link

# Finalise operation

# OIDC

click-to-zoom

Requests Responses Notes
GET <COMPLETE_URL> AUTHORIZATION_CODE Signicat's server sends an authorisation code (including other information) by redirecting the customer's app to the CUSTOMER_CALLBACK_URL.

The customer's backend then needs to verify that it was the client who initiated the authentication process, by using the data it received from Signicat's server (especially comparing the state information)
POST <SIGNICAT_TOKEN_ENDPOINT> HTTP/1.1 Content-Type: application/json Authorization: Basic <CUSTOMER_BASIC_AUTH_HEADER> #body client_id=<CUSTOMER_CLIENT_ID>& redirect_uri=<CUSTOMER_CALLBACK_URL>& grant_type=authorization_code& code=<AUTHORIZATION_CODE> { "access_token": "<ACCESS_TOKEN>", "token_type": "Bearer", ... } Authorisation code is exchanged for access token
GET <SIGNICAT_USERINFO_ENDPOINT> HTTP/1.1 Content-Type: application/json Authorization: Bearer <ACCESS_TOKEN> { "deviceId": "<DEVICE_ID>" ... } deviceId is retrieved from Signicat

# SAML

Requests Responses Notes
GET <COMPLETE_URL> { "SAMLResponse": "PFJlc3BvbnNlIHh....", "target": "https://www.signicat.com" } The customer's server (as specified in the CUSTOMER_REDIRECT_URL) receives a SAML response from Signicat. The SAML response contains only attributes about the device.

The most important attribute is the deviceId that can be found as signicat.unique-id.

An example deviceId is saml.attribute.signicat.unique-id = e7dcff4bf4544c9f9e387d507c3630a5.

The SAML response will need to be verified.

# Further reading

Last updated: 8/9/2021, 1:34:03 PM