URI Access Paths

Trivore ID publishes several paths for various purposes. This document is the canonical up-to-date central repository for that information.

It is important to have all paths documented, as load balancers and web application firewalls require this information. All relevant path information is collected in the following table.



#

URI Path

Usage notes




General





/

The root path is normally redirected to the Management UI path /ui, but could be redirected to some other address, too. If redirection is done, then the target is most often the company web home page.



/ui

General public WebUI access path for all organisations. The Management UI resides here. Access to the Management UI can be blocked by source IP address and allowed only from selected sources.



/api/rest/v1

Version 1 of general REST API access. Organisation information must be present in credentials (user_account_sign-in_name@namespaceCode). Access to REST API should normally be public, but may be limited to certain public source addresses.



/apidoc

OpenAPI (Swagger and ReDoc) documentation for the API at path /api/rest/v1



/ui?ns={nsCode}

Optional Namespace private WebUI sign-in access path for namespace {nsCode}. If enabled, this access should normally be public.

The alternate paths lead directly to the desired sign-in display style for the desired organisation. Optional parameter example: /ui?ns=trivore-corp









OpenID Connect

The paths below are related to OAuth 2.0 and OpenID Connect 1.0.



/.well-known/openid-configuration

This is the OpenID Connect 1.0 service discovery metadata path.



/openid

This is the root path for all OpenID Connect and OAuth functionality. Sub-paths are described in the image on page "OpenID Connect".



/openid/register

Dynamically register the client



/openid/jwks.json

JWT signature keys



/openid/auth

Request user credentials and consent



/openid/token

Perform OAuth flow to obtain id_token, access_token, and refresh_token (variations exist)



/openid/userinfo

Get additional user attributes with access token



/openid/logout

Sign-out from the Relying Party (a.k.a. sign-out from a single service), and optionally also from OT (this is also known as single sign-out from all services).



/openid/logout

Revoke user credentials. This invokes a mandatory sign-in.









Base functions and integrations

Paths below enable some very important and in practice mandatory use cases.



/resetPassword

Process for forgotten password, or lost access to 2FA credentials. Optional parameter examples after /resetPassword?:

  • ns=namespacecode

  • username=my.email@example.com

  • lu=https://sign-in.example.com

  • ns=company&username=my.email@example.com



/changePassword

Process to change current user account password.

Optional parameter examples after /changePassword?:

  • ns=namespacecode

  • username=my.email@example.com



/verifyemail

Used for email address verification. Example path is as follows:

/verifyemail?ui=5a6ad3327aad9804bb..&ru=https%3A%2F%2Fid.t5.fi



/implicit/callback

Redirect URI; technical use



/saml/idpselect

SAML information. If no SAML user directories have been enabled, the answer page is pretty empty.



/openid/strongidentification?successRedirectUri={URI}&failureRedirectUri={URI}&access_token={token}

Initiate strong identification (such as suomi.fi) for the currently signed-in user account



/api/suomi.fi/valtuudet/hpa

Initiate acting on behalf of a natural person at suomi.fi-valtuudet; strong identification is required, and if there is no current session, one is initiated



/api/suomi.fi/valtuudet/ypa

Initiate acting on behalf of a legal entity at suomi.fi-valtuudet; strong identification is required, and if there is no current session, one is initiated



/rp/suomi.fi-valtuudet/callback

Callback path when returning from suomi.fi-valtuudet service









Diagnostics and monitoring





/alive

Simple service availability diagnosis on each server node. This path is mostly for load-balancers. Normal answer is "Yes, I am alive." with HTTP 200.



/diagnostic.jsp

HTTP header diagnostic information. Disabled by default.









Miscellaneous UI paths

The paths below enable some use cases. Using any of them is not mandatory in any way.



/#!accounts/new

Add new user account. This path is available for user accounts with role Account Admin. Obviously works only when signed in on web user interface.



/#!accounts/{username}

Edit user account with sign in username {username}. This path is available for user accounts with role Account Admin. Obviously works only when signed in on web user interface.



/?restartApplication

Restart the application to enforce synchronising browser and application. Troubleshooting usage only, not for general usage.









Miscellaneous service paths





/dlr

SMS delivery notifications. This is for tracking the delivery of text messages sent out.



/VAADIN

All Vaadin framework resources used by Trivore ID. This is a fixed path and mandatory for the web user interface to work.







Some information might be available in more than one format. This applies to the /info/ access paths. Other formats are selected by appending “?format={json|xml|text}” to the end of the URI, choosing one of json, xml, or text; for plain text, append “?format=text”. JSON is the default data representation format.
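
As an added example (not Trivore's code or configuration), the Python below expresses the path table as the allowlist a load balancer or WAF rule set needs, normalising the request target before matching so that encoded or dot-segment paths cannot reach a restricted path through a public prefix. The exact/prefix match types, the public/admin split and the 192.0.2.0/24 admin range are assumptions of this example.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Assumption: sources allowed to reach restricted paths (documentation range).
ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Paths from the table above; match type and public/admin split are assumptions.
EXACT = {p: "public" for p in (
    "/", "/.well-known/openid-configuration", "/resetPassword",
    "/changePassword", "/verifyemail", "/implicit/callback", "/saml/idpselect",
    "/api/suomi.fi/valtuudet/hpa", "/api/suomi.fi/valtuudet/ypa",
    "/rp/suomi.fi-valtuudet/callback", "/alive")}
EXACT["/diagnostic.jsp"] = "admin"      # disabled by default in the product
PREFIX = {
    "/ui": "admin",   # path-only matching also covers /ui?ns={nsCode} sign-in
    "/api/rest/v1": "public", "/apidoc": "public", "/openid": "public",
    "/dlr": "public", "/VAADIN": "public",
}

def normalise(target):
    """Return the canonical path of a request target, or None if ambiguous."""
    path = unquote(target.split("#", 1)[0].split("?", 1)[0])
    if "%" in path or "\\" in path or not path.startswith("/"):
        return None   # double-encoded or malformed: refuse rather than guess
    return posixpath.normpath("/" + path.lstrip("/"))

def decide(target, source_ip):
    """Return 'allow' or 'deny' for a request target and client address."""
    path = normalise(target)
    if path is None:
        return "deny"
    policy = EXACT.get(path)
    if policy is None:
        for prefix, prefix_policy in PREFIX.items():
            # Match on a segment boundary so /openidx does not match /openid.
            if path == prefix or path.startswith(prefix + "/"):
                policy = prefix_policy
                break
    if policy == "public":
        return "allow"
    if policy == "admin":
        ip = ipaddress.ip_address(source_ip)
        return "allow" if any(ip in net for net in ADMIN_NETS) else "deny"
    return "deny"     # path not listed in the table
```

The /#!accounts/... entries are URL fragments, which browsers do not send to the server, so a proxy sees those requests as the path /.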