Overview#
Authorization Endpoint defined in RFC 6749#
Authorization endpoint defined in RFC 6749, used to obtain an Authorization Grant from the Resource Owner: Example:https://openam.example.com:8443/openam/oauth2/authorize
Token Endpoint defined in RFC 6749#
Token Endpoint defined in RFC 6749, used to obtain an access token from the authorization server Example:https://openam.example.com:8443/openam/oauth2/access_token
Token Info Endpoint#
Endpoint not defined in RFC 6749, used to validate tokens, and to retrieve information such as scopesGiven an Access Token, a Resource Server can perform an HTTP GET on /oauth2/tokeninfo?access_token=token-id to retrieve a JSON object indicating token_type, expires_in, scope, and the access_token ID.
Example:
https://openam.example.com:8443/openam/oauth2/tokeninfo
The Authorization Endpoint and Token Endpoint endpoints function as described in RFC 6749.
The Authorization Endpoint endpoint is protected by the policy created during OAuth 2.0 authorization server configuration, which grants all authenticated users access.
Resource Servers — or any party having the token ID — can get token information through this endpoint without authenticating. This means any application or user can validate the token without having to be registered with OpenAM.
OpenAM OpenID Connect Endpoints#
Discovering Provider configuration URI Endpoint#
OpenAM exposes Endpoints for discovering information about the provider configuration, and about the provider for a given end user.https://openam.example.com:8443/openam/.well-known/openid-configuration
WebFinger#
https://openam.example.com:8443/openam/.well-known/webfinger
For examples, see Configuring OpenAM For OpenID Connect Discovery .
OAuth 2.0 Dynamic Client Registration Protocol#
OpenAM allows both static and dynamic registration of OpenID Connect client applications. For dynamic registration according to the OAuth 2.0 Dynamic Client Registration Protocol specification, the Registration Endpoint ishttps://openam.example.com:8443/openam/oauth2/connect/register
Performing OpenID Connect 1.0 Client Authorization#
Registered Relying Party can request authorization through OpenAM.OpenID Connect 1.0 supports both a the OAuth 2.0 Authorization Code Grant, and an Implicit Grant. These client profiles rely on the Authorization_endpoint. Those OAuth 2.0 Endpoints are described in OAuth 2.0 Client & Resource Server Endpoints.
Userinfo_endpoint#
In addition, authorized clients can access end user information through the OpenID Connect 1.0 Userinfo_endpointhttps://openam.example.com:8443/openam/oauth2/userinfo
Managing OpenID Connect 1.0 Sessions#
Registered clients can use OpenID Connect Session Management 1.0 to handle end user logout actions.- /oauth2/connect/checkSession allows clients to retrieve session status notifications.
- /oauth2/connect/endSession allows clients to terminate end user sessions.
For an example, see Managing User Sessions .