This URL returns a JSON listing of the OpenID/OAuth endpoints, supported scopes and claims, public keys used to sign the tokens, and other details. The clients can use this information to construct a request to the OpenID server. The field names and values are defined in the OpenID Connect Discovery Specification.
CURL
curl -i \
-X GET "/.well-known/openid-configuration/:provider_code"
provider_code
Human readable Provider identifier.
Can raise:
NotFound, Forbidden
Response
issuer
string, required
Issuer identifier URL
authorization_endpoint
string, required
URL of the authorization server's authorization endpoint
token_endpoint
string, required
URL of the authorization server's token endpoint
registration_endpoint
string, required
URL of the authorization server's OAuth 2.0 Dynamic Client Registration Endpoint
service_documentation
string, required
URL of a page containing human-readable information that developers might want or need to know when using the authorization server
jwks_uri
string, required
URL of the authorization server's JWK Set document
scopes_supported
array, required
JSON array containing a list of the OAuth 2.0 "scope" values that this authorization server supports
Allowed values:
openid, accounts, payments, fundsconfirmations
response_types_supported
array, required
JSON array containing a list of the OAuth 2.0 "response_type" values that this authorization server supports
Allowed values:
code
grant_types_supported
array, required
JSON array containing a list of the OAuth 2.0 "grant_type" values that this authorization server supports
Allowed values:
client_credentials, authorization_code, refresh_token
token_endpoint_auth_methods_supported
array, required
JSON array containing a list of client authentication methods supported by this token endpoint
Allowed values:
client_secret_basic, private_key_jwt
token_endpoint_auth_signing_alg_values_supported
array, required
JSON array containing a list of the JWS signing algorithms supported by the token endpoint for the signature on the JWT used to authenticate the client at the token endpoint
Allowed values:
RS256, PS256
request_object_signing_alg_values_supported
array, required
JSON array containing a list of the JWS signing algorithms supported by Salt Edge OB KSA Compliance Solution.
Allowed values:
RS256, PS256
Related Errors
Class | Code | Description
Forbidden | 403 | Specified resource is not allowed to perform an action.
NotFound | 404 | Specified resource doesn't exist or doesn't correspond.
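A client should check the discovery document before trusting the endpoints and algorithms it advertises. The following is an added example, not Salt Edge code: it checks a parsed document against the allowed values listed above. The `https` requirement, the function name `check_discovery` and the sample issuer are assumptions of the example.

```python
from urllib.parse import urlsplit

# Allowed values exactly as documented on this page.
ALLOWED = {
    "scopes_supported": {"openid", "accounts", "payments", "fundsconfirmations"},
    "response_types_supported": {"code"},
    "grant_types_supported": {"client_credentials", "authorization_code", "refresh_token"},
    "token_endpoint_auth_methods_supported": {"client_secret_basic", "private_key_jwt"},
    "token_endpoint_auth_signing_alg_values_supported": {"RS256", "PS256"},
    "request_object_signing_alg_values_supported": {"RS256", "PS256"},
}
URL_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint",
              "registration_endpoint", "service_documentation", "jwks_uri")

def check_discovery(doc, expected_issuer):
    """Return a list of problems; an empty list means the document passed."""
    problems = []
    # Exact string comparison against the issuer the client is configured with.
    if doc.get("issuer") != expected_issuer:
        problems.append("issuer: does not match the configured issuer")
    for field in URL_FIELDS:
        value = doc.get(field)
        parts = urlsplit(value) if isinstance(value, str) else None
        # Assumption of this example: every endpoint must be an absolute https URL.
        if parts is None or parts.scheme != "https" or not parts.netloc:
            problems.append(f"{field}: not an absolute https URL")
    for field, allowed in ALLOWED.items():
        values = doc.get(field)
        if not isinstance(values, list) or not values:
            problems.append(f"{field}: missing or empty")
            continue
        # Anything outside the documented set (for example "none") is flagged.
        extra = [v for v in values if not isinstance(v, str) or v not in allowed]
        if extra:
            problems.append(f"{field}: undocumented values {extra}")
    return problems

# Constructed sample document; the host is a placeholder, not a real deployment.
BASE = "https://ob.example.com/bank"
SAMPLE = {"issuer": BASE,
          **{f: f"{BASE}/{f}" for f in URL_FIELDS[1:]},
          **{f: sorted(v) for f, v in ALLOWED.items()}}
```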
JWKs
This URL returns a JSON object that represents a set of JWKs
keys
array, required
JSON Array of JWK
kty
string, required
Identifies the cryptographic algorithm family used with the key, such as "RSA" or "EC"
Allowed values:
RSA
use
string, required
Indicates whether a public key is used for encrypting data or verifying the signature on data.
Allowed values:
sig
kid
string, required
Unique key identifier
e
string, required
Public key modulus
n
string, required
Public key exponent
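When verifying a token signed by this server, the client picks the key from the JWK Set by `kid` and fixes the acceptable algorithms itself rather than trusting the token header. The following is an added example, not Salt Edge code: it performs that selection using the `kty`, `use` and algorithm values listed on this page. The function names, `kid` values and key members in the sample are constructed.

```python
import base64
import json

ALLOWED_ALGS = {"RS256", "PS256"}  # signing algorithms listed on this page

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def select_key(jwt, jwks):
    """Return the single JWK allowed to verify `jwt`; raise ValueError otherwise."""
    if jwt.count(".") != 2:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(jwt.split(".")[0]))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    # Pin the algorithm from local policy, never from the token alone:
    # this rejects "none" and HMAC algorithms before any key is touched.
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        raise ValueError("alg not allowed")
    kid = header.get("kid")
    matches = [k for k in jwks.get("keys", [])
               if isinstance(k, dict) and isinstance(kid, str) and k.get("kid") == kid]
    if len(matches) != 1:
        raise ValueError("kid must match exactly one key")
    key = matches[0]
    if key.get("kty") != "RSA" or key.get("use") != "sig":
        raise ValueError("key is not an RSA signature key")
    if not all(isinstance(key.get(m), str) and key[m] for m in ("n", "e")):
        raise ValueError("key is missing n or e")
    return key

def constructed_jwt(header):
    """Build an unsigned, constructed token; only its header matters here."""
    return b64url_encode(json.dumps(header).encode()) + ".e30.c2ln"

# Constructed JWK Set; the n values are placeholders, not real key material.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "key-2024", "e": "AQAB", "n": "cGxhY2Vob2xkZXItMQ"},
    {"kty": "RSA", "use": "enc", "kid": "key-enc", "e": "AQAB", "n": "cGxhY2Vob2xkZXItMg"},
]}
```

The returned key is then handed to a JOSE library for the actual signature check, with the same algorithm allowlist passed explicitly.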
Tokens
Create
The token endpoint is used by the client to obtain an access token by presenting its authorization grant or refresh token. The token endpoint is used with every authorization grant except for the implicit grant type (since an access token is issued directly).
The media type of the body of the request.
Allowed values:
application/x-www-form-urlencoded
Request parameters (authorization_code grant)
provider_code
string, required
Human readable Provider identifier.
Can raise:
NotFound, Forbidden
client_id
string, optional
Client application identifier.
grant_type
string, required
The format of the assertion as defined by the authorization server. The value will be an absolute URI.
Allowed values:
client_credentials, authorization_code, refresh_token
client_assertion_type
string, required
The format of the assertion as defined by the authorization server. The value will be an absolute URI.
Allowed values:
urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion
string, required
The assertion being used to authenticate the client. Specific serialization of the assertion is defined by profile documents.
Can raise:
InvalidClientAssertion, NotFound
redirect_uri
string, required
The same URI that was used at the authorize endpoint.
code
string, required
The same code that the TPP received from the authorize endpoint.
Can raise:
NotFound, InvalidRequest, TooEarly
Request parameters (client_credentials grant)
provider_code
string, required
Human readable Provider identifier.
Can raise:
NotFound, Forbidden
client_id
string, optional
Client application identifier.
grant_type
string, required
The format of the assertion as defined by the authorization server. The value will be an absolute URI.
Allowed values:
client_credentials, authorization_code, refresh_token
client_assertion_type
string, required
The format of the assertion as defined by the authorization server. The value will be an absolute URI.
Allowed values:
urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion
string, required
The assertion being used to authenticate the client. Specific serialization of the assertion is defined by profile documents.
Can raise:
InvalidClientAssertion, NotFound
scope
string, optional
This is a list of scopes that the client wants to be included in the access token.
Request parameters (refresh_token grant)
provider_code
string, required
Human readable Provider identifier.
Can raise:
NotFound, Forbidden
client_id
string, optional
Client application identifier.
grant_type
string, required
The format of the assertion as defined by the authorization server. The value will be an absolute URI.
Allowed values:
client_credentials, authorization_code, refresh_token
client_assertion_type
string, required
The format of the assertion as defined by the authorization server. The value will be an absolute URI.
Allowed values:
urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion
string, required
The assertion being used to authenticate the client. Specific serialization of the assertion is defined by profile documents.
Can raise:
InvalidClientAssertion, NotFound
refresh_token
string, required
Can raise:
InvalidRequest
scope
string, optional
This is a list of scopes that the client wants to be included in the access token.
Response
Upon a successful request, a 200 status code is returned. See the 'Related Errors' table for other possibilities.
access_token
string, required
The access token issued by the authorization server.
id_token
string, required
The id of the access_token on the Salt Edge OB KSA Compliance Solution side.
refresh_token
string, required
The refresh token, which can be used to obtain new access tokens using the same authorization grant.
token_type
string, required
The type of the token issued.
Allowed values:
Bearer
scope
string, required
Scopes that are included in the access_token.
Related Errors
Class | Code | Description
InvalidClientAssertion | 400 | Given client_assertion is invalid or malformed.
InvalidRequest | 400 | Given data is invalid. More in message.
Forbidden | 403 | Specified resource is not allowed to perform an action.
NotFound | 404 | Provider for given code is not found.
TooEarly | 425 | Request was sent too early, please try again later.