
OAuth 2.0 information

Here is some further relevant information on the OAuth 2.0 protocol.
The Signicat Identity Broker supports the most commonly used OAuth 2.0 flows: Authorisation Code Grant and Implicit Grant.

Authorisation Code grant flow

The Authorisation Code grant type is used by clients to exchange an authorisation code for an access token. See https://oauth.net/2/grant-types/authorization-code/ for a detailed description of the flow.
Example of authorisation request
<base_url>/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=code&scope=<scope>

| ID | Value | Description |
|---|---|---|
| client_id | Unique identifier | Identifies the client at the Signicat Identity Broker. This must be agreed upon between your service and Signicat before starting the integration. |
| redirect_uri | URL | The URL on your service that will receive the response. |
| response_type | "code" | This value must be set to "code" to retrieve an Authorisation Token. |
| scope | Optional field | At some OAuth servers, the client can specify the scope of the request. |

Example of authorisation response
<redirect_uri>?code=<authorization_token>
Before the <authorization_token> is sent, the user must first authenticate with an identity provider.

Example messages for Access Token endpoint

Access Token request (POST method)
<base_url>/access_token?client_id=<client_id>&client_secret=<client_secret>&grant_type=authorization_code&code=<code>&redirect_uri=<redirect_uri>
The parameters should be sent in the request body with the Content-Type header set to application/x-www-form-urlencoded.

| ID | Value | Description |
|---|---|---|
| client_id | Unique identifier | Identifies the client at the Signicat Identity Broker. This must be agreed upon between your service and Signicat before starting the integration. |
| redirect_uri | URL | The URL on your service that will receive the response. |
| grant_type | "authorization_code" | Must be set to this value to receive an Access Token. |
| client_secret | Unique identifier | A secret key agreed upon between your service and the Signicat Identity Broker. |
| code | Unique identifier | This is the Authorisation Token returned by the Signicat Identity Broker from the authorisation endpoint. |

Access Token response (JSON format)
{
  "access_token": "<access_token>",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "<refresh_token>"
}

| ID | Value | Description |
|---|---|---|
| access_token | Unique identifier | The Access Token returned by the Signicat Identity Broker. |
| token_type | "Bearer" | |
| expires_in | Integer | The time (in seconds) until the Access Token expires. |
| refresh_token | Unique identifier | The Refresh Token returned by the Signicat Identity Broker. |
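
The Access Token exchange described above, as an added example that is not Signicat's own code: it builds the POST with every parameter in the form body, so the client_secret never ends up in a URL or an access log, and it checks the documented response fields before the token is used. The host name, client values and function names are constructed placeholders.

```python
import json
import urllib.parse
import urllib.request

# Constructed placeholder; the real base URL is agreed with Signicat.
BASE_URL = "https://broker.example.test"


def build_token_request(base_url, client_id, client_secret, code, redirect_uri):
    """Build the Access Token POST with all parameters in the form body."""
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    body = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(
        base_url.rstrip("/") + "/access_token",  # no query string on the URL
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(raw):
    """Validate the JSON token response fields listed in the table above."""
    doc = json.loads(raw)
    token = doc.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("missing access_token")
    if str(doc.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    expires_in = doc.get("expires_in")
    if isinstance(expires_in, bool) or not isinstance(expires_in, int):
        raise ValueError("expires_in is not an integer")
    if expires_in <= 0:
        raise ValueError("expires_in must be positive")
    return {"access_token": token, "expires_in": expires_in,
            "refresh_token": doc.get("refresh_token")}


if __name__ == "__main__":
    req = build_token_request(BASE_URL, "demo-client", "demo-secret",
                              "demo-code", "https://app.example.test/cb")
    print(req.get_method(), req.full_url)
    print(req.data.decode("ascii"))
    # Constructed sample response, not captured from a real broker.
    sample = '{"access_token":"tok","token_type":"bearer","expires_in":3600}'
    print(parse_token_response(sample))
```

The request object is only built here, not sent; pass it to `urllib.request.urlopen` over HTTPS to perform the exchange.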

Example messages for user info endpoint

User info request (GET method)
<base_url>/<access_token>
User Info response (JSON format)
{
  "nameId": "<some_name>",
  "userAttributes":
  [
    "name": ["<attribute_value1>", "<attribute_value2>", ...],
  ]
}

Implicit grant flow

This flow can be used by applications running in the browser that cannot securely store a shared secret. In this case, the access token is directly returned upon user authentication and authorisation.
See https://oauth.net/2/grant-types/implicit/ for a detailed description of the flow.

Example messages for Authorisation endpoint

Authorisation request
<base_url>/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=token&scope=<scope>&state=<state>

| ID | Value | Description |
|---|---|---|
| client_id | Unique identifier | Identifies the client at the Signicat Identity Broker. This must be agreed upon between your service and Signicat before starting the integration. |
| redirect_uri | URL | The URL on your application that will receive the response. |
| response_type | "token" | This value must be set to "token" to retrieve an Access Token. |
| scope | Optional field | At some OAuth servers, the client can specify the scope of the request. |
| state | Recommended unique identifier | An opaque value used by the client to prevent cross-site request forgery. |

Authorisation response
<redirect_uri>?code=<access_token>&state=<state>&token_type=bearer&expires_in=<expires_in>

| ID | Value | Description |
|---|---|---|
| access_token | Unique identifier | The Access Token returned by the Signicat Identity Broker. |
| state | Unique identifier | The same value as sent in the request. |
| token_type | "Bearer" | |
| expires_in | Integer | Defines the time (usually in seconds) when the Access Token will expire. |