Authlete
Request to Authlete's /api/auth/authorization/issue API.
Properties

string Ticket [get, set]
The ticket issued by Authlete's /api/auth/authorization API to the authorization server implementation. It is the value returned from AuthorizationResponse.Ticket. The ticket is necessary to call Authlete's /api/auth/authorization/issue API. This request parameter is mandatory.

string Subject [get, set]
The subject (= unique identifier) of the end-user who has granted authorization to the client application. This request parameter is required unless the authorization request has come with response_type=none (which means the client application did not request any token to be returned). See 4. None Response Type of OAuth 2.0 Multiple Response Type Encoding Practices for details about response_type=none.

string Sub [get, set]
The value of the "sub" claim used in the ID token which is to be issued. If this property returns null or its value is empty, the value of the Subject property is used as the value of the "sub" claim. The main purpose of this Sub property is to hide the actual value of the subject from client applications.

long AuthTime [get, set]
The time when the authentication of the end-user occurred. It should represent the elapsed time since the Unix epoch (1970-Jan-1) in seconds.

string Acr [get, set]
The Authentication Context Class Reference performed for the end-user authentication.

string Claims [get, set]
The claims of the end-user (= pieces of information about the end-user) in JSON format. This request parameter is optional.

Property[] Properties [get, set]
Extra properties that you want to associate with an access token and/or an authorization code which will be issued. This request parameter is optional.

string[] Scopes [get, set]
Scopes that should be associated with an authorization code and/or an access token. If null (the default value) is set, the scopes specified in the original authorization request from the client application are used. In other cases, the scopes set to this property replace the original scopes contained in the original request. This request parameter is optional.

string IdtHeaderParams [get, set]
JSON that represents additional JWS header parameters for ID tokens that may be issued based on the authorization request.
Property Documentation

string Acr [get, set]
The Authentication Context Class Reference performed for the end-user authentication.

long AuthTime [get, set]
The time when the authentication of the end-user occurred. It should represent the elapsed time since the Unix epoch (1970-Jan-1) in seconds.

string Claims [get, set]
The claims of the end-user (= pieces of information about the end-user) in JSON format. This request parameter is optional.
The authorization server implementation is required to retrieve the claims of the subject (= information about the end-user) from its database and format them as a JSON object. For example, if the "given_name" claim, the "family_name" claim and the "email" claim are requested, the authorization server implementation should generate a JSON object holding exactly those three claims and set its string representation to this Claims property. Only claims that were actually requested should be included; the authorization server implementation decides which of them it is willing to release.
See 5.1. Standard Claims of OpenID Connect Core 1.0 for details about the format.
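The following is an added example, not code from the authlete-csharp library or from this page, of how an authorization server implementation can build the value for the Claims property: it answers only the claims that were requested and that it can supply, so the whole user record is never serialized. The UserRecord type, the ClaimsBuilder helper and the user store are hypothetical; the class name AuthorizationIssueRequest in the usage comment is taken from the library rather than from this page, and the idea that the requested claim names come from AuthorizationResponse.Claims is an assumption about the library.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;

// Hypothetical view of one row of the authorization server's user store.
public sealed class UserRecord
{
    public string GivenName     { get; set; }
    public string FamilyName    { get; set; }
    public string Email         { get; set; }
    public bool   EmailVerified { get; set; }
}

public static class ClaimsBuilder
{
    // Standard claim names (OpenID Connect Core 1.0, 5.1) that this server
    // knows how to supply, mapped onto the user record. A requested claim
    // that is not listed here is simply not answered.
    static readonly Dictionary<string, Func<UserRecord, object>> Providers =
        new(StringComparer.Ordinal)
        {
            ["given_name"]     = u => u.GivenName,
            ["family_name"]    = u => u.FamilyName,
            ["email"]          = u => u.Email,
            ["email_verified"] = u => u.EmailVerified,
        };

    // Returns the JSON string to set on the Claims property.
    public static string Build(UserRecord user, IEnumerable<string> requestedClaims)
    {
        var claims = new Dictionary<string, object>(StringComparer.Ordinal);

        foreach (var name in requestedClaims)
        {
            // Only answer claims that were requested and that we can supply.
            // Null values are skipped rather than emitted as JSON null, so a
            // client cannot distinguish "unknown claim" from "no value".
            if (Providers.TryGetValue(name, out var provider))
            {
                var value = provider(user);
                if (value != null)
                {
                    claims[name] = value;
                }
            }
        }

        return JsonSerializer.Serialize(claims);
    }
}

// Usage (constructed sample input), assuming the request class name from
// the library and that the requested claim names were taken from the
// /api/auth/authorization response:
//
//   var user = new UserRecord { GivenName = "John", FamilyName = "Doe",
//                               Email = "john@example.com", EmailVerified = true };
//   var request = new AuthorizationIssueRequest
//   {
//       Ticket  = authorizationResponse.Ticket,
//       Subject = "user-1234",
//       Claims  = ClaimsBuilder.Build(user, new[] { "given_name", "family_name", "email" }),
//   };
//
// request.Claims is then
//   {"given_name":"John","family_name":"Doe","email":"john@example.com"}
// "email_verified" is not included because it was not requested.
```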

string IdtHeaderParams [get, set]
JSON that represents additional JWS header parameters for ID tokens that may be issued based on the authorization request.
Since version 1.4.0.

Property[] Properties [get, set]
Extra properties that you want to associate with an access token and/or an authorization code which will be issued. This request parameter is optional.
Extra properties are returned to the client application together with the access token unless they are marked as hidden: each non-hidden property appears as an additional top-level member of the token response, next to the members defined in 5.1. Successful Response of RFC 6749. Mark a property as hidden unless the client application is meant to see its value.
The keys listed below must not be used, and they would be ignored on the Authlete side even if they were used, because they are reserved by RFC 6749 and OpenID Connect Core 1.0:
access_token
token_type
expires_in
refresh_token
scope
error
error_description
error_uri
id_token
Note that there is an upper limit on the total size of extra properties. On the Authlete side, the properties are (1) converted to a multidimensional string array, (2) converted to JSON, (3) encrypted with AES/CBC/PKCS5Padding, (4) encoded with base64url, and then stored in the database. The length of the resultant string must not exceed 65,535 bytes. This is the upper limit, but we think it is big enough.
You can retrieve the extra properties associated with an access token by calling Authlete's /api/auth/introspection API.
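The following is an added example, not code from the authlete-csharp library or from this page, of a pre-flight check an authorization server implementation can run on the value of the Properties property before calling the API. It drops the reserved keys listed above (Authlete would ignore them anyway), reports which keys will be visible to the client application, and estimates the stored size by mirroring the four steps described above. Property with Key, Value and Hidden members is taken from the library (Authlete.Dto.Property); that it exposes exactly those members, and that the stored string array is laid out as key/value pairs, are assumptions, so the size estimate is an approximation and is kept conservative.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;
using Authlete.Dto;   // Property: Key, Value, Hidden (assumed member names)

public static class ExtraPropertyCheck
{
    // Reserved by RFC 6749 and OpenID Connect Core 1.0; ignored by Authlete.
    static readonly HashSet<string> Reserved = new(StringComparer.Ordinal)
    {
        "access_token", "token_type", "expires_in", "refresh_token", "scope",
        "error", "error_description", "error_uri", "id_token",
    };

    const int StoredLimitBytes = 65535;
    const int AesBlockBytes    = 16;

    // Conservative estimate of the stored form described on this page:
    // string[][] -> JSON -> AES/CBC/PKCS5Padding -> base64url.
    // The key/value layout of the array is an assumption of this example.
    public static int EstimateStoredBytes(IEnumerable<Property> props)
    {
        var array  = props.Select(p => new[] { p.Key, p.Value }).ToArray();
        int plain  = Encoding.UTF8.GetByteCount(JsonSerializer.Serialize(array));
        // PKCS#5 padding always adds 1..16 bytes, up to the next block boundary.
        int cipher = (plain / AesBlockBytes + 1) * AesBlockBytes;
        // base64url: 4 output characters per 3 input bytes, rounded up.
        return (cipher + 2) / 3 * 4;
    }

    // Returns the properties that should actually be sent, and lists the
    // keys the client application will see in the token response.
    public static Property[] Sanitize(IEnumerable<Property> props, out string[] visibleKeys)
    {
        var kept = props
            .Where(p => !string.IsNullOrEmpty(p.Key))
            .Where(p => !Reserved.Contains(p.Key))
            .ToArray();

        // Anything not marked Hidden goes back to the client together with
        // the access token; review this list before issuing.
        visibleKeys = kept.Where(p => !p.Hidden).Select(p => p.Key).ToArray();

        if (EstimateStoredBytes(kept) > StoredLimitBytes)
        {
            throw new ArgumentException(
                "extra properties are too large for Authlete's 65,535-byte stored-size limit");
        }

        return kept;
    }
}

// Usage (constructed sample input):
//
//   var props = new[]
//   {
//       new Property { Key = "tenant_id",    Value = "acme",  Hidden = true  },
//       new Property { Key = "plan",         Value = "gold",  Hidden = false },
//       new Property { Key = "access_token", Value = "oops",  Hidden = false }, // reserved, dropped
//   };
//   var request = new AuthorizationIssueRequest   // class name from the library
//   {
//       Ticket     = ticket,
//       Subject    = "user-1234",
//       Properties = ExtraPropertyCheck.Sanitize(props, out var visible),
//   };
//   // visible == { "plan" }: only "plan" will appear in the token response.
```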

string[] Scopes [get, set]
Scopes that should be associated with an authorization code and/or an access token. If null (the default value) is set, the scopes specified in the original authorization request from the client application are used. In other cases, the scopes set to this property replace the original scopes contained in the original request. This request parameter is optional.
Even scopes that are not included in the original authorization request can be specified. However, as an exception, the "openid" scope is ignored on the Authlete side if it is not included in the original request (to be exact, if "openid" was not included in the parameters request parameter of the request to the /api/auth/authorization API). This is because the existence of the "openid" scope considerably changes the validation steps, and because adding "openid" would trigger generation of an ID token although the client application has not requested one, which is a major violation of the specification.
If you add the "offline_access" scope although it is not included in the original request, keep in mind that the specification requires explicit consent from the end-user for the scope (11. Offline Access of OpenID Connect Core 1.0). When "offline_access" is included in the original authorization request, the current implementation of Authlete's /api/auth/authorization API checks whether the authorization request has come with the "prompt" request parameter and whether its value includes "consent". However, the implementation of Authlete's /api/auth/authorization/issue API does not perform the same validation when the "offline_access" scope is newly added via this Scopes property, so the authorization server implementation has to perform that check itself before adding it.
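The following is an added example, not code from the authlete-csharp library or from this page, of how an authorization server implementation can compute the value for the Scopes property while honouring the two rules just described: a newly added "openid" is not sent (Authlete would ignore it), and a newly added "offline_access" is refused unless the original request carried prompt=consent and the end-user explicitly consented, since the issue API will not check that. The original scopes and prompt values are passed as plain strings; taking them from AuthorizationResponse.Scopes and AuthorizationResponse.Prompts is an assumption about the library, and the ScopePolicy helper is hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class ScopePolicy
{
    // Returns the array to set on the Scopes property, or null to leave the
    // property unset so that Authlete keeps the original scopes (the
    // documented default).
    public static string[] Reconcile(
        IReadOnlyCollection<string> originalScopes,   // scopes in the original authorization request
        IReadOnlyCollection<string> originalPrompts,  // values of the original "prompt" parameter
        IReadOnlyCollection<string> desiredScopes,    // scopes the server wants to grant
        bool userConsentedToOfflineAccess)            // recorded on the consent screen
    {
        var original = new HashSet<string>(originalScopes, StringComparer.Ordinal);
        var result   = new List<string>();

        foreach (var scope in desiredScopes.Distinct(StringComparer.Ordinal))
        {
            if (scope == "openid" && !original.Contains("openid"))
            {
                // Authlete ignores a newly added "openid"; adding it would
                // silently turn a plain OAuth 2.0 flow into an OpenID Connect
                // one, so do not send it at all.
                continue;
            }

            if (scope == "offline_access" && !original.Contains("offline_access"))
            {
                // OpenID Connect Core 1.0, 11: offline access requires
                // prompt=consent and the end-user's explicit consent. The
                // issue API does not verify this for a newly added scope,
                // so fail closed here.
                bool promptConsent = originalPrompts.Contains("consent", StringComparer.Ordinal);
                if (!promptConsent || !userConsentedToOfflineAccess)
                {
                    throw new InvalidOperationException(
                        "refusing to add offline_access without prompt=consent and explicit end-user consent");
                }
            }

            result.Add(scope);
        }

        // Same set as the original request: let Authlete use the original scopes.
        return original.SetEquals(result) ? null : result.ToArray();
    }
}

// Usage (constructed sample input):
//
//   // Original request: scope=openid profile, prompt=consent
//   var scopes = ScopePolicy.Reconcile(
//       originalScopes:  new[] { "openid", "profile" },
//       originalPrompts: new[] { "consent" },
//       desiredScopes:   new[] { "openid", "profile", "offline_access" },
//       userConsentedToOfflineAccess: true);
//   // scopes == { "openid", "profile", "offline_access" }
//
//   // The same call with originalPrompts = new string[0] throws
//   // InvalidOperationException instead of granting offline_access.
//
//   var request = new AuthorizationIssueRequest   // class name from the library
//   {
//       Ticket  = ticket,
//       Subject = "user-1234",
//       Scopes  = scopes,
//   };
```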

string Sub [get, set]
The value of the "sub" claim used in the ID token which is to be issued. If this property returns null or its value is empty, the value of the Subject property is used as the value of the "sub" claim. The main purpose of this Sub property is to hide the actual value of the subject from client applications.
Note that the value of the Subject property is used as the value of the subject associated with the access token regardless of whether this Sub property holds a non-empty value or not.
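The following is an added example, not code from the authlete-csharp library or from this page, of one way to use the Sub property for its stated purpose: the client application receives a pairwise pseudonymous identifier in the ID token while the Subject value that Authlete binds to the access token stays internal. The derivation follows the example algorithm in 8.1 of OpenID Connect Core 1.0 (a hash over the sector identifier, the local account identifier and a server-held salt); the PairwiseSubject helper, the salt handling and the sector identifier source are assumptions made for this example, and the class name AuthorizationIssueRequest in the usage comment is taken from the library.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class PairwiseSubject
{
    // sectorIdentifier: the host the client application's redirect URIs
    //                   (or its sector_identifier_uri) resolve to.
    // localSubject:     the value that will go into the Subject property.
    // salt:             secret, fixed for the lifetime of the service and
    //                   never disclosed; rotating it changes every "sub".
    public static string Derive(string sectorIdentifier, string localSubject, byte[] salt)
    {
        if (string.IsNullOrEmpty(sectorIdentifier))
            throw new ArgumentException("sector identifier is required", nameof(sectorIdentifier));
        if (string.IsNullOrEmpty(localSubject))
            throw new ArgumentException("local subject is required", nameof(localSubject));
        if (salt == null || salt.Length < 16)
            throw new ArgumentException("salt must be at least 128 bits", nameof(salt));

        // Length-prefix each field so that "ab"+"c" and "a"+"bc" cannot
        // produce the same hash input.
        byte[] sector  = Encoding.UTF8.GetBytes(sectorIdentifier);
        byte[] subject = Encoding.UTF8.GetBytes(localSubject);

        var input = new byte[4 + sector.Length + 4 + subject.Length + salt.Length];
        int offset = 0;
        offset = Append(input, offset, BitConverter.GetBytes(sector.Length));
        offset = Append(input, offset, sector);
        offset = Append(input, offset, BitConverter.GetBytes(subject.Length));
        offset = Append(input, offset, subject);
        Append(input, offset, salt);

        using var sha = SHA256.Create();
        return Base64Url(sha.ComputeHash(input));
    }

    static int Append(byte[] dest, int offset, byte[] src)
    {
        Buffer.BlockCopy(src, 0, dest, offset, src.Length);
        return offset + src.Length;
    }

    // base64url without padding, the encoding used for values of this kind
    // in the OpenID Connect specifications.
    static string Base64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}

// Usage (constructed sample input; the salt would come from protected
// configuration, not from source code):
//
//   byte[] salt = Convert.FromHexString("0f1e2d3c4b5a69788796a5b4c3d2e1f0");
//   string local = "user-1234";
//   var request = new AuthorizationIssueRequest   // class name from the library
//   {
//       Ticket  = ticket,
//       Subject = local,                                          // bound to the access token
//       Sub     = PairwiseSubject.Derive("client.example.com", local, salt),  // what the client sees
//   };
//
// Two clients with different sector identifiers get different "sub" values
// for the same end-user, and neither learns "user-1234".
```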

string Subject [get, set]
The subject (= unique identifier) of the end-user who has granted authorization to the client application. This request parameter is required unless the authorization request has come with response_type=none (which means the client application did not request any token to be returned). See 4. None Response Type of OAuth 2.0 Multiple Response Type Encoding Practices for details about response_type=none.
This property is used as the value of the subject associated with the access token (if one is issued) and as the value of the "sub" claim in the ID token (if one is issued).
Note that, if the Sub property returns a non-empty value, that value is used as the value of the "sub" claim in the ID token. However, even in such a case, the value of the subject associated with the access token is still the value of this Subject property.

string Ticket [get, set]
The ticket issued by Authlete's /api/auth/authorization API to the authorization server implementation. It is the value returned from AuthorizationResponse.Ticket. The ticket is necessary to call Authlete's /api/auth/authorization/issue API. This request parameter is mandatory.