# # Copyright (C) 2015 The Gravitee team (http://gravitee.io) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # swagger: '2.0' info: description: >- Gravitee.io - Access Management - CIBA 1.0 API. Defines The OIDC Client-Initiated Backchannel Authentication Flow Endpoints exposed by AM server. version: 2.10.x title: Gravitee.io - Access Management - CIBA 1.0 API contact: email: contact@graviteesource.com license: name: Apache 2.0 url: 'http://www.apache.org/licenses/LICENSE-2.0.html' host: auth.gravitee.io basePath: /{domain}/ciba schemes: - https paths: /authenticate: get: tags: - CIBA 1.0 summary: Initiate an out-of-band authentication of the end-user. description: The Backchannel Authentication Endpoint is used to initiate an out-of-band authentication of the end-user. parameters: - in: query name: scope description: The scope of the access request as described by Section 3.3 of the OAuth 2.0 Authorization Framework (should contains at least openid) required: true type: string - in: query name: client_notification_token description: REQUIRED if the Client is registered to use Ping or Push modes. It is a bearer token provided by the Client that will be used by the OpenID Provider to authenticate the callback request to the Client. required: false type: string - in: query name: acr_values description: Requested Authentication Context Class Reference values. A space-separated string that specifies the acr values that the OpenID Provider is being requested to use for processing this Authentication Request, with the values appearing in order of preference required: false type: string - in: query name: login_hint_token description: A token containing information identifying the end-user for whom authentication is being requested required: false type: string - in: query name: id_token_hint description: An ID Token previously issued to the Client by the OpenID Provider being passed back as a hint to identify the end-user for whom authentication is being requested. required: false type: string - in: query name: login_hint description: A hint to the OpenID Provider regarding the end-user for whom authentication is being requested required: false type: string - in: query name: binding_message description: A human-readable identifier or message intended to be displayed on both the consumption device and the authentication device to interlock them together for the transaction by way of a visual cue for the end-user. required: false type: string - in: query name: user_code description: A secret code, such as a password or pin, that is known only to the user but verifiable by the OP. required: false type: string - in: query name: requested_expiry description: A positive integer allowing the client to request the expires_in value for the auth_req_id the server will return. required: false type: integer - in: query name: request description: A signed JWT containing all of the authentication request parameters as claims of a signed JWT with each parameter name as the claim name and its value as a JSON string. An exception to this is requested_expiry, which may be sent as either a JSON string or a JSON number. (see https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#signed_auth_request) required: false type: string security: - client_auth: [] responses: '200': description: If the resource owner grants the access request, the authorization server issues an authorization code or token (for Implicit/Hybrid Flow) and delivers it to the client by adding the following parameters to the query component of the redirection URI using the "application/x-www-form-urlencoded" format. schema: $ref: '#/definitions/AuthenticationRequestAcknowledgement' '400': description: Bad Request schema: $ref: '#/definitions/Error' '401': description: Unauthorized schema: $ref: '#/definitions/Error' '403': description: Forbidden schema: $ref: '#/definitions/Error' /authenticate/callback: post: tags: - CIBA 1.0 summary: Callback that will received the status of the end-user response regarding the Authentication Device notification. description: On success the Backchannel Authentication Endpoint will trigger a Authentication Device Notification of request End-User action. This callback endpoint aims to receive the user reponse (Does the end user successfully authenticate and consent to the requestes scopes or not?). Note that the parameters may be different according to the plugin configured to notify the Authentication Device.) consumes: - application/x-www-form-urlencoded parameters: - in: formData name: tid description: The identifier of the end-user notification request required: true type: string - in: formData name: state description: A signed JWT containing send to the Authentication Device to trust the response. required: true type: string - in: formData name: validated description: Has the end-user been successfully authenticated and has he consented ? required: true type: boolean responses: '200': description: security: - client_auth: [] securityDefinitions: client_auth: type: basic description: Base64(clientId:clientSecret) definitions: AuthenticationRequestAcknowledgement: type: object properties: auth_req_id: type: string description: REQUIRED. The unique identifier to identify the authentication request made by the Client. expires_in: type: integer description: REQUIRED. A JSON number with a positive integer value indicating the expiration time of the "auth_req_id" in seconds since the authentication request was received. A Client calling the token endpoint with an expired auth_req_id will receive an error. interval: type: integer description: OPTIONAL. A JSON number with a positive integer value indicating the minimum amount of time in seconds that the Client MUST wait between polling requests to the token endpoint. This parameter will only be present if the Client is registered to use the Poll or Ping modes. If no value is provided, clients MUST use 5 as the default value. Error: type: object properties: error: type: string description: REQUIRED. A single ASCII error code from one present in the list below. error_description: type: integer description: REQUIRED. Human-readable ASCII [USASCII] text providing additional information, used to assist the client developer in understanding the error that occurred.