Skip to content

Overview#

Authorization Challenge Endpoint allows first-party native client obtain authorization code which later can be exchanged on access token. This can provide an entirely browserless OAuth 2.0 experience suited for native applications.

This endpoint conforms to OAuth 2.0 for First-Party Native Applications specifications.

URL to access authorization challenge endpoint on Janssen Server is listed in the response of Janssen Server's well-known configuration endpoint given below.

https://janssen.server.host/jans-auth/.well-known/openid-configuration

authorization_challenge_endpoint claim in the response specifies the URL for authorization challenge endpoint. By default, authorization challenge endpoint looks like below:

https://janssen.server.host/jans-auth/restv1/authorize-challenge

In order to call Authorization Challenge Endpoint client must have authorization_challenge scope. If scope is not present AS rejects call with 401 (unauthorized) http status code.

Authorization Challenge Endpoint supports Proof Key for Code Exchange (PKCE).

More information about request and response of the authorization challenge endpoint can be found in the OpenAPI specification of jans-auth-server module.

Sample request

POST /authorize HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

login_hint=%2B1-310-123-4567&scope=profile
&client_id=bb16c14c73415

Sample successful response with authorization_code.

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store

{
  "authorization_code": "uY29tL2F1dGhlbnRpY"
}

Sample error response

HTTP/1.1 401 Unauthorized
Content-Type: application/json
Cache-Control: no-store

{
  "error": "username_required"
}

Configuration Properties#

Authorization Challenge Endpoint AS configuration:

  • authorizationChallengeEndpoint - The authorization challenge endpoint URL
  • authorizationChallengeDefaultAcr - Authorization Challenge Endpoint Default ACR if no value is specified in acr_values request parameter. Default value is default_challenge.
  • authorizationChallengeShouldGenerateSession - Boolean value specifying whether to generate session_id (AS object and cookie) during authorization at Authorization Challenge Endpoint. Default value is false.
  • mtlsAuthorizationChallengeEndpoint - URL for Mutual TLS (mTLS) Client Authentication and Certificate-Bound Access Tokens (MTLS) Authorization Challenge Endpoint.

Custom script#

AS provides AuthorizationChallengeType custom script which must be used to control Authorization Challenge Endpoint behaviour.

If request does not have acr_values specified and script name falls back to default_challenge which is available and enabled during installation. Default script name can be changed via authorizationChallengeDefaultAcr configuration property.

Main method return true/false which indicates to server whether to issue authorization_code in response or not.

If parameters is not present then error has to be created and false returned. If all is good script has to return true and it's strongly recommended to set user context.getExecutionContext().setUser(user); so AS can keep tracking what exactly user is authenticated.

Please see following snippet below:

    public boolean authorize(Object scriptContext) {
        ExternalScriptContext context = (ExternalScriptContext) scriptContext;

        // 1. validate all required parameters are present
        final String username = getParameterOrCreateError(context, USERNAME_PARAMETER);
        if (StringUtils.isBlank(username)) {
            return false;
        }

        final String password = getParameterOrCreateError(context, PASSWORD_PARAMETER);
        if (StringUtils.isBlank(password)) {
            return false;
        }

        scriptLogger.trace("All required parameters are present");

        // 2. main authorization logic, if ok -> set authorized user into "context.getExecutionContext().setUser(user);" and return true
        UserService userService = CdiUtil.bean(UserService.class);
        PersistenceEntryManager entryManager = CdiUtil.bean(PersistenceEntryManager.class);

        final User user = userService.getUser(username);
        if (user == null) {
            scriptLogger.trace("User is not found by username {}", username);
            createError(context, "username_invalid");
            return false;
        }

        final boolean ok = entryManager.authenticate(user.getDn(), User.class, password);
        if (ok) {
            context.getExecutionContext().setUser(user); // <- IMPORTANT : without user set, user relation will not be associated with token
            scriptLogger.trace("User {} is authenticated successfully.", username);
            return true;
        }

        // 3. not ok -> set error which explains what is wrong and return false
        scriptLogger.trace("Failed to authenticate user {}. Please check username and password.", username);
        createError(context, "username_or_password_invalid");
        return false;
    }

More details in Authorization Challenge Custom Script Page.

Full sample script can be found here

Auth session#

Auth session is optional. AS does not return it by default. It's possible to pass in request use_auth_session=true which makes AS return it in error response. If it is desired to use auth_session and don't pass client_id (or other parameters) in next request, it should be put in attributes of auth_session object. auth_session object lifetime is set by authorizationChallengeSessionLifetimeInSeconds AS configuration property. If authorizationChallengeSessionLifetimeInSeconds is not set then value falls back to 86400 seconds.

