TIS Trivore ID publishes several paths for various purposes. This document is the canonical up-to-date central repository for that information.

It is important to have all paths documented, as load-balancers and web application firewalls require this information. All relevant path information is collected in the following table.


#

URI Path

Usage notes


General



/

The root path is normally redirected to Management UI path /ui, but could be redirected to some other address, too. If redirection is done, then the target is most often the company web home page.


/ui

General public WebUI access path for all organisations. The Management UI resides here. Access to the Management UI can be restricted by source IP address, allowing it only from selected sources.


/api/rest/v1

Version 1 of the general REST API. Organisation information must be present in the credentials (user_account_sign-in_name@namespaceCode). Access to the REST API should normally be public, but may be limited to certain public source addresses.


/apidoc

OpenAPI (Swagger and ReDoc) documentation for the API at path /api/rest/v1.


/ui?ns={nsCode}

Optional namespace-private WebUI sign-in access path for namespace {nsCode}. If enabled, this access should normally be public.

These alternate paths lead directly to the desired sign-in display style for the desired organisation. Optional parameter example: /ui?ns=trivore-corp





OpenID Connect

The paths below are related to OAuth 2.0 and OpenID Connect 1.0.


/.well-known/openid-configuration

This is the OpenID Connect 1.0 service discovery metadata path.


/openid

This is the root path for all OpenID Connect and OAuth functionality. Sub-paths are described in the image on page "OpenID Connect".


/openid/register

Dynamically register a client.


/openid/jwks.json

JWT signature keys


/openid/auth

Request user credentials and consent


/openid/token

Perform OAuth flow to obtain id_token, access_token, and refresh_token (variations exist)


/openid/userinfo

Get additional user attributes with access token


/openid/logout

Sign out from the Relying Party (i.e. sign out from a single service), and optionally also from OT (single sign-out from all services).


/openid/logout

Revoke user credentials. This forces a new, mandatory sign-in.
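A relying party that integrates against the OpenID Connect paths above should check the discovery document it fetches from /.well-known/openid-configuration against the endpoints this table publishes. The following is an added example, not Trivore ID code: it uses the standard OpenID Connect Discovery field names, assumes a constructed issuer https://id.example.com, and reports any endpoint that is missing, served over plain http, hosted elsewhere than the issuer, or published at a path other than the one listed above.

```python
"""Added example: check an OIDC discovery document against the paths in the table.

This is not Trivore ID code. Field names are the standard OpenID Connect
Discovery metadata names; the issuer and sample documents are constructed.
"""
import json
from urllib.parse import urlsplit

# Discovery field -> path the table above says this provider publishes
EXPECTED_PATHS = {
    "authorization_endpoint": "/openid/auth",
    "token_endpoint": "/openid/token",
    "userinfo_endpoint": "/openid/userinfo",
    "jwks_uri": "/openid/jwks.json",
    "registration_endpoint": "/openid/register",
    "end_session_endpoint": "/openid/logout",
}


def discovery_url(issuer):
    """Where a client fetches the metadata: the root-level well-known path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_metadata(metadata_json, issuer):
    """Return a list of findings; an empty list means the document is consistent.

    A relying party should pin the issuer it expects and refuse a document whose
    endpoints point anywhere else (or over plain http), because tokens, keys and
    credentials would otherwise be exchanged with that other location.
    """
    meta = json.loads(metadata_json)
    expected = urlsplit(issuer)
    findings = []
    if expected.scheme != "https":
        findings.append("configured issuer is not https")
    if meta.get("issuer") != issuer:
        findings.append("issuer claim %r does not match %r" % (meta.get("issuer"), issuer))
    for field, path in EXPECTED_PATHS.items():
        url = meta.get(field)
        if url is None:
            findings.append("missing %s" % field)
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append("%s is not https: %s" % (field, url))
        if parts.netloc != expected.netloc:
            findings.append("%s points off-host: %s" % (field, url))
        if parts.path != path:
            findings.append("%s path is %s, expected %s" % (field, parts.path, path))
    return findings


ISSUER = "https://id.example.com"  # constructed issuer for the sample documents


def _doc(**overrides):
    """Build a constructed discovery document with every expected endpoint."""
    base = {"issuer": ISSUER, "response_types_supported": ["code"]}
    for field, path in EXPECTED_PATHS.items():
        base[field] = ISSUER + path
    base.update(overrides)
    return json.dumps(base)


GOOD_METADATA = _doc()
# Two deliberate inconsistencies: token endpoint on another host, JWKS over http.
BAD_METADATA = _doc(token_endpoint="https://other.example.net/openid/token",
                    jwks_uri="http://id.example.com/openid/jwks.json")

if __name__ == "__main__":
    print(discovery_url(ISSUER))
    print("good:", check_metadata(GOOD_METADATA, ISSUER))
    print("bad:", check_metadata(BAD_METADATA, ISSUER))
```

Run the check once at integration time and again whenever the cached document is refreshed; a non-empty findings list should stop the client from using the document rather than merely being logged.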





Base functions and integrations

The paths below enable some very important, in practice mandatory, use cases.


/resetPassword

Process for a forgotten password, or lost access to 2FA credentials. Optional parameter examples after /resetPassword?:

  • ns=namespacecode

  • username=my.email@example.com

  • lu=https://sign-in.example.com

  • ns=company&username=my.email@example.com


/changePassword

Process to change the current user account password.

Optional parameter examples after /changePassword?:

  • ns=namespacecode

  • username=my.email@example.com

/manage2FA

FUTURE

Process to manage one’s personal 2FA functionality (SMS and TOTP) on a custom embeddable user interface.

Optional parameter examples after /manage2FA?:

  • ns=namespacecode

  • username=my.email@example.com

  • ns=company&username=my.email@example.com

/verifyemail

Used for email address verification. Example path:

/verifyemail?ui=5a6ad3327aad9804bb..&ru=https%3A%2F%2Fid.t5.fi
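The lu= parameter on /resetPassword and the ru= parameter on /verifyemail both carry a URL the user is sent back to afterwards, so the service (or a WAF in front of it) must only honour values that point at known hosts. The following is an added example, not Trivore ID code: the allow-list is an assumption built from the example values on this page, the request targets are constructed, and the rules (absolute https only, no userinfo in the authority, default port, exact host match) are a generic return-URL check rather than the product's own logic.

```python
"""Added example: validate the lu= / ru= return-URL parameters before redirecting.

Not Trivore ID code. The host allow-list is an assumption built from the
example values on this page; the request targets are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Hosts the service is allowed to send the user back to (assumed).
ALLOWED_RETURN_HOSTS = {"sign-in.example.com", "id.t5.fi"}
RETURN_PARAMS = ("lu", "ru")


def is_safe_return_url(value):
    """Accept only absolute https URLs whose host is on the allow-list.

    Rejects relative and scheme-relative values, plain http, userinfo in the
    authority (which makes the real host hard to see), unexpected ports and
    any host that merely starts with or contains an allowed name.
    """
    parts = urlsplit(value)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    # .hostname is already lower-cased, so the comparison is case-insensitive
    return parts.hostname in ALLOWED_RETURN_HOSTS


def extract_return_url(request_target):
    """Return the percent-decoded lu= or ru= value from a request target, or None."""
    query = parse_qs(urlsplit(request_target).query)
    for key in RETURN_PARAMS:
        if key in query:
            return query[key][0]
    return None


def resolve_return_url(request_target, default="/ui"):
    """Where to send the user afterwards: the supplied URL if safe, else the default."""
    candidate = extract_return_url(request_target)
    if candidate is not None and is_safe_return_url(candidate):
        return candidate
    return default


# Constructed request targets (the first two mirror examples on this page).
SAMPLES = [
    "/verifyemail?ui=5a6ad3327aad9804bb..&ru=https%3A%2F%2Fid.t5.fi",
    "/resetPassword?ns=company&lu=https://sign-in.example.com",
    "/resetPassword?lu=http://sign-in.example.com",
    "/resetPassword?lu=//id.t5.fi/",
    "/resetPassword?lu=https://sign-in.example.com.example.org/",
    "/resetPassword?lu=https://id.t5.fi@example.org/",
    "/changePassword?ns=company",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(target, "->", resolve_return_url(target))
```

Falling back to a fixed default such as /ui, rather than to whatever was supplied, is the point: a rejected value never reaches a Location header.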


/implicit/callback

Redirect URI; technical use


/saml/idpselect

SAML information. If no SAML user directories have been enabled, the answer page is fairly empty.


/openid/strongidentification?successRedirectUri={URI}&failureRedirectUri={URI}&access_token={token}

Initiate strong identification (such as suomi.fi) for the currently signed-in user account


/api/suomi.fi/valtuudet/hpa

Initiate acting on behalf of a natural person at suomi.fi-valtuudet; strong identification is required, and if there is no current session, one is initiated


/api/suomi.fi/valtuudet/ypa

Initiate acting on behalf of a legal entity at suomi.fi-valtuudet; strong identification is required, and if there is no current session, one is initiated


/rp/suomi.fi-valtuudet/callback

Callback path when returning from the suomi.fi-valtuudet service





Diagnostics and monitoring


/alive

Simple service availability check on each server node. This path is mostly for load-balancers. The normal answer is "Yes, I am alive." with HTTP 200.


/diagnostic.jsp

HTTP header diagnostic information. Disabled by default.





Miscellaneous UI paths

The paths below enable some use cases. Using any of them is not mandatory in any way.


/#!accounts/new

Add a new user account. This path is available for user accounts with the role Account Admin. Works only when signed in to the web user interface.


/#!accounts/{username}

Edit the user account with sign-in username {username}. This path is available for user accounts with the role Account Admin. Works only when signed in to the web user interface.


/?restartApplication

Restart the application to force the browser and application back into sync. For troubleshooting only, not for general use.





Miscellaneous service paths


/dlr

SMS delivery notifications. This is for tracking the delivery of text messages sent out.


/VAADIN

All Vaadin framework resources used by TIS Trivore ID. This is a fixed path and mandatory for the web user interface to work.




Some information may be available in more than one format. This applies to the /info/ access paths. Other formats are selected by appending “?format={json|xml|text}” to the end of the URI, choosing one of json, xml, or text; for plain text, add “?format=text”. JSON is the default data representation format.
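The introduction states that load-balancers and web application firewalls need this path list; the table is what such a rule set is built from. The following is an added example, not Trivore ID code or configuration: it turns the table into a longest-prefix policy and runs constructed access-log lines through it. The exposure classes (public, restricted, internal, disabled) and the source-address allow-lists are assumptions for illustration, drawn from the usage notes that say the Management UI may be limited per source IP, /alive is for load-balancers, and /diagnostic.jsp is disabled by default; everything not in the table is denied.

```python
"""Added example: audit access-log lines against the path table above.

Nothing here is Trivore ID code. The exposure classes and the source-address
allow-lists are assumptions for illustration; the prefixes come from the table.
"""
import ipaddress
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Exposure assumed for each published prefix (longest matching prefix wins):
#   public      reachable from anywhere
#   restricted  allowed only from ADMIN_SOURCES (per-source-IP limit on /ui)
#   internal    only for load-balancer / monitoring addresses (/alive)
#   disabled    must never be reachable (/diagnostic.jsp is disabled by default)
PATH_POLICY = {
    "/": "public",
    "/ui": "restricted",
    "/api/rest/v1": "public",
    "/apidoc": "public",
    "/.well-known/openid-configuration": "public",
    "/openid": "public",
    "/resetPassword": "public",
    "/changePassword": "public",
    "/manage2FA": "public",
    "/verifyemail": "public",
    "/implicit/callback": "public",
    "/saml/idpselect": "public",
    "/api/suomi.fi/valtuudet": "public",
    "/rp/suomi.fi-valtuudet/callback": "public",
    "/alive": "internal",
    "/diagnostic.jsp": "disabled",
    "/dlr": "public",
    "/VAADIN": "public",
}

# Constructed example networks, not real deployment values.
ADMIN_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
MONITOR_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]

# Common log format: client, ident, user, [time], "method target protocol", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def normalise(target):
    """Strip query/fragment, percent-decode and collapse dot segments so that
    '/ui/../diagnostic.jsp' is judged as '/diagnostic.jsp'."""
    path = unquote(urlsplit(target).path) or "/"
    return posixpath.normpath(path)


def classify(path):
    """Longest-prefix match on segment boundaries; '/' matches only itself."""
    for prefix in sorted(PATH_POLICY, key=len, reverse=True):
        if path == prefix or (prefix != "/" and path.startswith(prefix + "/")):
            return prefix, PATH_POLICY[prefix]
    return None, "unknown"


def decide(src_ip, target):
    """Return 'allow' or 'deny' for one request, the way a WAF rule set would."""
    ip = ipaddress.ip_address(src_ip)
    _prefix, exposure = classify(normalise(target))
    if exposure == "public":
        return "allow"
    if exposure == "restricted":
        return "allow" if any(ip in net for net in ADMIN_SOURCES) else "deny"
    if exposure == "internal":
        return "allow" if any(ip in net for net in MONITOR_SOURCES) else "deny"
    return "deny"  # disabled, or not in the table: fail closed


def audit(log_lines):
    """Parse common-log-format lines and return (ip, normalised path, decision)."""
    results = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real audit would count these
        ip, _method, target, _status = m.groups()
        results.append((ip, normalise(target), decide(ip, target)))
    return results


# Constructed sample log lines.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /ui?ns=trivore-corp HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Oct/2024:13:55:37 +0000] "GET /ui HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Oct/2024:13:55:38 +0000] "POST /openid/token HTTP/1.1" 200 900',
    '10.0.0.5 - - [10/Oct/2024:13:55:39 +0000] "GET /alive HTTP/1.1" 200 16',
    '198.51.100.9 - - [10/Oct/2024:13:55:40 +0000] "GET /ui/../diagnostic.jsp HTTP/1.1" 404 0',
    '198.51.100.9 - - [10/Oct/2024:13:55:41 +0000] "GET /uix HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```

Two details matter when translating this into a real rule set: match on segment boundaries so that /uix is not treated as /ui, and normalise the path before matching so a dot-segment does not reclassify a request. Paths such as /#!accounts/new never reach the server (the fragment stays in the browser), which is why the policy only needs the root entry for them.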