
Documentation

This is a placeholder page that shows you how to use this template site.

This section is where the user documentation for your project lives - all the information your users need to understand and successfully use your project.

For large documentation sets we recommend adding content under the headings in this section, though if some or all of them don’t apply to your project feel free to remove them or add your own. You can see an example of a smaller Docsy documentation site in the Docsy User Guide, which lives in the Docsy theme repo if you’d like to copy its docs section.

Other content such as marketing material, case studies, and community updates should live in the About and Community pages.

Find out how to use the Docsy theme in the Docsy User Guide. You can learn more about how to organize your documentation (and how we organized this site) in Organizing Your Content.

1 - Hydra Flows

1.1 - OAuth2Client

type AuthStyle int

const (
	// AuthStyleInParams sends the "client_id" and "client_secret"
	// in the POST body as application/x-www-form-urlencoded parameters.
	// This is the client_secret_post method.
	AuthStyleInParams AuthStyle = 1

	// AuthStyleInHeader sends the client_id and client_secret
	// using HTTP Basic Authorization. This is an optional style
	// described in the OAuth2 RFC 6749 section 2.3.1.
	// This is the client_secret_basic method.
	AuthStyleInHeader AuthStyle = 2
)
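As an added example (not code from the page, from golang.org/x/oauth2 or from Hydra), both styles on the client side and a token-endpoint helper that accepts either one, assuming a type AuthStyle int with the two constants above:

```go
package main

import (
	"errors"
	"net/http"
	"net/url"
	"strings"
)

// AuthStyle and its two values mirror the constant block above (type assumed).
type AuthStyle int

const (
	AuthStyleInParams AuthStyle = 1 // client_secret_post
	AuthStyleInHeader AuthStyle = 2 // client_secret_basic
)

// NewTokenRequest builds a client_credentials request, placing client_id and
// client_secret where the chosen style puts them.
func NewTokenRequest(tokenURL, clientID, clientSecret string, style AuthStyle) (*http.Request, error) {
	form := url.Values{"grant_type": {"client_credentials"}}
	switch style {
	case AuthStyleInParams:
		form.Set("client_id", clientID)
		form.Set("client_secret", clientSecret)
	case AuthStyleInHeader:
		// credentials go only in the Authorization header, set below
	default:
		return nil, errors.New("unknown auth style")
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if style == AuthStyleInHeader {
		// RFC 6749 section 2.3.1: id and secret are form-urlencoded before being
		// joined with ":" and base64-encoded, so a ":" or "@" inside the secret
		// cannot break the split on the server side.
		req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret))
	}
	return req, nil
}

// ClientCredentials is the server-side counterpart: it returns the client id,
// the secret and the style used, and rejects a request that presents a secret
// in both places (RFC 6749 section 2.3: at most one authentication method).
func ClientCredentials(r *http.Request) (id, secret string, style AuthStyle, err error) {
	if err := r.ParseForm(); err != nil {
		return "", "", 0, err
	}
	bodyID, bodySecret := r.PostForm.Get("client_id"), r.PostForm.Get("client_secret")
	hdrID, hdrSecret, hasBasic := r.BasicAuth()
	switch {
	case hasBasic && bodySecret != "":
		return "", "", 0, errors.New("client_secret sent in both header and body")
	case hasBasic:
		// undo the form-urlencoding the client applied before base64
		if id, err = url.QueryUnescape(hdrID); err != nil {
			return "", "", 0, err
		}
		if secret, err = url.QueryUnescape(hdrSecret); err != nil {
			return "", "", 0, err
		}
		return id, secret, AuthStyleInHeader, nil
	case bodyID != "" && bodySecret != "":
		return bodyID, bodySecret, AuthStyleInParams, nil
	}
	return "", "", 0, errors.New("no client credentials presented")
}

func main() {
	// constructed sample: a secret containing ":" and "@" survives the basic style
	req, err := NewTokenRequest("https://accounts.example.test/oauth2/token", "spec-client-id", "p@ss:word", AuthStyleInHeader)
	if err != nil {
		panic(err)
	}
	id, secret, style, err := ClientCredentials(req)
	println(id, secret, int(style), err == nil)
}
```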

1.2 - Login Challenge

{
    "challenge": "2fd632e57bd1421c809ecdd19f3c53b5",
    "requested_scope": [
        "openid",
        "offline",
        "email",
        "profile",
        "phone",
        "address"
    ],
    "requested_access_token_audience": [],
    "skip": false,
    "subject": "",
    "oidc_context": {
        "acr_values": [ "urn:acr:facial" ],
        "ui_locales": [ "es_CL" ],
        "display": "page",
        "login_hint": "foo@bar.com"
    },
    "client": { 
        "client_id": "spec-client-id",
        "client_name": "spec-client",
        "redirect_uris": [ "http://127.0.0.1:5555/callback" ],
        "grant_types": [ "authorization_code", "refresh_token", "implicit" ],
        "response_types": [ "code", "id_token", "token" ],
        "scope": "openid offline email profile phone address",
        "audience": [],
        "owner": "",
        "policy_uri": "",
        "allowed_cors_origins": [],
        "tos_uri": "",
        "client_uri": "",
        "logo_uri": "",
        "contacts": [],
        "client_secret_expires_at": 0,
        "subject_type": "public",
        "jwks": {},
        "token_endpoint_auth_method": "client_secret_basic",
        "userinfo_signed_response_alg": "none",
        "created_at": "2020-12-22T22:53:43Z",
        "updated_at": "2020-12-22T22:53:43.002063Z",
        "metadata": {}
    },
    "request_url": "http://127.0.0.1:4444/oauth2/auth?acr_values=urn%3Aacr%3Afacial&client_id=spec-client-id&display=page&login_hint=foo%40bar.com&max_age=0&nonce=wtsbgzfnljadntlwnxxpxtdi&prompt=login+consent&redirect_uri=http%3A%2F%2F127.0.0.1%3A5000%2Fcallback&response_mode=query&response_type=code&scope=openid+offline+email+profile+phone+address&state=btmetlazepzwupbnchmzkjsd&ui_locales=es_CL",
    "login_session_id": "a2b40a6c-8748-44f4-b8da-c33bbedc8212"
}

1.3 - Consent Challenge

{
    "challenge": "c6f01e17058e485ca995e89f853ae49e",
    "requested_scope": [
        "openid",
        "offline",
        "email",
        "profile",
        "phone",
        "address"
    ],
    "requested_access_token_audience": [],
    "skip": false,
    "subject": "foo@bar.com",
    "oidc_context": {
        "acr_values": [ "urn:acr:facial" ],
        "ui_locales": [ "es_CL" ],
        "display": "page",
        "login_hint": "foo@bar.com"
    },
    "client": { 
        "client_id": "spec-client-id",
        "client_name": "spec-client",
        "redirect_uris": [ "http://127.0.0.1:5555/callback" ],
        "grant_types": [ "authorization_code", "refresh_token", "implicit" ],
        "response_types": [ "code", "id_token", "token" ],
        "scope": "openid offline email profile phone address",
        "audience": [],
        "owner": "",
        "policy_uri": "",
        "allowed_cors_origins": [],
        "tos_uri": "",
        "client_uri": "",
        "logo_uri": "",
        "contacts": [],
        "client_secret_expires_at": 0,
        "subject_type": "public",
        "jwks": {},
        "token_endpoint_auth_method": "client_secret_basic",
        "userinfo_signed_response_alg": "none",
        "created_at": "2020-12-22T22:53:43Z",
        "updated_at": "2020-12-22T22:53:43.002063Z",
        "metadata": {}
    },
    "request_url": "http://127.0.0.1:4444/oauth2/auth?acr_values=urn%3Aacr%3Afacial&client_id=spec-client-id&display=page&login_hint=foo%40bar.com&max_age=0&nonce=wtsbgzfnljadntlwnxxpxtdi&prompt=login+consent&redirect_uri=http%3A%2F%2F127.0.0.1%3A5000%2Fcallback&response_mode=query&response_type=code&scope=openid+offline+email+profile+phone+address&state=btmetlazepzwupbnchmzkjsd&ui_locales=es_CL",
    "login_challenge": "2fd632e57bd1421c809ecdd19f3c53b5",
    "login_session_id": "a2b40a6c-8748-44f4-b8da-c33bbedc8212",
    "acr": "urn:acr:facial",
    "context": {} 
}
ConsentRequestSession payload
{
    "access_token": {},
    "id_token": { 
        "email": "foo@bar.com",
        "email_verified": true,
        "phone_number": "1337133713371337",
        "phone_number_verified": true,
        "names": "Foo Bar",
        "last_name": "Bas",
        "sur_name": "Baz",
        "gender": "robot",
        "birthdate": "1.1.2014",
        "profile": "https://api.autentiaplus.id/profile/2fd632e57bd1421c809ecdd19f3c53b5",
        "picture": "https://raw.githubusercontent.com/ory/web/master/static/images/favico.png",
        "updated_at": 1604416603
    }
}
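An added example (not Hydra's or the page's own code) of how a consent handler could turn the consent challenge and the profile above into the accept payload: the grant is capped at requested_scope, and only the claims released by the granted scopes are copied into session.id_token. The accept field names follow Hydra's accept-consent admin call; the scope-to-claim mapping, the skip handling and the remember_for value are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ConsentRequest is the subset of the consent challenge used here.
type ConsentRequest struct {
	Challenge         string   `json:"challenge"`
	RequestedScope    []string `json:"requested_scope"`
	RequestedAudience []string `json:"requested_access_token_audience"`
	Skip              bool     `json:"skip"`
	Subject           string   `json:"subject"`
}

// ConsentSession is the ConsentRequestSession payload shown above.
type ConsentSession struct {
	AccessToken map[string]interface{} `json:"access_token"`
	IDToken     map[string]interface{} `json:"id_token"`
}

// AcceptConsent is the body sent to the admin API to accept the challenge.
type AcceptConsent struct {
	GrantScope    []string       `json:"grant_scope"`
	GrantAudience []string       `json:"grant_access_token_audience"`
	Remember      bool           `json:"remember"`
	RememberFor   int            `json:"remember_for"`
	Session       ConsentSession `json:"session"`
}

// claimsByScope says which profile claims each scope releases (assumed mapping;
// "openid" and "offline" release no profile claim).
var claimsByScope = map[string][]string{
	"email":   {"email", "email_verified"},
	"phone":   {"phone_number", "phone_number_verified"},
	"profile": {"names", "last_name", "sur_name", "gender", "birthdate", "profile", "picture", "updated_at"},
	"address": {"address"},
}

// BuildAcceptConsent builds the accept payload. granted is what the user ticked
// in the consent UI; when the challenge has skip=true Hydra already holds a
// prior consent and the handler grants the requested scope again without a UI.
func BuildAcceptConsent(req ConsentRequest, granted []string, profile map[string]interface{}, remember bool) (AcceptConsent, error) {
	if req.Subject == "" {
		return AcceptConsent{}, fmt.Errorf("consent %s: no authenticated subject", req.Challenge)
	}
	if req.Skip {
		granted = req.RequestedScope
	}
	requested := map[string]bool{}
	for _, s := range req.RequestedScope {
		requested[s] = true
	}
	out := AcceptConsent{
		GrantAudience: req.RequestedAudience,
		Remember:      remember,
		Session: ConsentSession{
			AccessToken: map[string]interface{}{},
			IDToken:     map[string]interface{}{},
		},
	}
	if remember {
		out.RememberFor = 3600 // seconds; assumed policy
	}
	seen := map[string]bool{}
	for _, s := range granted {
		// never grant a scope the client did not ask for, and never twice
		if !requested[s] || seen[s] {
			continue
		}
		seen[s] = true
		out.GrantScope = append(out.GrantScope, s)
		for _, c := range claimsByScope[s] {
			if v, ok := profile[c]; ok {
				out.Session.IDToken[c] = v
			}
		}
	}
	if len(out.GrantScope) == 0 {
		return AcceptConsent{}, fmt.Errorf("consent %s: nothing granted, reject the challenge instead", req.Challenge)
	}
	return out, nil
}

func main() {
	// constructed sample based on the consent challenge above
	req := ConsentRequest{Challenge: "c6f01e17058e485ca995e89f853ae49e", Subject: "foo@bar.com",
		RequestedScope: []string{"openid", "offline", "email", "profile", "phone", "address"}}
	profile := map[string]interface{}{"email": "foo@bar.com", "email_verified": true,
		"phone_number": "1337133713371337", "names": "Foo Bar"}
	out, err := BuildAcceptConsent(req, []string{"openid", "email", "read:admin"}, profile, true)
	if err != nil {
		panic(err)
	}
	b, _ := json.MarshalIndent(out, "", "  ")
	fmt.Println(string(b))
}
```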

1.4 - NG Flow

NG-Flow proposal, support for native rendering

sequenceDiagram
  autonumber
  participant Usuario
  participant Relying Party
  participant Hydra Public
  participant FrontSPA
  participant Hydra GW
  participant Hydra Admin
  participant Identity
  participant Channels
  participant IDP
  participant Audit
  Usuario->>+Relying Party: Intento de Login
  Relying Party-->>-Usuario: Login link
  Usuario->>Usuario: Click link
  Usuario->>+Hydra Public: Login request
  Hydra Public-->>-Usuario: 302 FrontSPA url
  Usuario->>+FrontSPA: request + Login Challenge
  FrontSPA->>+Hydra GW: Login Challenge
  Hydra GW->>+Hydra Admin: GET loginChallenge
  Hydra Admin-->>-Hydra GW: Full loginContext
  Hydra GW-->>-FrontSPA: Redacted loginContext
  FrontSPA-->>-Usuario: Render Subject Request
  Usuario->>+FrontSPA: Submit Subject
  FrontSPA->>+Hydra GW: Login Challenge+Sub
  Hydra GW->>+Hydra Admin: GET loginChallenge
  Hydra Admin-->>-Hydra GW: Full loginContext
  Hydra GW->>+Hydra Public: ClientCredential Flow
  Hydra Public-->>-Hydra GW: ClientCredential Token
  Hydra GW->>+Identity: Get Data
  Identity-->>-Hydra GW: Available Data
  Hydra GW-->>-FrontSPA: Available Data
  FrontSPA-->>-Usuario: Render Evidence Request
  Usuario->>+FrontSPA: Submit Evidence
  FrontSPA->>+Identity: Submit Evidence
  Identity-->>-FrontSPA: EV Reference
  FrontSPA->>+Hydra GW: Login Challenge+Sub+EV Reference
  Hydra GW->>+Identity: Validate EV Reference
  Identity-->>-Hydra GW: OK! (JWT?)
  Hydra GW->>+Hydra Public: ClientCredential Flow
  Hydra Public-->>-Hydra GW: ClientCredential Token
  Hydra GW->>+Channels: Get Channels
  Channels-->>-Hydra GW: Channels
  Hydra GW-->>-FrontSPA: Channels Data
  FrontSPA-->>-Usuario: Render ask for Channel
  Usuario->>+FrontSPA: Submit Channel
  FrontSPA->>+Hydra GW: Submit Channel
  Hydra GW->>+Channels: Submit Channel
  Channels-->>-Hydra GW: Success
  Hydra GW->>+Hydra Admin: Accept LoginChallenge
  Hydra Admin-->>-Hydra GW: Consent URL
  Hydra GW-->>-FrontSPA: Consent URL
  FrontSPA-->>-Usuario: 302 Consent URL
  Usuario->>+FrontSPA: request + Consent Challenge
  FrontSPA->>+Hydra GW: Consent Challenge
  Hydra GW->>+Hydra Admin: GET consentChallenge
  Hydra Admin-->>-Hydra GW: Full consentContext
  Hydra GW-->>-FrontSPA: Redacted consentContext
  FrontSPA-->>-Usuario: Render Consent Request
  Usuario->>+FrontSPA: Submit Consent
  FrontSPA->>+Hydra GW: Accept Consent
  Hydra GW->>+Hydra Public: ClientCredential Flow
  Hydra Public-->>-Hydra GW: ClientCredential Token
  Hydra GW->>+IDP: GetProfile
  IDP-->>-Hydra GW: Profile
  Hydra GW->>+Hydra Public: ClientCredential Flow
  Hydra Public-->>-Hydra GW: ClientCredential Token
  Hydra GW->>+Audit: Create Audit
  Audit-->>-Hydra GW: Audit Number
  Hydra GW->>+Hydra Admin: Accept ConsentChallenge
  Hydra Admin-->>-Hydra GW: Relying Party Callback URL
  Hydra GW-->>-FrontSPA: Relying Party Callback URL
  FrontSPA-->>-Usuario: 302 Relying Party Callback url
  Usuario->>+Relying Party: Callback+code
  Relying Party->>+Hydra Public: Token Exchange
  Hydra Public-->>-Relying Party: Tokens
  Relying Party-->>-Usuario: SUCCESS!

1.5 - NG Flow RC1

NG-Flow proposal, support for native rendering

sequenceDiagram
  autonumber
  participant Usuario
  participant Relying Party
  participant Hydra Public
  participant FrontSPA
  participant Hydra GW
  participant Hydra Admin
  participant Identity
  participant Channels
  participant IDP
  participant Audit
  Usuario->>+Relying Party: Intento de Login
  Relying Party-->>-Usuario: Login link
  Usuario->>Usuario: Click link
  Usuario->>+Hydra Public: Login request
  Hydra Public-->>-Usuario: 302 FrontSPA url
  Usuario->>+FrontSPA: GET ?login_challenge=35b0729eb065430d928d738188ccc1b9
  FrontSPA->>+Hydra GW: GET /auth/login?challenge=35b0729eb065430d928d738188ccc1b9
  Hydra GW->>+Hydra Admin: GET LoginRequest
  Hydra Admin-->>-Hydra GW: { LoginRequest }
  Hydra GW->>+Identity: POST { Credential } /wip/authentication/v1/available
  Identity-->>-Hydra GW: { AvailableAuthentications }
  
  rect rgb(200, 150, 255)
    opt Validate Enrollment if "upgrade" or "noop"
      Hydra GW->>+Identity: POST { RegID } /mvp/v0.1/persons/verify-recent-registration
      Identity-->>-Hydra GW: { RegistrationValidation }
    end
  end

  Hydra GW-->>-FrontSPA: { LoginChallengeResponse }
  FrontSPA-->>-Usuario: Render VIEW

  rect rgb(191, 223, 255)
    loop Submit Partial or Full
      Usuario->>+FrontSPA: Submit Data
      FrontSPA->>+Hydra GW: PUT { LoginCredentialRequest } /auth/login/submit?challenge=35b0729eb065430d928d738188ccc1b9
      Hydra GW->>+Hydra Admin: GET LoginRequest
      Hydra Admin-->>-Hydra GW: { LoginRequest }
      Hydra GW-->>-FrontSPA: { LoginChallengeResponse }
    end
  end
  
  FrontSPA->>+Identity: Submit Evidence ( GUSTAVO, PENDIENTE ENDPOINT )
  Identity-->>-FrontSPA: { EvidenceID }
  FrontSPA->>+Hydra GW: PUT /auth/login/accept?challenge=35b0729eb065430d928d738188ccc1b9
  Hydra GW->>+Identity: POST { ValidateEvidenceID } /rc/authentication/authenticate
  Identity-->>-Hydra GW: { AuthenticateValidation }
  Hydra GW->>+Hydra Admin: PUT AcceptLoginRequest
  Hydra Admin-->>-Hydra GW: { CompletedRequest }
  Hydra GW-->>-FrontSPA: { CompletedRequest }
  FrontSPA-->>-Usuario: 302 { CompletedRequest.RedirectURL }
  Usuario->>+FrontSPA: GET ?consent_challenge=598efc627d734b78907d3377a01412e5
  FrontSPA->>+Hydra GW: GET /auth/consent?consent_challenge=598efc627d734b78907d3377a01412e5
  Hydra GW->>+Hydra Admin: GET ConsentRequest
  Hydra Admin-->>-Hydra GW: { ConsentRequest }
  Hydra GW-->>-FrontSPA: { ConsentChallengeResponse }
  FrontSPA-->>-Usuario: Render VIEW
  Usuario->>+FrontSPA: Submit Consent
  FrontSPA->>+Hydra GW: PUT /auth/consent/accept?consent_challenge=598efc627d734b78907d3377a01412e5
  Hydra GW->>+IDP: GetProfile
  IDP-->>-Hydra GW: Profile
  Hydra GW->>+Audit: Create Audit
  Audit-->>-Hydra GW: Audit Number
  Hydra GW->>+Hydra Admin: PUT AcceptConsentRequest
  Hydra Admin-->>-Hydra GW: { CompletedRequest }
  Hydra GW-->>-FrontSPA: { CompletedRequest }
  FrontSPA-->>-Usuario: 302 { CompletedRequest.RedirectURL }
  Usuario->>+Relying Party: Callback+code
  Relying Party->>+Hydra Public: Token Exchange
  Hydra Public-->>-Relying Party: Tokens
  Relying Party-->>-Usuario: SUCCESS!

2 - Oathkeeper Headers

ClientCredentials

"Autentiaplus-AuthType": "Service",
"Autentiaplus-Subject": "4984e27e-4fe4-4040-beb4-870367b17225",
"Autentiaplus-Clientid": "4984e27e-4fe4-4040-beb4-870367b17225",
"Autentiaplus-Customerid": "",
"Autentiaplus-Credential-Sub": "",
"Autentiaplus-Credential-Typ": "",
"Autentiaplus-Credential-Iss": "",
"Autentiaplus-Credential-Country": "",
"Autentiaplus-Name": "",
"Autentiaplus-Scope": "legacy:ws legacy:auth:autentia",
"Autentiaplus-Score": "",

AuthorizationFlow

"Autentiaplus-AuthType": "User",
"Autentiaplus-Subject": "b4db83a9-cbd7-574a-a4fd-49cc0d737e09",
"Autentiaplus-Clientid": "87e61761-fe0c-4237-8295-7180bc816836",
"Autentiaplus-Customerid": "d97ee6db-66cc-43bd-aff7-a3631f911541",
"Autentiaplus-Credential-Sub": "16182517-4",
"Autentiaplus-Credential-Typ": "rut",
"Autentiaplus-Credential-Iss": "srcei",
"Autentiaplus-Credential-Country": "CHL",
"Autentiaplus-Name": "LUIS IGNACIO CISTERNAS ROJAS",
"Autentiaplus-Scope": "openid email profile",
"Autentiaplus-Score": "0.25",

Guest - No Authorization Header

"Autentiaplus-AuthType": "Guest",
"Autentiaplus-Subject": "guest",
"Autentiaplus-Clientid": "",
"Autentiaplus-Customerid": "",
"Autentiaplus-Credential-Sub": "",
"Autentiaplus-Credential-Typ": "",
"Autentiaplus-Credential-Iss": "",
"Autentiaplus-Credential-Country": "",
"Autentiaplus-Name": "",
"Autentiaplus-Scope": "",
"Autentiaplus-Score": "",
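The three header profiles above, parsed and checked by an upstream service, as an added example (not Oathkeeper's or the project's code). The consistency rules are read off the three examples and are assumptions; the headers are only trustworthy when the upstream is reachable solely through Oathkeeper, which sets every one of them on each request.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Principal is what an upstream service learns from the Autentiaplus-* headers.
type Principal struct {
	AuthType   string // "Service", "User" or "Guest"
	Subject    string
	ClientID   string
	CustomerID string
	Credential struct{ Sub, Typ, Iss, Country string }
	Name       string
	Scope      []string
	Score      float64
	HasScore   bool // false when the Score header is empty, as for Service and Guest
}

const headerPrefix = "Autentiaplus-"

// FromHeaders parses the header set and checks the invariants visible in the
// three profiles above (assumed: Guest has subject "guest" and no client id;
// Service and User carry a subject and a client id; User also a credential).
func FromHeaders(h http.Header) (Principal, error) {
	get := func(k string) string { return strings.TrimSpace(h.Get(headerPrefix + k)) }
	p := Principal{AuthType: get("AuthType"), Subject: get("Subject"), ClientID: get("Clientid"),
		CustomerID: get("Customerid"), Name: get("Name")}
	p.Credential.Sub, p.Credential.Typ = get("Credential-Sub"), get("Credential-Typ")
	p.Credential.Iss, p.Credential.Country = get("Credential-Iss"), get("Credential-Country")
	if s := get("Scope"); s != "" {
		p.Scope = strings.Fields(s)
	}
	if s := get("Score"); s != "" {
		v, err := strconv.ParseFloat(s, 64)
		if err != nil {
			return Principal{}, fmt.Errorf("bad %sScore %q: %w", headerPrefix, s, err)
		}
		p.Score, p.HasScore = v, true
	}
	switch p.AuthType {
	case "Guest":
		if p.Subject != "guest" || p.ClientID != "" {
			return Principal{}, errors.New("guest profile with a real subject or client id")
		}
	case "Service":
		if p.Subject == "" || p.ClientID == "" {
			return Principal{}, errors.New("service profile missing subject or client id")
		}
	case "User":
		if p.Subject == "" || p.ClientID == "" || p.Credential.Sub == "" {
			return Principal{}, errors.New("user profile missing subject, client id or credential")
		}
	default:
		return Principal{}, fmt.Errorf("unknown %sAuthType %q", headerPrefix, p.AuthType)
	}
	return p, nil
}

// HasScope reports whether every required scope was granted.
func (p Principal) HasScope(required ...string) bool {
	granted := map[string]bool{}
	for _, s := range p.Scope {
		granted[s] = true
	}
	for _, r := range required {
		if !granted[r] {
			return false
		}
	}
	return true
}

// Authorize is the check an upstream runs for an endpoint that needs a user
// authenticated with at least minScore and holding the given scopes.
func Authorize(p Principal, minScore float64, scopes ...string) error {
	if p.AuthType != "User" {
		return fmt.Errorf("%s principal is not a user", p.AuthType)
	}
	if !p.HasScore || p.Score < minScore {
		return fmt.Errorf("score %.2f is below the required %.2f", p.Score, minScore)
	}
	if !p.HasScope(scopes...) {
		return fmt.Errorf("missing scope, granted: %v", p.Scope)
	}
	return nil
}
```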

3 - OpenID Connect

A “lightweight framework” for identity interactions

3.1 - History

OpenID Connect was ratified as a standard by its members on February 26, 2014. OpenID Connect provides an identity framework for RESTful interactions. It was developed under the umbrella of the OpenID Foundation and has its roots in OpenID, but was heavily influenced by OAuth 2.0.

The announcement issued by the OpenID Foundation about the release of the OpenID Connect standard is available here.

OpenID, which followed in the footsteps of SAML in 2005, revolutionized web authentication. Brad Fitzpatrick, founder of LiveJournal, indicated. The basic principle behind OpenID and SAML is the same. Both can be used to facilitate single sign-on (SSO) and cross-domain identity federation. OpenID has a larger community, is more user-centric and is decentralized. Yahoo! added OpenID support in January 2008, MySpace announced support in July of that same year, and Google joined in October. By December 2009 there were more than 1 billion OpenID-enabled user accounts. It was a tremendous success as a web SSO protocol.

3.2 - Quick Start

How many profiles do you maintain today across different websites? Perhaps you have a Yahoo! account, one on Facebook, another on Google, and so on. Every time a personal detail such as a phone number or address changes, you have to update it in each place or leave stale data behind. OpenID solves this problem of profile data scattered across different providers. With OpenID you keep your profile only at your OpenID provider, and every other site becomes an OpenID relying party. These sites “talk” to your OpenID provider to obtain your profile information.

Each time you try to sign in to an OpenID relying party website, you are redirected to the OpenID provider. There you must authenticate and approve the attribute request made by the relying party. Once approved, you are redirected back to the relying party's site with the requested attributes.

With SSO you authenticate only at the OpenID provider, and only the first time a relying party redirects you there. After that the OpenID provider does not ask for credentials again; it reuses the previously created session. That authenticated session is kept either by a cookie that lasts until the browser is closed or by a persistent cookie.

sequenceDiagram
    participant Usuario
    participant Relying Party
    participant OpenID Provider
    Usuario->>+Relying Party: Intento de Login
    Relying Party-->>-Usuario: Login link
    Usuario->>Usuario: Click link
    alt auth flow
        Usuario->>+OpenID Provider: Login request
        OpenID Provider-->>-Usuario: Render toma de evidencias
        Usuario->>+OpenID Provider: Proporciona evidencias
    end
    alt consent flow
        OpenID Provider-->>-Usuario: Render toma consentimientos
        Usuario->>+OpenID Provider: Proporciona consentimientos
    end
    OpenID Provider-->>-Usuario: 302 callback url
    Usuario->>Usuario: resuelve 302
    Usuario->>Relying Party: Entrega code
    Relying Party->>OpenID Provider: Intercambio code por tokens
    OpenID Provider->>Relying Party: AccessToken y/o idToken

3.3 - ID Token

The ID Token is the main addition that OpenID Connect makes to OAuth2. It is a JSON Web Token (JWT) that carries information about the authenticated user from the authorization server (OpenID provider) to the client application (OpenID relying party). The structure of an ID Token is defined by the OpenID Connect specification. An example ID Token follows:

StandardClaims

{
    "iss": "https://accounts.autentiaplus.id/",
    "sub": "d733edad-4d05-402a-9b66-090b06d40f7a",
    "name": "Luis Ignacio Cisternas Rojas",
    "given_name": "Luis Ignacio",
    "family_name": "Cisternas Rojas",
    "gender": "male",
    "updated_at": 1604416603,
    "aud": "67jjuyuy7JHk12",
    "nonce": "88797jgjg32323",
    "exp": 1416283970,
    "iat": 1416283970,
    "auth_time": 1311280969,
    "acr": "urn:acr:password",
    "amr": "password",
    "azp": "67jjuyuy7JHk12"
}
| Attribute | Description |
|---|---|
| iss | Identifies the issuer of the token, as an HTTPS URL without query parameters or fragment. |
| sub | The user's local identifier at the OpenID provider. |
| aud | The audience of the token. It can be a list of identifiers, but it must contain the OAuth client ID; otherwise the client ID must be added in the azp parameter. |
| nonce | A new parameter that the OpenID Connect specification introduces into the authorization flow. In addition to the parameters defined by OAuth 2.0, the client application may optionally include the nonce parameter. This parameter mitigates replay attacks: the authorization server must reject a request when it finds two or more requests with the same nonce. If a nonce is present in the authentication request, the authorization server must include the same value in the ID token, and the client application must verify that the nonce returned by the server is the one it originally sent. |
| exp | The token's expiration time in seconds since 1970-01-01T0:0:0Z (UTC), Unix Epoch. |
| iat | The token's issue time in seconds since 1970-01-01T0:0:0Z (UTC), Unix Epoch. |
| auth_time | The moment at which the user was authenticated by the OpenID provider. If the user was already authenticated, the OpenID provider does not ask the user to authenticate again. How an OpenID provider manages the session or the authentication mechanism is outside the scope of the OpenID Connect specification. A user could create a session by visiting a website other than the client application; in that case the OpenID provider must keep the original authentication time, and that is the value of auth_time. |
| acr | Authentication Context Reference, or acr. The value of this parameter must be understood by both the client application and the authentication provider. It requests an authentication level for the request. |
| amr | Authentication Method References, or amr. Indicates how the user was authenticated by the identity provider. It can be an array of values. Both the client application and the authentication provider must understand these values. |
| azp | Authorized Party, or azp. Required when there is an audience (aud) whose value differs from the OAuth client ID. The value of azp must be the OAuth client ID. |

3.4 - Authorization Request

curl --location --get 'https://accounts.autentiaplus.id/oauth2/auth' \
  --data-urlencode 'response_type=code' \
  --data-urlencode 'scope=openid' \
  --data-urlencode 'client_id=EA71B8972236997FDA75D62E41ED6' \
  --data-urlencode 'redirect_uri=https://localhost:3000/callback' \
  --data-urlencode 'response_mode=query' \
  --data-urlencode 'nonce=aXK2rXuApo' \
  --data-urlencode 'state=8KHUzRUxtZ' \
  --data-urlencode 'display=page' \
  --data-urlencode 'prompt=login' \
  --data-urlencode 'max_age=24h' \
  --data-urlencode 'ui_locales=es-CL' \
  --data-urlencode 'id_token_hint=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c' \
  --data-urlencode 'login_hint=16182517-4' \
  --data-urlencode 'acr_values=urn:acr:facial'


| Attribute | Description | Type | Required |
|---|---|---|---|
| response_type | The type of token the client expects to obtain | string | * |
| scope | The scopes or permissions the client requests from the user | string | * |
| client_id | Identifier of the client application | string | * |
| redirect_uri | Public SSL URL where the client application expects to receive the result of the flow | string | * |
| response_mode | Determines how the authorization server sends the response parameters | string | |
| nonce | Mitigates replay attacks. The authorization server rejects a request when it finds two of them carrying the same nonce | string | *pkce |
| state | Mitigates CSRF attacks. The authorization server requires this parameter for PKCE flows | string | *pkce |
| display | Indicates how the client application expects the authorization server to display the login and consent pages | string | |
| prompt | Indicates whether the client requires the login page, the consent page, both or neither to be displayed | string | |
| max_age | Defines the maximum age a previous session may have in order to be reused | string | |
| ui_locales | Expresses the localization requested by the client | string | |
| id_token_hint | An ID Token previously obtained by the client application | string | |
| login_hint | Indicates the username the client application expects to authenticate | string | |
| acr_values | Authentication context reference values; indicates the authentication level required by the client | string | |
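An added example (not the project's code) tying the Authorization Request parameters above to the ID Token checks from 3.3: it generates state and nonce, renders the request, and validates the returned claims (aud and azp, nonce, exp, iat, auth_time against max_age, acr against acr_values). Here max_age is sent in seconds; the clock-skew tolerance and the sample values are assumptions, and JWT signature verification is assumed to have happened before the claims are checked.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// AuthRequest holds the client-controlled parameters from the table above. State
// and Nonce are generated here and kept in the client session until the callback
// and the ID token have been checked against them.
type AuthRequest struct {
	ClientID, RedirectURI, Scope, ACRValues string
	MaxAge                                  int // seconds; 0 means not sent
	State, Nonce                            string
}

// NewAuthRequest fills in a fresh random state and nonce (16 bytes each).
func NewAuthRequest(clientID, redirectURI, scope string) (AuthRequest, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return AuthRequest{}, err
	}
	enc := base64.RawURLEncoding.EncodeToString
	return AuthRequest{ClientID: clientID, RedirectURI: redirectURI, Scope: scope,
		State: enc(b[:16]), Nonce: enc(b[16:])}, nil
}

// URL renders the authorization request for the code flow with response_mode=query.
func (a AuthRequest) URL(authEndpoint string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("scope", a.Scope)
	q.Set("client_id", a.ClientID)
	q.Set("redirect_uri", a.RedirectURI)
	q.Set("response_mode", "query")
	q.Set("state", a.State)
	q.Set("nonce", a.Nonce)
	if a.MaxAge > 0 {
		q.Set("max_age", strconv.Itoa(a.MaxAge))
	}
	if a.ACRValues != "" {
		q.Set("acr_values", a.ACRValues)
	}
	return authEndpoint + "?" + q.Encode()
}

// IDTokenClaims is the subset of the ID Token from 3.3, already decoded with
// aud normalized to a list. Verifying the JWT signature against the provider's
// JWKS is assumed to have happened before these checks.
type IDTokenClaims struct {
	Iss, Sub, Nonce, ACR, AZP string
	Aud                       []string
	Exp, Iat, AuthTime        int64
}

const clockSkew = 60 // seconds of tolerance on iat (assumption)

// ValidateIDToken applies the checks the attribute table in 3.3 calls for.
func ValidateIDToken(c IDTokenClaims, issuer string, a AuthRequest, now time.Time) error {
	if c.Iss != issuer || c.Sub == "" {
		return fmt.Errorf("iss %q does not match %q, or sub is empty", c.Iss, issuer)
	}
	inAud := false
	for _, aud := range c.Aud {
		inAud = inAud || aud == a.ClientID
	}
	if !inAud {
		return errors.New("aud does not contain our client_id")
	}
	if (len(c.Aud) > 1 && c.AZP == "") || (c.AZP != "" && c.AZP != a.ClientID) {
		return fmt.Errorf("azp %q missing with several audiences, or not our client_id", c.AZP)
	}
	if c.Nonce == "" || c.Nonce != a.Nonce {
		return errors.New("nonce missing or not the one we sent")
	}
	t := now.Unix()
	if t >= c.Exp || c.Iat > t+clockSkew {
		return errors.New("token expired or issued in the future")
	}
	if a.MaxAge > 0 && (c.AuthTime == 0 || t-c.AuthTime > int64(a.MaxAge)) {
		return errors.New("auth_time missing or older than max_age")
	}
	if a.ACRValues != "" {
		ok := false
		for _, v := range strings.Fields(a.ACRValues) {
			ok = ok || v == c.ACR
		}
		if !ok {
			return fmt.Errorf("acr %q is not one of the requested acr_values", c.ACR)
		}
	}
	return nil
}
```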

3.5 - Scope

[StandardClaims](https://openid.net/specs/openid-connect-basic-1_0.html#StandardClaims)

| Scope | Claims | Required |
|---|---|---|
| openid | Returns the sub claim, which uniquely identifies the user. The default claims are also delivered; see ID Token | * |
| birthdate | Returns the birthdate claim | |
| profile | Returns the profile, birthdate and picture claims | |
| credential | Returns the credential claim; see Credential | |
| email | Returns the email and email_verified claims | |
| phone | Returns the phone_number and phone_number_verified claims | |
| offline_access | Returns a refresh token | |

3.6 - Credential

Credential Payload

{
  "sub": "16182517-4",
  "country": "CHL",
  "typ": "rut",
  "iss": "srcei"
}

3.7 - Authentication Context Reference

Strategy ACRs

| Value | Description | Alias | Locales |
|---|---|---|---|
| urn:acr:default | Document number verification | autoidentify | es_CL |
| urn:acr:password | Password verification | password | * |
| urn:acr:facial:live | Facial verification WITH liveness check | facial | es_CL, es_PE |
| urn:acr:facial:simple | Facial verification WITHOUT liveness check | facialself | es_CL, es_PE |
| urn:acr:facial:live?=sample=true | Facial verification WITH liveness check + sample | facial | es_CL, es_PE |
| urn:acr:facial:simple?=sample=true | Facial verification WITHOUT liveness check + sample | facialself | es_CL, es_PE |
| urn:acr:facial:live?=sample=false | Facial verification WITH liveness check | facial | es_CL, es_PE |
| urn:acr:facial:simple?=sample=false | Facial verification WITHOUT liveness check | facialself | es_CL, es_PE |
| urn:acr:finger:reader | Fingerprint verification with reader | | es_CL, es_PE |
| urn:acr:finger:picture | Fingerprint verification with camera | | es_CL, es_PE |
| urn:acr:finger:reader?=sample=true | Fingerprint verification with reader + sample | | es_CL, es_PE |
| urn:acr:finger:picture?=sample=true | Fingerprint verification with camera + sample | | es_CL, es_PE |
| urn:acr:finger:reader?=sample=false | Fingerprint verification with reader | | es_CL, es_PE |
| urn:acr:finger:picture?=sample=false | Fingerprint verification with camera | | es_CL, es_PE |

2FA ACR

| Value |
|---|
| urn:acr:otp:email |
| urn:acr:otp:phone |
| urn:acr:otp:email?=recipient=foo@bar.com |
| urn:acr:otp:phone?=recipient=+56911111111 |

4 - Resources

4.1 - Resources MAP

identity

| URN | Description |
|---|---|
| urn:identity::120b5cb7-41d3-4713-9abb-fc6f72074fde | sub ref |

identity traits (future proof)

| URN | Description |
|---|---|
| urn:identity::120b5cb7-41d3-4713-9abb-fc6f72074fde:traits:d3f8249 | rfc |
| urn:identity:traits::120b5cb7-41d3-4713-9abb-fc6f72074fde:d3f8249 | rfc |
| urn:identity::120b5cb7-41d3-4713-9abb-fc6f72074fde?=traits=d3f8249 | rfc |

identity event registry cloudevents spec

| URN | Description |
|---|---|
| urn:event:source:type:id | cloudevent spec |
| urn:event:identity:registry:f87d10c5-382a-43a2-a8ca-a36ae77c2fc4 | identity registry event ref |

identity credential(s)

| URN | Description |
|---|---|
| urn:identity:credential | |
| urn:identity:credential::chl:srcei:rut:1-9 | sub ref |

identity credential(s) rfc8141 q-component

| URN | Description |
|---|---|
| urn:identity:credential?=country=chl&iss=srcei&typ=rut&sub=1-9 | combinables |
| urn:identity:credential?=country=chl&iss=srceisub=1-9 | combinables |
| urn:identity:credential?=iss=google&typ=email&sub=foobar | combinables |
| urn:identity:credential?=iss=whatsapp&typ=phone&sub=+56955500123 | combinables |

identity document(s)

| URN | Description |
|---|---|
| urn:identity:document | |
| urn:identity:document::chl:srcei:rut:1-9 | sub ref |

identity document(s) rfc8141 q-component

| URN | Description |
|---|---|
| urn:identity:document?=country=chl&iss=srcei&typ=rut&sub=1-9 | required |

identity verifiable channels (otp / totp / password recovery)

| URN | Description |
|---|---|
| urn:identity:channel | |
| urn:identity:channel:phone | |
| urn:identity:channel:email | |
| urn:identity:channel:device | |
| urn:identity:channel:phone:+56955500123 | ref |
| urn:identity:channel:email:foobar@example.com | ref |
| urn:identity:channel:device:9d23dbc87d9de583fbceacd410d5ee47 | ref |
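Added example (not the project's code) serving both the ACR values in 3.7 and the identity URNs in 4.1: an RFC 8141 URN parser that understands the ?= q-component, a selector that picks the first requested ACR strategy available for a locale from the 3.7 table, and a matcher for the combinable credential queries. The strategy rows are copied from 3.7; the positional field order country:iss:typ:sub is assumed from the examples.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

type URN struct { // RFC 8141 name: NID, NSS and the "?=" q-component
	NID, NSS string
	Q        map[string]string
}

// ParseURN handles "urn:NID:NSS?=k=v&k2=v2". Values are decoded with PathUnescape
// so a "+" in a phone number stays "+" (query decoding would make it a space).
func ParseURN(s string) (URN, error) {
	head, q, _ := strings.Cut(s, "?=") // r-components ("?+") and fragments not handled
	parts := strings.SplitN(head, ":", 3)
	if len(parts) != 3 || !strings.EqualFold(parts[0], "urn") || parts[1] == "" || parts[2] == "" {
		return URN{}, fmt.Errorf("not a urn: %q", s)
	}
	u := URN{NID: strings.ToLower(parts[1]), NSS: parts[2], Q: map[string]string{}}
	if q == "" {
		return u, nil
	}
	for _, kv := range strings.Split(q, "&") {
		k, v, _ := strings.Cut(kv, "=")
		k, err := url.PathUnescape(k)
		if err != nil || k == "" {
			return URN{}, fmt.Errorf("bad q-component in %q", s)
		}
		if v, err = url.PathUnescape(v); err != nil {
			return URN{}, err
		}
		u.Q[k] = v
	}
	return u, nil
}

// Strategy is one row of the Strategy ACR table in 3.7; "*" in Locales means any.
type Strategy struct {
	Value, Alias string
	Locales      []string
}

var strategies = []Strategy{ // alias left empty where the table gives none
	{"urn:acr:default", "autoidentify", []string{"es_CL"}},
	{"urn:acr:password", "password", []string{"*"}},
	{"urn:acr:facial:live", "facial", []string{"es_CL", "es_PE"}},
	{"urn:acr:facial:simple", "facialself", []string{"es_CL", "es_PE"}},
	{"urn:acr:finger:reader", "", []string{"es_CL", "es_PE"}},
	{"urn:acr:finger:picture", "", []string{"es_CL", "es_PE"}},
}

// SelectACR walks the space-separated acr_values in the client's order and returns
// the first strategy offered for the locale, plus its q-component options (sample=...).
func SelectACR(acrValues, locale string) (Strategy, map[string]string, error) {
	for _, raw := range strings.Fields(acrValues) {
		u, err := ParseURN(raw)
		if err != nil || u.NID != "acr" {
			return Strategy{}, nil, fmt.Errorf("invalid acr value %q", raw)
		}
		for _, s := range strategies {
			if s.Value != "urn:acr:"+u.NSS {
				continue
			}
			for _, l := range s.Locales {
				if l == "*" || l == locale {
					return s, u.Q, nil
				}
			}
		}
	}
	return Strategy{}, nil, fmt.Errorf("no strategy in %q is available for %s", acrValues, locale)
}

// credentialFields is the positional order in urn:identity:credential::country:iss:typ:sub
var credentialFields = []string{"country", "iss", "typ", "sub"}

// CredentialMatches reports whether the positional credential URN ref satisfies a
// q-component query from 4.1; fields absent from the query match anything (combinable).
func CredentialMatches(query, ref string) (bool, error) {
	q, errQ := ParseURN(query)
	r, errR := ParseURN(ref)
	parts := strings.Split(r.NSS, ":") // ["credential", "", country, iss, typ, sub]
	if errQ != nil || errR != nil || r.NID != "identity" || len(parts) != 6 || parts[0] != "credential" || parts[1] != "" {
		return false, fmt.Errorf("bad query %q or reference %q", query, ref)
	}
	if q.NID != "identity" || q.NSS != "credential" {
		return false, nil
	}
	for i, f := range credentialFields {
		if want, ok := q.Q[f]; ok && !strings.EqualFold(want, parts[i+2]) {
			return false, nil
		}
	}
	return true, nil
}
```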

4.2 - RBAC

role

{
    "id": "urn:role::tenant-id:role-name",
    "description": "string",
    "members": [
        "urn:identity::120b5cb7-41d3-4713-9abb-fc6f72074fde",
        "urn:identity:credential::chl:srcei:rut:1-9",
        "urn:identity:document::chl:srcei:rut:1-9"
    ]
}
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| id | string | false | none | ID is the role's unique id. |
| description | string | false | none | Description is the description of the role. |
| members | [string] | false | none | Members is who belongs to the role. |

scp (service control policy)

{
    "id": "urn:policy:tenant-id:policy-name",
    "actions": [
        "read",
        "write"
    ],
    "description": "string",
    "effect": "(allow|deny)",
    "subjects": [
        "urn:role::tenant-id:role-name",
        "urn:identity::66bb201b-e368-40cd-81b7-37f01ec73ed8"
    ],
    "resources": [
        "string"
    ]
}
| Name | Type | Required | Restrictions | Description |
|---|---|---|---|---|
| id | string | false | none | ID is the unique identifier of the SCP. It is used to query, update, and remove the SCP. |
| actions | [string] | false | none | Actions is an array representing all the actions this SCP applies to. |
| description | string | false | none | Description is an optional, human-readable description. |
| effect | string | false | none | Effect is the effect of this SCP. It can be “allow” or “deny”. |
| subjects | [string] | false | none | Subjects is an array representing all the subjects this SCP applies to. |
| resources | [string] | false | none | Resources is an array representing all the resources this SCP applies to. |

check request

{
    "action": "string",
    "context": {},
    "resource": "string",
    "subject": "string"
}
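An added example (not the project's code) that evaluates a check request against roles and SCPs: subjects are expanded through role membership, an explicit deny overrides any allow, and a trailing * in an action or resource is a prefix wildcard. Those semantics, the SampleGuard tenant and its URNs are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Role, SCP and CheckRequest mirror the three payloads above.
type Role struct {
	ID          string   `json:"id"`
	Description string   `json:"description"`
	Members     []string `json:"members"`
}

type SCP struct {
	ID          string   `json:"id"`
	Actions     []string `json:"actions"`
	Description string   `json:"description"`
	Effect      string   `json:"effect"` // "allow" or "deny"
	Subjects    []string `json:"subjects"`
	Resources   []string `json:"resources"`
}

type CheckRequest struct {
	Action   string                 `json:"action"`
	Context  map[string]interface{} `json:"context"`
	Resource string                 `json:"resource"`
	Subject  string                 `json:"subject"`
}

// Guard evaluates check requests. Assumed semantics: a policy applies when its
// subjects (directly or through a role), actions and resources all match; an
// explicit deny wins over any allow; with no matching allow the answer is deny.
type Guard struct {
	Roles    []Role
	Policies []SCP
}

// subjectsFor expands a subject URN to itself plus every role it belongs to.
func (g Guard) subjectsFor(subject string) map[string]bool {
	set := map[string]bool{subject: true}
	for _, r := range g.Roles {
		for _, m := range r.Members {
			if m == subject {
				set[r.ID] = true
			}
		}
	}
	return set
}

// anyMatch compares exactly, or by prefix when the pattern ends in "*".
func anyMatch(patterns []string, value string) bool {
	for _, p := range patterns {
		if p == value || (strings.HasSuffix(p, "*") && strings.HasPrefix(value, strings.TrimSuffix(p, "*"))) {
			return true
		}
	}
	return false
}

// Check returns true only when some SCP allows the request and none denies it.
func (g Guard) Check(req CheckRequest) (bool, error) {
	if req.Subject == "" || req.Action == "" || req.Resource == "" {
		return false, errors.New("subject, action and resource are required")
	}
	subjects := g.subjectsFor(req.Subject)
	allowed := false
	for _, p := range g.Policies {
		applies := false
		for _, s := range p.Subjects {
			applies = applies || subjects[s]
		}
		if !applies || !anyMatch(p.Actions, req.Action) || !anyMatch(p.Resources, req.Resource) {
			continue
		}
		switch p.Effect {
		case "deny":
			return false, nil // deny overrides any allow
		case "allow":
			allowed = true
		default:
			return false, fmt.Errorf("policy %s: invalid effect %q", p.ID, p.Effect)
		}
	}
	return allowed, nil
}

// SampleGuard is a constructed tenant: auditors may read identities but are
// explicitly denied anything under urn:identity:credential.
func SampleGuard() Guard {
	return Guard{
		Roles: []Role{{ID: "urn:role::tenant-a:auditors", Description: "read-only auditors",
			Members: []string{"urn:identity::120b5cb7-41d3-4713-9abb-fc6f72074fde"}}},
		Policies: []SCP{
			{ID: "urn:policy:tenant-a:audit-read", Actions: []string{"read"}, Effect: "allow",
				Subjects: []string{"urn:role::tenant-a:auditors"}, Resources: []string{"urn:identity:*"}},
			{ID: "urn:policy:tenant-a:no-credentials", Actions: []string{"*"}, Effect: "deny",
				Subjects: []string{"urn:role::tenant-a:auditors"}, Resources: []string{"urn:identity:credential*"}},
		},
	}
}
```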

5 - Audits

6 - Gatekeeper

6.1 - Gatekeeper API

Information

Version

latest

Contact

Ignacio Cisternas icisternas@autentia.cl https://autentia.cl

Content negotiation

URI Schemes

  • http
  • https

Consumes

  • application/json

Produces

  • application/json

Access control

Security Schemes

oauth2

Type: oauth2

Flow: accessCode

Authorization URL: https://accounts-dev.autentiaplus.id/oauth2/auth

Token URL: https://accounts-dev.autentiaplus.id/oauth2/token

Scopes
| Name | Description |
|---|---|
| openid | default |
| profile | default |

All endpoints

| Method | URI | Name | Summary |
|---|---|---|---|
| POST | /authx/consent/accept | accept consent challenge | |
| GET | /authx/consent | get consent challenge | |
| POST | /authx/consent/reject | reject consent challenge | |

login_flow

| Method | URI | Name | Summary |
|---|---|---|---|
| POST | /authx/login/accept | accept login challenge | |
| GET | /authx/login | get login challenge | Initialize state-machine and return ui settings |
| POST | /authx/login/reject | reject login challenge | |
| POST | /authx/login/credential | set login credential | |
| POST | /authx/login/verify/2factor | verify 2 factor | |
| POST | /authx/login/verify/strategy | verify strategy | |

sessions

| Method | URI | Name | Summary |
|---|---|---|---|
| GET | /authx/sessions | list sessions | |
| DELETE | /authx/sessions/revoke | revoke session | |

Paths

POST /authx/consent/accept

Consumes

  • application/json

Produces

  • application/json

Parameters

| Name | Source | Type | Go type | Separator | Required | Default | Description |
|---|---|---|---|---|---|---|---|
| consent_challenge | query | string | string | | | | |
| remember_me | query | boolean | bool | | | | |

All responses

| Code | Status | Description | Has headers | Schema |
|---|---|---|---|---|
| 200 | OK | | | schema |
| 400 | Bad Request | JSONError | | schema |
| 404 | Not Found | JSONError | | schema |
| 422 | Unprocessable Entity | JSONError | | schema |
| 424 | Failed Dependency | JSONError | | schema |
| 500 | Internal Server Error | JSONError | | schema |

Responses

Status: OK

RedirectTo

Status: Bad Request

JSONError

Status: Not Found

JSONError

Status: Unprocessable Entity

JSONError

Status: Failed Dependency

JSONError

Status: Internal Server Error

JSONError

accept login challenge (acceptLoginChallenge)

POST /authx/login/accept

Consumes

  • application/json

Produces

  • application/json

Parameters

| Name | Source | Type | Go type | Separator | Required | Default | Description |
|---|---|---|---|---|---|---|---|
| login_challenge | query | string | string | | | | |
| remember_me | query | boolean | bool | | | | |

All responses

| Code | Status | Description | Has headers | Schema |
|---|---|---|---|---|
| 200 | OK | | | schema |
| 400 | Bad Request | JSONError | | schema |
| 404 | Not Found | JSONError | | schema |
| 422 | Unprocessable Entity | JSONError | | schema |
| 424 | Failed Dependency | JSONError | | schema |
| 500 | Internal Server Error | JSONError | | schema |

Responses

200

Status: OK

Schema

RedirectTo

400 - JSONError

Status: Bad Request

Schema

JSONError

404 - JSONError

Status: Not Found

Schema

JSONError

422 - JSONError

Status: Unprocessable Entity

Schema

JSONError

424 - JSONError

Status: Failed Dependency

Schema

JSONError

500 - JSONError

Status: Internal Server Error

Schema

JSONError

GET /authx/consent

Consumes

  • application/json

Produces

  • application/json

Parameters

| Name | Source | Type | Go type | Separator | Required | Default | Description |
|---|---|---|---|---|---|---|---|
| consent_challenge | query | string | string | | | | |

All responses

| Code | Status | Description | Has headers | Schema |
|---|---|---|---|---|
| 200 | OK | | | schema |
| 400 | Bad Request | JSONError | | schema |
| 404 | Not Found | JSONError | | schema |
| 422 | Unprocessable Entity | JSONError | | schema |
| 424 | Failed Dependency | JSONError | | schema |
| 500 | Internal Server Error | JSONError | | schema |

Responses

Status: OK

ConsentChallengeResponse

Status: Bad Request

JSONError

Status: Not Found

JSONError

Status: Unprocessable Entity

JSONError

Status: Failed Dependency

JSONError

Status: Internal Server Error

JSONError

Initialize state-machine and return ui settings (getLoginChallenge)

GET /authx/login


Consumes

  • application/json

Produces

  • application/json

Parameters

| Name | Source | Type | Go type | Separator | Required | Default | Description |
|---|---|---|---|---|---|---|---|
| login_challenge | query | string | string | | | | |

All responses

| Code | Status | Description | Has headers | Schema |
|---|---|---|---|---|
| 200 | OK | | | schema |
| 400 | Bad Request | JSONError | | schema |
| 404 | Not Found | JSONError | | schema |
| 422 | Unprocessable Entity | JSONError | | schema |
| 424 | Failed Dependency | JSONError | | schema |
| 500 | Internal Server Error | JSONError | | schema |

Responses

200

Status: OK

Schema

LoginChallengeResponse

400 - JSONError

Status: Bad Request

Schema

JSONError

404 - JSONError

Status: Not Found

Schema

JSONError

422 - JSONError

Status: Unprocessable Entity

Schema

JSONError

424 - JSONError

Status: Failed Dependency

Schema

JSONError

500 - JSONError

Status: Internal Server Error

Schema

JSONError

list sessions (listSessions)

GET /authx/sessions

Consumes

  • application/json

Produces

  • application/json

Security Requirements

  • oauth2

All responses

| Code | Status | Description | Has headers | Schema |
|---|---|---|---|---|
| 200 | OK | | | schema |
| 401 | Unauthorized | JSONError | | schema |
| 500 | Internal Server Error | JSONError | | schema |

Responses

200

Status: OK

Schema

[]Session

401 - JSONError

Status: Unauthorized

Schema

JSONError

500 - JSONError

Status: Internal Server Error

Schema

JSONError

POST /authx/consent/reject

Consumes

  • application/json

Produces

  • application/json

Parameters

| Name | Source | Type | Go type | Separator | Required | Default | Description |
|---|---|---|---|---|---|---|---|
| consent_challenge | query | string | string | | | | |

All responses

| Code | Status | Description | Has headers | Schema |
|---|---|---|---|---|
| 200 | OK | | | schema |
| 400 | Bad Request | JSONError | | schema |
| 404 | Not Found | JSONError | | schema |
| 422 | Unprocessable Entity | JSONError | | schema |
| 424 | Failed Dependency | JSONError | | schema |
| 500 | Internal Server Error | JSONError | | schema |

Responses

Status: OK

RedirectTo

Status: Bad Request

JSONError

Status: Not Found

JSONError

Status: Unprocessable Entity

JSONError

Status: Failed Dependency

JSONError

Status: Internal Server Error

JSONError

reject login challenge (rejectLoginChallenge)

POST /authx/login/reject

Consumes

  • application/json

Produces

  • application/json

Parameters

| Name | Source | Type | Go type | Separator | Required | Default | Description |
|---|---|---|---|---|---|---|---|
| login_challenge | query | string | string | | | | |

All responses

| Code | Status | Description | Has headers | Schema |
|---|---|---|---|---|
| 200 | OK | | | schema |
| 400 | Bad Request | JSONError | | schema |
| 404 | Not Found | JSONError | | schema |
| 422 | Unprocessable Entity | JSONError | | schema |
| 424 | Failed Dependency | JSONError | | schema |
| 500 | Internal Server Error | JSONError | | schema |

Responses

200

Status: OK

Schema

RedirectTo

400 - JSONError

Status: Bad Request

Schema

JSONError

404 - JSONError

Status: Not Found

Schema

JSONError

422 - JSONError

Status: Unprocessable Entity

Schema

JSONError

424 - JSONError

Status: Failed Dependency

Schema

JSONError

500 - JSONError

Status: Internal Server Error

Schema

JSONError

revoke session (revokeSession)

DELETE /authx/sessions/revoke

Consumes

  • application/json

Produces

  • application/json

Security Requirements

  • oauth2

Parameters

| Name | Source | Type | Go type | Separator | Required | Default | Description |
|---|---|---|---|---|---|---|---|
| client_id | query | string | string | | | | |

All responses

| Code | Status | Description | Has headers | Schema |
|---|---|---|---|---|
| 208 | Already Reported | EmptyResponse are sent when, for example, resources are deleted. The HTTP status code for empty responses is typically 201 or 208 for accepted response. | | schema |
| 401 | Unauthorized | JSONError | | schema |
| 500 | Internal Server Error | JSONError | | schema |

Responses

208 - EmptyResponse are sent when, for example, resources are deleted. The HTTP status code for empty responses is typically 201 or 208 for accepted response.

Status: Already Reported

Schema

401 - JSONError

Status: Unauthorized

Schema

JSONError

500 - JSONError

Status: Internal Server Error

Schema

JSONError

set login credential (setLoginCredential)

POST /authx/login/credential

Consumes

  • application/json

Produces

  • application/json

Parameters

| Name | Source | Type | Go type | Separator | Required | Default | Description |
|---|---|---|---|---|---|---|---|
| login_challenge | query | string | string | | | | |
| Body | body | Credential | models.Credential | | | | |

All responses

| Code | Status | Description | Has headers | Schema |
|---|---|---|---|---|
| 200 | OK | | | schema |
| 400 | Bad Request | JSONError | | schema |
| 404 | Not Found | JSONError | | schema |
| 422 | Unprocessable Entity | JSONError | | schema |
| 424 | Failed Dependency | JSONError | | schema |
| 500 | Internal Server Error | JSONError | | schema |

Responses

200

Status: OK

Schema

LoginChallengeResponse

400 - JSONError

Status: Bad Request

Schema

JSONError

404 - JSONError

Status: Not Found

Schema

JSONError

422 - JSONError

Status: Unprocessable Entity

Schema

JSONError

424 - JSONError

Status: Failed Dependency

Schema

JSONError

500 - JSONError

Status: Internal Server Error

Schema

JSONError

verify2 factor (verify2Factor)

POST /authx/login/verify/2factor

Consumes

  • application/json

Produces

  • application/json

Parameters

| Name | Source | Type | Go type | Separator | Required | Default | Description |
|---|---|---|---|---|---|---|---|
| login_challenge | query | string | string | | | | |
| Body | body | VerifyEvidencesRequest | models.VerifyEvidencesRequest | | | | |

All responses

| Code | Status | Description | Has headers | Schema |
|---|---|---|---|---|
| 200 | OK | | | schema |
| 400 | Bad Request | JSONError | | schema |
| 404 | Not Found | JSONError | | schema |
| 422 | Unprocessable Entity | JSONError | | schema |
| 424 | Failed Dependency | JSONError | | schema |
| 500 | Internal Server Error | JSONError | | schema |

Responses

200

Status: OK

Schema

LoginChallengeResponse

400 - JSONError

Status: Bad Request

Schema

JSONError

404 - JSONError

Status: Not Found

Schema

JSONError

422 - JSONError

Status: Unprocessable Entity

Schema

JSONError

424 - JSONError

Status: Failed Dependency

Schema

JSONError

500 - JSONError

Status: Internal Server Error

Schema

JSONError

verify strategy (verifyStrategy)

POST /authx/login/verify/strategy

Consumes

  • application/json

Produces

  • application/json

Parameters

| Name | Source | Type | Go type | Separator | Required | Default | Description |
|---|---|---|---|---|---|---|---|
| login_challenge | query | string | string | | | | |
| Body | body | VerifyEvidencesRequest | models.VerifyEvidencesRequest | | | | |

All responses

| Code | Status | Description | Has headers | Schema |
|---|---|---|---|---|
| 200 | OK | | | schema |
| 400 | Bad Request | JSONError | | schema |
| 404 | Not Found | JSONError | | schema |
| 422 | Unprocessable Entity | JSONError | | schema |
| 424 | Failed Dependency | JSONError | | schema |
| 500 | Internal Server Error | JSONError | | schema |

Responses

200

Status: OK

Schema

LoginChallengeResponse

400 - JSONError

Status: Bad Request

Schema

JSONError

404 - JSONError

Status: Not Found

Schema

JSONError

422 - JSONError

Status: Unprocessable Entity

Schema

JSONError

424 - JSONError

Status: Failed Dependency

Schema

JSONError

500 - JSONError

Status: Internal Server Error

Schema

JSONError

Models

ConsentChallengeResponse

Properties

| Name | Type | Go type | Required | Default | Description | Example |
|---|---|---|---|---|---|---|
| Audiences | []string | []string | | | Audiences contains the access token audience as requested by the OAuth 2.0 Client. | ["https://accounts.someshit.com"] |
| GeoCheck | boolean | bool | | | GeoCheck not implemented | |
| GeoStamp | boolean | bool | | | GeoStamp not implemented | |
| ID | string | string | | | ID is the identifier ("authorization challenge") of the consent authorization request. It is used to identify the session. | |
| Scopes | []string | []string | | | Scopes contains the OAuth 2.0 Scope requested by the OAuth 2.0 Client. | ["openid","profile","credential"] |
| ui_preferences | UIPreferences | UIPreferences | | | | |

Credential

Credential defines a credential

Properties

| Name | Type | Go type | Required | Default | Description | Example |
|---|---|---|---|---|---|---|
| Country | string | string | | | | CHL |
| Issuer | string | string | | | | SRCEI |
| Subject | string | string | | | | 12345678-9 |
| Type | string | string | | | | RUT |

Duration

A Duration represents the elapsed time between two instants as an int64 nanosecond count. The representation limits the largest representable duration to approximately 290 years.

| Name | Type | Go type | Default | Description | Example |
|---|---|---|---|---|---|
| Duration | int64 (formatted integer) | int64 | | A Duration represents the elapsed time between two instants as an int64 nanosecond count. The representation limits the largest representable duration to approximately 290 years. | |

Err

Properties

| Name | Type | Go type | Required | Default | Description | Example |
|---|---|---|---|---|---|---|
| CodeField | int64 (formatted integer) | int64 | | | the http status code https://httpstatuses.com/ | 400 |
| DebugField | string | string | | | debug information | |
| DetailsField | map of any | map[string]interface{} | | | list of details | |
| ErrorField | string | string | | | error message | |
| RIDField | string | string | | | http request id | 4ad9f946e0c159bd0f1bdbaa7255bec8 |
| ReasonField | string | string | | | underlying cause of the error | |
| StatusField | string | string | | | the http status code https://httpstatuses.com/ in plain text | Bad Request |

JSONError

JSONError responses are sent when an error (e.g. unauthorized, bad request, …) occurred

Properties

| Name | Type | Go type | Required | Default | Description | Example |
|---|---|---|---|---|---|---|
| error | Err | Err | | | | |

LoginChallengeResponse

Properties

| Name | Type | Go type | Required | Default | Description | Example |
|---|---|---|---|---|---|---|
| ID | string | string | | | ID is the identifier ("login challenge") of the login request. It is used to identify the login flow request. | |
| Mode | string | string | | "ANY" | Mode is the flow criteria. | |
| Status | string | string | | "pending" | Status of the verification of the flow | |
| Strategies | map of Strategy | map[string]Strategy | | | Strategies is a list of the requested verification strategies | |
| Subject | uuid (formatted string) | strfmt.UUID | | | Subject is the user ID of the end-user that authenticated. Now, that end user needs to grant or deny the scope requested by the OAuth 2.0 client. | |
| Type | string | string | | "SFA" | Type is the flow type. | |
| credential | Credential | Credential | | | | |
| second_factor | SecondFactor | SecondFactor | | | | |
| ui_preferences | UIPreferences | UIPreferences | | | | |

RedirectTo

Properties

| Name | Type | Go type | Required | Default | Description | Example |
|---|---|---|---|---|---|---|
| URL | uri (formatted string) | strfmt.URI | | | Redirect via 302 the user-agent to this URL | |

SecondFactor

Properties

| Name | Type | Go type | Required | Default | Description | Example |
|---|---|---|---|---|---|---|
| Evidences | []string | []string | | | Evidences is the list of validated evidences uuids | |
| Kind | string | string | | | Kind of second factor. | email |
| Name | string | string | | | Name is the target channel to dispatch the OTP | foo@bar.com |
| RemainingRetries | int32 (formatted integer) | int32 | | 3 | RemainingRetries is the remaining retries for the strategy | |
| Status | string | string | | "unavailable" | Status of the verification of the strategy | pending |
| TotalRetries | int32 (formatted integer) | int32 | | 3 | TotalRetries is the max amount of retries of the strategy | |
| WaitMode | string | string | | "INPUT" | Type of interface needed for this flow | |

Session

Properties

| Name | Type | Go type | Required | Default | Description | Example |
|---|---|---|---|---|---|---|
| ClientID | string | string | | | | |
| ConsentChallenge | string | string | | | | |
| GrantAccessTokenAudience | []string | []string | | | | |
| GrantScope | []string | []string | | | | |
| HandledAt | string | string | | | | |
| IDToken | interface{} | interface{} | | | | |
| LoginChallenge | string | string | | | | |
| Remember | boolean | bool | | | | |
| RememberFor | int64 (formatted integer) | int64 | | | | |
| RequestURL | string | string | | | | |
| RequestedAccessTokenAudience | []string | []string | | | | |
| RequestedScope | []string | []string | | | | |
| SessionID | string | string | | | | |
| Subject | string | string | | | | |
| ui_preferences | UIPreferences | UIPreferences | | | | |

Strategy

Properties

| Name | Type | Go type | Required | Default | Description | Example |
|---|---|---|---|---|---|---|
| Evidences | []string | []string | | | Evidences is the list of validated evidences uuids | |
| Order | int32 (formatted integer) | int32 | | | Order is the position in which strategies should be rendered | |
| RemainingRetries | int32 (formatted integer) | int32 | | 3 | RemainingRetries is the remaining retries for the strategy | |
| Sample | boolean | bool | | | Sample defines the behavior of evidence validation | |
| Status | string | string | | "pending" | Status of the verification of the strategy | |
| TotalRetries | int32 (formatted integer) | int32 | | 3 | TotalRetries is the max amount of retries of the strategy | |
| timeout | Duration | Duration | | | | |

UIPreferences

UIPreferences

Properties

| Name | Type | Go type | Required | Default | Description | Example |
|---|---|---|---|---|---|---|
| ClientName | string | string | | | Name is the human-readable string name of the client to be presented to the end-user during authorization. | |
| ClientURI | uri (formatted string) | strfmt.URI | | | ClientURI is a URL string of a web page providing information about the client. If present, the server SHOULD display this URL to the end-user in a clickable fashion. | |
| Deeplink | string | string | | | Deeplink | |
| Display | string | string | | "page" | Display is a string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User. | |
| LogoURI | uri (formatted string) | strfmt.URI | | | LogoURI is a URL string that references a logo for the client. | |
| PolicyURI | uri (formatted string) | strfmt.URI | | | PolicyURI is a URL string that points to a human-readable privacy policy document. | |
| TermsOfServiceURI | uri (formatted string) | strfmt.URI | | | TermsOfServiceURI is a URL string that points to a human-readable terms of service document. | |
| UILocales | []string | []string | | ["es_CL"] | UILocales is the customer required location and scripts for the user interface, represented as a list of BCP47 [RFC5646] language tags. | |

VerifyEvidencesRequest

Properties

| Name | Type | Go type | Required | Default | Description | Example |
|---|---|---|---|---|---|---|
| Evidences | []string | []string | | | Evidences is a list of evidence ids provided by the identity API | |
| Name | string | string | | | Name of the strategy to verify, of a PrimaryFactor strategy, email or phone number for 2FA | |
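The setLoginCredential step (POST /authx/login/credential) as a client would drive it, written as an added Go example that is not part of this page or of the authx service: it posts a Credential against the login_challenge and handles the two response shapes the tables document, LoginChallengeResponse on 200 and JSONError on every listed error status, keeping the RIDField for correlation instead of logging the credential. The JSON wire format, the in-process fake server and the rid values are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Subsets of the page's models; untagged fields keep their Go names, as the tables list them, and only "error" is lower-case. The wire format is an assumption.
type Credential struct{ Country, Issuer, Subject, Type string }
type LoginChallengeResponse struct{ ID, Status string }
type Err struct{ ErrorField, RIDField string }
type JSONError struct{ Error Err `json:"error"` }

// SetLoginCredential calls POST /authx/login/credential?login_challenge=... and returns the 200 LoginChallengeResponse.
// Any documented error status (400/404/422/424/500) carries a JSONError; its RIDField is kept to match the failure to server logs.
func SetLoginCredential(base, challenge string, cred Credential) (*LoginChallengeResponse, error) {
	body, _ := json.Marshal(cred)
	u := base + "/authx/login/credential?login_challenge=" + url.QueryEscape(challenge)
	resp, err := http.Post(u, "application/json", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		var je JSONError // stays empty if the body is not a JSONError; the status code still reports the failure
		_ = json.NewDecoder(resp.Body).Decode(&je)
		return nil, fmt.Errorf("HTTP %d: %s (rid=%s)", resp.StatusCode, je.Error.ErrorField, je.Error.RIDField)
	}
	var lc LoginChallengeResponse
	return &lc, json.NewDecoder(resp.Body).Decode(&lc)
}

// NewFakeAuthx is a constructed stand-in for the service, not its real implementation: it
// accepts a Credential of Type "RUT" with a Subject and answers anything else with 422 JSONError.
func NewFakeAuthx() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var cred Credential
		_ = json.NewDecoder(r.Body).Decode(&cred)
		if cred.Type != "RUT" || cred.Subject == "" {
			w.WriteHeader(http.StatusUnprocessableEntity)
			_ = json.NewEncoder(w).Encode(JSONError{Err{"unsupported credential", "rid-constructed-1"}})
			return
		}
		_ = json.NewEncoder(w).Encode(LoginChallengeResponse{ID: r.URL.Query().Get("login_challenge"), Status: "pending"})
	}))
}
```

The same decode-on-error path applies to the other login and consent endpoints above, since every one of them documents JSONError for its non-200 statuses.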

6.2 - Gatekeeper OpenapiV2

7 - Identity

8 - Profile