Overview

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. OpenID Connect allows easy integration with applications of all types, including Web, Mobile, and JavaScript applications, to request information about authenticated user sessions from the IdP (identity provider).

If you wish to use any third-party client libraries or if you want to write your own client then you can use our endpoints directly to authenticate users on your website or application.
This page contains detailed information about the OpenID Connect endpoints that miniOrange exposes on its authorization servers.
For the OAuth endpoints, see https://developers.miniorange.com/docs/idp/api/oauth-api.

Endpoints

Pre-requisites

  • You need to create a free trial account with us (Go to https://idp.miniorange.com/signup/).
  • You should have an account on the application where you want to enable single sign-on.

Steps to integrate miniOrange SSO API for OpenID Connect

You just need to make two calls:
[1]. A GET request to the Authorization endpoint.
[2]. A POST request to obtain the access_token and id_token (the ID token contains information about the end-user).
Then verify the JWT (the id_token) and parse the user info from it.

Authorization Request

You need to send a GET request to the authorization endpoint.

Create a REST service (or similar) on your application to handle the response from the Authorization Endpoint, for example at https://<your-domain>/rest/openidresponse.

[GET] https://login.xecurify.com/moas/idp/openidsso?
        client_id=<client-id-goes-here>
        &redirect_uri=<callback-url-goes-here>
        &scope=openid/email/profile
        &response_type=code
        &state=<security_token>
SAMPLE REQUEST AND RESPONSE

    Sample Request:
        http://localhost:8080/moas/idp/openidsso?response_type=code&client_id=Anzjx4Sf3aVe6gg&
        redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fsampleapp%2Foidcresponse&scope=openid+email+profile
        &state=yAwL-57K10sIIpGeVO7nR7ZAnzdsj01uGothExyVpmo&nonce=ayLpTaFf-YzqtX3Jq_lTSKJmc7AUh5ELNwoIRs1XPmc

    Sample Response:
        code: kuwbrec8_sacca
        state: yAwL-57K10sIIpGeVO7nR7ZAnzdsj01uGothExyVpmo

This call returns the code parameter after the user authenticates with their account credentials (authorization code grant).

REQUEST PARAMETERS

    Parameter        Value
    Request Type     GET (browser redirect)
    client_id        Client ID obtained from miniOrange
    redirect_uri     Callback URL of your application
    scope            openid / email / profile (scope of authorization or level of access)

RESPONSE PARAMETERS

    Parameter        Value
    code             The authorization code that you exchange for the token in the next API call.
    state            The state value you sent, returned alongside the code. The client application can use it to remember the state of its interaction with the end-user at the time of the authentication call.

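The authorization request and callback handling described above, as an added example in Python (not miniOrange's own code): it builds the redirect URL with a per-login state and nonce, then accepts the callback only when the returned state matches the one stored for that session, which is what makes the state parameter a login-CSRF check. The client_id, redirect_uri and state/nonce values are placeholders or constructed.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Authorization endpoint from the page; client_id and redirect_uri are supplied by the caller
AUTH_ENDPOINT = "https://login.xecurify.com/moas/idp/openidsso"

def new_login_request(client_id, redirect_uri, scopes=("openid", "email", "profile"),
                      state=None, nonce=None):
    """Build the browser-redirect URL and the per-login values to keep server-side.

    state binds the callback to this browser session (defeats login CSRF);
    nonce is echoed inside the id_token so a replayed token can be detected later.
    Explicit state/nonce arguments exist only to make the output reproducible."""
    state = state or secrets.token_urlsafe(32)
    nonce = nonce or secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),   # encoded as openid+email+profile, as in the sample request
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", {"state": state, "nonce": nonce}

def handle_callback(callback_url, session):
    """Extract the authorization code from the redirect, but only if the state
    matches what this session issued. Returns the code; raises ValueError otherwise."""
    q = parse_qs(urlsplit(callback_url).query)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    expected = session.pop("state", None)   # single use: a second callback with this state is rejected
    state = q.get("state", [""])[0]
    if not expected or not secrets.compare_digest(state, expected):
        raise ValueError("state mismatch: callback is not bound to this session")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code
```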
     // Import the miniOrange API (copy all the JAR files into a lib folder and add them to the build path).
     // Step 1: Make a token request using the code and state parameters received on the redirect URI.

         String token = AuthServerRequest.sendTokenRequest(code, state);
     /**
     Example token JSON string:
     {"scope":"openid","expires_in":3600,"token_type":"bearer",
     "id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEifQ.eyJhdXRoX3RpbWUiOiJUaHUgQXBy
     IDE2IDEzOjA2OjE4IElTVCAyMDE1IiwiZXhwIjoxNDMwMTY5Nzc4LCJzdWIiOiJkZW1vQG1pbmlvcmFuZ2UuY28uaW4iLCJub25jZSI6IkJ1U1
     MxSjktZllmaDgwYmVDOVdwM2Vwc1BCdHRpLVdmS09xdGlmWnMxa0UiLCJhdF9oYXNoIjoiMmY2ZnlqWGRRUmdWVTl3IiwiYXVkIjpbIkFuemp4
     NFNmM2FWZTZnZyJdLCJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3QiLCJpYXQiOjE0MjkxNjk3Nzh9.P6VXffhTX9B62tjupP8tWdv9eYpXCBnDt
     ramHDDF2pYujcgNPntX1OrEieD1Uvswdk2qagOfm0HbfG3OtGa6xZ8Ixpqg7RDUusPRHFptcgSw9YlZtyv1CyIIh_eQ4yrfo2oHfwW-5aDIUO5
     tNmjoWrEK4NzR1fWYXRmL5eyu51o",
     "access_token":"2f6fyjXdQRgVU9w"}
     **/


     // Step 2: OPTIONAL (but recommended). Validate the id_token (signature and claims) on your side.
     <Your java code for validating id_token from the JWK set>

     // Step 3: Make a user_info request. access_token is the "access_token" value parsed from the JSON token string received in Step 1.

         String user_info = AuthServerRequest.sendUserInfoRequest(access_token);

     /**
     Example user info JSON:
     {"sub":"demo@miniorange.co.in","primaryPhone":"+917XXXXXXX",
     "email":"demo@miniorange.co.in","name":"Demo User","family_name":"User",
     "preferred_username":"demo@miniorange.co.in","given_name":"Demo"}
     **/

         return user_info; // Proceed with your login flow using the user_info attributes.

Getting Access Token and JWT Token

You need to make a POST request to the token endpoint.

[POST] https://login.xecurify.com/moas/rest/oauth/token
REQUEST PARAMETERS

    Parameter        Value
    grant_type       authorization_code
    client_id        <client-id-goes-here>
    client_secret    <client-secret-goes-here>
    redirect_url     <callback-URL-goes-here>
    code             <code-received-in-step1>

RESPONSE PARAMETERS

    Parameter        Value
    id_token         Contains the user attributes and a signature, which you must validate with the provided public certificate.
    access_token     Valid for 1 hour; can be used to access user info or other endpoints until it expires.

ID TOKEN

id_token contains the following JSON attributes:

    Field        Description
    iss          https URI that identifies the issuer
    sub          identifier of the user at the issuer
    aud          client_id of the requesting client
    nonce        the nonce parameter value received from the client
    exp          expiration time of this token
    iat          time when this token was issued
    auth_time    time the authentication happened
    at_hash      the first half of a hash of the access token

Verify JWT token and parse user details for SSO

On your callback endpoint, you can read and parse the JWT (the id_token) to obtain the user info. A JSON Web Token consists of three parts separated by dots, e.g. xxxx.yyyyyyyyyyyy.zzzzzz, which are:

(a). Header: Contains signature algorithm name used to sign the payload.

(b). Payload: Contains user attributes.

(c). Signature: Signature value of the payload, which you validate with the provider's certificate.

Payload in the JWT token contains the following attributes:

    Field    Description
    Email    Email of the user
    Phone    Contact number of the user
    Name     Full name of the user

You will need to download a certificate from App > Manage Apps by clicking the Certificate link against your configured application. This certificate is used to validate the signature of the JWT response.

Once you have the user info JSON, you can initiate your login by passing the email/username information to your local authentication functionality.
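An added example (not miniOrange's own code) of the id_token checks from this section and the ID TOKEN field table above, in standard-library Python: it rejects any header alg other than RS256, verifies the RS256 signature against the provider's RSA public key (taken here as the n/e pair of a JWK from the JWK set endpoint rather than the downloaded certificate), and then checks iss, aud, nonce, iat/exp and at_hash before trusting the claims. The issuer, client_id, nonce and token values are constructed inputs supplied by the caller.

```python
import base64, hashlib, json, time

# DER DigestInfo prefix for SHA-256 (RFC 8017 section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa_pkcs1_v15(digest, k):
    # EM = 0x00 || 0x01 || PS (0xff bytes) || 0x00 || DigestInfo, exactly k bytes long
    t = SHA256_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_rs256(signing_input, sig, n, e):
    # RSASSA-PKCS1-v1_5 verification with the JWK's public modulus n and exponent e
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    m = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return m == emsa_pkcs1_v15(hashlib.sha256(signing_input).digest(), k)

def validate_id_token(id_token, jwk, access_token, expected_nonce, issuer, client_id, now=None):
    """Return the id_token claims if signature and claims check out, else raise ValueError."""
    now = int(time.time()) if now is None else now
    h64, p64, s64 = id_token.split(".")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "RS256":          # reject 'none' and algorithm substitution
        raise ValueError("unexpected alg")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    if not verify_rs256(f"{h64}.{p64}".encode(), b64url_decode(s64), n, e):
        raise ValueError("bad signature")
    c = json.loads(b64url_decode(p64))
    aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    if c.get("iss") != issuer or client_id not in aud:
        raise ValueError("wrong issuer or audience")
    if c.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if not c.get("iat", 0) <= now < c.get("exp", 0):
        raise ValueError("token expired or not yet valid")
    # at_hash for RS256: base64url of the left half of SHA-256(access_token)
    if c.get("at_hash") != b64url_encode(hashlib.sha256(access_token.encode()).digest()[:16]):
        raise ValueError("at_hash does not match access_token")
    return c
```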


Endpoints Explained

  • Authorization Endpoint : The authorization endpoint is the only one where the end-user interacts with the OpenID Connect provider. The other endpoints handle direct back-channel requests from the client application.

  • Token Endpoint : The token endpoint authenticates the client application and lets it exchange the code received from the authorization endpoint for an ID token and access token.

  • Introspection Endpoint : Verifies whether a token is active and to which user that token is assigned.

  • Discovery Endpoint : Contains the URLs and metadata of all the endpoints mentioned above, including the path to the JSON Web Key (JWK) set.

  • Provider JWK Set Endpoint : Publishes the keys used to sign the id_token on the server side and to validate it on the client side.

  • SLO Endpoint : On a user logout event in the client application, send a browser redirect to the OpenID Connect single logout endpoint.