Authentication REST API
The interface of the tuidd Authentication service is specified below.
The service is called tuidd Log-in, and it is a tool based on the OAuth2 OpenID standard.
ENDPOINT DE DISCOVERY
This endpoint returns the URLs of the endpoints to consume the rest of the services of tuidd, according to the line number, the country or locality, and the telephone operator to which the line belongs.
It has the following format:
POST /{discovery_endpoint}
Example:
POST /https://idgw.tuidd.com/discovery
Request
Headers
Authentication: Basic base64(<client_id>:<client_secret>)
Content-type: application/x-www-form-urlencoded
Note : The client_id and client_secret are those received at the time of registration of the application on the management platform.
Body
|
Field |
Kind |
Required |
Description |
|
Redirect_URL |
String |
required |
URL that was configured when registering the application in the administration platform. Example: http://myapp.com/callback |
|
MSISDN |
String |
Optional |
User's line number in E.164 format. Example: +541199993333 |
Answer 200
Header
Content-Type: application/json
Body
|
Field |
Kind |
Required |
Description |
|
ttl |
Int |
required |
Time of life of the validity of the answer in Unix Timestamp format. |
|
subscriber_id |
String |
Optional |
Line number of the user, encrypted with the key. It can be used in the parameter login_hint of authentication. |
|
response |
JSON |
required |
Response information |
response
|
Field |
Kind |
Required |
Description |
|
client_id |
String |
Optional |
It is the identifier of the application. If it is used for the rest of the authentication services and additional services. Attention! For security reasons, it may be different from the one used in the parameters of the Discovery requirement. |
|
client_secret |
String |
Optional |
It is the secret key that must be used to consume the rest of the services. Attention! For security reasons, it may be different from the one used in the parameters of the Discovery requirement. |
|
serving_operator |
String |
Optional |
Operator name (MNO) |
|
country |
String |
required |
Code of the country where the line is in ISO 3166-1 alpha-2 format. Example: US |
|
currency |
String |
required |
Codes of the currency with which it operates in ISO 4217 alpha-3 format. Example: USD |
|
client_name |
String |
required |
Name of the application registered in the management platform. |
|
apis |
JSON |
required |
Information about service endpoints. |
apis
|
Field |
Kind |
Required |
Description |
|
operator_id |
JSON |
required |
It contains a list of links. |
operator_id
|
Field |
Kind |
Required |
Description |
|
links |
JSON |
required |
Contains the information with the URLs of the enpoints of the tuidd services. |
links
|
Field |
Kind |
Required |
Description |
|
rel |
String |
required |
It is a reference description of the type of endpoint. The values to receive are: authorization : Authentication service endpoint. token : endpoint of the token obtaining service. userinfo : endpoint of the service to obtain the user's data. tuidd_service : tuidd's additional services endpoint |
|
href |
String |
required |
URI of the service endpoint. |
Example:
|
"subscriber_id": null, "ttl": 1488452073, "response": "serving_operator": "Example Operator B", "client_secret": "YWIyNmQyYmQtMDMxMi00MTg4LWJjMDgtYTUyN322...", "country": "US", "apis": "operatorid": "link": \{ "rel": "authorization", "href": "https://idgw-operator-b.tuidd.com/authorize" \}, \{ "rel": "token", "href": "https://idgw-operator-b.tuidd.com/accesstoken" \}, \{ "rel": "userinfo", "href": "https://idgw-operator-b.tuidd.com/userinfo" \}, \{ "rel": "tuidd_service", "href": "https://idgw-operator-b.tuidd.com/service" \} ] \} \}, "currency": "USD", "client_name": "TestApp", "client_id": "MDQ4MTZmMWYtOTAwMi00YjczLTkyNDAtZWQ2YjZhNWZhY..." \} \} |
Answers 400, 401, 404
Body
|
Attribute |
Kind |
Required |
Description |
|
error |
String |
required |
Error code. |
|
description |
String |
required |
Description of the error |
ENDPOINT OF AUTHORIZATION
This endpoint returns an authorization code from the end user that has two objectives:
- Autenticar al usuario
- Obtain the consents and accesses from you, to obtain information or to grant you the different services.
