Discovery Endpoint

The discovery endpoint can be used to retrieve metadata about your IdentityServer - it returns information like the issuer name, key material, supported scopes etc.

Example

http://vidiflow.colosseum.azure.arvato-systems-media.net/vpms3/authservice/.well-known/openid-configuration

Authorize Endpoint

The authorize endpoint can be used to request tokens or authorization codes via the browser. This process typically involves authentication of the end-user and optionally consent.

Token Endpoint

The token endpoint can be used to programmatically request tokens. It supports the password, authorization_code, client_credentials,  refresh_token and urn:ietf:params:oauth:grant-type:device_code grant types.

Furthermore the token endpoint can also be extended to support other extension grant types.

Userinfo Endpoint

The userInfo endpoint can be used to retrieve identity information about a user.

The caller needs to send a valid access token representing the user. Depending on the granted scopes, the UserInfo endpoint will return the mapped claims (at least the openid scope is required).

End Session Endpoint

The end session endpoint can be used to trigger single sign-out.

To use the end session endpoint a client application will redirect the user’s browser to the end session URL. All applications that the user has logged into via the browser during the user’s session can participate in the sign-out.

Check Session Endpoint

After signing in a user with OpenID Connect the client application may need to periodically check if the user is still logged in with the OpenID provider.

Core OpenID Connect enables clients to silently check for that, by repeating the original OpenID authentication request with the optional prompt=none parameter appended to it. This instructs the server to return a new ID token without any user interaction, unless the user is no longer authenticated or client access was revoked (signalled by a login_required, consent_required or the catch-all interaction_required error).

Revocation Endpoint

The revocation endpoint allows revoking access tokens (reference tokens only) and refresh token. It implements the token revocation specification (RFC 7009).

Introspection Endpoint

The introspection endpoint is an implementation of RFC 7662.

It can be used to validate reference tokens (or JWTs if the consumer does not have support for appropriate JWT or cryptographic libraries). The introspection endpoint requires authentication - since the client of an introspection endpoint is an API, you configure the secret on the ApiResource.

Device Authorization Endpoint

The device authorization endpoint can be used to request device and user codes. This endpoint is used to start the device flow authorization process.

Identity Token

The ID Token,  which also known as Identity Token, Security Tokens, Authentication Tokens or even Software Tokens, is a security token that contains claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims. The ID Token is represented as a JSON Web Token (JWT). This means that:

• identity information about the user is encoded right into the token and

• the token can be definitively verified to prove that it hasn’t been tampered with.

ID Tokens MUST be signed using JWS and optionally both signed and then encrypted using JWS and JWE respectively on the OpenId Provider (OP), thereby providing authentication, integrity, non-repudiation, and optionally, confidentiality.

Example

{
  "nbf": 1626232241,
  "exp": 1626243041,
  "iss": "https://vidiflow.colosseum.azure.arvato-systems-media.net/vpms3/authservice",
  "aud": [
    "identityscope",
    "https://vidiflow.colosseum.azure.arvato-systems-media.net/vpms3/authservice/resources"
  ],
  "jti": "DA986AA663BE2559A548A9752D268F5A",
  "sid": "5FD058EFA7ECC9F713356AA0616D6F43",
  "iat": 1626232241
  "client_id": "authServiceClient",
  "sub": "7b38b7f2-b100-4167-b884-006caa62dd64",
  "auth_time": 1626232241,
  "idp": "local",
  "vidispine_user": "alice",
  "display_name": "Alice",
  "AspNet.Identity.SecurityStamp": "TZZDHXEK6KX4NB63GIAOALNIKNJ7G3E7",
  "role": [
    "PF_MetadataEditor",
    "PF_MetadataUser",
    "EM_USER",
    "CP_VIEWER"
  ],
  "preferred_username": "alice",
  "name": "alice"
}

Access Token

An access token is a credential that can be used by an application to access an API. Access Tokens can be either an opaque string or a JSON web token. They inform the API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that has been granted.

Access Tokens should be used as a Bearer credential and transmitted in an HTTP AuthorizationHeader to the API.  A bearer token means that the bearer can access authorized resources without further identification.

Example

{
  "nbf": 1626232241,
  "exp": 1626243041,
  "iss": "https://vidiflow.colosseum.azure.arvato-systems-media.net/vpms3/authservice",
  "aud": [
    "identityscope",
    "https://vidiflow.colosseum.azure.arvato-systems-media.net/vpms3/authservice/resources"
  ],
  "client_id": "authServiceClient",
  "sub": "7b38b7f2-b100-4167-b884-006caa62dd64",
  "auth_time": 1626232241,
  "idp": "local",
  "jti": "DA986AA663BE2559A548A9752D268F5A",
  "sid": "5FD058EFA7ECC9F713356AA0616D6F43",
  "iat": 1626232241,
  "scope": [
    "identityscope"
  ],
  "amr": [
    "pwd"
  ]
}

Refresh Token

Since access tokens have finite lifetimes, refresh tokens allow requesting new access tokens without user interaction.

Refresh tokens are supported for the following flows: authorization code, hybrid and resource owner password credential flow. The clients needs to be explicitly authorized to request refresh tokens by setting AllowOfflineAccess to true.

There are currently 2 lifetime settings for the Refresh Token

• AbsoluteRefreshTokenLifetime
  Maximum lifetime of a refresh token in seconds. Defaults to 2592000 seconds / 30 days. Zero allows refresh tokens that, when used with RefreshTokenExpiration = Sliding only expire after the SlidingRefreshTokenLifetime is passed.
  

• SlidingRefreshTokenLifetime
  Sliding lifetime of a refresh token in seconds. Defaults to 1296000 seconds / 15 days