Overview

OAuth 2.0 authorization enables a third-party application to obtain limited access to miniOrange resources. This page gives an overview of the OAuth 2.0 authorization scenarios that miniOrange supports. It mainly covers the Authorization request, the Token API, the Get User Info endpoint, the Revoke Token API reference and the Refresh Token Grant API reference.
If you wish to use a third-party client library, or if you want to write your own client, you can call our endpoints directly to authenticate users on your website or application.

This page contains detailed information about the OAuth endpoints that miniOrange exposes on its authorization servers.
For OpenID Connect endpoints, see https://developers.miniorange.com/docs/idp/api/openid-api.

Endpoints

Pre-requisites

  • You need to create a free trial account with us (Go to https://idp.miniorange.com/signup/).
  • You should have an account on the application where you want to set up single sign-on.

Steps to integrate the miniOrange SSO API for OAuth

The OAuth 2.0 secure delegated authorization protocol works by issuing an authorization code to the requesting client application.
The authorization code is a temporary code that the client exchanges for an access token (and a refresh token, if requested).
Later, the client can exchange the refresh token for a new access token once the current access token has expired.
The Get User Info endpoint can then be used to obtain the user's details.

Authorization Request

You need to send a GET request to the authorization endpoint.

Create a REST service or similar on your application to handle the response from the authorization endpoint; this is the callback URL you pass as redirect_uri.
Example: (https://<your-domain>/rest/openidresponse)

[GET] https://login.xecurify.com/moas/idp/openidsso?
        client_id=<client-id-goes-here>
        &redirect_uri=<callback-url-goes-here>
        &scope=email/profile
        &response_type=code
        &state=<security_token>
SAMPLE REQUEST AND RESPONSE

    Sample Request:
        http://localhost:8080/moas/idp/openidsso?response_type=code&client_id=Anzjx4Sf3aVe6gg&
        redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fsampleapp%2Foidcresponse&scope=email+profile
        &state=yAwL-57K10sIIpGeVO7nR7ZAnzdsj01uGothExyVpmo&nonce=ayLpTaFf-YzqtX3Jq_lTSKJmc7AUh5ELNwoIRs1XPmc

    Sample Response:
        code: kuwbrec8_sacca
        state: yAwL-57K10sIIpGeVO7nR7ZAnzdsj01uGothExyVpmo

This request returns the code parameter after the user authenticates with their account credentials (the authorization code grant).

REQUEST PARAMETERS
    Parameter        Value
    Request Type     GET (browser redirect)
    client_id        Client ID obtained from miniOrange
    redirect_uri     Callback URL of your application
    scope            email / profile (scope of authorization, i.e. the level of access)

RESPONSE PARAMETERS
    Parameter        Value
    code             A code that you must use in exchange for the token in the next API call.
    state            The value from the request, returned in the response. The client application can use it to remember the state of its interaction with the end user at the time of the authentication call.
     // Import the miniOrange API (copy all the JAR files into a lib folder and add them to the build path).
     // Step 1: make a token request using the code and state parameters received on the redirect URI.

         String token = AuthServerRequest.sendTokenRequest(code, state);
     /**
      * Example token JSON returned as a string:
      * {"scope":"email","expires_in":3600,"token_type":"bearer",
      *  "access_token":"2f6fyjXdQRgVU9w"}
      */
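The two client-side halves of the authorization request described above, building the redirect URL and validating the response that comes back to redirect_uri, as an added example that is not part of this page or of the miniOrange SDK. The endpoint URL is the one given above; the client ID, redirect URI and callback URL in the usage are constructed sample values, and `new_state`, `build_authorization_url` and `parse_callback` are names chosen here.

```python
"""Authorization request builder and callback validator for the
miniOrange authorization endpoint (added example, not miniOrange code)."""
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://login.xecurify.com/moas/idp/openidsso"


def new_state():
    """Unguessable per-request state. Store it server-side (e.g. in the
    user's session) before redirecting so the callback can be matched."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, state, scope="email profile"):
    """Assemble the [GET] request shown above; urlencode percent-encodes
    the redirect_uri and turns the space in the scope list into '+'."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


class CallbackError(Exception):
    pass


def parse_callback(callback_url, expected_state):
    """Return the authorization code carried by the redirect to redirect_uri.
    The code is accepted only if the returned state equals the one issued."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise CallbackError(f"authorization server returned error={q['error'][0]}")
    state = q.get("state", [None])[0]
    code = q.get("code", [None])[0]
    # Constant-time comparison on bytes; a missing or foreign state means the
    # response was not started by this session, so the code must not be used.
    if state is None or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise CallbackError("state mismatch: discarding authorization code")
    if not code:
        raise CallbackError("callback carries no code")
    return code


if __name__ == "__main__":
    # Constructed sample values, matching the shape of the sample request above.
    issued = new_state()
    print(build_authorization_url("Anzjx4Sf3aVe6gg",
                                  "http://localhost:8080/sampleapp/oidcresponse", issued))
    callback = f"http://localhost:8080/sampleapp/oidcresponse?code=kuwbrec8_sacca&state={issued}"
    print("code:", parse_callback(callback, issued))
```

The state value is generated per request and compared on the way back; a callback whose state does not match the one stored for the session is rejected before any token exchange happens.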

Getting Access Token and JWT Token

You need to make a POST request to the token endpoint.

[POST] https://login.xecurify.com/moas/rest/oauth/token
REQUEST PARAMETERS
    Parameter        Value
    grant_type       authorization_code
    client_id        <client-id-goes-here>
    client_secret    <client-secret-goes-here>
    redirect_url     <callback-URL-goes-here>
    code             <code-received-in-step1>

RESPONSE PARAMETERS
    Parameter        Value
    access_token     Valid for 1 hour; can be used to access the user info or other endpoints until it expires.

Fetching User Details From User Info Endpoint

This API can be used to fetch user profile information using the access token that was issued to the user.
A GET request is sent to the user info endpoint, i.e. https://login.xecurify.com/moas/rest/oauth/getuserinfo.
In response, the user attributes are received in JSON format.

Revoking Access Token

If at any point the user decides to revoke the granted access token, this can be done by sending a GET request to the revocation endpoint.
In response, either a success message or a failure message is received, as shown below:

[Response] - {"message":"Token has been revoked successfully.","status":"SUCCESS"} OR
{"message":"Access token is either invalid or expired.","status":"FAILED"}

Exchanging Refresh Token For Access Token

The token endpoint is used by clients to exchange a refresh token for an access token when the access token has expired. This allows clients to keep a valid access token without further interaction with the user. This API returns an access token or JWT token that is valid for 1 hour and can be used for other API access.

A POST request is made to the token endpoint with 'grant_type' set to 'refresh_token'.

[Response] - {"access_token":"","token_type":"Bearer","expires_in":3600} 

access_token: Valid for 1 hour and can be used to access the user info or other endpoints until it expires.
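A small client that ties together the three back-channel calls documented above: the authorization_code grant at the token endpoint, the user info request, and the refresh_token grant used once the one-hour access token has expired. This is an added example, not miniOrange's SDK; the endpoint URLs and the `redirect_url` parameter name are the ones this page documents. Assumptions of this example: the access token is sent to the user info endpoint as an `Authorization: Bearer` header (the page does not state how it is passed), the class and function names (`MiniOrangeClient`, `FakeServer`, `TokenError`, `urllib_transport`) are chosen here, and the `FakeServer` replies, including a `refresh_token` field in the code-exchange response, are constructed so the flow can be exercised offline.

```python
"""Token exchange, refresh and user-info client for the miniOrange endpoints
on this page (added example, not miniOrange's SDK). The HTTP layer is a
callable so the same code runs against the real server or an offline stub."""
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://login.xecurify.com/moas/rest/oauth/token"
USERINFO_URL = "https://login.xecurify.com/moas/rest/oauth/getuserinfo"
CLOCK_SKEW = 30  # seconds: refresh slightly before the server-side expiry


def urllib_transport(method, url, headers=None, data=None):
    """Real HTTP transport -> (status, body). Form-encodes `data` for POST."""
    body = urlencode(data).encode() if data else None
    req = Request(url, data=body, headers=headers or {}, method=method)
    with urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


class TokenError(Exception):
    pass


class MiniOrangeClient:
    def __init__(self, client_id, client_secret, redirect_url, transport=urllib_transport):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_url = redirect_url
        self.transport = transport
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _token_request(self, params):
        # client_secret travels in the POST body, never in a query string or a log line.
        params.update(client_id=self.client_id, client_secret=self.client_secret)
        status, body = self.transport("POST", TOKEN_URL,
                                      headers={"Accept": "application/json"}, data=params)
        if status != 200:
            raise TokenError(f"token endpoint returned HTTP {status}")
        tok = json.loads(body)
        if not tok.get("access_token"):  # an empty string is not a usable token
            raise TokenError("token response carries no access_token")
        self.access_token = tok["access_token"]
        self.refresh_token = tok.get("refresh_token", self.refresh_token)
        # expires_in is relative (seconds); keep an absolute monotonic deadline.
        self.expires_at = time.monotonic() + int(tok.get("expires_in", 0))
        return tok

    def exchange_code(self, code):
        """authorization_code grant; 'redirect_url' is the parameter name this page gives."""
        return self._token_request({"grant_type": "authorization_code",
                                    "code": code, "redirect_url": self.redirect_url})

    def refresh(self):
        """refresh_token grant: a new access token without user interaction."""
        if not self.refresh_token:
            raise TokenError("no refresh token held; the user must authorize again")
        return self._token_request({"grant_type": "refresh_token",
                                    "refresh_token": self.refresh_token})

    def token_is_valid(self):
        return bool(self.access_token) and time.monotonic() < self.expires_at - CLOCK_SKEW

    def userinfo(self):
        """GET the user's attributes, refreshing first if the token has expired.
        Assumption: the token is presented as a Bearer header."""
        if not self.token_is_valid():
            self.refresh()
        status, body = self.transport("GET", USERINFO_URL,
                                      headers={"Authorization": f"Bearer {self.access_token}"})
        if status != 200:
            raise TokenError(f"user info endpoint returned HTTP {status}")
        return json.loads(body)


class FakeServer:
    """Constructed stand-in for the authorization server (not the real one):
    replays bodies shaped like this page's samples and counts refreshes."""
    def __init__(self):
        self.refreshes = 0

    def __call__(self, method, url, headers=None, data=None):
        if url == TOKEN_URL and data.get("grant_type") == "authorization_code":
            return 200, json.dumps({"scope": "email", "expires_in": 3600, "token_type": "bearer",
                                    "access_token": "2f6fyjXdQRgVU9w",
                                    "refresh_token": "rt-constructed"})
        if url == TOKEN_URL and data.get("grant_type") == "refresh_token":
            self.refreshes += 1
            return 200, json.dumps({"access_token": "at-refreshed", "token_type": "Bearer",
                                    "expires_in": 3600})
        if url == USERINFO_URL and (headers or {}).get("Authorization", "").startswith("Bearer "):
            return 200, json.dumps({"email": "user@example.test", "name": "Sample User"})
        return 401, json.dumps({"message": "Access token is either invalid or expired.",
                                "status": "FAILED"})


if __name__ == "__main__":
    client = MiniOrangeClient("Anzjx4Sf3aVe6gg", "<client-secret-placeholder>",
                              "http://localhost:8080/sampleapp/oidcresponse", transport=FakeServer())
    client.exchange_code("kuwbrec8_sacca")
    print(client.userinfo())
```

To talk to the real endpoints, construct `MiniOrangeClient` without the `transport` argument so `urllib_transport` is used. The client treats an empty `access_token` (the shape shown in the refresh sample response above) as a failed exchange rather than storing it, and it refreshes proactively when the stored expiry, less a small skew, has passed.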


Endpoints Explained

  • Authorization Endpoint : The authorization endpoint is the only one where the end user interacts with the OpenID Connect provider. The other endpoints handle direct back-channel requests from the client application.

  • Token Endpoint : The token endpoint authenticates the client application and lets it exchange the code received from the authorization endpoint for an access token.

  • User info Endpoint : The endpoint is used to obtain end user details. User attributes in JSON format are received in response.

  • Introspection Endpoint : Verifies whether a token is active and reports which user it is assigned to.

  • Discovery Endpoint : Contains URL and information of all the endpoints mentioned above, including a path to JSON JWK set.

  • Revocation Endpoint : The endpoint is used to revoke the granted access token. It invalidates the access token.

  • SLO Endpoint : On a user logout event from the client application, send a browser redirect to the OpenID Connect single logout endpoint.