Versions Compared

Version Old Version 3 New Version Current
Changes made by

Antti Kallio

Antti Kallio

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Permalink: https://doc.oneportal.fi/x/DoCB

Click this button to view the example in Postman:

...

Requirements for the external service:

  • Has registered itself as a confidential OpenID Client in the onePortal service. It must have the clientid and clientsecret values.

  • The client configuration should have "Generate Access Token as a signed JWT" enabled. This adds more metadata into the access token itself, which the external service or the end user may read.

  • A onePortal administrator must enable Password Grant for this client.

  • The service must be able to receive the username and password values from its clients to use during access token generation.

  • The service will use the Bearer tokens for user authentication.

Pre-requirements:

  • Users of the external service have onePortal User accounts. They have an username and a password.

Step 1

The external service's users wish to use the external service. They need an access token. To do this, they will call the external service's login endpoint, and will give their current username and password in this request.

...

The example request shows the parameters and authentication needed to convert the username and password into an access token.

Request
Request
Code Block
title
POST /openid/token? HTTP/1.1
Host: {{oneportal-server}}
Content-Type: application/x-www-form-urlencoded
Authorization: Basic {{base64(client_id:client_secret)}}

grant_type=password&username={{username}}&password={{password}}


Response
Code Block
title
languagejsResponse
{
    "access_token": "eyJraWQiOiJTa....3yNlGaq574",
    "token_type": "Bearer",
    "expires_in": 604799,
    "refresh_token": "xCMj...foZ8"
}

...

The external service will now have to verify this access token. It can

  • Parse the access token, and verify the 'aud' value which should match the client_id (if the JWT option was selected in client configuration); this quick check verifies that the user's access token is indeed intended for this service and not for some other onePortal client, however it does not verify that the token is valid

  • Call the onePortal introspect API to verify that the access token is valid and active

The example request shows the parameters and authentication needed to perform the introspect call.

...

Introspect request
Code Block
POST /openid/introspect HTTP/1.1
Host: {{oneportal-server}}
Content-Type: application/x-www-form-urlencoded
Authorization: Basic {{base64(client_id:client_secret)}}

token=eyJra...fYDAQZthnKA&token_type_hint=access_token


Introspect response
Code Block
languagejstitleIntrospect response
{
    "active": true,
    "clientId": "2915...4846",
    "username": "user1234",
    "tokenType": "access_token",
    "exp": 1555758374,
    "sub": "58cfb...ec5f"
}

...