- Generated by
1.8.18
|
Authlete
|
Request to Authlete's /api/backchannel/authentication/complete API.
More...
Properties | |
| string | Ticket [get, set] |
The ticket which is necessary to call Authlete's /api/backchannel/authentication/complete API. This request parameter is mandatory. More... | |
| BackchannelAuthenticationCompleteResult | Result [get, set] |
| The result of end-user authentication and authorization. This request parameter is mandatory. More... | |
| string | Subject [get, set] |
| The subject (= unique identifier) of the end-user who has granted authorization to the client application. More... | |
| string | Sub [get, set] |
The value of the "sub" claim used in the ID token. If this property returns null or its value is empty, the value of the Subject property is used as the value of the "sub" claim. The main purpose of this Sub property is to hide the actual value of the subject from client applications. More... | |
| long | AuthTime [get, set] |
The time at which the end-user was authenticated. When this request parameter holds a positive number, the "auth_time" claim will be embedded in the ID token. More... | |
| string | Acr [get, set] |
The reference of the authentication context class which the end-user authentication satisfied. When this request parameter holds a non-null value, the "acr" claim will be embedded in the ID token. More... | |
| string | Claims [get, set] |
| Additional claims which will be embedded in the ID token. More... | |
| Property[] | Properties [get, set] |
| Extra properties that you want to associate with the access token. This request parameter is optional. More... | |
| string[] | Scopes [get, set] |
Scopes that should be associated with the access token. If null (the default value) is set, the scopes specified in the original backchannel authentication request are used. In other cases, the scopes set to this property will replace the original scopes contained in the original request. More... | |
| string | IdtHeaderParams [get, set] |
| JSON that represents additional JWS header parameters for the ID token. More... | |
| string | ErrorDescription [get, set] |
The description of the error. This corresponds to the error_description property in the response to the client. More... | |
| Uri | ErrorUri [get, set] |
The URI of a document which describes the error in detail. This corresponds to the error_uri property in the response to the client. More... | |
Request to Authlete's /api/backchannel/authentication/complete API.
After the implementation of the backchannel authentication endpoint returns JSON containing an auth_req_id to the client, the authorization server starts a background process that communicates with the authentication device of the end-user. On the authentication device, end-user authentication is performed and the end-user is asked whether they give authorization to the client or not. The authorization server will receive the result of end-user authentication and authorization from the authentication device.
After the authorization server receives the result from the authentication device, or even in the case where the server gave up receiving a response from the authentication device for some reasons, the server should call the /api/backchannel/authentication/complete API to tell Authlete the result.
When the end-user was authenticated and authorization was granted to the client by the end-user, the authorization server should call the API with result=BackchannelAuthenticationCompleteResult.AUTHORIZED. In this successful case, the subject request parameter is mandatory. If the token delivery mode is "push", the API will generate an access token, an ID token and optionally a refresh token. On the other hand, if the token delivery mode is "poll" or "ping", the API will just update the database record so that /api/auth/token API can generate tokens later.
When the authorization server received the decision of the end-user from the authentication device and it indicates that the end-user has rejected to give authorization to the client, the authorization server should call the API with result=BackchannelAuthenticationCompleteResult.ACCESS_DENIED. In this case, if the token delivery mode is "push", the API will generate an error response that contains the error response parameter and optionally the error_description and error_uri response parameters (if the errorDescription and errorUri request parameters have been given). On the other hand, if the token delivery mode is "poll" or "ping", the API will just update the database record so that /api/auth/token API can generate an error response later. In any token delivery mode, the value of the error parameter will become access_denied.
When the authorization server could not get the result of end-user authentication and authorization from the authentication device for some reasons, the authorization server should call the API with result=BackchannelAuthenticationCompleteResult.TRANSACTION_FAILED. In this error case, the API will behave in the same way as in the case of ACCESS_DENIED. The only difference is that transaction_failed is used as the value of the error parameter.
Since version 1.3.0.
|
getset |
The reference of the authentication context class which the end-user authentication satisfied. When this request parameter holds a non-null value, the "acr" claim will be embedded in the ID token.
|
getset |
The time at which the end-user was authenticated. When this request parameter holds a positive number, the "auth_time" claim will be embedded in the ID token.
The value should be the number of seconds since the Unix epoch (1970-01-01).
|
getset |
Additional claims which will be embedded in the ID token.
The authorization server implementation is required to retrieve values of requested claims of the end-user from its database and format them in JSON format.
For example, if "given_name" claim, "family_name" claim and "email" claim are requested, the authorization server implementation should generate a JSON object like the following and set its string representation to this Claims property.
See 5.1. Standard Claims of OpenID Connect Core 1.0 for details about the format.
|
getset |
The description of the error. This corresponds to the error_description property in the response to the client.
If this optional request parameter is given, its value is used as the value of the error_description property, but it is used only when the result is not BackchannelAuthenticationCompleteResult.AUTHORIZED.
To comply with the specification strictly, the description must not include characters outside the set x20-21 / x23-5B / x5D-7E.
|
getset |
The URI of a document which describes the error in detail. This corresponds to the error_uri property in the response to the client.
If this optional request parameter is given, its value is used as the value of the error_uri property, but it is used only when the result is not BackchannelAuthenticationCompleteResult.AUTHORIZED.
|
getset |
JSON that represents additional JWS header parameters for the ID token.
Since version 1.5.0.
|
getset |
Extra properties that you want to associate with the access token. This request parameter is optional.
Keys of extra properties will be used as labels of top-level entries in a JSON response returned from the authorization server. An example is example_parameter, which you can find in 5.1. Successful Response in RFC 6749. The following code snippet is an example to set one extra property having example_parameter as its key and example_value as its value.
Note that there is an upper limit on the total size of extra properties. On Authlete side, the properties will be (1) converted to a multidimensional string array, (2) converted to JSON, (3) encrypted by AES/CBC/PKCS5Padding, (4) encoded by base64url, and then stored into the database. The length of the resultant string must not exceed 65,535 in bytes. This is the upper limit, but we think it is big enough.
|
getset |
The result of end-user authentication and authorization. This request parameter is mandatory.
|
getset |
Scopes that should be associated with the access token. If null (the default value) is set, the scopes specified in the original backchannel authentication request are used. In other cases, the scopes set to this property will replace the original scopes contained in the original request.
Even scopes that are not included in the original request can be included.
Note that because the CIBA specification requires openid as a mandatory scope, openid should be always included.
|
getset |
The value of the "sub" claim used in the ID token. If this property returns null or its value is empty, the value of the Subject property is used as the value of the "sub" claim. The main purpose of this Sub property is to hide the actual value of the subject from client applications.
Note that the value of the Subject property is used as the value of the subject associated with the access token regardless of whether this Sub property holds a non-empty value or not. In other words, this Sub property affects only the "sub" claim in the ID token.
|
getset |
The subject (= unique identifier) of the end-user who has granted authorization to the client application.
This property is used as the value of the subject associated with the access token and as the value of the "sub" claim in the ID token.
Note that, if the Sub property returns a non-empty value, it is used as the value of the "sub" claim in the ID token. However, even in the case, the value of the subject associated with the access token is still the value of this Subject property.
|
getset |
The ticket which is necessary to call Authlete's /api/backchannel/authentication/complete API. This request parameter is mandatory.
The ticket previously issued by Authlete's /api/backchannel/authentication API.
1.8.18