Authorization Server Authorization Service: Overview
Provides operations for performing activities relating to the resource owner's interaction with the OAuth Provider's authorization endpoint during the grant setup/provisioning process.
This service includes such activities as initiating a resource owner grant, authenticating the resource owner with the corresponding resource owner domain, and obtaining the resource owner's authorization for the application's access to the resources, with the specific scopes requested.
Calls to this service are always initiated by the resource owner, never by the application. Since the authorization endpoint is only used in three-legged scenarios, these operations are only used by three-legged grant types (Authorization Code and Implicit).
URL: https://{oauth-provider-url}/oauth/auz
Action | Endpoint | Description |
---|---|---|
authenticate complete (GET) | GET /oauth/auz/grants/{GrantID}/authcomplete | Supports redirect from the identity provider after the resource owner's login with the identity provider is complete. |
authenticate complete (POST) | POST /oauth/auz/grants/provider/authcomplete{domainid:(/[^/]+?)?} | In scenarios where the resource owner will be authenticated with an SSO domain, this operation renders the authorization provider's authorization page. |
authenticate resource owner | POST /oauth/auz/grants/{GrantID}/authenticate | Authenticates the resource owner. For SSO login, this operation renders the login domain; for an LDAP domain, it accepts LDAP credentials such as username and password. |
complete resource owner authorization | GET /oauth/auz/grants/{GrantID}/auzcomplete | Completes the process of authentication and authorization. Changes the grant status to Active or Rejected based on the authorization action, removes the temporary cookie that was in use during provisioning, and returns the resource owner to the redirect URI along with additional information such as the state parameter and the code, token, or ID token. |
get client avatar | GET /oauth/auz/grants/{GrantID}/client/picture | Returns the avatar image for the OAuth client, for display on the Authorization page where the resource owner authorizes the grant. |
get grant details | GET /oauth/auz/grants/{GrantID}/details | Returns detailed information about the specified OAuth grant, including the list of scopes. |
get OAuth Provider from Grant ID | GET /oauth/auz/grants/{GrantID}/provider | Returns information about the OAuth Provider, based on the GrantID. |
get OAuth Provider logo from Grant ID | GET /oauth/auz/grants/{GrantID}/provider/resources/logo | Returns the logo for the OAuth provider, based on the specified GrantID, as part of the OAuth grant provisioning UI. In the Community Manager developer portal, the logo is uploaded during OAuth Provider domain setup (Branding tab) and can be retrieved with this operation. The resource name is always logo. |
request resource owner authorization (GET) | GET /oauth/auz/authorize | Starts the authentication of the resource owner. On success, the user sees a login page based on the resource owner domain configured by the OAuth provider, so the user can complete authentication. Similar functionality to SSO Login in the Login service. Uses HTTP GET. |
request resource owner authorization (POST) | POST /oauth/auz/authorize | Starts the authentication of the resource owner. On success, the user sees a login page based on the resource owner domain configured by the OAuth provider, so the user can complete authentication. Similar functionality to SSO Login in the Login service. Supported by both OAuth and OpenID Connect; OpenID Connect introduces some additional parameters, or additional values to existing parameters. Uses HTTP POST. |
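The three-legged flow above ends with auzcomplete redirecting the resource owner back to the application's redirect URI carrying the state parameter and the code. The following is an added example, not code from this API reference, showing the application side of that round trip: building the GET request to /oauth/auz/authorize with a fresh state value, and then validating the callback before the code is used. It assumes standard RFC 6749 query parameter names; the provider host, client ID and redirect URI are constructed placeholders.

```python
# Added example (not part of the API reference): client-side handling of the
# authorize request and the auzcomplete redirect. Parameter names follow RFC 6749;
# hosts and IDs below are constructed placeholders.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://oauth-provider.example/oauth/auz/authorize"  # placeholder
REDIRECT_URI = "https://client.example/cb"  # placeholder; must match the registered URI


def build_authorize_request(client_id, scopes, session):
    """Return the URL for 'request resource owner authorization (GET)' and store
    the one-time state value in the caller's session so the callback is bound
    to the browser session that started the grant."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",  # Authorization Code grant (three-legged)
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(callback_url, session):
    """Validate the redirect sent by auzcomplete.
    Returns (True, code) on success or (False, reason) when the callback must be
    rejected; a code from a rejected callback must never be exchanged."""
    parts = urlsplit(callback_url)
    if parts.fragment:
        # A code request must be answered in the query; an Implicit-style
        # fragment response here is unexpected and is refused.
        return False, "unexpected fragment in callback"
    query = parse_qs(parts.query)
    expected = session.pop("oauth_state", None)  # consumed even on failure
    received = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        return False, "state mismatch: callback not bound to this session"
    if "error" in query:
        # auzcomplete set the grant to Rejected (or another error occurred)
        return False, "grant rejected: " + query["error"][0]
    code = query.get("code", [""])[0]
    if not code:
        return False, "no authorization code in callback"
    return True, code
```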