It has the following format:
GET /\{endpoint_auth\} / \{?client_id,client_name,response_type,scope,acr_values,state,nonce,display\}
Example:
GET /https://idgw.tuidd.com/auth/?
client_id=73958620&client_name=test_app2&response_type=code&scope=openid mc_authn&
acr_values=3 2&state=3a1d38b1&nonce=cee18fcb&display=page
Parameters of the URI
|
Field |
Kind |
Required |
Description |
|
endpoint_tuidd |
String |
required |
It is the URL of the authentication service of the tuidd platform. Example: https://idgw.tuidd.com/auth/ |
|
client_id |
String |
required |
That the ID of the application received from the Discovery service. Example: 73958620d779-4fdc-bc09-7d521af91278 |
|
response_type |
String |
required |
The value must be Example: code |
|
scope |
String |
required |
L ASCII strings - case-sensitive - with values of scope of the OAuth 2.0 standard. According to the standard it must contain the value openid. Other possible values are: profile , e-mail , address , phone , offline_access . In addition you can place the "scope" of additional services: tuidd_notification , tuidd_advertising , tuidd_survey , tuidd_payment , tuidd_coupon . Example: openid profile advertising See more detailed information on this parameter below. |
|
redirect_uri |
String |
required |
The redirect URI that was specified when registering the application in tuidd. The response of this service will be redirected to this URI. Example: https://example.com/sign_in_callback |
|
acr_values |
String |
required |
Are the values of LOAs required by the application, in order of preference, according to ISO / IEC 29115 Clause 6 one , two , 3 , 4 representing the LOW, MEDIUM, HIGH and VERY HIGH levels. Keep in mind that tuidd currently only supports the values 2 and 3. The value finally used is returned in the field acr in the authentication. Example: 3 2 |
|
state |
String |
required |
It is a value indicated by the provider to maintain a correspondence between the requirement and the response. If it is linked to the browser's cookie, it can also be used as a security mechanism to prevent Cross-Site Request Forgery. Example: 3a1d38b154bc-4383-bfc9-a6926fc2644b |
|
nonce |
String |
required |
String used to associate the client session with the Token ID. It must be passed without modification from the Authorization request to the Token ID. Must be unique per session to mitigate replay attacks. Example: cee18fcbcb3a-46b9-88ec-6ab79d9d0da0 |
|
display |
S t r ing |
Option l |
String ASCII that specifies the user interface for the authentication and authorization flow. The values can be:
Example: page |
|
prompt |
String |
Optional |
ASCII case-sensitive string, which specifies whether or not the server should request re-authentication or consent. The possible values are:
Example: consent
|
|
max_age |
In t |
Obligatori or |
Specifies the maximum time in seconds the user authentication lasts. Once this time has passed, you must re-authenticate. When this parameter is used in the request, the Token ID must contain the value of â auth time. Example: 300 |
|
ui_locales |
String |
required |
List of strings with the languages supported by the UI, according to RFC5646, separated by space. This parameter is only a guide, and in case the preferred language is not supported by the server, no error should be returned. Example: es |
|
claims_locales |
Strin g |
Obligatori or |
List of string with the languages of the claims, according to RFC5646. This parameter is only a guide, and in case the preferred language is not supported by the server, no error should be returned. Example: es |
|
id_token_hint |
String |
Conditional |
Used in conjunction with the parameter prompt = none , and contains the id_token previously generated, as a sign for the authentication session. If the id_token is still valid, and the user is connected, then the server must respond positively. Otherwise, an authentication error must be answered. Inside the id_token included in the id_token_hint , the server does not have to be listed in the aud field. Example: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJub25jZSI6 |
|
login_hint |
Strin g |
Option l |
Tell the server which ID to use for the login. It can contain the MSISDN, the encrypted MSISDN or a PCR of a Token ID previously obtained:
If it is not sent, the platform will ask you to enter the line number or alias to authenticate yourself. Example: ENCR_MSISDN: 23153464dsfgh |
|
dtbs |
Strin g |
Option l |
Information that must be encrypted by the private key of the end user. The signed information is returned in the id_token , in the attribute dts of the JWT, together with the public key to decipher it. |
Request
Headers
Authentication: Basic base64(<client_id>:<client_secret>)
Answer 302
Headers
Location: <redirect_url>
RESPONSE TO THE REDIRECT URL
This endpoint records the data that will be sent to the redirect_uri of the application, after the success or failure of the authentication attempt.
