggers generation of an ID token containing the Faces UUID of the profile in an "openid" attribute
profile | Outputs the user profile in a "profile" attribute containing a displayname and (depending on availability) firstname / name / phone
email | Outputs the user's e-mail address as an "email" attribute
agencyid | Outputs the UUID of the user's associated travel agency (the main agency if access to multiple agencies is granted, as for an administrator) in the "agencyid" attribute of the token
The ID-Token is presented in the form of a JSON Web Token (JWT) and is cryptographically signed (RS256, as the token header in the example below shows) using our Service Provider Certificate, which is published in the SAML metadata at <faces_url>/saml/metadata,
i.e. https://hurricane.umbrellanet.ch/uf-test/saml/metadata. A client should verify that signature against the certificate before trusting any claim in the token.
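Because the signing certificate is published inside SAML metadata rather than as a JWKS document, a client has to pull it out of the XML itself. The following Go program is an added example written for this page, not code from Faces or Umbrella: it maps the standard SAML 2.0 metadata layout (EntityDescriptor > SPSSODescriptor > KeyDescriptor > ds:KeyInfo > ds:X509Data > ds:X509Certificate), keeps only the certificates marked for signing (a use="encryption" key must never be accepted for signature checks) and returns their RSA public keys. `ConstructedMetadata` is a constructed fixture with a throwaway self-signed certificate so the parser runs offline; in production you fetch the real document from https://hurricane.umbrellanet.ch/uf-test/saml/metadata over HTTPS and refresh it when the certificate is rotated.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// spMetadata maps only the part of the SAML metadata we need: the KeyDescriptor
// elements under SPSSODescriptor. encoding/xml matches by local name, so the
// md:/ds: prefixes of a real document are irrelevant.
type spMetadata struct {
	Keys []struct {
		Use  string `xml:"use,attr"`
		Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
	} `xml:"SPSSODescriptor>KeyDescriptor"`
}

// SigningKeysFromMetadata returns the RSA public key of every certificate the
// metadata publishes for signing. A KeyDescriptor marked use="encryption" is
// skipped: that key must never be accepted for signature verification. The
// X509Certificate element holds base64 DER, usually wrapped over several lines.
func SigningKeysFromMetadata(metadataXML []byte) ([]*rsa.PublicKey, error) {
	var md spMetadata
	if err := xml.Unmarshal(metadataXML, &md); err != nil {
		return nil, err
	}
	var keys []*rsa.PublicKey
	for _, kd := range md.Keys {
		if kd.Use != "" && kd.Use != "signing" {
			continue
		}
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(kd.Cert), ""))
		if err != nil {
			return nil, err
		}
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
			keys = append(keys, pub)
		}
	}
	if len(keys) == 0 {
		return nil, errors.New("metadata publishes no RSA signing certificate")
	}
	return keys, nil
}

// ConstructedMetadata is a test fixture, not the document Faces serves: it wraps a
// throwaway self-signed certificate in metadata XML, once for signing and once for
// encryption, and also returns the matching private key.
func ConstructedMetadata() ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "test fixture, not the Faces certificate"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	b64 := base64.StdEncoding.EncodeToString(der)
	doc := `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:SPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      ` + b64 + `
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      ` + b64 + `
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>`
	return []byte(doc), key, nil
}

func main() {
	doc, _, err := ConstructedMetadata()
	if err != nil {
		panic(err)
	}
	keys, err := SigningKeysFromMetadata(doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d signing key(s); first has a %d-bit modulus\n", len(keys), keys[0].N.BitLen())
}
```

The fixture deliberately publishes the same certificate twice, once as a signing key and once as an encryption key; the parser returns exactly one key, which is the check that matters when a real document carries both.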
Access Token with additional id_token:

```json
{
"access_token": "f88a7119-b585-4c9c-9867-88a40aae41f8",
"token_type": "bearer",
"refresh_token": "bab32afe-acf8-4a8e-ba7c-ed567daa0ee4",
"expires_in": 3599,
"scope": "email openid profile",
"id_token": "eyJhbGciOiJSUzI1NiJ9.eyJvcGVuaWQiOiIzZDkyMDVjYS1mMjY0LTRhZDgtYjFhYy1lNjQ1NTU3ZWFhOTkiLCJwcm9maWxlIjp7ImZpcnN0bmFtZSI6IlJlbW8iLCJwaG9uZSI6Iis0MTQ0MTIzNDU2NyIsImRpc3BsYXluYW1lIjoiSGVyciBSZW1vIFLDpGJlciIsIm5hbWUiOiJSw6RiZXIifSwiZW1haWwiOiJyZW1vLnRlc3RAdW1icmVsbGEuY2gifQ.ni2_4eszvqV5JgWBzJNmQ8jq225_7i-TiMAFzSGDSkPt6J5CTPSQF5wsq_Og5tOzd39nybGfwRzDyAkAOWinU2_djUv58gMx095U77ccSlSVYca6sn8t8WL62v8AOPSO9h8ok52nQpjtZFWcni4KABlcCKd_feT_5KjAmsRQwf7NZ0gqkoP3Y4Ymo454N8ezu822slF-ub4UdA1VBHDZuCJtQWbdsT2Cfep1NWRf3by_uP2s6yxHcHmQ0R_kYwXKMW2SbxyGo821cN-sxXYmppb4ipDtPKC7ANUYc5wZQ2Gp0gAenMIfxooz0njkEWKKMq3pwZWNJnWHDwVsluqI_w"
}
```
Decoded ID-Token
The following shows the decoded payload of the "id_token" value in the response above:

```json
{
"openid": "3d9205ca-f264-4ad8-b1ac-e645557eaa99",
"profile": {
"firstname": "Remo",
"phone": "+41441234567",
"displayname": "Herr Remo Räber",
"name": "Räber"
},
"email": "remo.test@umbrella.ch"
}
```
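The page describes the ID-Token as an RS256-signed JWT but not how a client should check it. The following Go verifier is an added example, not Faces or Umbrella code: it pins the alg header to RS256 (refusing "none" and the HMAC algorithms, which closes the classic downgrade where an attacker MACs the token with the public certificate), verifies the signature over header.payload against the public key(s) taken from the metadata certificate, and only then decodes the claims shown in the decoded token above. `MintTestToken` is a constructed fixture that signs the example claims with a throwaway key so the verifier runs offline; a real token comes from the token endpoint and must be checked against the Faces certificate. As the example token shows, the payload carries only the scope-derived claims and no iss, aud, exp or nonce, so the verifier cannot check those; treat the ID-Token as trustworthy only as part of the token response it was delivered in.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// IDToken holds the claims as they appear in the decoded example above;
// "agencyid" is only present when that scope was requested.
type IDToken struct {
	OpenID   string            `json:"openid"`
	Email    string            `json:"email"`
	AgencyID string            `json:"agencyid"`
	Profile  map[string]string `json:"profile"`
}

// VerifyIDToken checks the RS256 signature over "header.payload" against the
// published signing key(s) before it decodes a single claim. The alg header is
// pinned to RS256 so neither "none" nor an HMAC algorithm is accepted. JWT
// segments are unpadded base64url (RFC 7515), as in the example token.
func VerifyIDToken(jwt string, keys []*rsa.PublicKey) (*IDToken, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT: want header.payload.signature")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported or unreadable alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	err = errors.New("no published key matched")
	for _, k := range keys {
		if err = rsa.VerifyPKCS1v15(k, crypto.SHA256, digest[:], sig); err == nil {
			break
		}
	}
	if err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var tok IDToken
	if err != nil || json.Unmarshal(payload, &tok) != nil {
		return nil, errors.New("payload is not base64url-encoded JSON")
	}
	return &tok, nil
}

// MintTestToken is a constructed fixture: it signs the claims of the decoded
// example above with a throwaway key so VerifyIDToken can be exercised offline.
// Real tokens are issued by Faces and signed with the /saml/metadata certificate.
func MintTestToken() (string, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	claims := `{"openid":"3d9205ca-f264-4ad8-b1ac-e645557eaa99","profile":{"firstname":"Remo","phone":"+41441234567","displayname":"Herr Remo Räber","name":"Räber"},"email":"remo.test@umbrella.ch"}`
	enc := base64.RawURLEncoding.EncodeToString
	signingInput := enc([]byte(`{"alg":"RS256"}`)) + "." + enc([]byte(claims))
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", nil, err
	}
	return signingInput + "." + enc(sig), &priv.PublicKey, nil
}

func main() {
	tok, pub, err := MintTestToken()
	if err != nil {
		panic(err)
	}
	claims, err := VerifyIDToken(tok, []*rsa.PublicKey{pub})
	if err != nil {
		panic(err)
	}
	fmt.Println("verified ID-Token for", claims.Profile["displayname"], "openid", claims.OpenID)
}
```

The claims are decoded only after the signature has been verified; a tampered payload, an alg=none header, or a token signed under a different key all fail before any field is read, which is the property the page's "cryptographically signed" statement is meant to give you.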
Profiles API
...