Example

String clientId = context.getHttpRequest().getParameter("client_id");
authorizationChallengeSessionObject.getAttributes().getAttributes().put("client_id", clientId);

Full sample script can be found here

Web session#

Authorization challenge script is first-party flow and thus web session is not created by default. However there can be cases when such session has to be created. Please set authorizationChallengeShouldGenerateSession configuration property to true to force session creation.

In case it is needed to prepare session with specific data, it is possible to create session in script and set it into context. Example:

SessionIdService sessionIdService = CdiUtil.bean(SessionIdService.class);
Identity identityService = CdiUtil.bean(Identity.class);

Map<String, String> sessionStore = new HashMap<String, String>();
sessionStore.put("login_id_token",login_id_token);
sessionStore.put("login_access_token",login_access_token);
sessionStore.put("transaction_status","PENDING");
SessionId sessionId = sessionIdService.generateAuthenticatedSessionId(context.getHttpRequest(), user.getDn(), sessionStore);

context.getExecutionContext().setAuthorizationChallengeSessionId(sessionId);
scriptLogger.trace("Created Authorization challenge session successfully");

Multi-step example#

Sometimes it's required to send data sequentially. Step by step. Calls to Authorization Challenge Endpoint must have use_auth_session=true parameter to force tracking data between request.

Lets consider example when RP first sends username and then in next request OTP.

POST /jans-auth/restv1/authorize-challenge HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

username=alice
&scope=photos
&client_id=bb16c14c73415

AS accepts username and returns back error with auth_session.

HTTP/1.1 401 Unauthorized
Content-Type: application/json
Cache-Control: no-store

{
  "error": "otp_required",
  "auth_session": "ce6772f5e07bc8361572f"
}

In next call RP can send OTP and auth_session (AS matches user from auth_session)

POST /jans-auth/restv1/authorize-challenge HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

otp=ccnnju667d&auth_session=ce6772f5e07bc8361572f

In custom script it's easy to code what data has to be kept in auth_session.

    private void createError(ExternalScriptContext context, String errorCode) {
        String deviceSessionPart = prepareDeviceSessionSubJson(context);

        final String entity = String.format("{\"error\": \"%s\"%s}", errorCode, deviceSessionPart);
        context.createWebApplicationException(401, entity);
    }

    private String prepareDeviceSessionSubJson(ExternalScriptContext context) {
        DeviceSession authorizationChallengeSessionObject = context.getAuthzRequest().getDeviceSessionObject();
        if (authorizationChallengeSessionObject != null) {
            prepareDeviceSession(context, authorizationChallengeSessionObject);
            return String.format(",\"auth_session\":\"%s\"", authorizationChallengeSessionObject.getId());
        } else if (context.getAuthzRequest().isUseDeviceSession()) {
            authorizationChallengeSessionObject = prepareDeviceSession(context, null);
            return String.format(",\"auth_session\":\"%s\"", authorizationChallengeSessionObject.getId());
        }
        return "";
    }

    private DeviceSession prepareDeviceSession(ExternalScriptContext context, DeviceSession authorizationChallengeSessionObject) {
        DeviceSessionService deviceSessionService = CdiUtil.bean(DeviceSessionService.class);
        boolean newSave = authorizationChallengeSessionObject == null;
        if (newSave) {
            authorizationChallengeSessionObject = deviceSessionService.newDeviceSession();
        }

        String username = context.getHttpRequest().getParameter(USERNAME_PARAMETER);
        if (StringUtils.isNotBlank(username)) {
            authorizationChallengeSessionObject.getAttributes().getAttributes().put(USERNAME_PARAMETER, username);
        }

        String otp = context.getHttpRequest().getParameter(OTP_PARAMETER);
        if (StringUtils.isNotBlank(otp)) {
            authorizationChallengeSessionObject.getAttributes().getAttributes().put(OTP_PARAMETER, otp);
        }

        String clientId = context.getHttpRequest().getParameter("client_id");
        if (StringUtils.isNotBlank(clientId)) {
            authorizationChallengeSessionObject.getAttributes().getAttributes().put("client_id", clientId);
        }

        String acrValues = context.getHttpRequest().getParameter("acr_values");
        if (StringUtils.isNotBlank(acrValues)) {
            authorizationChallengeSessionObject.getAttributes().getAttributes().put("acr_values", acrValues);
        }

        if (newSave) {
            deviceSessionService.persist(authorizationChallengeSessionObject);
        } else {
            deviceSessionService.merge(authorizationChallengeSessionObject);
        }

        return authorizationChallengeSessionObject;
    }

More details in Authorization Challenge Custom Script Page.

