Versies vergeleken

Sleutel

  • Deze regel is toegevoegd.
  • Deze regel is verwijderd.
  • Formattering is gewijzigd.

...

The full specification for OIDC is available on the OpenID Foundation’s website at OpenID Connect Core 1.0 specification.

Informatie

Endpoints

The PKIsigning authentication server listens on endpoint https://identity.pkisigning.io.
For development purposes, please use our staging endpoint: https://accidentity.pkisigning.io.

End-user authentication

The authentication flow of OIDC is most easily compared to logging in with a
Google or Facebook account. The end-user is redirect to a page of a trusted party and is then
asked to provide credentials and will possibly see a consent screen to allow sharing of
personal data with the calling party. It is to the end-user to either disclose the data or not.
OIDC will work in the same manner.

For ASP.Net middleware libraries are available to easily integrate with OIDC. Also for PHP some libraries are available to authenticate. For more information please check http://openid.net/developers/certified.y

Informatie

Endpoints

The PKIsigning authentication server listens on endpoint https://identity.pkisigning.io.
For development purposes, please use our staging endpoint: https://accidentity.pkisigning.io.

Protocol flow

...

Client authentication

...

Urgent

For security purposes, the authentication information as supplied by PKIsigning will differ between production and staging environments. Please do not store PKIsigning credentials in config files in clear text in config files.

Fetch the OpenID configuration document

...

Codeblok
GET https://identity.pkisigning.io/connect/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&scope=openid%20pkisigning.platform
&state=12345
&nonce=678910
Tip

The nature of OIDC is to use credentials only at the authentication page of the supplier of these credentials. Therefore it is not possible to send credentials directly from any third party application. The authentication page has to be shown to the end-user.

Informatie

The use of the PKIsigning authentication page in an iframe has been explicitly blocked to prevent clickjacking and overlay attacks.

After being authenticated on our identity server, the user will be redirected back to an url of
the application. In the query string a code parameter will be specified, which is required to obtain an accesstoken.

...

After the user has been redirect back to the application, use the code specified in the query string to obtain an access token. The values in the request should match the values being sent earlier to redirect the user to the PKIsigning authentication page.

...

Codeblok
languagenone
// Line breaks for readability only

POST /connect/token HTTP/1.1
Host: https://identity.pkisigning.io
Content-Type: application/x-www-form-urlencoded

client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=openid%20pkisigning.platform
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&client_secret=JqQX2PNo9bpM0uEihUPzyrh    // NOTE: This secret needs to be URL-Encoded.

...

Error Code

Description

Client Action

invalid_request

Protocol error, such as a missing required parameter.

Fix the request or app registration and resubmit the request.

invalid_grant

The authorization code or PKCE code verifier is invalid or has expired.

Try a new request to the /authorize endpoint and verify that the code_verifier parameter was correct.

unauthorized_client

The authenticated client isn't authorized to use this authorization grant type.

This error usually occurs when the client application isn't registered in Azure AD or isn't added to the user's Azure AD tenant. The application can prompt the user with instruction for installing the application and adding it to Azure AD.

invalid_client

Client authentication failed.

The client credentials aren't valid. To fix, the application administrator updates the credentials.

unsupported_grant_type

The authorization server doesn't support the authorization grant type.

Change the grant type in the request. This type of error should occur only during development and be detected during initial testing.

interaction_required

Non-standard, as the OIDC specification calls for this code only on the /authorize endpoint. The request requires user interaction. For example, another authentication step is required.

Retry the /authorize request with the same scopes.

temporarily_unavailable

The server is temporarily too busy to handle the request.

Retry the request after a small delay. The client application might explain to the user that its response is delayed because of a temporary condition.

consent_required

The request requires user consent. This error is non-standard. It's usually only returned on the /authorizeendpoint per OIDC specifications. Returned when a scope parameter was used on the code redemption flow that the client app doesn't have permission to request.

The client should send the user back to the /authorize endpoint with the correct scope to trigger consent.

invalid_scope

The scope requested by the app is invalid.

Update the value of the scope parameter in the authentication request to a valid value.

Waarschuwinginfo

For security reasons it is not possible to send a request for obtaining an access token from a browser. This would require having the client secret available in an untrusted environment. Attempts to try this in a webbrowser will be blocked with Webbrowsers will block these requests because of CORS policy violation errors.

...