Authorization
Cleverbase’s Identity Federation service uses OAuth 2.0 for authorization.
GET /oauth2/authorize
Description
Starts the OAuth 2.0 authorization server using an Authorization Code flow, as described in Section 1.3.1 of RFC 6749.
The authorization is returned in the form of an authorization code, which the client SHALL then use to obtain an access token (and id_token) with the oauth2/token method.
Input Parameters
| Parameter | Presence | Value | Description |
|---|---|---|---|
| response_type | REQUIRED | String | Must always be "code". |
| client_id | REQUIRED | String | Unique Client Identifier. |
| redirect_uri | OPTIONAL | String | The URL to redirect to after the authorization process (defaults to registered redirect). |
| scope | REQUIRED | String | Space-delimited string. Must contain "openid". May contain additional scopes like "com.cleverbase.proof" and "email". |
| state | REQUIRED | String | Up to 255 bytes of arbitrary data from the client that will be passed back to the redirect URI. |
| nonce | OPTIONAL | String | String used to associate a Client session with an ID Token, mitigating replay attacks. |
| ui_locales | OPTIONAL | String | End-User's preferred languages and scripts for the UI according to RFC5646. English and Dutch are supported. Default is Dutch if omitted or unsupported language is provided. |
Response
| Parameter | Presence | Value | Description |
|---|---|---|---|
| code | REQUIRED | String | The authorization code generated by the authorization server |
| state | REQUIRED | String | Should match state given in request |
| error | OPTIONAL | String | A single error code string |
| error_description | OPTIONAL | String | Human-readable text providing additional error information |
Error response cases
| Case | Displayed to User | Error | Error Description |
|---|---|---|---|
ChallengeExpired | De QR code is vervallen. De QR code heeft een beperkte levensduur. Probeer het nog een keer en scan het binnen de 10 minuten. | access_denied | authentication challenge expired |
EmailUnverified | 'Uw email is niet geverifieerd', 'Activeer uw e-mail adres om verder te gaan. Om uw e-mail adres te valideren zoek naar "Verifieer je e-mailadres" in uw inbox en volg de instructies daar.' | access_denied | user email is unverified |
ConsentExpired | 'Pincode niet op tijd hebt ingevoerd', 'Wacht niet te lang om de pincode in te voeren, hier staat een tijdslimiet op.' | access_denied | consent request expired |
ConsentRejected | 'U ging niet akkoord met het delen van uw gegevens' | access_denied | Resource owner rejected consent |
ProcessExpired | 'Tijdslimiet bereikt', 'Deze handeling heeft een beperkte levensduur. Probeer het nog een keer en voer je pincode in binnen de 10 minuten.' | access_denied | process expired |
NonPkioCertificate | Kan niet verbinden met onze systemen. Er was een technisch probleem aan onze kant, probeer het nog een keer. | server_error | n/a |
VerificationFailed | Kan niet verbinden met onze systemen. Er was een technisch probleem aan onze kant, probeer het nog een keer. | server_error | n/a |
SystemError | Kan niet verbinden met onze systemen. Er was een technisch probleem aan onze kant, probeer het nog een keer. | server_error | n/a |
ConsentInvalidated | Kan niet verbinden met onze systemen. Er was een technisch probleem aan onze kant, probeer het nog een keer. | server_error | n/a |
AuthenticationFailure | Kan niet verbinden met onze systemen. Er was een technisch probleem aan onze kant, probeer het nog een keer. | server_error | n/a |
Examples
-
Service Scope Request
Minimal request for login only:
GET /oauth2/authorize? response_type=code& client_id=<OAuth2_client_id>& redirect_uri=<OAuth2_redirect_uri>& scope=openid& lang=en-US& state=12345678& nonce=54321 -
Extended Scope Request
Requesting IDF scopes:
"openid email com.cleverbase.personal_info com.cleverbase.id_number":GET /oauth2/authorize? response_type=code& client_id=<OAuth2_client_id>& redirect_uri=<OAuth2_redirect_uri>& scope=openid email com.cleverbase.personal_info com.cleverbase.id_number& lang=en-US& state=12345678& nonce=54321 -
Service Scope Response
HTTP/1.1 302 Found Location: <OAuth2_redirect_uri>? code=FhkXf9P269L8g& state=12345678 -
Error Response
HTTP/1.1 302 Found Location: <OAuth2_redirect_uri>?error=invalid_request& error_description=Invalid%20Authorization%20Code
POST /oauth2/token
Description
Obtain an OAuth 2.0 bearer access token and ID token from the authorization server by passing the authorization code returned by the authorization server after a successful user authentication, along with the used scope, the client ID and client secret in possession of the client application.