Full multi-step sample script can be found here

Full successful Authorization Challenge Flow sample#

OpenID Connect Configuration
-------------------------------------------------------
REQUEST:
-------------------------------------------------------
GET /.well-known/openid-configuration HTTP/1.1 HTTP/1.1
Host: yuriyz-fond-skink.gluu.info

-------------------------------------------------------
RESPONSE:
-------------------------------------------------------
HTTP/1.1 200
Connection: Keep-Alive
Content-Length: 6244
Content-Type: application/json
Date: Thu, 10 Aug 2023 11:53:04 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: X-Correlation-Id=fa097a44-5568-48aa-9390-1880616e5a69; Secure; HttpOnly;HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block

{
  "request_parameter_supported" : true,
  "pushed_authorization_request_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/par",
  "introspection_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/introspection",
  "claims_parameter_supported" : false,
  "issuer" : "https://yuriyz-fond-skink.gluu.info",
  "userinfo_encryption_enc_values_supported" : [ "A128CBC+HS256", "A256CBC+HS512", "A128GCM", "A256GCM" ],
  "id_token_encryption_enc_values_supported" : [ "A128CBC+HS256", "A256CBC+HS512", "A128GCM", "A256GCM" ],
  "access_token_signing_alg_values_supported" : [ "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "ES512", "PS256", "PS384", "PS512" ],
  "authorization_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/authorize",
  "service_documentation" : "http://jans.org/docs",
  "authorization_encryption_alg_values_supported" : [ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW" ],
  "claims_supported" : [ "street_address", "country", "zoneinfo", "birthdate", "role", "gender", "formatted", "user_name", "phone_mobile_number", "preferred_username", "locale", "inum", "updated_at", "post_office_box", "nickname", "preferred_language", "email", "website", "email_verified", "profile", "locality", "phone_number_verified", "room_number", "given_name", "middle_name", "picture", "name", "phone_number", "postal_code", "region", "family_name", "jansAdminUIRole" ],
  "ssa_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/ssa",
  "token_endpoint_auth_methods_supported" : [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "tls_client_auth", "self_signed_tls_client_auth" ],
  "tls_client_certificate_bound_access_tokens" : true,
  "response_modes_supported" : [ "query", "jwt", "query.jwt", "form_post.jwt", "form_post", "fragment", "fragment.jwt" ],
  "backchannel_logout_session_supported" : true,
  "token_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/token",
  "response_types_supported" : [ "code", "code id_token token", "id_token", "code id_token", "token", "id_token token", "code token" ],
  "authorization_encryption_enc_values_supported" : [ "A128CBC+HS256", "A256CBC+HS512", "A128GCM", "A256GCM" ],
  "backchannel_token_delivery_modes_supported" : [ "poll", "ping", "push" ],
  "dpop_signing_alg_values_supported" : [ "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "ES512", "PS256", "PS384", "PS512" ],
  "request_uri_parameter_supported" : true,
  "backchannel_user_code_parameter_supported" : false,
  "grant_types_supported" : [ "client_credentials", "urn:ietf:params:oauth:grant-type:uma-ticket", "urn:ietf:params:oauth:grant-type:device_code", "urn:ietf:params:oauth:grant-type:token-exchange", "implicit", "authorization_code", "password", "refresh_token" ],
  "ui_locales_supported" : [ "en", "bg", "de", "es", "fr", "it", "ru", "tr" ],
  "userinfo_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/userinfo",
  "authorization_challenge_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/authorize-challenge",
  "op_tos_uri" : "https://yuriyz-fond-skink.gluu.info/tos",
  "require_request_uri_registration" : false,
  "id_token_encryption_alg_values_supported" : [ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW" ],
  "frontchannel_logout_session_supported" : true,
  "authorization_signing_alg_values_supported" : [ "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "ES512", "PS256", "PS384", "PS512" ],
  "claims_locales_supported" : [ "en" ],
  "clientinfo_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/clientinfo",
  "request_object_signing_alg_values_supported" : [ "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "ES512", "PS256", "PS384", "PS512" ],
  "request_object_encryption_alg_values_supported" : [ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW" ],
  "key_from_java" : "value_from_script_on_java",
  "session_revocation_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/revoke_session",
  "check_session_iframe" : "https://yuriyz-fond-skink.gluu.info/jans-auth/opiframe.htm",
  "scopes_supported" : [ "address", "introspection", "https://jans.io/auth/ssa.admin", "online_access", "openid", "user_name", "clientinfo", "profile", "uma_protection", "permission", "https://jans.io/scim/users.write", "revoke_session", "https://jans.io/scim/users.read", "device_sso", "phone", "mobile_phone", "offline_access", "email" ],
  "backchannel_logout_supported" : true,
  "acr_values_supported" : [ "simple_password_auth" ],
  "request_object_encryption_enc_values_supported" : [ "A128CBC+HS256", "A256CBC+HS512", "A128GCM", "A256GCM" ],
  "device_authorization_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/device_authorization",
  "display_values_supported" : [ "page", "popup" ],
  "userinfo_signing_alg_values_supported" : [ "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "ES512", "PS256", "PS384", "PS512" ],
  "require_pushed_authorization_requests" : false,
  "claim_types_supported" : [ "normal" ],
  "userinfo_encryption_alg_values_supported" : [ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW" ],
  "end_session_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/end_session",
  "revocation_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/revoke",
  "backchannel_authentication_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/bc-authorize",
  "token_endpoint_auth_signing_alg_values_supported" : [ "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "ES512", "PS256", "PS384", "PS512" ],
  "frontchannel_logout_supported" : true,
  "jwks_uri" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/jwks",
  "subject_types_supported" : [ "public", "pairwise" ],
  "id_token_signing_alg_values_supported" : [ "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "ES512", "PS256", "PS384", "PS512" ],
  "registration_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/register",
  "id_token_token_binding_cnf_values_supported" : [ "tbh" ]
}


