...

The user is given a link that starts the authorization process. It carries the following mandatory parameters:

Parameter                  | Description
---------------------------|------------------------------------------------------------
response_type=code         | Specifies that the application is requesting an authorization code grant (the value is always "code")
client_id=CLIENT_ID        | The clientId that has been set up for the application
redirect_uri=CALLBACK_URL  | Where Faces redirects the user after an authorization code is granted (full URI, including the http://, https:// or other scheme prefix); the same value must be sent again in the token request

https://hurricane.umbrellanet.ch/uf-test/oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL

...

The application requests an access token from the API by passing the authorization code together with its client credentials in an HTTP POST:

Parameter                      | Description
-------------------------------|------------------------------------------------------------
CLIENT_ID:CLIENT_SECRET        | The clientId and clientSecret that have been set up for the application, sent as HTTP Basic authentication
code=THE_AUTH_CODE             | The authorization code received in step 3
redirect_uri=CALLBACK_URL      | The same callback URL as used in step 2
grant_type=authorization_code  | Specifies that you want to exchange the authorization code for an access token (the token response also carries a refresh token)
Example Request using cURL:

# Equivalent single-URL form of the request below (credentials as URL userinfo, parameters as query string):
# https://CLIENT_ID:CLIENT_SECRET@hurricane.umbrellanet.ch/uf-test/oauth/token?grant_type=authorization_code&code=THE_AUTH_CODE&redirect_uri=CALLBACK_URL
curl -v -X POST \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -u CLIENT_ID:CLIENT_SECRET \
    -d "grant_type=authorization_code" \
    -d "code=THE_AUTH_CODE" \
    -d "redirect_uri=CALLBACK_URL" \
    https://hurricane.umbrellanet.ch/uf-test/oauth/token
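The three client-side steps described above (building the authorization link, handling the callback, and exchanging the code at the token endpoint) as one runnable helper module. This is an added example, not code from the Faces API or its documentation; it builds and checks the messages but does not send them. Two things it uses are not in the page's parameter tables and are assumptions: a `state` value on the authorize URL that Faces echoes back unchanged on the callback (the standard OAuth 2.0 CSRF defence), and a `scope` parameter carrying the scopes described in the ID token section. The endpoint paths and the test host are the ones shown on this page.

```python
"""Authorization-code flow helpers for the Faces OAuth endpoints.

Added example, not code from the Faces API or its documentation.  Assumptions not
stated on the page: the authorize endpoint accepts a 'state' parameter and echoes it
back unchanged on the callback (standard OAuth 2.0 CSRF protection), and the
requested scopes travel in the standard 'scope' parameter.
"""
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

FACES_URL = "https://hurricane.umbrellanet.ch/uf-test"  # test instance named on the page


def build_authorize_url(client_id, redirect_uri, scopes=("openid", "email"), state=None):
    """Step 2: the link the user follows.  response_type, client_id and redirect_uri are
    the mandatory parameters from the page; 'scope' and 'state' are assumptions."""
    state = state or secrets.token_urlsafe(24)  # unguessable; keep it in the user's session
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # full URI; must be repeated unchanged in step 4
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{FACES_URL}/oauth/authorize?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Step 3: extract the authorization code from the redirect to CALLBACK_URL.

    The callback is rejected unless 'state' equals the value stored when the link was
    built; without this check an attacker can inject a code of their own into a
    victim's session and bind that session to an account the attacker controls.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization refused: {query['error'][0]}")
    if expected_state is None or query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this login")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Step 4: the request the cURL example sends.  Client credentials go in an HTTP
    Basic header (what 'curl -u' produces); grant_type, code and redirect_uri go in
    the form-encoded body.  Returns (url, headers, body) for any HTTP client."""
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    headers = {
        "Authorization": f"Basic {credentials}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # the same callback URL as in step 2
    })
    return f"{FACES_URL}/oauth/token", headers, body


if __name__ == "__main__":
    url, state = build_authorize_url("CLIENT_ID", "https://app.example/cb")
    print("send the user to:", url)
    # Constructed callback, as the browser would deliver it after the user consents:
    code = parse_callback(f"https://app.example/cb?code=THE_AUTH_CODE&state={state}", state)
    endpoint, headers, body = build_token_request("CLIENT_ID", "CLIENT_SECRET", code, "https://app.example/cb")
    print("POST", endpoint, headers, body)
```

The `state` value must be generated per login attempt and compared before the code is used; the code itself is single-use and short-lived, so there is no point retrying a callback whose state does not match.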

...

ID token

TODO

In addition to (or instead of) our OAuth API scopes, we also support scopes that cause an ID token to be generated; it is returned in step 4 as well as step 5 of the authorization flow.
If only an ID token is desired, the authorization request may be sent with response_type=token. This triggers the OAuth 2.0 implicit flow, which generates only a short-lived access token and provides no refresh token. Because the implicit flow delivers tokens through the browser redirect URL, current OAuth 2.0 security guidance discourages it; prefer the authorization code flow where possible.

Scope    | Description
---------|------------------------------------------------------------
openid   | Required scope; triggers generation of an ID token containing the Faces UUID of the profile in an "openid" attribute
profile  | Outputs the user profile in a "profile" attribute containing displayname and (depending on availability) firstname / name / phone
email    | Outputs the user's e-mail address in an "email" attribute
agencyid | Outputs the UUID of the user's travel agency (for an administrator with access to multiple agencies, the main agency) in an "agencyid" attribute of the token

The ID token is a JSON Web Token (JWT) signed with the private key of our Service Provider certificate; the header of the example below decodes to {"alg":"RS256"}. The certificate is published in the SAML metadata at <faces_url>/saml/metadata,
i.e. https://hurricane.umbrellanet.ch/uf-test/saml/metadata, and clients should verify the signature against that certificate before trusting any attribute in the token.

Access Token with additional id_token:
{
  "access_token": "f88a7119-b585-4c9c-9867-88a40aae41f8",
  "token_type": "bearer",
  "refresh_token": "bab32afe-acf8-4a8e-ba7c-ed567daa0ee4",
  "expires_in": 3599,
  "scope": "email openid profile",
  "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJvcGVuaWQiOiIzZDkyMDVjYS1mMjY0LTRhZDgtYjFhYy1lNjQ1NTU3ZWFhOTkiLCJwcm9maWxlIjp7ImZpcnN0bmFtZSI6IlJlbW8iLCJwaG9uZSI6Iis0MTQ0MTIzNDU2NyIsImRpc3BsYXluYW1lIjoiSGVyciBSZW1vIFLDpGJlciIsIm5hbWUiOiJSw6RiZXIifSwiZW1haWwiOiJyZW1vLnRlc3RAdW1icmVsbGEuY2gifQ.ni2_4eszvqV5JgWBzJNmQ8jq225_7i-TiMAFzSGDSkPt6J5CTPSQF5wsq_Og5tOzd39nybGfwRzDyAkAOWinU2_djUv58gMx095U77ccSlSVYca6sn8t8WL62v8AOPSO9h8ok52nQpjtZFWcni4KABlcCKd_feT_5KjAmsRQwf7NZ0gqkoP3Y4Ymo454N8ezu822slF-ub4UdA1VBHDZuCJtQWbdsT2Cfep1NWRf3by_uP2s6yxHcHmQ0R_kYwXKMW2SbxyGo821cN-sxXYmppb4ipDtPKC7ANUYc5wZQ2Gp0gAenMIfxooz0njkEWKKMq3pwZWNJnWHDwVsluqI_w"
} 

Decoded ID-Token

The following extract shows the decoded payload of the "id_token" value in the response above. Note that it carries only the requested attributes and none of the standard OpenID Connect claims (iss, aud, exp, nonce), so the signature check against the Service Provider certificate is the only thing that binds these attributes to Faces; there is no expiry or audience for the client to check.

{
  "openid": "3d9205ca-f264-4ad8-b1ac-e645557eaa99",
  "profile": {
    "firstname": "Remo",
    "phone": "+41441234567",
    "displayname": "Herr Remo Räber",
    "name": "Räber"
  },
  "email": "remo.test@umbrella.ch"
} 
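Verifying the returned id_token before using any of its attributes, as an added example that is not code from Faces or its documentation. It pins the algorithm to RS256, checks the RSASSA-PKCS1-v1_5 / SHA-256 signature against the RSA public key of the Service Provider certificate, and only then returns the claims. It assumes you have already taken the certificate out of `<faces_url>/saml/metadata` and extracted its modulus `n` and public exponent `e` (for instance with `openssl x509 -in sp.pem -noout -modulus`, and `-text` for the exponent); fetching and parsing the metadata XML is not shown. The verification is written with the standard library only so the file runs offline and shows what "signed with the SP certificate" means at the byte level; in production use a maintained JWT library. `PAGE_ID_TOKEN` is the token from the example response above, and `decode_unverified` reproduces the decoded view shown on the page.

```python
"""Verification of the RS256-signed ID token returned with the access token.

Added example, not code from Faces or its documentation.  It assumes you have already
taken the Service Provider certificate from <faces_url>/saml/metadata and extracted its
RSA public numbers n and e (e.g. 'openssl x509 -in sp.pem -noout -modulus -text');
fetching and parsing that XML is not shown.  Signature checking is RSASSA-PKCS1-v1_5
with SHA-256 done with the standard library only, so the file runs offline.
"""
import base64
import hashlib
import hmac
import json

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
_SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

# The id_token from the example response on this page (copied from the page, not constructed).
PAGE_ID_TOKEN = (
    "eyJhbGciOiJSUzI1NiJ9."
    "eyJvcGVuaWQiOiIzZDkyMDVjYS1mMjY0LTRhZDgtYjFhYy1lNjQ1NTU3ZWFhOTkiLCJwcm9maWxlIjp7ImZpcnN0bmFtZSI6IlJlbW8iLCJwaG9uZSI6Iis0MTQ0MTIzNDU2NyIsImRpc3BsYXluYW1lIjoiSGVyciBSZW1vIFLDpGJlciIsIm5hbWUiOiJSw6RiZXIifSwiZW1haWwiOiJyZW1vLnRlc3RAdW1icmVsbGEuY2gifQ."
    "ni2_4eszvqV5JgWBzJNmQ8jq225_7i-TiMAFzSGDSkPt6J5CTPSQF5wsq_Og5tOzd39nybGfwRzDyAkAOWinU2_djUv58gMx095U77ccSlSVYca6sn8t8WL62v8AOPSO9h8ok52nQpjtZFWcni4KABlcCKd_feT_5KjAmsRQwf7NZ0gqkoP3Y4Ymo454N8ezu822slF-ub4UdA1VBHDZuCJtQWbdsT2Cfep1NWRf3by_uP2s6yxHcHmQ0R_kYwXKMW2SbxyGo821cN-sxXYmppb4ipDtPKC7ANUYc5wZQ2Gp0gAenMIfxooz0njkEWKKMq3pwZWNJnWHDwVsluqI_w"
)


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def pkcs1_v15_sha256_encode(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo||SHA-256(message), exactly k bytes."""
    t = _SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    pad_len = k - len(t) - 3
    if pad_len < 8:
        raise ValueError("modulus too short for PKCS#1 v1.5 with SHA-256")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + t


def verify_id_token(id_token: str, n: int, e: int) -> dict:
    """Return the claims of id_token after checking its RS256 signature with key (n, e).

    The algorithm is pinned to RS256 (the header of the page's example decodes to
    {"alg":"RS256"}); anything else, including "none" or an HMAC alg, is refused so
    the token cannot pick a weaker check for itself.  Claims are decoded only after
    the signature verifies.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256":
        raise ValueError(f"refusing alg {header.get('alg')!r}; only RS256 is accepted")

    k = (n.bit_length() + 7) // 8
    sig = int.from_bytes(b64url_decode(sig_b64), "big")
    if sig >= n:
        raise ValueError("signature out of range for this key")
    em = pow(sig, e, n).to_bytes(k, "big")  # RSAVP1: recover the encoded message
    expected = pkcs1_v15_sha256_encode(f"{header_b64}.{payload_b64}".encode("ascii"), k)
    if not hmac.compare_digest(em, expected):  # compare the whole EM, constant time
        raise ValueError("ID token signature does not verify against the SP certificate")

    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims.get("openid"), str):
        raise ValueError("'openid' claim (the Faces profile UUID) is missing")
    return claims


def decode_unverified(id_token: str) -> tuple:
    """Header and payload as dicts without any signature check: for debugging only,
    never as input to an authorisation decision."""
    header_b64, payload_b64, _ = id_token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    header, claims = decode_unverified(PAGE_ID_TOKEN)
    print(header)
    print(json.dumps(claims, ensure_ascii=False, indent=2))
```

Because the token carries no expiry or audience, `verify_id_token` deliberately does not pretend to check them; the caller has to treat the token as valid only in the context of the token response it arrived in.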

Profiles API

...