Response from Authlete's /api/auth/token API.
More...
Properties | |
| TokenAction | Action [get, set] |
| The next action that the token endpoint should take. More... | |
| string | ResponseContent [get, set] |
| The response content which can be used as the entity body of the response returned to the client application. More... | |
| string | Username [get, set] |
The value of the "username" request parameter contained in the token request from the client application. More... | |
| string | Password [get, set] |
The value of the "password" request parameter contained in the token request from the client application. More... | |
| string | Ticket [get, set] |
A ticket issued from Authlete's /api/auth/token API. The value is to be used as the value of the "ticket" rquest parameter when you call /api/auth/token/issue API or /api/auth/token/fail API. More... | |
| string | AccessToken [get, set] |
The newly issued access token. This property returns a non-null value only when the Action property returns TokenAction.OK. More... | |
| long | AccessTokenExpiresAt [get, set] |
| The date in milliseconds since the Unix epoch (1970-Jan-1) at which the access token will expire. More... | |
| long | AccessTokenDuration [get, set] |
| The duration of the access token in seconds. More... | |
| string | RefreshToken [get, set] |
The newly issued refresh token. This property returns a non-null value only when the Action property returns TokenAction.OK and the service is configured to support the refresh token flow. More... | |
| long | RefreshTokenExpiresAt [get, set] |
| The date in milliseconds since the Unix epoch (1970-Jan-1) at which the refresh token will expire. More... | |
| long | RefreshTokenDuration [get, set] |
| The duration of the refresh token in seconds. More... | |
| string | IdToken [get, set] |
The newly issued ID token. An ID token is issued from a token endpoint when the authorization code flow is used and "openid" is included in the scope list. More... | |
| GrantType | GrantType [get, set] |
| The grant type of the token request. More... | |
| long | ClientId [get, set] |
| The ID of the client application associated with the access token. More... | |
| string | ClientIdAlias [get, set] |
The client ID alias. If no alias is assigned to the client application, this property returns null. More... | |
| bool | IsClientIdAliasUsed [get, set] |
| The flag which indicates whether the client ID alias was used when the token request was made. More... | |
| string | Subject [get, set] |
| The subject (= unique identifier) of the user (= resource owner) of the access token. More... | |
| string[] | Scopes [get, set] |
| The scopes covered by the access token. More... | |
| Property[] | Properties [get, set] |
| Extra properties associated with the access token. More... | |
| string | JwtAccessToken [get, set] |
| The newly issued access token in JWT format. More... | |
| string[] | Resources [get, set] |
The resources specified by the resource request parameters in the token request. See RFC 8707 (Resource Indicators for OAuth 2.0) for details. More... | |
| string[] | AccessTokenResources [get, set] |
| The target resources of the access token being issued. See RFC 8707 (Resource Indicators for OAuth 2.0) for details. More... | |
 Properties inherited from ApiResponse | |
| string | ResultCode [get, set] |
The code of the result of an Authlete API call. For example, "A004001". More... | |
| string | ResultMessage [get, set] |
| The message of the result of an Authlete API call. For example, "[A001202] /client/get/list,
Authorization header is missing." More... | |
Detailed Description
Response from Authlete's /api/auth/token API.
Authlete's /api/auth/token API returns JSON which can be mapped to this class. The token endpoint implementation should retrieve the value of the "action" response parameter (which can be obtained via the Action property of this class) from the response and take the following steps according to the value.
When the value of the Action property is TokenAction.INVALID_CLIENT, it means that authentication of the client failed. In this case, the HTTP status of the response to the client application should be either "400 Bad Request" or "401 Unauthorized". This requirement comes from 5.2. Error Response of RFC 6749. The description about "invalid_client" shown below is an excerpt from RFC 6749.
Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the "Authorization" request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code and include the "WWW-Authenticate" response header field matching the authentication scheme used by the client.
In either case, the JSON string returned by the ResponseContent property can be used as the entity body of the response to the client application. The following illustrates the response which the token endpoint implementation should generate and return to the client application.
When the value of the Action property is TokenAction.INTERNAL_SERVER_ERROR, it means that the request from your system was wrong or that an error occurred in Authlete. In either case, from a viewpoint of the client application, it is an error on the server side. Therefore, the token endpoint implementation should generate a response to the client application with the HTTP status of "500 Internal Server Error".
In this case, the ResponseContent property returns a JSON string which describes the error, so it can be used as the entity body of the response. The following illustrates the response which the token endpoint implementation should generate and return to the client application.
When the value of the Action property is TokenAction.BAD_REQUEST, it means that the request from the client application is invalid. The HTTP status of the response returned to the client application must be "400 Bad Request" and the content type must be "application/json".
In this case, the ResponseContent property returns a JSON string which describes the error, so it can be used as the entity body of the response. The following illustrates the response which the token endpoint implementation should generate and return to the client application.
