The Connectis identity broker supports the two most commonly used OAuth 2.0 flows: the Authorisation Code grant and the Implicit grant.
The Authorisation Code grant type is used by clients to exchange an authorisation code for an access token. See https://oauth.net/2/grant-types/authorization-code/ for a detailed description of the flow.
Example of authorisation request:
<base_url>/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=code&scope=<scope>
ID | Value | Description |
--- | --- | --- |
client_id | Unique identifier | Identifies the client at the Connectis Identity Broker. This must be agreed upon between your service and Connectis before starting the integration. |
redirect_uri | Url | The URL on your service that will receive the response. It must be one of the redirect URIs registered for the client. |
response_type | "code" | Must be set to "code" to retrieve an authorisation code (called the Authorisation Token elsewhere on this page). |
scope | Optional field | At some OAuth servers, the client can specify the scope of the request. |
Example of authorisation response:
<redirect_uri>?code=<authorisation_code>
The authorisation code (the Authorisation Token) is only sent after the user has authenticated via an identity provider. It is not an access token and is of no use until it is exchanged at the token endpoint below.
Access Token request (POST method):
POST <base_url>/access_token
Content-Type: application/x-www-form-urlencoded

client_id=<client_id>&client_secret=<client_secret>&grant_type=authorization_code&code=<code>&redirect_uri=<redirect_uri>
The parameters are sent in the request body, not in the query string, with the Content-Type header set to application/x-www-form-urlencoded. Because the body carries the client secret, this request is made from your backend directly to the broker over TLS, never from the browser.
ID | Value | Description |
--- | --- | --- |
client_id | Unique identifier | Identifies the client at the Connectis Identity Broker. This must be agreed upon between your service and Connectis before starting the integration. |
redirect_uri | Url | Must be identical to the redirect_uri sent in the authorisation request; the broker uses it to verify that the code is redeemed by the client that requested it. |
grant_type | "authorization_code" | Must be set to this value (spelled with a "z", as in the request above) to receive an Access Token. |
client_secret | Unique identifier | A secret key agreed upon between your service and the Connectis Identity Broker. |
code | Unique identifier | The authorisation code (Authorisation Token) returned by the Connectis Identity Broker from the authorisation endpoint. |
Access Token response (JSON format):
{"access_token":"<access_token>","token_type":"bearer","expires_in":3600,"refresh_token":"<refresh_token>"}
ID | Value | Description |
--- | --- | --- |
access_token | Unique identifier | The Access Token returned by the Connectis Identity Broker. |
token_type | "Bearer" | The token is a bearer token: whoever holds it can use it, so store and transmit it accordingly. |
expires_in | Integer | The lifetime of the Access Token in seconds, counted from the moment the response was issued. |
refresh_token | Unique identifier | The Refresh Token returned by the Connectis Identity Broker. |
User info request (GET method):
GET <base_url>/<access_token>
The access token is part of the URL path, so make sure that request logging on your side (proxies, access logs) does not capture it: an access token is a bearer credential.
User Info response (JSON format):
{"nameId": "<some_name>", "userAttributes": {"name": ["<attribute_value1>", "<attribute_value2>", ...], ...}}
Each key of userAttributes is an attribute name and its value is the list of values released for that attribute (an attribute can be multi-valued).
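The full Authorisation Code exchange described above, as an added example (this is not Connectis code). It builds the authorisation URL with a session-bound `state`, validates the callback, posts the form-encoded token request and checks the JSON response. The BASE_URL, CLIENT_ID, CLIENT_SECRET and REDIRECT_URI values are placeholders, the `state` parameter is added here as standard OAuth CSRF protection and is not in the page's own request, and the `fake_broker_post` function is a constructed stand-in for the broker's token endpoint so the flow runs offline:

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values (assumptions for this example, not real Connectis endpoints).
BASE_URL = "https://broker.example/oauth"          # <base_url>
CLIENT_ID = "example-client"                        # <client_id>
CLIENT_SECRET = "example-secret"                    # <client_secret>
REDIRECT_URI = "https://service.example/callback"   # <redirect_uri>


def build_authorize_url(scope="openid"):
    """Return (url, state). Store state in the user's session and check it on the
    callback: it is the CSRF defence for this flow (not shown in the page's request)."""
    state = secrets.token_urlsafe(16)
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "code", "scope": scope, "state": state}
    return f"{BASE_URL}/authorize?{urlencode(params)}", state


def code_from_callback(callback_url, expected_state):
    """Extract the authorisation code from <redirect_uri>?code=...&state=...,
    rejecting the response when the state does not match the session."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    if "error" in query:
        raise ValueError(f"authorisation failed: {query['error'][0]}")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one code")
    return codes[0]


def token_request_body(code):
    """Form-encoded body for POST <base_url>/access_token (secret goes in the body)."""
    return urlencode({"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                      "grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})


def exchange_code(code, http_post):
    """POST the code via the injected http_post(url, headers, body) -> (status, text)
    and validate the JSON token response before trusting it."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    status, raw = http_post(f"{BASE_URL}/access_token", headers, token_request_body(code))
    if status != 200:
        raise ValueError(f"token endpoint returned HTTP {status}")
    token = json.loads(raw)
    if token.get("token_type", "").lower() != "bearer" or not token.get("access_token"):
        raise ValueError("unexpected token response")
    return token


# Constructed stand-in for the broker's token endpoint (not the real broker).
_ISSUED_CODES = {"SplxlOBeZQQYbYS6WxSbIA": "2YotnFZFEjr1zCsicMWpAA"}  # code -> token


def fake_broker_post(url, headers, body):
    """Checks the client credentials and redeems a code exactly once."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if headers.get("Content-Type") != "application/x-www-form-urlencoded":
        return 415, ""
    if form.get("client_id") != CLIENT_ID or form.get("client_secret") != CLIENT_SECRET:
        return 401, json.dumps({"error": "invalid_client"})
    if form.get("grant_type") != "authorization_code" or form.get("redirect_uri") != REDIRECT_URI:
        return 400, json.dumps({"error": "invalid_request"})
    token = _ISSUED_CODES.pop(form.get("code", ""), None)   # single use
    if token is None:
        return 400, json.dumps({"error": "invalid_grant"})
    return 200, json.dumps({"access_token": token, "token_type": "bearer",
                            "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA"})


def run_flow(callback_url, expected_state, http_post=fake_broker_post):
    """Callback handling plus token exchange in one call."""
    return exchange_code(code_from_callback(callback_url, expected_state), http_post)


if __name__ == "__main__":
    url, state = build_authorize_url()
    print("send the browser to:", url)
    # Constructed callback, as the broker would send it after the user authenticates.
    callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    print(run_flow(callback, state))
```

Swap `fake_broker_post` for a real HTTP client with the same `(url, headers, body) -> (status, text)` shape to talk to the broker; the validation logic does not change. The stand-in redeems a code only once, which is why a replayed callback fails at the token endpoint even when its state is valid.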
The Implicit grant can be used by applications running in the browser that cannot securely store a shared secret; there is no client_secret and no token request in this flow. Instead, the access token is returned directly in the redirect to the application as soon as the user has authenticated and authorised the request. Because the token is exposed in the browser's URL, it is a weaker flow than the Authorisation Code grant; the OAuth 2.0 Security Best Current Practice (RFC 9700) recommends against using it for new deployments, so prefer the Authorisation Code grant wherever the client can keep a secret.
See https://oauth.net/2/grant-types/implicit/ for a detailed description of the flow.
Authorisation request:
<base_url>/authorize?client_id=<client_id>&redirect_uri=<redirect_uri>&response_type=token&scope=<scope>&state=<state>
ID | Value | Description |
--- | --- | --- |
client_id | Unique identifier | Identifies the client at the Connectis Identity Broker. This must be agreed upon between your service and Connectis before starting the integration. |
redirect_uri | Url | The URL on your application that will receive the response. |
response_type | "token" | Must be set to "token" to retrieve an Access Token. |
scope | Optional field | At some OAuth servers, the client can specify the scope of the request. |
state | Recommended unique identifier | An opaque, unguessable value bound to the user's session, used by the client to prevent cross-site request forgery. Always send it and verify it on the response. |
Authorisation response (the parameters are delivered in the URL fragment, as RFC 6749 requires for this grant, so they are visible to the browser but are not sent to the server hosting the redirect_uri):
<redirect_uri>#access_token=<access_token>&state=<state>&token_type=bearer&expires_in=<expires_in>
ID | Value | Description |
--- | --- | --- |
access_token | Unique identifier | The Access Token returned by the Connectis Identity Broker. |
state | Unique identifier | The same value as sent in the request; the application must reject the response if it differs. |
token_type | "Bearer" | The token is a bearer token: whoever holds it can use it. |
expires_in | Integer | The lifetime of the Access Token in seconds, counted from the moment the response was issued. |
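Handling the Implicit grant response above, as an added example that is not Connectis code: it checks that the token arrived in the fragment rather than the query string, verifies the state against the session value, validates token_type and expires_in, and turns the relative lifetime into an absolute expiry the application can check before each use. It is written in Python to match the page's other example; in a real browser application the same checks run in JavaScript over `window.location.hash`. The redirect URL and state value are constructed sample data:

```python
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: the state the app stored in the session before
# redirecting, and the redirect the broker would send back (not real values).
SESSION_STATE = "af0ifjsldkj"
SAMPLE_REDIRECT = ("https://app.example/callback#access_token=2YotnFZFEjr1zCsicMWpAA"
                   "&state=af0ifjsldkj&token_type=bearer&expires_in=3600")


def parse_implicit_response(redirect_url, expected_state, now: Optional[float] = None):
    """Validate <redirect_uri>#access_token=...&state=...&token_type=bearer&expires_in=...
    and return {"access_token", "expires_at"}. Raises ValueError on any problem."""
    parts = urlsplit(redirect_url)
    if "access_token" in parse_qs(parts.query):
        # A token in the query string has already been sent to the server and
        # will sit in access logs and Referer headers: refuse to use it.
        raise ValueError("access_token arrived in the query string instead of the fragment")
    frag = parse_qs(parts.fragment)
    if "error" in frag:
        raise ValueError(f"authorisation failed: {frag['error'][0]}")
    state = frag.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this session")
    tokens = frag.get("access_token", [])
    if len(tokens) != 1:
        raise ValueError("response must carry exactly one access_token")
    if frag.get("token_type", [""])[0].lower() != "bearer":
        raise ValueError("unexpected token_type")
    try:
        expires_in = int(frag.get("expires_in", [""])[0])
    except ValueError:
        raise ValueError("expires_in is not an integer") from None
    if expires_in <= 0:
        raise ValueError("expires_in must be positive")
    now = time.time() if now is None else now
    return {"access_token": tokens[0], "expires_at": now + expires_in}


def is_expired(token, now: Optional[float] = None, skew=30):
    """True when the token has expired or is within `skew` seconds of expiring,
    so the application refreshes (re-authorises) before a request is rejected."""
    now = time.time() if now is None else now
    return now + skew >= token["expires_at"]


if __name__ == "__main__":
    token = parse_implicit_response(SAMPLE_REDIRECT, SESSION_STATE)
    print("usable:", not is_expired(token), token)
```

The `now` parameter exists so the expiry logic can be tested deterministically; production callers leave it unset. Note that the state check runs before the token is looked at, so a forged or replayed redirect is rejected without the token ever being stored.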