#######################################################
TEST: authorizationChallengeFlow
#######################################################
-------------------------------------------------------
REQUEST:
-------------------------------------------------------
POST /jans-auth/restv1/register HTTP/1.1
Host: yuriyz-fond-skink.gluu.info
Content-Type: application/json
Accept: application/json

{
  "grant_types" : [ "authorization_code", "refresh_token" ],
  "subject_type" : "public",
  "application_type" : "web",
  "scope" : "openid profile address email phone user_name",
  "minimum_acr_priority_list" : [ ],
  "redirect_uris" : [ "https://yuriyz-fond-skink.gluu.info/jans-auth-rp/home.htm", "https://client.example.com/cb", "https://client.example.com/cb1", "https://client.example.com/cb2" ],
  "client_name" : "jans test app",
  "additional_audience" : [ ],
  "response_types" : [ "code", "id_token" ]
}

-------------------------------------------------------
RESPONSE:
-------------------------------------------------------
HTTP/1.1 201
Cache-Control: no-store
Connection: Keep-Alive
Content-Length: 1633
Content-Type: application/json
Date: Thu, 10 Aug 2023 11:53:05 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Keep-Alive: timeout=5, max=100
Pragma: no-cache
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: X-Correlation-Id=81dc6c45-7831-4738-b169-b087ee9a6bd6; Secure; HttpOnly;HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block

{
    "allow_spontaneous_scopes": false,
    "application_type": "web",
    "rpt_as_jwt": false,
    "registration_client_uri": "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/register?client_id=999e13b8-f4a2-4fed-ad3c-6c88bd2c92ea",
    "tls_client_auth_subject_dn": "",
    "run_introspection_script_before_jwt_creation": false,
    "registration_access_token": "28a50db3-b6d1-4054-a259-ef7168afa760",
    "client_id": "999e13b8-f4a2-4fed-ad3c-6c88bd2c92ea",
    "token_endpoint_auth_method": "client_secret_basic",
    "scope": "openid",
    "client_secret": "f6364c5c-295d-4e6e-bb40-6ad3a47b2119",
    "client_id_issued_at": 1691668385,
    "backchannel_logout_uri": "",
    "backchannel_logout_session_required": false,
    "client_name": "jans test app",
    "par_lifetime": 600,
    "spontaneous_scopes": [],
    "id_token_signed_response_alg": "RS256",
    "access_token_as_jwt": false,
    "grant_types": [
        "authorization_code",
        "refresh_token"
    ],
    "subject_type": "public",
    "additional_token_endpoint_auth_methods": [],
    "keep_client_authorization_after_expiration": false,
    "require_par": false,
    "redirect_uris": [
        "https://client.example.com/cb2",
        "https://client.example.com/cb1",
        "https://client.example.com/cb",
        "https://yuriyz-fond-skink.gluu.info/jans-auth-rp/home.htm"
    ],
    "redirect_uris_regex": "",
    "additional_audience": [],
    "frontchannel_logout_session_required": false,
    "client_secret_expires_at": 1691704385,
    "access_token_signing_alg": "RS256",
    "response_types": [
        "code",
        "id_token"
    ]
}

