OAuth Provider Identity Service

OAuth Provider is an identity service uses an existing identity service as a authentication source to create an OAuth Server for authentication and authorization. The OAuth Provider retrieves the service configuration from the source and saves the attributes in the Fabric Identity Sessions. The OAuth Provider also supports OpenID Connect (OIDC) for authentication. For more information about OpenID, refer to OpenID documentation.

From V9 ServicePack 2, the consent screen contains a Remember Consent option. For more information, refer to Remember Consent.

Configuring a Quantum Fabric OAuth Provider Identity Service

Prerequisites

Make sure that you have an existing identity service that you can use as a user authentication source. For more information about creating an identity service, refer to Configure Identity Service.

IMPORTANT:
Only Custom, User Repository, and Microsoft AD LDAP identity services are supported as User Authentication Sources.

Creating an OAuth Provider

  1. While configuring the identity service, from the Type of Identity list, select OAuth Provider.
  2. From the User Authentication Source list, select an identity service that you want to use as the authentication source for the OAuth Provider. The Service Configuration details appear.

    IMPORTANT: Only Custom, User Repository, and Microsoft AD LDAP identity services are supported as User Authentication Sources.

  3. Configure the parameters (fields) for the service. For more information about the parameters, refer to the following sections.
  4. After you configure all the required parameters, click SAVE.
  5. Link the service to a Fabric app, and then publish the app. For more information, refer to How to use an existing Identity Service and Publish.

NOTE:
After you link the service to a Fabric app, you can use the service in the Data Panel of Quantum Visualizer.

How to use a Quantum Fabric OAuth Provider

You can use the OAuth Provider in multiple flows. For more information, refer to the following sections.

NOTE:
For more information about integrating the OAuth Provider, User Repository, and OAuth 2.0 Identity services to create a basic login form, refer to the Base Camp article: Exploring Quantum OAuth Provider.

OAuth Provider APIs

After you create an OAuth Provider service, you can use the following APIs.

IMPORTANT:
To use OIDC features, make sure that you add openid to the scope of the client.

Authorization API

The authorization API is used to obtain consent from a user to authorize access to their specified account resources.

Syntax

POST https://<<accountnumber>>.auth.konycloud.com/oidc/authorize/<provider_name>?client_id=<appkey>&scope=<scopes>&response_type=code&redirect_uri=<valid redirect uri>&prompt=<value>
Parameter Required Description
provider_name Yes

The name of the OAuth Provider service.

client_id Yes The App Key string that you obtain from the Publish page.
response_type Yes

If the value of response_type is code, the API launches a Basic flow. You must send a POST request to the token endpoint to acquire the tokens.

scope Yes

Specifies the information that can be accessed by the client. The scope parameters need to be separated by a blank space. For example: openid email profile

The scope parameter supports the following values:

  • openid: Indicates that the client uses OpenID Connect to verify the user's identity
  • profile: Indicates that the client can access the user's profile information
  • email: Indicates that the client can read the user's email address
  • access_offline: Indicates that the client needs a refresh token for offline access to the resource
redirect_uri Yes

Specifies the URL (HTTP endpoint) to which the response is sent.

If you selected Specify URL list in the Redirect URL on successful authentication parameter, the redirect_uri value must match one of the authorized URLs. Otherwise, a redirect_uri_mismatch error occurs.

prompt Optional

A list of string values that specifies whether the authorization server prompts the user for re-authentication and consent. The values must be separated by a blank space.

The prompt parameter supports the following values:

  • consent: The authorization server prompts you for consent before returning information to the client.
  • login: If you have already signed in, and passed login as an input to prompt, the authorization server prompts you to sign in again.

NOTE: If you invoke the authorization API without passing the parameter prompt, the API takes consent as the value by default.

  • none: The authorization server does not display any authentication or user consent screens. You can use none to check for existing authentication and consent.
    If the user is not already authenticated, and has not authorized consent for the requested scopes, an error occurs when none is selected.

Token API

The token API is used to obtain the access token for a user.

Syntax

POST https://<<accountnumber>>.auth.konycloud.com/oidc/token/<provider_name>

Query Parameters

Parameter Required Description
provider_name Yes

The name of the OAuth Provider service.

 

Request Body Parameters

Parameter Required Description
code Yes

The value of the authorization code.

grant_type Yes

The method that is used to obtain the access token.

For the authorization flow, the grant type must be code.

scope Yes

The types of information about the resource that can be accessed by the client.

redirect_uri Yes

The URL to which the response is sent. The redirect_uri should be the HTTP endpoint on your server that receives the response from Quantum OAuth Provider.

If you are using Fabric services, make sure that the redirect_uri is the callback URL of the Fabric server.

client-id Yes

The app key of the Fabric app that contains the OAuth Provider service.

client-secret Yes

The app secret of the Fabric app that contains the OAuth Provider service.

 

Request Header Parameters

Parameter Required Description
Content-Type Yes

The type of content that is sent in the request.

Make sure that the value of the Content-Type is application/x-www-form-urlencoded.

X-Kony-RequestId Optional

An identifier for the request that is sent to the OAuth Provider service. You can provide any value for this parameter.

This parameter is only required when the Authentication Source is Custom.

Accept Yes The value of the header must be in application/json. The client needs the response in JSON.

 

Sample Response

200 OK
{
   "access_token":"eyAi.....",
    "token_type":"Bearer",
    "expires_in":1799,
    "scope":"profile"
}

Profile API

The profile API fetches the profile details of the user whose access token is specified.

Syntax

GET https://<<accountnumber>>.auth.konycloud.com/oidc/profile

Request Header Parameters

Parameter Required Description
Content-Type Yes

The type of content that is sent in the request.

