11719 views June 9, 2017 May 11, 2020 9

The following endpoint URLs are available for communicating with the OpenID Connect provider through Signicat.


The Authorization Endpoint performs authentication of the end-user. Authentication is done using the request parameters listed below:

  • scope: Required. The OpenID scope value specifies the behavior.
  • response_type: Required. The Response Type value determines the authorization processing flow to be used, including what parameters are returned from the endpoints used. When using the Authorization Code Flow, this value is “code”.
  • client_id: Required. Client Identifier valid at the Authorization Server.
  • redirect_uri: Required. Redirection URI to which the response will be sent. This URI must exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider. When using the Authorization Code Flow, the https scheme should be used (http may be used).
  • state: Required. Opaque value used to maintain state between the request and the callback.
  • nonce: Optional. String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
  • prompt: Optional. Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the end-user for re-authentication and consent. The values are:
    • none: The Authorization Server must not display any authentication or consent user interface pages. An error is returned if and end-user is not already authenticated or the Client does not have a pre-configured consent for the requested Claims, or does not fulfill other conditions for processing the request. Examples of error codes; login_required or interaction_required.
    • login: The Authorization Server should prompt the end-user for re-authentication. If it cannot re-authenticate the end-user, it must return an error typically login_required.
    • consent: The Authorization Server should prompt the end-user for consent before returning information to the Client. If consent is not obtained, it must return an error, typically consent_required.
    • select_account: The Authorization Server should prompt the end-user to select a user account. This enables an end-user who has multiple accounts at the Authorization Server to select among the multiple accounts that they might have current sessions for. If the selected account can’t be obtained, it must return an error, typically account_selection_required.
  • max_age: Optional. Maximum Authentication Age specifies the allowable elapsed time in seconds since the last time the end-user was actively authenticated.
  • ui_locales: Optional. The end-user’s preferred languages and scripts for the user interface as a space-separated list (for instance: “fr en”).
  • id_token_hint: Optional. ID Token previously issued by the Authorization Server being passed as a hint about the end-user’s current or past authenticated session with the client.
  • login_hint:  Optional. Hint to the Authorization Server about the login identifier the end-user might use to log in. Note that each attribute requires its own login hint. These need to be specified in the request using the format in the example Authorization Request below. Please contact Signicat to get the correct values of hints for a particular authentication method.
  • acr_values:  Optional. Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing the Authentication Requested. The full name of these values will depend on your configuration, but the format is urn:signicat:oidc:method:<name-of-method> for methods and urn:signicat:oidc:portal:<name-of-portal> for portals.
  • signicat_profile: The graphical profile to use for this request. Please contact Signicat for the list of possible values for your Client.
  • request: Used for providing the authorization request parameters to Signicat in the form of a signed and/or encrypted JWT, to prevent the theft or modification of sensitive parameters.


Example Authorization Request

GET /oidc/authorize?
    &scope=openid profile email


To obtain an Access Token, an ID Token, and optionally a Refresh Token, the Client sends a Token request to the Token Endpoint to obtain a Token Response.

Example Token Request
POST /oidc/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic czZCaGRSa3FOMzpnWDFmQmFOM2JW
Example Token Response
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
    "access_token": SIAV32hkKG
    "token_type": "Bearer",
    "refresh_token": "8xLOxBtZ8",
    "expires_in": 3600,
    "id_token": "eyJ ... zcifQ.ewo ... NzAKfQ.ggW8h ... Mzqg"


To obtain the requested Claims from the UserInfo Endpoint, the Client makes a request using an Access Token obtained through OpenID Connect Authentication.

Example UserInfo Request
POST /oidc/userinfo HTTP/1.1
Accept: application/json
Authorization: Bearer fAAdL01c6QWDbPs9HrWHz5e7nRWVAnxqTTP7i88G

Example UserInfo Response for Valid Access Token

Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
    "sub": "bob"
    "groupIDs": ["bobsdepartment","administrators"],
    "given_name": "Bob",
    "name": "Bob Smith",
    "email": "",
    "phone_number": "+1 (604) 55-555-66-777",
    "address": {"formatted": "123 Main St., Anytown, TX 77777"},
    "picture": ""

Was this helpful?