Input Parameters
| Parameter | Presence | Value | Description |
|---|---|---|---|
| grant_type | REQUIRED | String | Must always be "authorization_code" |
| code | REQUIRED | String | Code obtained from the oauth2/authorize step |
| client_id | REQUIRED | String | Unique Client Identifier (see Prerequisites) |
| redirect_uri | REQUIRED | String | The URL where the user was redirected after the authorization process completed. |
Input Headers
| Parameter | Presence | Value | Description |
|---|---|---|---|
| Authorization | REQUIRED | String | Must always be Basic Auth – e.g. Basic Y2xpZW50SUQ6cGFzc3dvcmQ (the Base64-encoded value CLIENT_ID:CLIENT_SECRET according to RFC 6749) |
Response
| Parameter | Presence | Value | Description |
|---|---|---|---|
| access_token | REQUIRED | String | The short-lived access token to be used depending on the scope of the OAuth 2.0 authorization request. |
| expires_in | OPTIONAL | Int | The lifetime in seconds of the service access token. |
| id_token | REQUIRED | JWT | The ID Token is a security token in JWT format that claims about the authentication of an end-user by an authorization server when using a client. This includes at least the sub claim containing the pairwise pseudonymous identity of the end-user. Can be parsed using tools like jwt.io. |
| scope | REQUIRED | String | Space delimited string containing the scope for which authorization was granted. |
| token_type | REQUIRED | String | Must be Bearer |
Examples
-
Sample Request
POST /oauth2/token HTTP/1.1 Authorization: Basic K3dfKT59SUD8gWghq1ghjuZ Content-Type: application/x-www-form-urlencoded grant_type=authorization_code& code=<RESULT_FROM_/oauth2/authorize>& client_id=<OAuth2_client_id>& client_secret=<OAuth2_client_secret>& redirect_uri=<OAuth2_redirect_uri> -
Sample Response
Example response when original OAuth/authorize request only contains
"openid":{ "access_token": "f0EigERuAYruavv2fwRc4ZJKn1x1Uef8ymarsCqKfJw...", "expires_in": 3600, "id_token": "<ID_TOKEN_JWT_CONTENT>", "scope": "openid", "token_type": "bearer" }Example response when original OAuth/authorize request contained the following scopes
"openid email com.cleverbase.personal_info com.cleverbase.id_number":{ "access_token": "rxdF-27ehy4LFSUsh32gVDfN9QpdwqDu-3ZtbVsx5J8...", "expires_in": 3600, "id_token": "<ID_TOKEN_JWT_CONTENT>", "scope": "openid email com.cleverbase.personal_info com.cleverbase.id_number", "token_type": "bearer" }
ID token validation
Clients MUST validate the ID Token in the Token Response in accordance with OIDC ch. 3.1.3.7.
Missing claims
When claims cannot be shared but are requested by the client, the fields will be omited from the id_token and userinfo response in line with OpenID Connect Specification 3.3.3.6. This means that clients SHOULD expect not all requested claims to be present in the id_token and userinfo response.
User information
The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User. To obtain the requested Claims about the End-User, the Client makes a request to the UserInfo Endpoint using an Access Token obtained through OpenID Connect Authentication. These Claims are represented by a JSON object that contains a collection of name and value pairs for the Claims.
Note: when this endpoint is used for IDF then optional scopes are required otherwise only a pairwise pseudonymous identifier for the natural person user is returned. See scopes and claims for details
Warning
Currently this feature is only available on the legacy "https://idf.acc.cleverbase.com" host.
See for more information: OpenID Connect.
