When integrating towards to OIDC platform you will need to provide a redirect_uri where you will receive the Authorization Code/Token. Traditionally this is done by specifying an endpoint in your web application. By default the JS Connector do not need any special considerations on the backend, but when using method inline or window, you can integrate with the JS Connector. See the following sections for further information on Back-end implementation of the JS Connector:
Implementing redirect_uri when using method window or inline
Since the JS Connector can open an iframe or a window for you, the handling of the post-authentication step is also important. This section will explain how you can take advantage of cross-domain messaging (XDM) to send the received code / tokens from the active window or iframe to the parent page (your site).
The redirect_uri needs to handle the authorization response in order to receive authorization code and tokens on behalf of the user. This information is either delivered as part of the URL, or as a FORM POST depending on which response_mode is specified in the parameters.
Then, if you follow the callback page example for redirect_uri, you will see that special XDM calls are made to pass the information from the window/iframe to the listening JS Connector instance on the main site.
Finally this will cause the callback function passed in the doConnect method to be called with the data retrieved in the authentication response
With specific token_url and/or userinfo_url (experimental feature)
You can have the JS Connector call token_url and userinfo_url endpoints with the received data from the authentication response.
Token endpoint (token_url)
| URL | As specified in configuration parameter token_endpoint | |
|---|---|---|
| Request mode | POST with parameters as application/x-www-form-urlencoded data | |
| Request parameters | grant_type | Grant type is always authorization_code |
code | Value from response of the foregoing Authorize request | |
redirect_uri | Redirect URI used in the foregoing Authorize request | |
client_id | Not supported since the OIDC clients must always authenticate | |
| OIDC Response /oauth/token | JSON {access_token: "654fe6f11ad61ceb1697d643b5fc59", token_type: "Bearer", expires_in: 3600, scope: "openid phone address", id_token: "...." // JWT } | |
For documentation on the corresponding response to the OIDC plattform, see Token
Userinfo endpoint (userinfo_url)
Using the access token (which also could be stored on the server) to access user information OIDC.
| URL | As specified in configuration parameter userinfo_endpoint | |
|---|---|---|
| Request mode | POST with parameters as application/x-www-form-urlencoded data | |
| Request parameters | access_token | Access token to be used as authorization to access OIDC IDP endpoint |
token_type | How access token shall be passed to OIDC endpoint | |
| OIDC response /oauth/userinfo | JSON { "iat": 1485866449, "exp": 1485870048, | |