# OAUTH 2.0 information

The Signicat identity broker supports the most commonly used OAUTH 2.0 flows: Authorisation Code Grant and Grant.

# Authorisation Code grant flow

The Authorisation Code grant type is used by clients to exchange an authorisation code for an access token. See https://oauth.net/2/grant-types/authorization-code/ (opens new window) for a detailed description of the flow.\

Example of authorisation request

<base_url>/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=code&scope=<scope>
ID Value Description
client_id Unique identifier Identifies the client at the Signicat Identity Broker. This must be agreed upon between your service and Signicat before starting the integration.
redirect_uri URL The URL on your service that will receive the response.
response_type "code" This value must be set to "code" to retrieve an Authorisation Token.
scope Optional field Via some OAuth servers, the client can specify the scope of the request.

Example of authorisation response

<redirect_uri>?code=<authorization_token>

Before the <authorisation_token> is sent, the user must first authenticate themselves via an identity provider.

# Example messages for Access Token endpoint

Access Token request (POST method)

<base_url>/access_token?client_id=<client_id>&client_secret=<client_secret>&grant_type=authorization_code&code=<code>&redirect_uri=<redirect_uri>

The parameters should be send in the request body with Content-Type header: application/x-www-form-urlencoded.

ID Value Description
client_id Unique identifier Identifies the client at the Signicat Identity Broker. This must be agreed upon between your service and Signicat before starting the integration.
redirect_uri URL The URL on your service that will receive the response.
grant_type "authorisation_code" Must be set to this value to receive an Access Token.
client_secret Unique identifier A secret key agreed upon between your service and the Signicat Identity Broker.
code Unique identifier This is the Authorisation Token returned by the Signicat Identity Broker from the authorisation endpoint.

Access Token response (JSON format)

{
  "access_token":"<access_token>",
  "token_type":"bearer",
  "expires_in":3600,
  "refresh_token":"<refresh_token>",
}

ID Value Description
access_token Unique identifier The Access Token returned by the Signicat Identity Broker.
token_type "Bearer"
expires_in Integer Defines the time (in seconds) when the Access Token will expire.
refresh_token Unique identifier The Refresh Token returned by the Signicat Identity Broker.

# Example messages for user info endpoint

User info request (GET method)

<base_url>/<access_token>

User Info response (JSON format)

{ "nameId": "<some_name>",
    "userAttributes" :
    [
        "name": ["<attribute_value1>", <attribute_value2>, ...],
    ]
}

# Implicit grant flow

This flow can be used by applications running in the browser that cannot securely store a shared secret. In this case, the access token is directly returned upon user authentication and authorisation.

See https://oauth.net/2/grant-types/implicit/ (opens new window) for a detailed description of the flow.

# Example messages for Authorisation endpoint

Authorisation request

<base_url>/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=token&scope=<scope>&state=<state>
ID Value Description
client_id Unique identifier Identifies the client at the Signicat Identity Broker. This must be agreed upon between your service and Signicat before starting the integration.
redirect_uri URL The URL on your application that will receive the response.
response_type "Token" This value must be set to "token" to retrieve an Access Token.
scope Optional field At some OAuth servers, the client can specify the scope of the request.
state

Recommended unique identifier

An opaque value used by the client to prevent cross-site request forgery.

Authorisation response

<redirect_uri>?code=<access_token>&state=<state>&token_type=bearer&expires_in=<expires_in>
ID Value Description
access_token Unique identifier The Access Token returned by the Signicat identity broker.
state Unique identifier The same value as sent in the request.
token_type “Bearer”
expires_in Integer

Defines the time (usually in seconds) when the Access Token will expire.

Last updated: 9/20/23, 12:13:17 PM UTC