GET /userinfo
Input headers
| Parameter | Presence | Value | Description |
|---|---|---|---|
| Authorization | REQUIRED | String | Must always be of type Bearer. Obtained from the "openid" scope OAuth flow. e.g. Bearer 4/CKN69L8gdSYp5_pwH3XlFQZ3ndFhkXf9P2_TiHRG-bA |
Response
| Parameter | Presence | Value | Description |
|---|---|---|---|
| sub | REQUIRED | String | Subject - Identifier for the End-User at the Issuer. |
| com.cleverbase.proof | OPTIONAL | JSON | A JSON array of JSON objects with id, content_type and base64_encoded_content fields. The content should be archived by the relying party and associated with the identifier and the provided content type. |
| com.cleverbase.last_name | OPTIONAL | String | Last name of the end-user, as present in the identity document. |
| given_name | OPTIONAL | String | Given name(s) of the end-user, as present in the identity document. |
| birthdate | OPTIONAL | String | Birthdate of the end-user, as present in the identity document. |
| com.cleverbase.birthplace | OPTIONAL | String | Birthplace of the end-user, as present in the identity document. |
| com.cleverbase.nationality | OPTIONAL | String | Nationality of the end-user, as present in the identity document. |
| com.cleverbase.document.type | OPTIONAL | String | Document type used by the end-user to identify. |
| com.cleverbase.id_number | OPTIONAL | String | Unique number of the the identity document used during client registration. |
| OPTIONAL | String | End-user’s preferred email address. | |
| email_verified | OPTIONAL | Boolean | True if the end-user’s email address has been verified. |
| com.cleverbase.nl_brp_voornaam | OPTIONAL | String | Given name according to BRP rules. |
| com.cleverbase.nl_brp_voorvoegsel | OPTIONAL | String | Prefix according to BRP rules. |
| com.cleverbase.nl_brp_geslachtsnaam | OPTIONAL | String | Last name according to BRP rules. |
| com.cleverbase.nl_brp_geslachtsnaam_zonder_voorvoegsel | OPTIONAL | String | Last name without prefix according to BRP rules. |
| com.cleverbase.id_document_issuance_date | OPTIONAL | String | ID Document date of issuance. |
| com.cleverbase.id_document_issuance_place | OPTIONAL | String | ID Document place of issuance. |
| aud | REQUIRED | String | Audience - (for who or what the token is intended for) |
| auth_time | REQUIRED | Int | Time when authentication occurred - Unix timestamp |
| iat | REQUIRED | Int | Token issued at - Unix timestamp |
| iss | REQUIRED | String | Issuer (who created and signed this token) |
| rat | REQUIRED | Int | Unkown - Unix timestamp |
Sample request
GET /userinfo HTTP/1.1
Authorization: Bearer 4/CKN69L8gdSYp5_pwH3XlFQZ3ndFhkXf9P2_TiHRG-bA
Content-Type: application/jsonSample response
Example response when the original oauth/authorize request only contained the "openid" scope (login functionality only)
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
{
"aud": [
<client_id>
],
"auth_time": 1650458268,
"iat": 1650458274,
"iss": "https://esign.acc.cleverbase.com/",
"rat": 1650458253,
"sub": "bf70e2da-feff-4c6b-86c2-47eda199ab30"
}Example response when the original oauth/authorize request contained the scopes "openid email com.cleverbase.personal_info com.cleverbase.id_number":
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
{
"aud": [
<client_id>
],
"auth_time": 1650459478,
"birthdate": "1990-12-22",
"com.cleverbase.birthplace": "Rome",
"com.cleverbase.document.type": "NLD_PASSPORT",
"com.cleverbase.id_number": "XWN75IM16",
"com.cleverbase.last_name": "De Bruijn",
"com.cleverbase.nationality": "NLD",
"email": "demo.acc.190422.102459@cleverbase.com",
"email_verified": true,
"given_name": "Willeke Liselotte",
"iat": 1650459485,
"iss": "https://esign.acc.cleverbase.com/",
"rat": 1650459462,
"sub": "bf70e2da-feff-4c6b-86c2-47eda199ab30"
}