It has the following format:
GET /\{redirect_url\}\{?state,code,error,error_description\}
URI example
GET /https:/ejemplo.com/sign_in_callback?state=12324tsfdsdf&code=2d902ae7&error=error_name&error_description=error description
Parameters of the URI
|
Field |
Kind |
Required |
Description |
|
state |
Strin g |
Obligatori or |
The string "state" as it was passed in the original requirement. Example: 12324tsfdsdf |
|
code |
String |
required |
The Authorization Code of only use, according to OAuth 2.0. It will be used in the code parameter of the Token requirement. Example: 2d902ae7 |
|
error |
String |
required |
If there was an error, this parameter would appear, and the parameter code do not. Example: invalid_id |
|
error_description |
String |
required |
In case of error, a description of what the error was. Example: The client id is invalid. |
The parameter "scope"
The values of "scope" Currently accepted are:
|
Value |
Kind |
Required |
Description |
|
openid |
Strin g |
required |
Required according to the standard, to indicate that it is an OpenId authentication request. This scope only grants authentication access. It does not grant access to any additional information or service. |
|
profile |
String |
Optional |
Grant the provider permission to access the following user attributes: name , family_name , given_name , middle_name , nickname , preferred_username , profile , picture , website , gender , birthdate , zoneinfo , locale , updated_at . Keep in mind that it may be that not all information is available in the user's profile. |
|
|
String |
Optional |
Grant permission to obtain the user's email, and optionally, if it is verified. Attributes: e-mail , email_verified |
|
address |
String |
Optional |
Grant permission to obtain the user's address. Attribute: address |
|
phone |
String |
Optional |
Grant permission to obtain the user's phone. Attributes: phone_number , phone_number_verified |
|
offline_access |
String |
Optional |
Grant permission to user the refresh_token to get access to UserInfo, in case the user is not logged in to the site. |
|
tuidd_advertising |
String |
Optional |
Grant the provider permission to send advertisements to the user, according to the amount and frequency set by the same. |
|
tuidd_survey |
String |
Optional |
Grant the provider permission to send surveys to the user, according to the amount and frequency set by the same. |
|
tuidd_payment |
String |
Optional |
Grant the provider permission to send payments to the user, according to the amount and frequency set by the same. |
|
tuidd_coupon |
String |
Optional |
Grant the provider permission to send benefit coupons to the user, according to the amount and frequency configured by the same. |
Can you request more than one scope in the authorization request, which will return the whole union of all the associated attributes when invoking the UserInfo.
ENDPOINT DE TOKEN
After making a successful request to the Authorization endpoint, and receiving the "code" Through the redirect_url, this code can be exchanged in the Token endpoint, by an access_token and a signed id_token. The id_token also contains the access tokens for additional tuidd services.