-------------------------------------------------------
REQUEST:
-------------------------------------------------------
POST /jans-auth/restv1/authorize-challenge HTTP/1.1
Host: yuriyz-fond-skink.gluu.info

client_id=999e13b8-f4a2-4fed-ad3c-6c88bd2c92ea&scope=openid+profile+address+email+phone+user_name&state=b4a41b29-51c8-4354-9c8c-fda38b4dbd43&nonce=3a56f8d0-f78e-4b15-857c-3e792801be68&prompt=&ui_locales=&claims_locales=&acr_values=&request_session_id=false&password=secret&username=admin

-------------------------------------------------------
RESPONSE:
-------------------------------------------------------
HTTP/1.1 200
Cache-Control: no-transform, no-store
Connection: Keep-Alive
Content-Length: 61
Content-Type: application/json
Date: Thu, 10 Aug 2023 11:53:06 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: X-Correlation-Id=3aa95eb7-73e2-40ae-9303-34adf30a1a05; Secure; HttpOnly;HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block

{"authorization_code":"9e3dc65b-937a-49c2-bdff-41fbc1a352d0"}

Successfully obtained authorization code 9e3dc65b-937a-49c2-bdff-41fbc1a352d0 at Authorization Challenge Endpoint
-------------------------------------------------------
REQUEST:
-------------------------------------------------------
POST /jans-auth/restv1/token HTTP/1.1
Host: yuriyz-fond-skink.gluu.info
Content-Type: application/x-www-form-urlencoded
Authorization: Basic OTk5ZTEzYjgtZjRhMi00ZmVkLWFkM2MtNmM4OGJkMmM5MmVhOmY2MzY0YzVjLTI5NWQtNGU2ZS1iYjQwLTZhZDNhNDdiMjExOQ==

grant_type=authorization_code&code=9e3dc65b-937a-49c2-bdff-41fbc1a352d0&redirect_uri=https%3A%2F%2Fyuriyz-fond-skink.gluu.info%2Fjans-auth-rp%2Fhome.htm

-------------------------------------------------------
RESPONSE:
-------------------------------------------------------
HTTP/1.1 200
Cache-Control: no-store
Connection: Keep-Alive
Content-Length: 1250
Content-Type: application/json
Date: Thu, 10 Aug 2023 11:53:06 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Keep-Alive: timeout=5, max=100
Pragma: no-cache
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: X-Correlation-Id=3eb3c205-6206-4a70-98fb-75bf81757976; Secure; HttpOnly;HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block

{"access_token":"d87aa8d2-fefb-4d16-a775-9b9d27f73bfc","refresh_token":"505314a7-05f5-4c9f-8900-ccb0685dea17","id_token":"eyJraWQiOiJjb25uZWN0XzI1OGZmMmFiLWE4ODQtNDIxNy1iNmQ4LTJhMGI2NDhmOTcxZF9zaWdfcnMyNTYiLCJ0eXAiOiJqd3QiLCJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiUC04RktlejhlNHROTURTbVlGeHV5dyIsInN1YiI6IjI1Nzg0ZDQ5LTg0ZjMtNGIyNi1hZWUyLTEwNDkzMzM5MjMyZCIsImFtciI6W10sImlzcyI6Imh0dHBzOi8veXVyaXl6LWZvbmQtc2tpbmsuZ2x1dS5pbmZvIiwibm9uY2UiOiIzYTU2ZjhkMC1mNzhlLTRiMTUtODU3Yy0zZTc5MjgwMWJlNjgiLCJqYW5zT3BlbklEQ29ubmVjdFZlcnNpb24iOiJvcGVuaWRjb25uZWN0LTEuMCIsImF1ZCI6Ijk5OWUxM2I4LWY0YTItNGZlZC1hZDNjLTZjODhiZDJjOTJlYSIsInJhbmRvbSI6ImJmYmI5OTBmLWNkYTEtNGM3OC1hNjM4LWFhN2NiMjc5MjU3MiIsImFjciI6ImRlZmF1bHRfY2hhbGxlbmdlIiwiY19oYXNoIjoiTnFoSGFIenZZYjYxeDFackQwUEZVdyIsImF1dGhfdGltZSI6MTY5MTY2ODM4NiwiZXhwIjoxNjkxNjcxOTg2LCJncmFudCI6ImF1dGhvcml6YXRpb25fY29kZSIsImlhdCI6MTY5MTY2ODM4Nn0.QTUmzJaHtbPGjrV4E0MUn_fU1On44B6-_7pT0Dz_cY29s_KajGLfin3G_WsYmZA--ysyRLAmdK_X5C3W-wpkpDJ8906vuZST5547lSJGOZ45_VFv7XnTmBip3zRQOmrlxdU6OQ5Vmj3xMON_NQ-ckEUSNr65xWTAPmOQoncGYp8s-TO7ethyx6UyDTnW8d1YiXWCUYfQDQ8d5wCPHnfoYAsZCs_f0xaBUmaiwvUL3ckiXgMr2yHjWKWQuezlbjJk7ODu2cgoAzs3IWMonaixIJeeJJcOvFB4SPTnbToJe7ISvvsZTEwrLWW_E_LgTUEDqHbeWyeQI8WqDa9EOwMEFw","token_type":"Bearer","expires_in":299}

