Overview#

Authorization Endpoint defined in RFC 6749#

Authorization endpoint defined in RFC 6749, used to obtain an Authorization Grant from the Resource Owner: Example:
https://openam.example.com:8443/openam/oauth2/authorize

Token Endpoint defined in RFC 6749#

Token Endpoint defined in RFC 6749, used to obtain an access token from the authorization server Example:
https://openam.example.com:8443/openam/oauth2/access_token

Token Info Endpoint#

Endpoint not defined in RFC 6749, used to validate tokens, and to retrieve information such as scopes

Given an Access Token, a Resource Server can perform an HTTP GET on /oauth2/tokeninfo?access_token=token-id to retrieve a JSON object indicating token_type, expires_in, scope, and the access_token ID.

Example:

https://openam.example.com:8443/openam/oauth2/tokeninfo

The Authorization Endpoint and Token Endpoint endpoints function as described in RFC 6749.

The Authorization Endpoint endpoint is protected by the policy created during OAuth 2.0 authorization server configuration, which grants all authenticated users access.

Resource Servers — or any party having the token ID — can get token information through this endpoint without authenticating. This means any application or user can validate the token without having to be registered with OpenAM.

OpenAM OpenID Connect Endpoints#

Discovering Provider configuration URI Endpoint#

OpenAM exposes Endpoints for discovering information about the provider configuration, and about the provider for a given end user.
https://openam.example.com:8443/openam/.well-known/openid-configuration
allows clients to retrieve Identity Provider (IDP) configuration by HTTP GET as specified by OpenID Connect Discovery.

WebFinger#

https://openam.example.com:8443/openam/.well-known/webfinger
allows clients to retrieve the Provider Configuration URI for an end user by HTTP GET as specified by OpenID Connect Discovery.

For examples, see Configuring OpenAM For OpenID Connect Discovery .

OAuth 2.0 Dynamic Client Registration Protocol#

OpenAM allows both static and dynamic registration of OpenID Connect client applications. For dynamic registration according to the OAuth 2.0 Dynamic Client Registration Protocol specification, the Registration Endpoint is
https://openam.example.com:8443/openam/oauth2/connect/register
See To Register a Client Dynamically for details.

Performing OpenID Connect 1.0 Client Authorization#

Registered Relying Party can request authorization through OpenAM.

OpenID Connect 1.0 supports both a Basic Client Profile using the OAuth 2.0 Authorization Code Grant, and an Implicit Client Profile using the OAuth 2.0 Implicit Grant. These client profiles rely on the Authorization Endpoint. Those endpoints are described in OAuth 2.0 Client & Resource Server Endpoints .

Userinfo_endpoint#

In addition, authorized clients can access end user information through the OpenID Connect 1.0 Userinfo_endpoint
https://openam.example.com:8443/openam/oauth2/userinfo
For examples, see Client Examples .

Managing OpenID Connect 1.0 Sessions#

Registered clients can use OpenID Connect Session Management 1.0 to handle end user logout actions.
  • /oauth2/connect/checkSession allows clients to retrieve session status notifications.
  • /oauth2/connect/endSession allows clients to terminate end user sessions.

For an example, see Managing User Sessions .

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-12) was last changed on 12-Jul-2015 13:38 by jim