It has the following format:
POST /\{op_token_endpoint\}
Example:
POST /https:/operator.com/oidc/token
Parameters of the URI
|
Field |
|||
|
op_token_endpoint |
String |
required |
It is the Token endpoint of the operator, which was returned in the discovery process, in the field links , with rel = token . Example: https://operator.com/oidc/token |
Request
Headers
Authentication: Basic base64(<client_id>:<client_secret>)
Content-Type: application/x-www-form-urlencoded
Body
|
Field |
Kind |
Required |
Description |
|
grant_type |
String |
required |
Must have the value authorization_code |
|
code |
String |
required |
It is the authorization code received in the redirect URL. |
|
redirect_uri |
String |
required |
Used as an extra security mechanism. It must match the redirect URL registered in the tuidd administration platform. It should go in URL Encoded format. |
Answer 200
Body
JSON with the following parameters:
|
Field |
Kind |
Required |
Description |
|
access_token |
String |
required |
Access token according to OAuth 2.0 used to obtain user information. For this, it must be sent in the UserInfo request. It can be reused for as long as it does not expire. Example: c333504b-953d-4a2f-b82c-d3584d030f2b |
|
token_type |
String |
required |
It must have the value "bearer" as defined in RFC 6749 section 7.1 and RFC6750. Example: bearer |
|
id_token |
String |
required |
It is an additional token used in OIDC to provide security information about the authentication of the end user. It also has the tokens of tuidd's additional services. This id_token has a JSON Web Token (JWT) format. The format of this id_token and its information are described in the following section. Example: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJub25jZSI6 |
|
expires_in |
Int |
Optional |
A Unix timestamp that represents when the access token will no longer be valid. Example: 1475744978 |
|
refresh_token |
Stri ng |
Optional |
It is the code that can be used to obtain a new access_token using the same user authorization. Currently it is not supported. |
The id_token parameter
This parameter comes in JWT (JSON Web Token) format. It consists of 3 parts separated by a period (".")
- The first part is the header, which contains information on how the token is signed. To sign you can use any of these algorithms: HS256, HS512, RS256, RS512.
- The second part contains all the attributes with the information in JSON format. Next, each of the attributes is described.
- The third part is the signature. Using the header information you can determine the algorithm used in the signature. If the hash of the first and second part matches the signature, then it can be assured that the id_token was not adulterated.
Each of these 3 parts is encoded using the format Base64 URL. For more information on the JWT format consult: http://jwt.io
The attributes received within the id_token are:
|
Field |
Kind |
Required |
Description |
|
iss |
String |
required |
URL of the server that generated the token. |
|
sub |
String |
required |
It is the user's identifier for the application that requested the token (PCR). |
|
aud |
String |
required |
It is the client_id of the application to which the token is directed. |
|
exp |
Int |
required |
It is the Unix timestamp that represents the expiration of the token. |
|
iat |
Int |
required |
It is the Unix timestamp that represents the creation date of the token. |
|
auth_time |
Int |
required |
It is the Unix timestamp that represents the date on which the user's authentication was performed. |
|
nonce |
String |
required |
String passed by the service provider in the authorization requirement, in the parameter nonce . It allows to associate the id_token with the session and serves to mitigate replay attacks. |
|
acr |
Int |
required |
â € œ Authentication Context Class Referenceâ €. It is the LOA value used in the authentication. |
|
amr |
String |
required |
â € œ Authentication Methods Referenceâ €. It is the name or the names of the authentication methods used. These methods depend on the operator. The possible values are: OK, DEV_PIN, SIM_PIN, UID_PWD, BIOM, HDR, OTP.
|
|
azp |
String |
Conditional |
It is the client_id of the service provider authorized to use the token, in case it is different from the aud parameter. If it is the same entity, then this parameter is optional. |
|
at_hash |
String |
Optional |
It is an access_token hash, encoded in Base64URL. The hash algorithm is right given at the time of registration of the application. |
|
dts |
String |
Optional |
Information sent in the field dtbs in the authorization requirement, encrypted by the private key of the end user. |
|
upk |
String |
Optional |
Public key of the end user needed to decipher dts . |
|
dts_time |
Int |
Optional |
Unix Timestamp, representing the time of encryption of information in dts . |
|
tuidd_service_tokens |
String |
Optional |
JSON with the tuidd additional service token information, according to the permissions requested in the scope , in the authorization requirement. See below the format of it. |
The tuidd_service_tokens attribute
It is a JSON with the information of the additional services of tuidd. The format depends on the type of service.
