BuildOIDCAuthRequest


Latest revision as of 08:59, 2 September 2019

Description

This method returns a redirection URL for external, OIDC-based user authentication. It generates a URL carrying all the parameters required to perform external authentication against the OB authentication server. UNIAPI builds the URL from a set of parameters defined at instance level plus the input parameters, and it also generates two parameters internally:

  • nonce: a UUIDv4 string used to associate a client session with an ID Token and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. This nonce is stored in the state variable and returned to the end application. It is used to keep track of the authentication session during the whole flow (and to correlate logging and BI logs).
  • state: UNIAPI creates a JSON object with some of the input parameters and then encodes it as a base64 string. The state is composed of:
{
  "instanceId": 29,                                        // taken from the token
  "deviceType": 401,                                       // taken from the token
  "deviceId": 323424234,                                   // taken from the input
  "ipAddress": "213.4.177.115",                            // required to validate the geoblock within the jukilo assertion
  "deviceCallbackUrl": "https://movistarplay.com.cl/sso",  // received as input in the UNIAPI method
  "payloadDevice": "2342dsf2329fjj92332fd",                // received as input in the UNIAPI method
  "nonce": "42231976-a86d-42e2-8fe6-98f7546bdf89"         // nonce generated by UNIAPI for this authentication session
}

See External authentication specification for more information.

Geo-Location

Geo-location is performed inside the SSO after the authentication has been performed correctly.

BI

This method creates events in KAFKA with topic = gvp.authentication.external and the following event format:

{
  "ob": "25",
  "operation": "OID/login",
  "step": "1 - BuildOIDCAuthRequest",
  "transaction_id": "727fe862-3b46-43ca-8306-14b5076622f6",
  "timestamp": "2018-12-13T20:14:34.0875272Z",
  "status": "OK",        // OK if the URL has been built correctly. ERROR if there was an error in the method; in that case error is filled with the error code and error_desc with the StatusMessage
  "device_type_id": "401",
  "device_id": "3243242334",
  "user_id": "",
  "error": "",
  "error_desc": ""
}

Parameters

  • acrValues (int, optional)
Defines the authentication level (2 = mobile number (Mobile Connect), 3 = user & password). The application can provide an acr_value that overrides the default one defined in the OIDC_CODE_ACR_VALUES parameter.
  • token (String, required)
The UNIAPI token used by the device app to call UNIAPI. It will be an anonymous token.
  • deviceId (String, required)
The ID of the device from which the authentication is being performed.
  • deviceCallbackUrl (String, optional)
The callback URL where the device wants to receive the final result of the authentication process.
  • payloadDevice (String, optional)
Random hash generated by the client and stored locally, used to perform security validations.


Returns

Returns a JSON object containing the generated anonymous token and its expiration time (in UnixTimestamp format).

Example:

{
  "StatusCode": 0,
  "Severity": 1,
  "StatusMessage": "OK",
  "Content": {
    "authUrl": "https://auth.global-int.baikalplatform.com/authorize?response_type=code&client_id=video&acr_values=2&purpose=identify-customer&redirect_uri=https%3A%2F%2Fvideodomain.es%2Fcallback&scope=openid%20offline_access&nonce=42231976-a86d-42e2-8fe6-98f7546bdf89&state=213",
    "nonce": "42231976-a86d-42e2-8fe6-98f7546bdf89"
  }
}
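The following is an added example, not code from the wiki page or from UNIAPI itself. It puts the Description, Parameters and Returns sections together in one runnable form: a UUIDv4 nonce, a base64-encoded JSON state with the fields listed above, an authorization URL with the same query parameters as the example response (the instance-level values such as the authorization endpoint, client_id, redirect_uri, scope, purpose and the OIDC_CODE_ACR_VALUES default are placeholders modelled on that example), the acrValues override, and the check a callback handler would run to confirm that the state coming back carries the nonce the application stored.

```python
"""Added example: OIDC authorization request building and state/nonce checking.

Not part of the original page or the UNIAPI code base; the instance-level
configuration below is an assumption modelled on the page's example URL.
"""
import base64
import json
import uuid
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Assumed instance-level configuration (placeholder values, not real endpoints).
INSTANCE_CONFIG = {
    "authorization_endpoint": "https://auth.example.invalid/authorize",
    "client_id": "video",
    "redirect_uri": "https://videodomain.es/callback",
    "scope": "openid offline_access",
    "purpose": "identify-customer",
    "OIDC_CODE_ACR_VALUES": 2,  # default acr: 2 = mobile number, 3 = user & password
}


def build_state(instance_id, device_type, device_id, ip_address,
                device_callback_url, payload_device, nonce):
    """Serialise the session parameters to JSON and base64url-encode them."""
    state = {
        "instanceId": instance_id,          # from the token
        "deviceType": device_type,          # from the token
        "deviceId": device_id,              # from the input
        "ipAddress": ip_address,            # needed for the geoblock check later on
        "deviceCallbackUrl": device_callback_url,
        "payloadDevice": payload_device,
        "nonce": nonce,                     # ties the state to this session
    }
    raw = json.dumps(state, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).decode("ascii")


def decode_state(state_b64):
    """Inverse of build_state; raises ValueError on malformed input."""
    return json.loads(base64.urlsafe_b64decode(state_b64.encode("ascii")))


def build_oidc_auth_request(instance_id, device_type, device_id, ip_address,
                            device_callback_url=None, payload_device=None,
                            acr_values=None, config=INSTANCE_CONFIG, nonce=None):
    """Return {"authUrl": ..., "nonce": ...} like the method's Content object.

    acr_values overrides the instance default when the application supplies it.
    nonce is normally generated here; it is a parameter only so tests are repeatable.
    """
    nonce = nonce or str(uuid.uuid4())
    state = build_state(instance_id, device_type, device_id, ip_address,
                        device_callback_url, payload_device, nonce)
    acr = acr_values if acr_values is not None else config["OIDC_CODE_ACR_VALUES"]
    params = {
        "response_type": "code",
        "client_id": config["client_id"],
        "acr_values": acr,
        "purpose": config["purpose"],
        "redirect_uri": config["redirect_uri"],
        "scope": config["scope"],
        "nonce": nonce,
        "state": state,
    }
    # quote (not quote_plus) so the space in the scope becomes %20 as in the page's example.
    query = urlencode(params, quote_via=quote)
    return {"authUrl": config["authorization_endpoint"] + "?" + query, "nonce": nonce}


def state_from_url(url):
    """Extract the state query parameter from a URL (None if absent)."""
    return parse_qs(urlparse(url).query).get("state", [None])[0]


def callback_state_matches(callback_url, expected_nonce):
    """Defensive check for the callback: the state must decode to a JSON object
    whose nonce equals the one the application kept for this session."""
    state = state_from_url(callback_url)
    if state is None:
        return False
    try:
        decoded = decode_state(state)
    except ValueError:            # bad base64, bad UTF-8 or bad JSON
        return False
    if not isinstance(decoded, dict):
        return False
    nonce = decoded.get("nonce")
    return isinstance(nonce, str) and nonce == expected_nonce


if __name__ == "__main__":
    req = build_oidc_auth_request(29, 401, "323424234", "213.4.177.115",
                                  "https://movistarplay.com.cl/sso", "2342dsf2329fjj92332fd")
    print(json.dumps({"StatusCode": 0, "Severity": 1, "StatusMessage": "OK",
                      "Content": req}, indent=2))
```

The page's own example shows a short opaque state value; this block instead emits the base64-encoded JSON described in the Description section so that the callback side can decode it and compare the embedded nonce with the stored one before trusting the result.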


Exceptions

None


Caching

This method is not cached.


Known issues

None


Version history

API Version Number | Change description    | Changes author
7.1                | Initial method design | Fran Milagro


See also

  • BuildOIDCLogoutRequest
  • OIDC External authentication specification: https://wikis.tid.es/gvp-dev/index.php/External_authentication_via_4P