OAuth 2.0 application

OAuth2.0/OpenID Connect – FAQ

Question: The authorization request sent to Identify contains the scope "openid". However, Identify returns the error code invalid_scope, as in this sample:

What could be going wrong here? Answer: "openid" is the special scope to define the current OAuth 2.0 […]

Hosted forms

What is a hosted form

A hosted form is a customized HTML page of the Identify Runtime that allows a user to edit the HTML, binding, CSS and JavaScript of that page using the REST API or Safewhere Admin; its content is stored in the SharedConfigurationSettings table. Because of security concerns, the hardest part of hosted forms […]

OAuth 2.0 samples

New samples

AspnetWebMvc
This is a web application using the ASP.NET MVC framework. This sample shows how to execute OAuth 2.0 requests using the code flow, implicit flow and hybrid flow.
Link: https://github.com/Safewhere/OIDC/blob/master/src/CSharp/AspnetWebMvc

NancyOwinClient
This is a web application using the Nancy framework. […]

Enhancements and bug fixes – version 5.5

Enhanced verification URI on device-pairing flow

There are two enhancements to the device-pairing flow in Identify version 5.5.

It supports "verification_uri_complete" in the device authorization response, which is designed for non-textual transmission.

If user_code is present in the verification URL, it is filled into the user code textbox with the message "please confirm that the code […]

Support more options for parameter “prompt” on authorization request

According to the OpenID Connect Core specification, an authentication request can optionally include the prompt parameter for some specific login flows. This parameter specifies whether the Identify OAuth 2.0 server prompts the End-User for re-authentication. In version 5.4, two options ('login' and 'none') were supported. From version 5.5, we added […]

Hybrid flow

Hybrid flow is another OAuth 2.0 feature that Identify supports from version 5.5. The specification is at https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth. In short, this flow is a combination of the code flow and the implicit flow. It allows the user-agent to retrieve an identity token immediately […]

Registration endpoint

Identify added support for dynamic client registration, which allows clients to be registered dynamically with the Identify OAuth 2.0 authorization server. The specification is described at https://tools.ietf.org/html/rfc7591.

Dynamic client registration request

The endpoint is "https://[tenant_url]/admin/oauth2/register.idp". A registration request has the following parameters:

API: https://[tenant_url]/admin/oauth2/register.idp
Method: POST
Content-Type: application/json
Accept: […]

Authorization endpoint

From version 5.5, Identify OAuth 2.0 supports the authorization request's "max_age" parameter as specified in https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest. The "max_age" parameter specifies the allowable elapsed time in seconds since the End-User was last actively authenticated by Identify. If the elapsed time is greater than this […]

Userinfo endpoint

In version 5.5, we reworked the userinfo endpoint to issue claims as stated by the specification. Identify supports requesting claims using scope values. Thus, instead of returning all of the user's claims as we did previously, it selectively returns […]

Issuer endpoint

In previous versions, we used the Identify Entity Id as the issuer of Identify OAuth 2.0, but that was not compliant with the specification. From version 5.5, we fixed it to use the Identify runtime's URL (which is https://#identifydomain/runtime/oauth2). With that change, […]