OAuth 2.0 endpoints
Endpoints provide OAuth clients the ability to communicate with the OAuth server or authorization server within a definition. All endpoints can be accessed through URLs. The syntax of the URLs is specific to the purpose of the access.
API protection definition naming follows standard Advanced Access Control naming convention.
https://<hostname:port>/<junction>/sps/oauth/oauth20
For example:
https://server.oauth.com/mga/sps/oauth/oauth20
The following table describes the endpoints used in an API protection definition. There is only a single set of endpoints. Not all authorization grant types use all three endpoints in a single OAuth 2.0 flow.
Endpoint name Description Example Authorization endpoint An authorization URL where the resource owner grants authorization to the OAuth client to access the protected resource. https://server.oauth.com/mga/sps/oauth/oauth20/authorize Token endpoint Token request URL where the OAuth client exchanges an authorization grant for an access token and an optional refresh token. https://server.oauth.com/mga/sps/oauth/oauth20/token Clients manager endpoint A URL for resource owners to manage their trusted clients. The resource owner can use the clients manager endpoint to access and modify the list of clients that are authorized to access the protected resource. The trusted clients manager shows the client name and permitted scope of an authorized client. The list does not show clients that are disabled or deleted from the definition. The resource owner can optionally remove trusted client information from the list. In doing so, the resource owner is prompted for consent to authorize the next time the OAuth client attempts to access the protected resource.
https://server.oauth.com/mga/sps/oauth/oauth20/clients Session endpoint A URL where an access_token can be exchanged for a web session. The client uses the endpoint to obtain an authenticated web session for the resource owner that is typically used in hybrid mobile application scenarios. The session endpoint is disabled by default and can be enabled using advanced configuration. The client must send a POST request with the access_token in the body. POST /mga/sps/oauth/oauth20/session HTTP/1.1Host: server.oauth.com
Content-Type: application/x-www-form-urlencoded
access_token=abc123...https://server.oauth.com/mga/sps/oauth/oauth20/session Authorization grant management endpoint A URL where we can view your authorization grants and the tokens and attributes of each authorization grant.
http://server.oauth.com/mga/sps/mga/user/mgmt/html/device/device_selection.html Logout endpoint A URL where we can end a session by revoking an access_token. The token must be provided in the Authorization header or a session cookie must be used. http://server.oauth.com/mga/sps/oauth/oauth20/logout Introspect endpoint A URL where an access_token can be inspected by an oauth_client. For more details, see OAuth introspection. The introspect endpoint is disabled by default and can be enabled using the advanced configuration. https://server.oauth.com/mga/sps/oauth/oauth20/introspect Revocation endpoint A URL where we can revoke OAuth tokens issued to a client. For more details, see OAuth revocation endpoint. https://server.oauth.com/mga/sps/oauth/oauth20/revoke Metadata endpoint Final portion of URL is a path parameter that is the name of your API Protection definition. Template file available: <locale>/oauth20/metadata.json
If a custom template is needed per definition use:
<Locale>/oauth20/<Your_API_Definition_Name>/metadata.json
Example:
{"issuer":"https://mywebseal.com",
"authorization_endpoint":"https://mywebseal.com/sps/oauth/oauth20/authorize",
"token_endpoint":"htps://mywebseal.com/sps/oauth/oauth20/token",
"userinfo_endpoint":"https://mywebseal.com/sps/oauth/oauth20/userinfo",
"jwks_uri":"http://mywebseal.com/sps/oauth/oauth20/jwks/testDef",
"response_types_supported":["token","id_token","token id_token","code"],
"response_modes_supported":["fragment","form_post"],
"grant_types_supported":"implicit","password","authorization_code"],
"id_token_signing_alg_values_supported:["RS256"],
"introspect_endpoint":"https://mywebseal.com/sps/oauth/oauth20/introspect",
"revocation_endpoint":"https://mywebseal.com/sps/oauth/oauth20/revoke"}
https://server.oauth.com/mga/sps/oauth/oauth20/metadata/<Definition_Name> Userinfo Endpoint The Userinfo endpoint is an OAuth 2.0 protected resource that returns claims about the authenticated end-user. These claims are normally represented by a JSON object that contains a collection of name and value pairs for each claim. For more info, see http://openid.net/specs/openid-connect-core-1_0.html#UserInfo https://server.oauth.com/mga/sps/oauth/oauth20/userinfo JWKS Uri The URL of the JSON Web Key (JWK) Set document for the OpenID Provider. This data contains the signing key (or keys) the Relying Party uses to validate signatures from the OpenID Provider. Optionally, the JWK Set can contain the Server's encryption key (or keys), which Relying Parties use to encrypt requests to the Server. https://server.oauth.com/mga/sps/oauth/oauth20/jwks/<Definition_Name> Client Registration Endpoint The Client Registration Endpoint where an application can request a clientId in order to make OAuth/OIDC requests. This is also the endpoint to retrieve a registered client's definition, or delete it. https://server.oauth.com/mga/sps/oauth/oauth20/register/<Definition_Name> Device Authorize Endpoint Endpoint initially visited by the device client to obtain a device code and user code. https://server.oauth.com/mga/sps/oauth/oauth20/device_authorize User Authorize Endpoint Endpoint visited by a user to verify a user_code so a device client may obtain an authorization grant for the user. https://server.oauth.com/mga/sps/oauth/oauth20/user_authorize Authorization grants management API endpoint An API to list all of a user's grants. https://server.oauth.com/mga/sps/mga/user/mgmt/grant Authorization grant management API endpoint An API to retrieve a specific grant based on a grant ID. This API can also be used to delete a grant. https://server.oauth.com/mga/sps/mga/user/mgmt/grant/{grantId}
Parent topic: OAuth 2.0 and OIDC support