Authlete
Response from Authlete's /api/backchannel/authentication/complete API.
Properties

| Type | Property | Description |
| --- | --- | --- |
| BackchannelAuthenticationCompleteAction | Action [get, set] | The next action that the authorization server implementation should take. |
| string | ResponseContent [get, set] | The content of the notification. |
| long | ClientId [get, set] | The client ID of the client application. |
| string | ClientIdAlias [get, set] | The client ID alias of the client application. |
| bool | IsClientIdAliasUsed [get, set] | The flag which indicates whether the client ID alias was used in the backchannel authentication request. |
| string | ClientName [get, set] | The name of the client application. |
| DeliveryMode | DeliveryMode [get, set] | The backchannel token delivery mode. |
| Uri | ClientNotificationEndpoint [get, set] | The client notification endpoint to which a notification needs to be sent. |
| string | ClientNotificationToken [get, set] | The client notification token which needs to be embedded as a Bearer token in the Authorization header in the notification. |
| string | AuthReqId [get, set] | The value of the auth_req_id which is associated with the ticket. |
| string | AccessToken [get, set] | The newly issued access token. This property holds a non-null value only when the backchannel token delivery mode is "push" and an access token has been issued successfully. |
| string | RefreshToken [get, set] | The newly issued refresh token. This property holds a non-null value only when the backchannel token delivery mode is "push" and a refresh token has been issued successfully. |
| string | IdToken [get, set] | The newly issued ID token. This property holds a non-null value only when the backchannel token delivery mode is "push" and an ID token has been issued successfully. |
| long | AccessTokenDuration [get, set] | The duration of the access token in seconds. If an access token has not been issued, this property holds 0. |
| long | RefreshTokenDuration [get, set] | The duration of the refresh token in seconds. If a refresh token has not been issued, this property holds 0. |
| long | IdTokenDuration [get, set] | The duration of the ID token in seconds. If an ID token has not been issued, this property holds 0. |
| string | JwtAccessToken [get, set] | The newly issued access token in JWT format. |
| string[] | Resources [get, set] | The resources specified by the resource request parameters or by the resource property in the request object in the preceding backchannel authentication request. |
| string | ResultCode [get, set] | The code of the result of an Authlete API call. For example, "A004001". |
| string | ResultMessage [get, set] | The message of the result of an Authlete API call. For example, "[A001202] /client/get/list, Authorization header is missing." |
Authlete's /api/backchannel/authentication/complete API returns JSON which can be mapped to this class. The authorization server implementation should retrieve the value of the action response parameter (which can be obtained via the Action property) from the response and take the following steps according to the value.
When the value of the Action property is BackchannelAuthenticationCompleteAction.NOTIFICATION, it means that the authorization server must send a notification to the client notification endpoint.
According to the CIBA Core specification, the notification is an HTTP POST request whose request body is JSON and whose Authorization header contains, as a bearer token, the client notification token that was included in the backchannel authentication request as the value of the client_notification_token request parameter.
When the backchannel token delivery mode is "ping", the request body of the notification is JSON which contains the auth_req_id property only. When the backchannel token delivery mode is "push", the request body will additionally contain an access token, an ID token and other properties. Note that when the backchannel token delivery mode is "poll", a notification does not have to be sent to the client notification endpoint.
In the "ping" mode, however, the content of a notification in error cases is no different from the content in successful cases. That is, the notification contains the auth_req_id property only. The client will know the error when it accesses the token endpoint. On the other hand, in the "push" mode, in error cases, the content of a notification will include the error property instead of an access token and an ID token. The client will know the error by detecting that error is included in the notification.
In any case, ResponseContent holds JSON which can be used as the request body of the notification.
The client notification endpoint that the notification should be sent to is held by the ClientNotificationEndpoint property. Likewise, the client notification token that the notification should include as a bearer token is held by the ClientNotificationToken property. With these properties, the notification can be built like the following.
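One way to build and send the notification from these three properties, as an added example that is not code from the Authlete documentation or library. It assumes the response and action types are in the Authlete.Dto namespace; CibaNotifier, BuildNotification and HandleAsync are hypothetical names. It also applies two CIBA Core rules: the client notification endpoint is an HTTPS URL, and the authorization server does not follow redirects.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Authlete.Dto; // assumed namespace of the response and action types

public static class CibaNotifier // hypothetical helper, not part of the library
{
    // Redirects are disabled so that a 3xx answer cannot forward the bearer
    // token (or, in push mode, the issued tokens) to another host.
    static readonly HttpClient Http = new HttpClient(
        new HttpClientHandler { AllowAutoRedirect = false })
        { Timeout = TimeSpan.FromSeconds(10) };

    // Builds the notification from the three properties described above.
    public static HttpRequestMessage BuildNotification(
        Uri endpoint, string notificationToken, string responseContent)
    {
        if (endpoint == null || endpoint.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("HTTPS notification endpoint required");

        var req = new HttpRequestMessage(HttpMethod.Post, endpoint);
        req.Headers.Authorization =
            new AuthenticationHeaderValue("Bearer", notificationToken);
        req.Content = new StringContent(
            responseContent, Encoding.UTF8, "application/json");
        return req;
    }

    // Dispatches on Action; returns true when nothing further is required.
    public static async Task<bool> HandleAsync(
        BackchannelAuthenticationCompleteResponse res)
    {
        switch (res.Action)
        {
            case BackchannelAuthenticationCompleteAction.NOTIFICATION:
                using (var req = BuildNotification(res.ClientNotificationEndpoint,
                    res.ClientNotificationToken, res.ResponseContent))
                using (var rsp = await Http.SendAsync(req))
                    // Do not log the request body: in push mode it carries tokens.
                    return (int)rsp.StatusCode == 204 || (int)rsp.StatusCode == 200;
            case BackchannelAuthenticationCompleteAction.NO_ACTION:
                return true;  // poll mode: the client gets the result at the token endpoint
            default:          // SERVER_ERROR
                return false; // caller records ResultCode and ResultMessage
        }
    }
}
```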
When the value of the Action property is BackchannelAuthenticationCompleteAction.NO_ACTION, it means that the authorization server does not have to take any immediate action.
The Action property holds NO_ACTION only when the backchannel token delivery mode is "poll". In this case, the client will receive the final result at the token endpoint.
When the value of the Action property is BackchannelAuthenticationCompleteAction.SERVER_ERROR, it means either (1) that the request from the authorization server to Authlete was wrong, or (2) that an error occurred on the Authlete side.
When the backchannel token delivery mode is "ping" or "push", SERVER_ERROR is used only when an error is detected before the record of the ticket (which is included in the API call to /api/backchannel/authentication/complete) is retrieved from the database successfully. If an error is detected after the record of the ticket is retrieved from the database, NOTIFICATION is used instead of SERVER_ERROR.
When the backchannel token delivery mode is "poll", SERVER_ERROR is used regardless of whether it is before or after the record of the ticket is retrieved from the database.
Since version 1.3.0.
string AccessToken [get, set]
The newly issued access token. This property holds a non-null value only when the backchannel token delivery mode is "push" and an access token has been issued successfully.
long AccessTokenDuration [get, set]
The duration of the access token in seconds. If an access token has not been issued, this property holds 0.
BackchannelAuthenticationCompleteAction Action [get, set]
The next action that the authorization server implementation should take.
string AuthReqId [get, set]
The value of the auth_req_id which is associated with the ticket.
long ClientId [get, set]
The client ID of the client application.
string ClientIdAlias [get, set]
The client ID alias of the client application.
string ClientName [get, set]
The name of the client application.
Uri ClientNotificationEndpoint [get, set]
The client notification endpoint to which a notification needs to be sent.
This corresponds to the client_notification_endpoint metadata of the client application.
string ClientNotificationToken [get, set]
The client notification token which needs to be embedded as a Bearer token in the Authorization header in the notification.
This is the value of the client_notification_token request parameter included in the backchannel authentication request.
DeliveryMode DeliveryMode [get, set]
The backchannel token delivery mode.
string IdToken [get, set]
The newly issued ID token. This property holds a non-null value only when the backchannel token delivery mode is "push" and an ID token has been issued successfully.
long IdTokenDuration [get, set]
The duration of the ID token in seconds. If an ID token has not been issued, this property holds 0.
bool IsClientIdAliasUsed [get, set]
The flag which indicates whether the client ID alias was used in the backchannel authentication request.
string JwtAccessToken [get, set]
The newly issued access token in JWT format.
If the authorization server is configured to issue JWT-based access tokens (= if AccessTokenSignAlg of Service is a non-null value), a JWT-based access token is issued along with the original random-string one.
Regarding the detailed format of the JWT-based access token, see the description of the Service class.
string RefreshToken [get, set]
The newly issued refresh token. This property holds a non-null value only when the backchannel token delivery mode is "push" and a refresh token has been issued successfully.
long RefreshTokenDuration [get, set]
The duration of the refresh token in seconds. If a refresh token has not been issued, this property holds 0.
string[] Resources [get, set]
The resources specified by the resource request parameters or by the resource property in the request object in the preceding backchannel authentication request. If both are given, the values in the request object take precedence. See RFC 8707 (Resource Indicators for OAuth 2.0) for details.
Since version 1.4.0.
string ResponseContent [get, set]
The content of the notification.
When the Action property holds BackchannelAuthenticationCompleteAction.NOTIFICATION, this property holds JSON which should be used as the request body of the notification.
In successful cases, when the backchannel token delivery mode is "ping", the JSON contains auth_req_id. On the other hand, when the backchannel token delivery mode is "push", the JSON contains an access token, an ID token, and optionally a refresh token (and some other properties).