Authentication

The Backchannel Authentication Endpoint

The Backchannel Authentication Endpoint is used to initiate an out-of-band authentication of the end-user. This is done by sending an HTTP POST message directly from the Client to the OpenID Provider's Backchannel Authentication Endpoint

POST /bc-authorize

Parameters

Name	In	Type	Required	Description
Authorization	header	string	true	Basic <base64(client_id:client_secret)>
body	body	object	false	‘none’

Request body - `Content-Type: application/x-www-form-urlencoded`

Custom schema example

1
2
3
4


login_hint: myemail@gmail.com
scope: string
binding_message: usuario@gmail.com

Name	Type	Required	Description
login_hint	string	true	A hint to the OpenID Provider regarding the end-user for whom authentication is being requested. The value may contain an email address or msisdn, which identifies the end-user to the OP
scope	string	false	Scope of permissions
binding_message	string	false	A human-readable identifier or message intended to be displayed on both the consumption device and the authentication device to interlock them together for the transaction by way of a visual cue for the end-user. This interlocking message enables the end-user to ensure that the action taken on the authentication device is related to the request initiated by the consumption device.

Request example

1
2
3
4
5
6
7



curl -X POST https://apimanager-opengateway.sta.k8s.masmovil.com/bc-authorize \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Accept: application/json" \
  -H "Authorization: string" \
  -d "login_hint=myemail@gmail.com&scope=undefined&binding_message=usuario@gmail.com&" 

Responses

Code	Meaning	Description	Schema
200	OK	OK	bcAuthorizeResponse
400	Bad Request	Bad Request	errorAccessTokenResponse
401	Unauthorized	Unauthorized	errorAccessTokenResponse

Token polling endpoint

After a successful authentication, the Client polls the Token Endpoint to obtain an Access Token sending an authentication request id. The Client MUST poll the Token Endpoint at a rate not exceeding that specified by the interval parameter included in the response from the Backchannel Authentication Endpoint (/bc-authorize).

POST /token

Parameters

Name	In	Type	Required	Description
Authorization	header	string	false	Basic <base64(client_id:client_secret)>
body	body	object	false	‘none’

Request body - `Content-Type: application/x-www-form-urlencoded`

Custom schema example

1
2
3
4
5
6


grant_type: urn:openid:params:grant-type:ciba
auth_req_id: d221eb9b-9d33-4fe9-ba41-9711ed0309ce
code: SplxlOBeZQQYbYS6WxSbIA
redirect_uri: https://myapp.com/callback
client_id: M7p4ae2yWH7SymwbUYGq2UuweVjzXNOG

Name	Type	Required	Description
grant_type	string	true	Grant type
auth_req_id	string	false	It is the unique identifier to identify the authentication request (transaction) made by the Client.
code	string	false	It is the authorization code received from the /authorize endpoint.
redirect_uri	string	false	It is the redirection URI used in the /authorize endpoint.
client_id	string	false	Client identifier

Request example

1
2
3
4
5
6
7



curl -X POST https://apimanager-opengateway.sta.k8s.masmovil.com/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Accept: application/json" \
  -H "Authorization: string" \
  -d "grant_type=urn:openid:params:grant-type:ciba&auth_req_id=d221eb9b-9d33-4fe9-ba41-9711ed0309ce&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https://myapp.com/callback&client_id=M7p4ae2yWH7SymwbUYGq2UuweVjzXNOG&" 

Responses

Code	Meaning	Description	Schema
200	OK	OK	postTokenResponse
400	Bad Request	Bad Request	errorPostTokenResponse
401	Unauthorized	Unauthorized	errorPostTokenResponse

Get authentication page

Logs in the user or redirects it to a page to authenticate itself

GET /authorize

Parameters

Name	In	Type	Required	Description
client_id	query	string	true	The identifier of the client representing the app.
response_type	query	string	true	Which in a basic authorization code flow request should be code. Authn only support code
redirect_uri	query	string	false	Should be the HTTP endpoint on your server that will receive the response from Authn. The value must exactly match one of the authorized redirect URIs for the OAuth 2.0 client, which you configured in the register of application. If this value doesn’t match an authorized URI, the request will fail with a 401 error.
state	query	string	true	Should include the value of the anti-forgery unique session token, as well as any other information needed to recover the context when the user returns to your application, e.g., the starting URL.
login_hint	query	string	false	If your application knows which user is trying to authenticate, it can use this parameter to provide a hint to the Authentication Server. The server uses the hint to simplify the login flow either by prefilling the email field in the sign-in form or by selecting the appropriate multi-login session.
groups_hint	query	string	false	The sub string is equivalent to the groups in the provider (only support Google ). If you do not provide a groups_hint and the user is currently logged in, in the next request of token, the access_token will not contain claim groups
access_type	query	string	false	The allowed values are offline and online. If an access token is being requested, the client does not receive a refresh token unless a value of offline is specified.
code_challenge	query	string	false	Specifies an encoded code_verifier that will be used as a server-side challenge during authorization code exchange. This string helps mitigating against the threat usually through the use of Proof Key for Code Exchange (PKCE)
code_challenge_method	query	string	false	Specifies what method was used to encode a code_verifier that will be used during authorization code exchange. This parameter must be used with the code_challenge parameter. The value of the code_challenge_method defaults to plain if not present in the request that includes a code_challenge. The only supported values for this parameter are S256 or plain.

Enumerated Values

Property	Values
response_type	one of [token, code]

Request example

1
2
3
4



curl -X GET https://apimanager-opengateway.sta.k8s.masmovil.com/authorize?client_id='TtsdmebPcQtEnvLsKw7x'&response_type='token'&redirect_uri='https://masmovil.com/login/callback'&state='0AxLygT73V6kreKzkQySOjfYShIvK/TR'&login_hint='my_user@masmovil.com'&groups_hint='group1+group2'&access_type='online'&code_challenge='5VTycQU924SQ3jHp5g9zcvMF2ai3aN89kxzB2D5QJUrejxam3jddqFUugD8F'&code_challenge_method='S256'?client_id=TtsdmebPcQtEnvLsKw7x&response_type=token&state=0AxLygT73V6kreKzkQySOjfYShIvK%2FTR \
  -H "Accept: */*"

Responses

Code	Meaning	Description	Schema
302	Found	Authorization code/Implicit grant response	None
400	Bad Request	Bad Request	errorAccessTokenResponse
401	Unauthorized	Unauthorized	errorAccessTokenResponse

Authentication

The Backchannel Authentication Endpoint

Parameters

Request body - Content-Type: application/x-www-form-urlencoded

Request example

Responses

Token polling endpoint

Parameters

Request body - Content-Type: application/x-www-form-urlencoded

Request example

Responses

Get authentication page

Parameters

Enumerated Values

Request example

Responses

Request body - `Content-Type: application/x-www-form-urlencoded`

Request body - `Content-Type: application/x-www-form-urlencoded`