Make sure that the value of the Content-Type is application/x-www-form-urlencoded.

X-Kony-RequestId Optional

An identifier for the request that is sent to the OAuth Provider service. You can provide any value for this parameter.

This parameter is only required when the Authentication Source is Custom.

Authorization Yes

Specifies the access token (bearer token) of the user whose profile details you want to fetch.

The value of this parameter must be in the following format:
Bearer <access token>

Logout API

The logout API signs the user out of the service and destroys the respective access token.

Syntax

POST https://<<accountnumber>>.auth.konycloud.com/oidc/logout/<provider_name>?target_url=<redirect_url>
Parameter Required Description
provider_name Yes

The name of the OAuth Provider service.

target_url Optional

The URL that is loaded after a successful sign-out.

If you do not pass the target_url parameter, the API displays a logout success message. Otherwise, it redirects to the specified URL.

Discover API

The Discover API obtains information about the provider configuration by using the well-known configuration URL.

Syntax

GET https://<<accountnumber>>.auth.konycloud.com/.well-known/openid-configuration?provider=<provider_name>&client_id=<app_key>

Query Paramters

Parameter Required Description
provider_name Yes The name of the OAuth Provider service.
client_id Yes

The app key of the Fabric app that contains the OAuth Provider service.

 

Sample Response

{
	"issuer": "https://1000000.auth.konycloud.com",
	"authorization_endpoint": "https://1000000.auth.konycloud.com/oidc/authorize/OAuthProvCustom",
	"token_endpoint": "https://1000000.auth.konycloud.com/oidc/token/OAuthProvCustom",
	"userinfo_endpoint": "https://1000000.auth.konycloud.com/oidc/profile",
	"scopes_supported":
	[
		"address",
		"phone",
		"openid",
		"profile",
		"offline_access",
		"email"
	],
	"response_types_supported":
	[
		"code"
	],
	"grant_types_supported":
	[
		"authorization_code",
		"client_credentials",
		"password"
	],
	"introspection_endpoint": "https://1000000.auth.konycloud.com/oidc/introspect",
	"introspection_endpoint_auth_methods_supported":
	[
		"client_secret_post"
	],
	"jwks_uri": "https://1000000.auth.konycloud.com/metadata/tHza2-kiYNyjZHet=="
}

Introspection API

The Introspection API checks whether the specified token is valid and active.

Syntax

POST https://<<accountnumber>>.auth.konycloud.com/oidc/introspect/<provider_name>

Query Parameters

Parameter Required Description
provider_name Yes The name of the OAuth Provider service.

 

Request Body Parameters

Parameter Required Description
client-id Yes

The app key of the Fabric app that contains the OAuth Provider service.

client-secret Yes

The app secret of the Fabric app that contains the OAuth Provider service.

 

Request Header Parameters

Parameter Required Description
Content-Type Yes

The app key of the Fabric app that contains the OAuth Provider service.

X-Kony-Authorization

OR

Authorization

Yes

The token that you want to validate.

You can validate the following tokens:

  • access_token
  • id_token
  • refresh_token

 

Sample Response

{
  "active": true,
  "client_id": "FmUE4Dx11KMnO4TheWHO",
  "username": "johndoe",
  "exp": 1437275311
}

Refresh Token

The refresh token is used to obtain a new access_token and id_token for the user. To use the refresh token, make a POST call to the token endpoint with the respective parameters.

IMPORTANT:
To use the Refresh Token, make sure that you add access_offline to the scope.

Syntax

POST https://<<accountnumber>>.auth.konycloud.com/oidc/token/<provider_name>

Query Parameters

Parameter Required Description
provider_name Yes The name of the OAuth Provider service.

 

Request Body Parameters

Parameter Required Description
grant_type Yes

The method that is used to obtain the access token.

For the refresh flow, the grant type must be refresh_token.

refresh_token Yes

The value of the refresh token.

You can obtain the refresh token from the token endpoint after signing in.

scope Yes

The types of information about the resource that can be accessed by the client.

Make sure that you add openid and access_offline to the scope.

redirect_uri Yes

The URL to which the response is sent. The redirect_uri should be the HTTP endpoint on your server that receives the response from Quantum OAuth Provider.

If you are using Fabric services, make sure that the redirect_uri is the callback URL of the Fabric server.

client-id Yes

The app key of the Fabric app that contains the OAuth Provider service.

client-secret Yes

The app secret of the Fabric app that contains the OAuth Provider service.

 

Sample Response

{
	"access_token": "alwejkfljvnjfasdlkcpdovherbg",
	"token_type": "Bearer",
	"id_token": "2307bco9weyq79dy667byco7rg3",
	"expires_in": 1799,
	"scope": "openid offline_access"
}

 

Editing the consent screen

While configuring the OAuth Provider identity service, you can also configure the consent screen. The option to configure the consent screen is available in the Advanced section of the service configuration page.

To edit the consent screen, click EDIT.

You can edit the following elements of the consent screen:

  • Screen title: The title of the window that displays the consent screen.
    The default value is Request for Authorization.
  • Permissions: The set of permissions that require authorization of consent.
    You can use the HTML tags that are specified on the edit screen to format the content.
  • Button Text: The text that is displayed on the DENY and AUTHORIZE buttons

Remember Consent

From V9 ServicePack 2, the consent screen contains a Remember Consent option. If the user enables the option and provides their consent for the app, the OAuth provider does not display the consent screen for subsequent sign-ins. Therefore, the user does not have to provide consent every time they sign-in to the app.

NOTE: The OAuth Provider uses cookies that specify whether the user has provided consent for the app. Cookies are specific to a browser, therefore, if the user signs-in to the app from a different browser, the consent screen is displayed, and they need to provide consent for the app.