Janssen Server exposes an authorization endpoint compliant with the OAuth 2.0 framework. A client uses the authorization endpoint to obtain an authorization grant. Based on the response type requested by the client, the authorization endpoint issues either an authorization code or an access token. The authorization endpoint is a protected endpoint: it requires end-user authentication before issuing an authorization code or access token.
The URL of the authorization endpoint on Janssen Server is listed in the response of Janssen Server's well-known configuration endpoint given below.
The authorization_endpoint claim in the response specifies the URL of the authorization endpoint. By default, the authorization endpoint looks like below:
More information about the request and response of the authorization endpoint can be found in the OpenAPI specification of the jans-auth-server module.
Disabling The Endpoint Using Feature Flag
TODO: It seems this endpoint can't be disabled using featureflags. Confirm this.
The authorization endpoint can be further configured using the Janssen Server configuration properties listed below. When using the Janssen Text-based UI (TUI) to configure the properties,
Required Client Configuration
Clients must be registered with Janssen Server with the code and/or implicit grant types in order to use the authorization endpoint.
Using the Janssen Text-based UI (TUI), a client can be registered for the appropriate grant type by
Janssen Server supports PKCE, which is the recommended and more secure method for using
PKCE can be enabled or disabled by setting the requirePkce property. Janssen Server supports the plain as well as the S256 code challenge methods.
As a separate endpoint, Janssen Server supports PAR (Pushed Authorization Requests), which enables authorization using more complex authorization requests while making them more secure at the same time.
Use the Janssen Server configuration property requirePar to accept only PAR requests.
The authorization endpoint supports JWT Secured Authorization Response Mode, or JARM. Using JARM makes authorization responses more secure and compliant for use in FAPI deployments.
Janssen Server supports all response modes defined in the JARM specification.
Using Prompt Parameter
The prompt request parameter is an ASCII string value that specifies whether the Authorization Server prompts the End-User for re-authentication and consent. Janssen Server supports the none, login, consent and select_account values for the prompt parameter. Multiple values can be specified by separating them with a single space. Based on the value(s) of this request parameter, the Authorization Server prompts the End-User for re-authentication and consent.
The none value instructs Janssen Server NOT to display any authentication or consent user interface pages.
An error is returned if the End-User is not already authenticated or the Client does not have pre-configured consent for the requested scopes. This can be used as a method to check for existing authentication and/or consent.
The login value instructs Janssen Server to prompt the End-User for re-authentication.
The consent value instructs Janssen Server to prompt the End-User for consent before returning information to the
The select_account value instructs Janssen Server to prompt the End-User to select a user account. This allows a user who has multiple accounts at the Authorization Server to select amongst the multiple accounts that they may have current
Configuring Authentication Methods
The acr_values request parameter is used to specify the authentication methods to be used by Janssen Server to authenticate the end user. Multiple acr values can be specified by separating them with a space.
In order to use a particular acr value, the client needs to be authorized to use all the acr values in the list. If the request doesn't specify any acr value, the default acr value configured for the respective client is used by Janssen Server for end-user authentication.
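The PKCE code challenge methods (plain and S256), the prompt values and the acr_values parameter described above, shown together in an added Python example that is not part of the Janssen documentation or code base. The endpoint URL, client id and redirect URI are assumed placeholders; the verification function shows the check a server performs at token exchange, including the RFC 7636 verifier length rule.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Assumed values for a hypothetical deployment (not taken from the page).
AUTHZ_ENDPOINT = "https://jans.example.org/jans-auth/restv1/authorize"
PROMPT_VALUES = {"none", "login", "consent", "select_account"}


def code_challenge(verifier: str, method: str) -> str:
    """Derive the code_challenge from a code_verifier (RFC 7636)."""
    if method == "plain":
        return verifier
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    raise ValueError(f"unsupported code_challenge_method: {method}")


def make_pkce_pair(method: str = "S256") -> tuple[str, str]:
    """Client side: 32 random bytes -> 43-char verifier and its challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, code_challenge(verifier, method)


def verify_code_challenge(verifier: str, challenge: str, method: str) -> bool:
    """Server side at token exchange: length 43..128, constant-time compare."""
    if not 43 <= len(verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge(verifier, method), challenge)


def build_authorization_url(client_id, redirect_uri, scopes, challenge,
                            method="S256", prompt=(), acr_values=(), state=None):
    """Build a code-flow authorization request with PKCE, prompt and acr_values."""
    prompt = set(prompt)
    if not prompt <= PROMPT_VALUES:
        raise ValueError(f"unknown prompt value(s): {prompt - PROMPT_VALUES}")
    if "none" in prompt and len(prompt) > 1:
        raise ValueError("prompt=none must not be combined with other values")
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes),
              "state": state or secrets.token_urlsafe(16),
              "code_challenge": challenge, "code_challenge_method": method}
    if prompt:
        params["prompt"] = " ".join(sorted(prompt))   # space-separated values
    if acr_values:
        params["acr_values"] = " ".join(acr_values)   # space-separated acr list
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"
```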
Customizing using Interception Scripts
Interception scripts provide the flexibility to configure and customize multiple aspects of Janssen Server. For example, see this documentation to learn how person authentication and consent gathering can be customized using interception scripts.