OAuth2

OAuth2 authentication endpoints


Parameters

Name In Type Required Description
X-User-Agent-Alias header string false Alias of the device obtaining the token
body body object false none

Request body - Content-Type: application/x-www-form-urlencoded

Custom schema example

grant_type: password
scope: string
username: usuario@gmail.com
password: "123456"
state: OyMh_ObySiyWi7SrXgfIdg
code: OyMh_ObySiyWi7SrXgfIdg
code_verifier: 5VTycQU924SQ3jHp5g9zcvMF2ai3aN89kxzB2D5QJUrejxam3jddqFUugD8F
assertion: string
token: string
otp: string
auth_req_id: d221eb9b-9d33-4fe9-ba41-9711ed0309ce
client_id: string
device_code: d221eb9b-9d33-4fe9-ba41-9711ed0309ce
subject_token: string
subject_token_type: string
actor_token: string
actor_token_type: string

Name Type Required Description
grant_type string true Grant type of the token request
scope string false Requested scope of permissions
username string false Username of the end user (required for grant_type=password)
password string false Password of the end user (required for grant_type=password)
state string false CSRF token used in the authorization request (for authorization_code and implicit flows)
code string false Authorization code (required for authorization_code flow)
code_verifier string false PKCE code_verifier generated by the client; the code_challenge derived from it was sent in the authorization request (required for authorization_code flow)
assertion string false Assertion with which to obtain an access_token (required for grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer)
token string false Magic link token (required for grant_type=urn:masstack:params:oauth:grant-type:magic-link)
otp string false One-time password (required for grant_type=urn:masstack:params:oauth:grant-type:passwordless)
auth_req_id string false Authentication request ID (required for grant_type=urn:openid:params:grant-type:ciba)
client_id string false The identifier of the client representing the app (required for grant_type=urn:ietf:params:oauth:grant-type:device_code)
device_code string false Device Code authentication request ID (required for grant_type=urn:ietf:params:oauth:grant-type:device_code)
subject_token string false Represents the identity of the party on behalf of whom the token is being requested, while actor_token represents the identity of the party to whom the access rights of the issued token are being delegated (required for grant_type=urn:ietf:params:oauth:grant-type:token-exchange)
subject_token_type string false Indicates the type of the security token in the subject_token parameter (required for grant_type=urn:ietf:params:oauth:grant-type:token-exchange)
actor_token string false Represents the identity of the acting party. Typically this is the party that is authorized to use the requested security token and act on behalf of the subject (used for grant_type=urn:ietf:params:oauth:grant-type:token-exchange)
actor_token_type string false Indicates the type of the security token in the actor_token parameter. This is REQUIRED when the actor_token parameter is present in the request but MUST NOT be included otherwise (used for grant_type=urn:ietf:params:oauth:grant-type:token-exchange)

Request example

curl -X POST https://authn.masstack.com/v1/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Accept: application/json" \
  -H "X-User-Agent-Alias: string" \
  --data-urlencode "grant_type=password" \
  --data-urlencode "scope=string" \
  --data-urlencode "username=usuario@gmail.com" \
  --data-urlencode "password=123456"

Responses

Code Meaning Description Schema
200 OK OK accessTokenResponse
400 Bad Request Bad Request errorAccessTokenResponse
401 Unauthorized Unauthorized errorAccessTokenResponse
403 Forbidden Too Many Login Attempts Error errorAccessTokenResponse

Parameters

Name In Type Required Description
client_id query string true The identifier of the client representing the app.
response_type query string true The response type requested. In a basic authorization code flow this should be code; Authn only supports code.
redirect_uri query string false Should be the HTTP endpoint on your server that will receive the response from Authn. The value must exactly match one of the authorized redirect URIs for the OAuth 2.0 client, which you configured when registering the application. If this value doesn’t match an authorized URI, the request will fail with a 401 error.
state query string true Should include the value of the anti-forgery unique session token, as well as any other information needed to recover the context when the user returns to your application, e.g. the starting URL.
login_hint query string false If your application knows which user is trying to authenticate, it can use this parameter to provide a hint to the Authentication Server. The server uses the hint to simplify the login flow, either by prefilling the email field in the sign-in form or by selecting the appropriate multi-login session.
groups_hint query string false A substring matched against the groups in the identity provider (only Google is supported). If you do not provide a groups_hint and the user is already logged in, the access_token returned by the next token request will not contain the groups claim.
access_type query string false The allowed values are offline and online. If an access token is being requested, the client does not receive a refresh token unless a value of offline is specified.
code_challenge query string false The challenge derived from the client's code_verifier, which the server checks when the authorization code is exchanged. This mitigates authorization code interception through Proof Key for Code Exchange (PKCE).
code_challenge_method query string false The method used to derive code_challenge from code_verifier for the authorization code exchange. This parameter must be used together with code_challenge. It defaults to plain if absent from a request that includes a code_challenge. The only supported values are S256 and plain.

Enumerated Values

Property Values
response_type one of [token, code]
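As an added example (not the Authn project's own code), the client side of the PKCE and state parameters described above, together with the comparison a token endpoint must perform on code_verifier before exchanging the code. The S256 derivation follows RFC 7636; the authorize URL is the one on this page, and the client_id and redirect_uri values are constructed sample input.

```python
import base64
import hashlib
import secrets
import urllib.parse

AUTHORIZE_URL = "https://authn.masstack.com/v1/oauth/authorize"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # 32 CSPRNG bytes encode to 43 chars, the RFC 7636 minimum verifier length.
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, state: str, verifier: str) -> str:
    """Authorization request: only the challenge leaves the client, never the verifier."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,  # anti-forgery token the client stores per session
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",  # do not rely on the 'plain' default
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def callback_state_ok(expected_state: str, received_state: str) -> bool:
    """Client-side check on the redirect back: reject a mismatched or missing state."""
    return bool(received_state) and secrets.compare_digest(expected_state, received_state)


def server_verifies(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Token endpoint side: recompute the challenge from code_verifier and compare."""
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":
        expected = presented_verifier
    else:
        return False  # unknown method: refuse rather than fall back
    return secrets.compare_digest(expected, stored_challenge)
```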

Request example

curl -X GET "https://authn.masstack.com/v1/oauth/authorize?client_id=TtsdmebPcQtEnvLsKw7x&response_type=token&redirect_uri=https://masmovil.com/login/callback&state=0AxLygT73V6kreKzkQySOjfYShIvK%2FTR&login_hint=my_user@masmovil.com&groups_hint=group1+group2&access_type=online&code_challenge=5VTycQU924SQ3jHp5g9zcvMF2ai3aN89kxzB2D5QJUrejxam3jddqFUugD8F&code_challenge_method=S256" \
  -H "Accept: */*"

Responses

Code Meaning Description Schema
302 Found Authorization code/Implicit grant response None
400 Bad Request Bad Request errorAccessTokenResponse
401 Unauthorized Unauthorized errorAccessTokenResponse

Parameters

Name In Type Required Description
client_id query string false The identifier of the client representing the app.
continue query string false The URL to redirect to after logout.
scope query string false If the value is all, all of the user’s sessions and refresh_tokens are deleted.

Request example

curl -X GET "https://authn.masstack.com/v1/oauth/logout?client_id=TtsdmebPcQtEnvLsKw7x&continue=https://grupomasmovil.com/es/&scope=all" \
  -H "Accept: */*"

Responses

Code Meaning Description Schema
302 Found Logout response None
400 Bad Request Bad Request errorAccessTokenResponse
401 Unauthorized Unauthorized errorAccessTokenResponse

Parameters

Name In Type Required Description
body body logoutRequest true none

Request body - instance of logoutRequest

{
  "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2MjM4MzU4OTEsImV4cCI6MTY1NTM3MTg5MSwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.oSm7gu7N4ypkz0e7W-hyOTozX2AUEZ_YacSoYqMkyLs",
  "scope": "all"
}
Name Type Required Description
token string false A valid token (access_token or refresh_token) issued by Authn
scope string false If the value is all, all of the user’s sessions and refresh_tokens are deleted.

Request example

curl -X POST https://authn.masstack.com/v1/oauth/logout \
  -H "Content-Type: application/json" \
  -H "Accept: */*" \
  --data-raw '{
  "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2MjM4MzU4OTEsImV4cCI6MTY1NTM3MTg5MSwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.oSm7gu7N4ypkz0e7W-hyOTozX2AUEZ_YacSoYqMkyLs",
  "scope": "all"
}'

Responses

Code Meaning Description Schema
204 No Content Logout response None
400 Bad Request Bad Request errorAccessTokenResponse
401 Unauthorized Unauthorized errorAccessTokenResponse

Request example


curl -X GET https://authn.masstack.com/v1/.well-known/jwks.json \
  -H "Accept: application/json"

Responses

Code Meaning Description Schema
200 OK OK jwks

Request example


curl -X GET https://authn.masstack.com/v1/.well-known/openid-configuration \
  -H "Accept: application/json"

Responses

Code Meaning Description Schema
200 OK OK openid-configuration