-------------------------------------------------------
REQUEST:
-------------------------------------------------------
POST /jans-auth/restv1/token HTTP/1.1
Host: yuriyz-fond-skink.gluu.info
Content-Type: application/x-www-form-urlencoded
Authorization: Basic OTk5ZTEzYjgtZjRhMi00ZmVkLWFkM2MtNmM4OGJkMmM5MmVhOmY2MzY0YzVjLTI5NWQtNGU2ZS1iYjQwLTZhZDNhNDdiMjExOQ==

grant_type=refresh_token&refresh_token=505314a7-05f5-4c9f-8900-ccb0685dea17

-------------------------------------------------------
RESPONSE:
-------------------------------------------------------
HTTP/1.1 200
Cache-Control: no-store
Connection: Keep-Alive
Content-Length: 166
Content-Type: application/json
Date: Thu, 10 Aug 2023 11:53:08 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Keep-Alive: timeout=5, max=100
Pragma: no-cache
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: X-Correlation-Id=88a6b7a5-3230-4f0f-b859-09df77a5c67a; Secure; HttpOnly;HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block

{"access_token":"572f6422-caf9-496a-a6be-4ab39c872816","refresh_token":"e93b6576-5297-4d9d-a92b-3276d90a75e4","scope":"openid","token_type":"Bearer","expires_in":299}

-------------------------------------------------------
REQUEST:
-------------------------------------------------------
GET /jans-auth/restv1/userinfo HTTP/1.1 HTTP/1.1
Host: yuriyz-fond-skink.gluu.info
Authorization: Bearer 572f6422-caf9-496a-a6be-4ab39c872816

-------------------------------------------------------
RESPONSE:
-------------------------------------------------------
HTTP/1.1 200
Cache-Control: no-store, private
Connection: Keep-Alive
Content-Length: 46
Content-Type: application/json;charset=utf-8
Date: Thu, 10 Aug 2023 11:53:08 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Keep-Alive: timeout=5, max=100
Pragma: no-cache
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: X-Correlation-Id=390c7a63-fe06-48a5-b3bf-2549267ba9b0; Secure; HttpOnly;HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block

{"sub":"25784d49-84f3-4b26-aee2-10493339232d"}

Authorization Challenge Flow sample with invalid user#

OpenID Connect Configuration
-------------------------------------------------------
REQUEST:
-------------------------------------------------------
GET /.well-known/openid-configuration HTTP/1.1 HTTP/1.1
Host: yuriyz-fond-skink.gluu.info

-------------------------------------------------------
RESPONSE:
-------------------------------------------------------
HTTP/1.1 200
Connection: Keep-Alive
Content-Length: 6244
Content-Type: application/json
Date: Thu, 10 Aug 2023 11:57:01 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: X-Correlation-Id=79c5fed3-d69a-4fdf-af88-fce550cd1819; Secure; HttpOnly;HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block

