OAuth 2.0 endpoints
Endpoints give OAuth clients the ability to communicate with the OAuth server (authorization server) within an API protection definition.
All endpoints can be accessed through URLs. The syntax of the URLs is specific to the purpose of the access.
If you are responsible for installing and configuring the appliance, you might find it helpful to be familiar with these endpoints and URLs.
API protection definitions
The endpoints of an API protection definition share the base URL https://<hostname:port>/<junction>/sps/oauth/oauth20
For example: https://server.oauth.com/mga/sps/oauth/oauth20
- There is only a single set of endpoints.
- Not all authorization grant types use all three endpoints in a single OAuth 2.0 flow.
Endpoint name | Description | Example
---|---|---
Authorization endpoint | An authorization URL where the resource owner grants authorization to the OAuth client to access the protected resource. | https://server.oauth.com/mga/sps/oauth/oauth20/authorize
Token endpoint | A token request URL where the OAuth client exchanges an authorization grant for an access token and an optional refresh token. | https://server.oauth.com/mga/sps/oauth/oauth20/token
Clients manager endpoint | A URL for resource owners to manage their trusted clients. The resource owner can use the clients manager endpoint to access and modify the list of clients that are authorized to access the protected resource. The trusted clients manager shows the client name and permitted scope of an authorized client. Note: The list does not show clients that are disabled or deleted from the definition. The resource owner can optionally remove trusted client information from the list. In doing so, the resource owner is prompted for consent to authorize the next time the OAuth client attempts to access the protected resource. | https://server.oauth.com/mga/sps/oauth/oauth20/clients
Session endpoint | A URL where an access_token can be exchanged for a web session. The client uses the endpoint to obtain an authenticated web session for the resource owner, typically in hybrid mobile application scenarios. Note: The session endpoint is disabled by default and can be enabled by using advanced configuration. The client must send a POST request with the access_token in the body. | https://server.oauth.com/mga/sps/oauth/oauth20/session
Authorization grant management endpoint | A URL where you can view your authorization grants and the tokens and attributes of each authorization grant. | http://server.oauth.com/mga/sps/mga/user/mgmt/html/device/device_selection.html
Logout endpoint | A URL where you can end a session by revoking an access_token. The token must be provided in the Authorization header, or a session cookie must be used. | http://server.oauth.com/mga/sps/oauth/oauth20/logout
Introspect endpoint | A URL where an access_token can be inspected by an oauth_client. For more details, see OAuth introspection. Note: The introspect endpoint is disabled by default and can be enabled by using the advanced configuration. | https://server.oauth.com/mga/sps/oauth/oauth20/introspect
Revocation endpoint | A URL where you can revoke OAuth tokens issued to a client. For more details, see OAuth revocation endpoint. | https://server.oauth.com/mga/sps/oauth/oauth20/revoke
Metadata endpoint | The final portion of the URL is a path parameter that is the name of your API protection definition. Template file available: If a custom template is needed per definition use: Example: | https://server.oauth.com/mga/sps/oauth/oauth20/metadata/<Definition_Name>
Userinfo endpoint | The Userinfo endpoint is an OAuth 2.0 protected resource that returns claims about the authenticated end user. These claims are normally represented by a JSON object that contains a collection of name and value pairs for each claim. For more information, see http://openid.net/specs/openid-connect-core-1_0.html#UserInfo | https://server.oauth.com/mga/sps/oauth/oauth20/userinfo
JWKS URI | The URL of the JSON Web Key (JWK) Set document for the OpenID Provider. This data contains the signing key (or keys) that the Relying Party uses to validate signatures from the OpenID Provider. Optionally, the JWK Set can contain the Server's encryption key (or keys), which Relying Parties use to encrypt requests to the Server. | https://server.oauth.com/mga/sps/oauth/oauth20/jwks/<Definition_Name>
Client registration endpoint | The endpoint where an application can request a clientId in order to make OAuth/OIDC requests. This is also the endpoint used to retrieve a registered client's definition or to delete it. | https://server.oauth.com/mga/sps/oauth/oauth20/register/<Definition_Name>
Device authorize endpoint | The endpoint initially visited by the device client to obtain a device code and a user code. | https://server.oauth.com/mga/sps/oauth/oauth20/device_authorize
User authorize endpoint | The endpoint visited by a user to verify a user_code so that a device client can obtain an authorization grant for the user. | https://server.oauth.com/mga/sps/oauth/oauth20/user_authorize
Authorization grants management API endpoint | An API to list all of a user's grants. | https://server.oauth.com/mga/sps/mga/user/mgmt/grant
Authorization grant management API endpoint | An API to retrieve a specific grant based on a grant ID. This API can also be used to delete a grant. | https://server.oauth.com/mga/sps/mga/user/mgmt/grant/{grantId}
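As an added example (not code from the product documentation above), the following Python builds the endpoint URLs of one API protection definition from the base URL pattern and prepares, without sending, the requests that the token, session, logout and introspect endpoints expect, placing tokens in the body or Authorization header as the table specifies. Hostname, junction, definition name and credentials are constructed placeholders, and passing client credentials in the introspect form body is an assumption to check against the OAuth introspection topic.

```python
from urllib.parse import urlencode
from urllib.request import Request

BASE = "https://{host}/{junction}/sps/oauth/oauth20"  # URL pattern from the page

def endpoints(host, junction, definition):
    """Endpoint URLs of one API protection definition (values are caller-supplied)."""
    base = BASE.format(host=host, junction=junction)
    return {"authorize": f"{base}/authorize", "token": f"{base}/token",
            "session": f"{base}/session", "logout": f"{base}/logout",
            "introspect": f"{base}/introspect", "revoke": f"{base}/revoke",
            "userinfo": f"{base}/userinfo", "metadata": f"{base}/metadata/{definition}",
            "jwks": f"{base}/jwks/{definition}"}

def form_post(url, fields, bearer=""):
    """Prepare (not send) a form-encoded POST. Tokens go in the body or the
    Authorization header, never the query string, so they stay out of access logs."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if bearer:
        headers["Authorization"] = f"Bearer {bearer}"
    return Request(url, data=urlencode(fields).encode(), headers=headers, method="POST")

def token_exchange(ep, code, client_id, client_secret, redirect_uri):
    """Token endpoint: exchange an authorization code for an access token."""
    return form_post(ep["token"], {"grant_type": "authorization_code", "code": code,
                                   "client_id": client_id, "client_secret": client_secret,
                                   "redirect_uri": redirect_uri})

def session_from_token(ep, access_token):
    """Session endpoint (disabled by default): access_token in the POST body."""
    return form_post(ep["session"], {"access_token": access_token})

def logout(ep, access_token):
    """Logout endpoint: the token to revoke travels in the Authorization header."""
    return form_post(ep["logout"], {}, bearer=access_token)

def introspect(ep, token, client_id, client_secret):
    """Introspect endpoint (disabled by default). Client credentials in the form
    body are an assumption; the definition may require another client auth method."""
    return form_post(ep["introspect"], {"token": token, "client_id": client_id,
                                        "client_secret": client_secret})

def all_https(ep):
    """Every endpoint that carries a token must be reached over TLS."""
    return all(url.startswith("https://") for url in ep.values())
```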