The available tokens are:
- advertising_token
- survey_token
- notification_token
- coupon_token
Each one has the following attributes:
|
Field |
Kind |
Required |
Description |
|
token |
String |
required |
Token value. |
|
exp |
Int |
required |
It is the Unix timestamp that represents the expiration of the token. |
|
count |
Int |
required |
Number of times the token can be used, before the expiration date. |
Example:
|
\{ “ tuidd_service_token ” : \{ “ advertising_token ” : \{ “ token ” : “ c333504b-953d-4a2f-b82c-d3584d030f2b ” , “ exp ” : “ 1475744978 ” , “ count ” : “ 10 ” \}, “ survey_token ” “ token ” : “ 34de514b-657d-7a2a-184a-e344d04567c ” , “ exp ” : “ 1475744932 ” , “ count ” : “ 1 ” \} \} |
USER INFO ENDPOINT
User Info allows the application of the service provider to access the information of the end user. What information can be accessed is determined by the parameter scope of the original authorization requirement.
The requirement has the following format:
POST / {op_userinfo_endpoint} {? token}
If none of these â € œ scopesâ €? Was requested in the original authorization requirement, the User Info requirement will return an error (401).
As in the rest of the endpoints, it requires authentication basic auth operator specific.
URI example
POST /https://idgw.tuidd.com/userinfo?token=d5828439-6ace-4e5c-93ab-d880e8f68d36
Parameters of the URI
|
Field |
Kind |
Required |
Description |
|
op_userinfo_endpoint |
String |
required |
URL of the UserInfo endpoint, returned in the Discovery process., Under the field links with rel = "userinfo" Example: https://idgw.tuidd.com/userinfo |
|
token |
String |
required |
The access_token received from the Token endpoint. Example: d5828439-6ace-4e5c-93ab-d880e8f68d36 |
Request
Headers
Authentication: Basic base64(<client_id>:<client_secret>)
Answer 200
Body
|
Attribute |
Kind |
Required |
Description |
|
sub |
String |
required |
PCR that identifies the user in the application |
|
yam |
String |
Optional |
User's full name |
|
given_name |
String |
Optional |
First name of the user |
|
family_name |
String |
Optional |
User's last name |
|
middle_name |
String |
Optional |
Second name of the user. If there was a third or fourth they would go separated space |
|
preferred_username |
String |
Optional |
Alias of the user |
|
profile |
String |
Optional |
URL with the page with the user's profile information |
|
picture |
String |
Optional |
URL where the user's image is located |
|
website |
String |
Optional |
URL of a user's page, such as a personal blog or social network. |
|
|
String |
Optional |
User's email |
|
email_verified |
Boolean |
Optional |
Indicates TRUE or FALSE if the email is checked or not |
|
gender |
String |
Optional |
Genre of the user. Possible values: male, female, other. |
|
birthdate |
String |
Optional |
Date of birth in format YYYY-MM-DD |
|
zoneinfo |
String |
Optional |
String with the user's time zone, depending on: http://www.twinsun.com/tz/tz-link-htm |
|
locale |
String |
Optional |
Language information according to RFC5646. The value is 2 lowercase alphabetic values for the language code, and 2 uppercase alphabetic values for the country, separated by a hyphen. Example: en-GB |
|
phone_number |
String |
Optional |
Line number of the user in E.164 format, including international prefix. Example: +541155443322 |
|
phone_number_verified |
Boolean |
Optional |
Indicates TRUE or FALSE if the phone is checked or not |
|
address |
JSON |
Optional |
JSON with the data of the user's address. See below |
|
udpated_at |
String |
Optional |
Timestamp Unix with the update date of the information presented. |
The format of the field address :
|
Attribute |
Kind |
Required |
Description |
|
formatted |
String |
Optional |
Full address that can be displayed |
|
street_address |
String |
Optional |
Name of the street, number and number of department or office. |
|
locality |
String |
Optional |
City or locality |
|
region |
String |
Optional |
Region, State or province |
|
postal_code |
String |
Optional |
Postal Code (ZIP) |
|
country |
String |
Optional |
Name of the country |
Answer 401
Body
|
Attribute |
Kind |
Required |
Description |
|
error |
String |
required |
Error code. |
|
error_description |
String |
required |
Description of the error |
Example :
{
"error": "access_denied",
"error_description": "the selected scopes do not allow access"
}