{
  "request_parameter_supported" : true,
  "pushed_authorization_request_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/par",
  "introspection_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/introspection",
  "claims_parameter_supported" : false,
  "issuer" : "https://yuriyz-fond-skink.gluu.info",
  "userinfo_encryption_enc_values_supported" : [ "A128CBC+HS256", "A256CBC+HS512", "A128GCM", "A256GCM" ],
  "id_token_encryption_enc_values_supported" : [ "A128CBC+HS256", "A256CBC+HS512", "A128GCM", "A256GCM" ],
  "access_token_signing_alg_values_supported" : [ "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "ES512", "PS256", "PS384", "PS512" ],
  "authorization_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/authorize",
  "service_documentation" : "http://jans.org/docs",
  "authorization_encryption_alg_values_supported" : [ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW" ],
  "claims_supported" : [ "street_address", "country", "zoneinfo", "birthdate", "role", "gender", "formatted", "user_name", "phone_mobile_number", "preferred_username", "locale", "inum", "updated_at", "post_office_box", "nickname", "preferred_language", "email", "website", "email_verified", "profile", "locality", "phone_number_verified", "room_number", "given_name", "middle_name", "picture", "name", "phone_number", "postal_code", "region", "family_name", "jansAdminUIRole" ],
  "ssa_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/ssa",
  "token_endpoint_auth_methods_supported" : [ "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt", "tls_client_auth", "self_signed_tls_client_auth" ],
  "tls_client_certificate_bound_access_tokens" : true,
  "response_modes_supported" : [ "query", "jwt", "query.jwt", "form_post.jwt", "form_post", "fragment", "fragment.jwt" ],
  "backchannel_logout_session_supported" : true,
  "token_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/token",
  "response_types_supported" : [ "code", "code id_token token", "id_token", "code id_token", "token", "id_token token", "code token" ],
  "authorization_encryption_enc_values_supported" : [ "A128CBC+HS256", "A256CBC+HS512", "A128GCM", "A256GCM" ],
  "backchannel_token_delivery_modes_supported" : [ "poll", "ping", "push" ],
  "dpop_signing_alg_values_supported" : [ "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "ES512", "PS256", "PS384", "PS512" ],
  "request_uri_parameter_supported" : true,
  "backchannel_user_code_parameter_supported" : false,
  "grant_types_supported" : [ "client_credentials", "urn:ietf:params:oauth:grant-type:uma-ticket", "urn:ietf:params:oauth:grant-type:device_code", "urn:ietf:params:oauth:grant-type:token-exchange", "implicit", "authorization_code", "password", "refresh_token" ],
  "ui_locales_supported" : [ "en", "bg", "de", "es", "fr", "it", "ru", "tr" ],
  "userinfo_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/userinfo",
  "authorization_challenge_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/authorize-challenge",
  "op_tos_uri" : "https://yuriyz-fond-skink.gluu.info/tos",
  "require_request_uri_registration" : false,
  "id_token_encryption_alg_values_supported" : [ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW" ],
  "frontchannel_logout_session_supported" : true,
  "authorization_signing_alg_values_supported" : [ "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "ES512", "PS256", "PS384", "PS512" ],
  "claims_locales_supported" : [ "en" ],
  "clientinfo_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/clientinfo",
  "request_object_signing_alg_values_supported" : [ "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "ES512", "PS256", "PS384", "PS512" ],
  "request_object_encryption_alg_values_supported" : [ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW" ],
  "key_from_java" : "value_from_script_on_java",
  "session_revocation_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/revoke_session",
  "check_session_iframe" : "https://yuriyz-fond-skink.gluu.info/jans-auth/opiframe.htm",
  "scopes_supported" : [ "address", "introspection", "https://jans.io/auth/ssa.admin", "online_access", "openid", "user_name", "clientinfo", "profile", "uma_protection", "permission", "https://jans.io/scim/users.write", "revoke_session", "https://jans.io/scim/users.read", "device_sso", "phone", "mobile_phone", "offline_access", "email" ],
  "backchannel_logout_supported" : true,
  "acr_values_supported" : [ "simple_password_auth" ],
  "request_object_encryption_enc_values_supported" : [ "A128CBC+HS256", "A256CBC+HS512", "A128GCM", "A256GCM" ],
  "device_authorization_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/device_authorization",
  "display_values_supported" : [ "page", "popup" ],
  "userinfo_signing_alg_values_supported" : [ "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "ES512", "PS256", "PS384", "PS512" ],
  "require_pushed_authorization_requests" : false,
  "claim_types_supported" : [ "normal" ],
  "userinfo_encryption_alg_values_supported" : [ "RSA1_5", "RSA-OAEP", "A128KW", "A256KW" ],
  "end_session_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/end_session",
  "revocation_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/revoke",
  "backchannel_authentication_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/bc-authorize",
  "token_endpoint_auth_signing_alg_values_supported" : [ "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "ES512", "PS256", "PS384", "PS512" ],
  "frontchannel_logout_supported" : true,
  "jwks_uri" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/jwks",
  "subject_types_supported" : [ "public", "pairwise" ],
  "id_token_signing_alg_values_supported" : [ "none", "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "ES512", "PS256", "PS384", "PS512" ],
  "registration_endpoint" : "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/register",
  "id_token_token_binding_cnf_values_supported" : [ "tbh" ]
}


