Overview
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows applications of all types, including web, mobile, and JavaScript applications, to request information about authenticated user sessions from the IdP.
If you wish to use a third-party client library, or to write your own client, you can use our endpoints directly to authenticate users on your website or application.
This page contains detailed information about the OpenID Connect endpoints that miniOrange exposes on its authorization servers.
For OAuth endpoints go to - https://developers.miniorange.com/docs/idp/api/oauth-api.
Endpoints
- Authorization Endpoint: https://login.xecurify.com/moas/idp/openidsso
- Token Endpoint: https://login.xecurify.com/moas/rest/oauth/token
- Introspection Endpoint: https://login.xecurify.com/moas/rest/oauth/introspect
- Discovery Endpoint: https://login.xecurify.com/moas/.well-known/openid-configuration
- JWK (JSON Web Key) Set Endpoint: https://login.xecurify.com/moas/.well-known/jwks
- Single Logout (SLO) Endpoint: https://login.xecurify.com/moas/idp/oidc/logout?post_logout_redirect_uri=<YOUR-APP-LOGOUT-URL>
Pre-requisites
- You need to create a free trial account with us (Go to https://idp.miniorange.com/signup/).
- You should have an account on the application where you want to enable single sign-on.
Steps to integrate miniOrange SSO API for OpenID Connect
You just need to make two calls:
[1]. One GET request to the Authorization endpoint.
[2]. One POST request to the Token endpoint to get the access_token and id_token (the id_token contains information about the end-user).
Then verify the JWT (the id_token) and parse the user information from it.
Authorization Request
You need to send a GET request to the authorization endpoint.
Create a REST service or similar on your application to handle the response from the Authorization Endpoint (for example, https://<your-domain>/rest/openidresponse).
[GET] https://login.xecurify.com/moas/idp/openidsso?
client_id=<client-id-goes-here>
&redirect_uri=<callback-url-goes-here>
&scope=openid/email/profile
&response_type=code
&state=<security_token>
SAMPLE REQUEST AND RESPONSE
Sample Request:
http://localhost:8080/moas/idp/openidsso?response_type=code&client_id=Anzjx4Sf3aVe6gg&
redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fsampleapp%2Foidcresponse&scope=openid+email+profile
&state=yAwL-57K10sIIpGeVO7nR7ZAnzdsj01uGothExyVpmo&nonce=ayLpTaFf-YzqtX3Jq_lTSKJmc7AUh5ELNwoIRs1XPmc
Sample Response:
code: kuwbrec8_sacca
state: yAwL-57K10sIIpGeVO7nR7ZAnzdsj01uGothExyVpmo
This request returns the code parameter after the user authenticates with their account credentials (authorization code grant).
REQUEST PARAMETERS
Parameter | Value |
---|---|
Request Type | GET (browser redirect) |
client_id | Client ID obtained from miniOrange |
redirect_uri | Callback URL of your application |
scope | openid / email / profile (scope of authorization or level of access) |
RESPONSE PARAMETERS
Parameter | Value |
---|---|
code | An authorization code that you exchange for tokens in the next API call. |
state | A value to be returned in the token. The client application can use it to remember the state of its interaction with the end-user at the time of the authentication call. |
//Import the miniOrange API (copy all the JAR files into a lib folder and add them to the build path)
//Step 1 : Make a token request using the code and state parameters received on the redirect URI.
String token = AuthServerRequest.sendTokenRequest(code, state);
/**
Example string token JSON :
{"scope":"openid","expires_in":3600,"token_type":"bearer",
"id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEifQ.eyJhdXRoX3RpbWUiOiJUaHUgQXBy
IDE2IDEzOjA2OjE4IElTVCAyMDE1IiwiZXhwIjoxNDMwMTY5Nzc4LCJzdWIiOiJkZW1vQG1pbmlvcmFuZ2UuY28uaW4iLCJub25jZSI6IkJ1U1
MxSjktZllmaDgwYmVDOVdwM2Vwc1BCdHRpLVdmS09xdGlmWnMxa0UiLCJhdF9oYXNoIjoiMmY2ZnlqWGRRUmdWVTl3IiwiYXVkIjpbIkFuemp4
NFNmM2FWZTZnZyJdLCJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3QiLCJpYXQiOjE0MjkxNjk3Nzh9.P6VXffhTX9B62tjupP8tWdv9eYpXCBnDt
ramHDDF2pYujcgNPntX1OrEieD1Uvswdk2qagOfm0HbfG3OtGa6xZ8Ixpqg7RDUusPRHFptcgSw9YlZtyv1CyIIh_eQ4yrfo2oHfwW-5aDIUO5
tNmjoWrEK4NzR1fWYXRmL5eyu51o",
"access_token":"2f6fyjXdQRgVU9w"}
**/
//Step 2 : OPTIONAL. Validate the id_token on your side (signature against the JWK set, then the iss, aud, exp and nonce claims).
// <Your Java code for validating id_token from the JWK set>
//Step 3 : Make a user_info request. Parse access_token out of the JSON string token received in Step 1.
// String access_token = <the "access_token" field parsed from the token JSON above>;
String user_info = AuthServerRequest.sendUserInfoRequest(access_token);
/**
Example user info JSON :
{"sub":"demo@miniorange.co.in","primaryPhone":"+917XXXXXXX",
"email":"demo@miniorange.co.in","name":"Demo User","family_name":"User",
"preferred_username":"demo@miniorange.co.in","given_name":"Demo"}
**/
return user_info; //Proceed with your login flow using the attributes in user_info.
Getting Access Token and JWT Token
You need to make a POST request to the token endpoint.
[POST] https://login.xecurify.com/moas/rest/oauth/token
REQUEST PARAMETERS
Parameter | Value |
---|---|
grant_type | authorization_code |
client_id | <client-id-goes-here> |
client_secret | <client-secret-goes-here> |
redirect_url | <callback-URL-goes-here> |
code | <code-received-in-step1> |
RESPONSE PARAMETERS
Parameter | Value |
---|---|
id_token | Contains the user attributes and a signature, which you must validate with the provided public certificate. |
access_token | Valid for 1 hour; it can be used to access the user info or other endpoints until it expires. |
ID TOKEN
id_token contains the following JSON attributes:
Field | Description |
---|---|
iss | https URI that indicates the issuer |
sub | identifier of the user at the issuer |
aud | client_id of the requesting client |
nonce | the nonce parameter value received from the client |
exp | expiration time of this token |
iat | time when this token was issued |
auth_time | time the authentication happened |
at_hash | the first half of a hash of the access token |
Verify JWT token and parse user details for SSO
On your callback endpoint, you can read and parse the JWT token (user info). A JSON Web Token (JWT) consists of three parts separated by dots (.), e.g. xxxx.yyyyyyyyyyyy.zzzzzz, which are:
(a). Header: Contains the name of the signature algorithm used to sign the payload.
(b). Payload: Contains the user attributes.
(c). Signature: Signature value of the payload.
Payload in the JWT token contains the following attributes:
Field | Description |
---|---|
Email | Email of the user |
Phone | Contact number of the user |
Name | Full name of the user |
You will need to download a certificate from App > Manage Apps by clicking the Certificate link against your configured application. This certificate is used for signature validation of the JWT response.
Once you have the user info JSON, you can initiate your login by passing the email/username information to your local authentication functionality.
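As an added example (not miniOrange's code, and separate from the Java sample above), this Python snippet shows the client-side checks that follow signature verification: comparing the state echoed to the callback against the stored value, and validating the id_token header and the claims listed in the ID TOKEN table (iss, aud, exp, nonce, at_hash). The issuer string and the `unsigned_jwt` fixture are assumptions for local testing; the RS256 signature itself must be verified against the JWK Set Endpoint with a JOSE library before these checks run.

```python
import base64, hashlib, hmac, json, time

ISSUER = "https://login.xecurify.com/moas"  # assumed; use the "issuer" value from the Discovery Endpoint

def b64url_decode(data: str) -> bytes:
    """Decode a base64url JWT segment (JWTs omit the '=' padding)."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def split_jwt(token: str):
    """Return (header, claims, signature) from the xxxx.yyyy.zzzz structure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three dot-separated parts")
    header, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
    return header, claims, b64url_decode(parts[2])

def expected_at_hash(access_token: str) -> str:
    """at_hash for RS256: base64url of the left-most 128 bits of SHA-256(access_token)."""
    return b64url_encode(hashlib.sha256(access_token.encode()).digest()[:16])

def state_matches(returned_state: str, stored_state: str) -> bool:
    # Constant-time compare of the state echoed to the redirect_uri with the value in the user's session.
    return hmac.compare_digest(returned_state.encode(), stored_state.encode())

def validate_id_token(token: str, *, access_token: str, client_id: str, nonce: str,
                      issuer: str = ISSUER, now=None, leeway: int = 60) -> dict:
    """Check header and claims; the RS256 signature must already be verified against the JWK set."""
    header, claims, _ = split_jwt(token)
    now = int(time.time()) if now is None else now
    if header.get("alg") != "RS256":  # never accept "none" or an alg the IdP does not advertise
        raise ValueError("unexpected alg")
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")  # the sample id_token carries aud as a one-element list
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not contain this client_id")
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("id_token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")), nonce):
        raise ValueError("nonce mismatch: token was not issued for this login attempt")
    if "at_hash" in claims and not hmac.compare_digest(str(claims["at_hash"]), expected_at_hash(access_token)):
        raise ValueError("at_hash does not match the access_token returned with it")
    return claims

def unsigned_jwt(header: dict, claims: dict) -> str:
    """Test fixture only: header.payload with a placeholder signature (real tokens arrive signed)."""
    return ".".join([b64url_encode(json.dumps(header).encode()), b64url_encode(json.dumps(claims).encode()), "c2ln"])
```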
Endpoints Explained
- Authorization Endpoint: The authorization endpoint is the only one where the end-user interacts with the OpenID Connect provider. The other endpoints handle direct back-channel requests from the client application.
- Token Endpoint: The token endpoint authenticates the client application and lets it exchange the code received from the authorization endpoint for an ID token and an access token.
- Introspection Endpoint: Verifies whether a token is active and to which user that token is assigned.
- Discovery Endpoint: Contains the URLs and metadata of all the endpoints mentioned above, including the path to the JWK set.
- Provider JWK Set Endpoint: The JWK endpoint publishes the keys used to sign the id_token on the server side and to validate it on the client side.
- SLO Endpoint: On a user logout event from the client application, send a browser redirect to the OpenID Connect single logout endpoint.