When the value of the Action property is TokenAction.PASSWORD, it means that the request from the client application is valid and the value of the "grant_type" request parameter was "password". This indicates that the flow is Resource Owner Password Credentials Flow.
In this case, the Username property returns the value of the "username" request parameter and the Password property returns the value of the "password" request parameter which were contained in the token request from the client application. The token endpoint implementation must validate the credentials of the resource owner (= end-user) and take either of the actions below according to the validation result.
(1) When the credentials are valid, call Authlete's /api/auth/token/issue API to generate an access. The API requires a "ticket" request parameter and a "subject" request parameter. Use the value returned from the TokenResponse.Ticket property as the value for the "ticket" request parameter.
The response from /api/auth/token/issue API (TokenIssueResponse) contains data (an access token and others) which should be returned to the client application. Use the data to generate a response to the client application.
(2) When the credentials are invalid, call Authlete's /api/auth/token/fail API with reason=INVALID_RESOURCE_OWNER_CREDENTIALS to generate an error response for the client application. The API requires a "ticket" request parameter. Use the value returned from the TokenResponse.Ticket property as the value for the "ticket" request parameter.
The response from /api/auth/token/fail API (TokenFailResponse) contains error information which should be returned to the client application. Use it to generate a response to the client application.
When the value of the Action property is TokenAction.OK, it means that the request from the client application is valid, and an access token and optionally an ID token are ready to be issued. The HTTP status of the response returned to the client application must be "200 OK" and the content type must be "application/json".
In this case, the ResponseContent property returns a JSON string which contains an access token (and optionally an ID token), so it can be used as the entity body of the response. The following illustrates the response which the token endpoint implementation should generate and return to the client application.
Property Documentation
◆ AccessToken
|
getset |
The newly issued access token. This property returns a non-null value only when the Action property returns TokenAction.OK.
◆ AccessTokenDuration
|
getset |
The duration of the access token in seconds.
◆ AccessTokenExpiresAt
|
getset |
The date in milliseconds since the Unix epoch (1970-Jan-1) at which the access token will expire.
◆ AccessTokenResources
|
getset |
The target resources of the access token being issued. See RFC 8707 (Resource Indicators for OAuth 2.0) for details.
Since version 1.4.0.
◆ Action
|
getset |
The next action that the token endpoint should take.
◆ ClientId
|
getset |
The ID of the client application associated with the access token.
◆ ClientIdAlias
|
getset |
The client ID alias. If no alias is assigned to the client application, this property returns null.
◆ GrantType
◆ IdToken
|
getset |
The newly issued ID token. An ID token is issued from a token endpoint when the authorization code flow is used and "openid" is included in the scope list.
◆ IsClientIdAliasUsed
|
getset |
The flag which indicates whether the client ID alias was used when the token request was made.
◆ JwtAccessToken
|
getset |
The newly issued access token in JWT format.
If the authorization server is configured to issue JWT-based access tokens (= if the AccessTokenSignAlg property of the Service holds a non-null value), a JWT-based access token is issued along with the original random-string one.
Regarding the detailed format of the JWT-based access token, see the description of the Service class.
Since version 1.3.0.
◆ Password
|
getset |
The value of the "password" request parameter contained in the token request from the client application.
◆ Properties
|
getset |
Extra properties associated with the access token.
◆ RefreshToken
|
getset |
The newly issued refresh token. This property returns a non-null value only when the Action property returns TokenAction.OK and the service is configured to support the refresh token flow.
◆ RefreshTokenDuration
|
getset |
The duration of the refresh token in seconds.
◆ RefreshTokenExpiresAt
|
getset |
The date in milliseconds since the Unix epoch (1970-Jan-1) at which the refresh token will expire.
◆ Resources
|
getset |
The resources specified by the resource request parameters in the token request. See RFC 8707 (Resource Indicators for OAuth 2.0) for details.
Since version 1.4.0.
◆ ResponseContent
|
getset |
The response content which can be used as the entity body of the response returned to the client application.
◆ Scopes
|
getset |
The scopes covered by the access token.
◆ Subject
|
getset |
The subject (= unique identifier) of the user (= resource owner) of the access token.
Even if an access token was issued by the call of /api/auth/token API, this property returns null if the flow of the token request was Client Credentials Flow (grant_type=client_credentials) because access tokens are not associated with any specific end-user in the flow.
◆ Ticket
|
getset |
A ticket issued from Authlete's /api/auth/token API. The value is to be used as the value of the "ticket" rquest parameter when you call /api/auth/token/issue API or /api/auth/token/fail API.
◆ Username
|
getset |
The value of the "username" request parameter contained in the token request from the client application.
The documentation for this class was generated from the following file:
- Authlete/Dto/TokenResponse.cs