#######################################################
TEST: authorizationChallengeFlow
#######################################################
-------------------------------------------------------
REQUEST:
-------------------------------------------------------
POST /jans-auth/restv1/register HTTP/1.1
Host: yuriyz-fond-skink.gluu.info
Content-Type: application/json
Accept: application/json

{
  "grant_types" : [ "authorization_code", "refresh_token" ],
  "subject_type" : "public",
  "application_type" : "web",
  "scope" : "openid profile address email phone user_name",
  "minimum_acr_priority_list" : [ ],
  "redirect_uris" : [ "https://yuriyz-fond-skink.gluu.info/jans-auth-rp/home.htm", "https://client.example.com/cb", "https://client.example.com/cb1", "https://client.example.com/cb2" ],
  "client_name" : "jans test app",
  "additional_audience" : [ ],
  "response_types" : [ "code", "id_token" ]
}

-------------------------------------------------------
RESPONSE:
-------------------------------------------------------
HTTP/1.1 201
Cache-Control: no-store
Connection: Keep-Alive
Content-Length: 1633
Content-Type: application/json
Date: Thu, 10 Aug 2023 11:57:02 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Keep-Alive: timeout=5, max=100
Pragma: no-cache
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: X-Correlation-Id=7045173c-9a96-418a-86ed-47a09749b004; Secure; HttpOnly;HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block

{
    "allow_spontaneous_scopes": false,
    "application_type": "web",
    "rpt_as_jwt": false,
    "registration_client_uri": "https://yuriyz-fond-skink.gluu.info/jans-auth/restv1/register?client_id=d93a5129-1546-4b9b-bf8c-ea19e36ea2c8",
    "tls_client_auth_subject_dn": "",
    "run_introspection_script_before_jwt_creation": false,
    "registration_access_token": "67aa99de-e977-4562-955d-6292f2c95df4",
    "client_id": "d93a5129-1546-4b9b-bf8c-ea19e36ea2c8",
    "token_endpoint_auth_method": "client_secret_basic",
    "scope": "openid",
    "client_secret": "f921c89c-57f0-4a91-baaa-036a4a22737b",
    "client_id_issued_at": 1691668622,
    "backchannel_logout_uri": "",
    "backchannel_logout_session_required": false,
    "client_name": "jans test app",
    "par_lifetime": 600,
    "spontaneous_scopes": [],
    "id_token_signed_response_alg": "RS256",
    "access_token_as_jwt": false,
    "grant_types": [
        "authorization_code",
        "refresh_token"
    ],
    "subject_type": "public",
    "additional_token_endpoint_auth_methods": [],
    "keep_client_authorization_after_expiration": false,
    "require_par": false,
    "redirect_uris": [
        "https://client.example.com/cb2",
        "https://client.example.com/cb1",
        "https://client.example.com/cb",
        "https://yuriyz-fond-skink.gluu.info/jans-auth-rp/home.htm"
    ],
    "redirect_uris_regex": "",
    "additional_audience": [],
    "frontchannel_logout_session_required": false,
    "client_secret_expires_at": 1691704622,
    "access_token_signing_alg": "RS256",
    "response_types": [
        "code",
        "id_token"
    ]
}

-------------------------------------------------------
REQUEST:
-------------------------------------------------------
POST /jans-auth/restv1/authorize-challenge HTTP/1.1
Host: yuriyz-fond-skink.gluu.info

client_id=d93a5129-1546-4b9b-bf8c-ea19e36ea2c8&scope=openid+profile+address+email+phone+user_name&state=4f925a8d-287a-4cba-a174-04d2e56109df&nonce=84c9b6dd-635c-4ca4-bba1-35c53c51a339&prompt=&ui_locales=&claims_locales=&acr_values=&request_session_id=false&password=secret&username=invalidUser

-------------------------------------------------------
RESPONSE:
-------------------------------------------------------
HTTP/1.1 401
Cache-Control: no-transform, no-store
Connection: Keep-Alive
Content-Length: 29
Content-Type: application/json
Date: Thu, 10 Aug 2023 11:57:02 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: X-Correlation-Id=4c89e007-6c77-43da-a67f-b7ee1ff0e60a; Secure; HttpOnly;HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block

{"error": "username_invalid"}

Last update: 2024-10-29
Created: 2023-08-11