| Resource | Description |
|---|---|
| TokenInfo | API getting token claims once we have an accessToken |
| OAuth2 | OAuth2 authentication endpoints |
| Magic Links | Retrieve access_token without credentials, only with a magic link |
| CIBA | OpenID Connect Client-Initiated Backchannel Authentication Flow |
| WebAuthn | |
| Device Code | |
This endpoint (POST /v1/tokeninfo) returns a 200 status code and the token's claims as a JSON body when the token is valid and not expired.
Request body:

```json
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2MjM4MzU4OTEsImV4cCI6MTY1NTM3MTg5MSwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.oSm7gu7N4ypkz0e7W-hyOTozX2AUEZ_YacSoYqMkyLs"
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| access_token* | string | A valid access token provided by authn | | |
200 OK: Correct token

```json
{
  "tid": "97c1a3c5-839f-4245-b32c-3292352faf66",
  "cid": "5H3ui5FBKtPQraqPYpXD",
  "scope": "api:everything",
  "strength": "amboto",
  "exp": 3500,
  "aud": "devops.auth.masmovil.com",
  "iat": 3500,
  "iss": 3500,
  "sub": "AE0001",
  "preferred_username": "ae0001",
  "tenants": "v1::1",
  "tenants_translation": [
    {
      "tenant_id": "15",
      "org": "yoigo"
    }
  ],
  "groups": "agent",
  "roles": "XSELLING RETENCION",
  "permissions": "string",
  "family_name": "string",
  "given_name": "string",
  "require_password_change": true
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| tid* | string | tid | | |
| cid* | string | cid | | |
| scope* | string | Scopes | | |
| strength | string | Describes the token's level of security | | |
| exp | integer | | | |
| aud | string | | | |
| iat | string | Issued at | | |
| iss | integer | http://localhost:6040 | | |
| sub | string | Subject | | |
| preferred_username | string | user_name | | |
| tenants | string | | | |
| tenants_translation | object[] | Array items: objects with tenant_id and org, as in the example above | | |
| groups | string | | | |
| roles | string | | | |
| permissions | string | | | |
| family_name | string | | | |
| given_name | string | | | |
| require_password_change | boolean | | | |
400 Bad Request: invalid_token

Example request:

```shell
curl -X POST 'https://authn.masstack.com/v1/tokeninfo' \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  --data-raw '{
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2MjM4MzU4OTEsImV4cCI6MTY1NTM3MTg5MSwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.oSm7gu7N4ypkz0e7W-hyOTozX2AUEZ_YacSoYqMkyLs"
  }'
```

Returns an access token that allows requests to MasStack APIs (POST /v1/oauth/token).

HEADER PARAMETERS

| Header | Description |
|---|---|
| X-User-Agent-Alias | Alias of the device obtaining the token |
Request body:

```json
{
  "grant_type": "password",
  "scope": "string",
  "username": "usuario@gmail.com",
  "password": "123456",
  "refresh_token": "string",
  "state": "OyMh_ObySiyWi7SrXgfIdg",
  "code": "OyMh_ObySiyWi7SrXgfIdg",
  "code_verifier": "5VTycQU924SQ3jHp5g9zcvMF2ai3aN89kxzB2D5QJUrejxam3jddqFUugD8F",
  "assertion": "string",
  "token": "string",
  "otp": "string",
  "auth_req_id": "d221eb9b-9d33-4fe9-ba41-9711ed0309ce",
  "client_id": "string",
  "device_code": "d221eb9b-9d33-4fe9-ba41-9711ed0309ce",
  "subject_token": "string",
  "subject_token_type": "string",
  "actor_token": "string",
  "actor_token_type": "string",
  "resource": "https://api.example.com",
  "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
  "client_assertion": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJjbGllbnRfaWQiLCJzdWIiOiJjbGllbnRfaWQiLCJhdWQiOiJodHRwczovL2F1dGhuLmthcy5tYXNtb3ZpbC5jb20vb2F1dGgvdG9rZW4iLCJqdGkiOiJhYmMxMjMiLCJleHAiOjE3MDUzMzQ4MDl9.signature"
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| grant_type* | string | Grant type of token | enum: authorization_code, password, refresh_token, urn:ietf:params:oauth:grant-type:jwt-bearer, urn:masstack:params:oauth:grant-type:magic-link, urn:masstack:params:oauth:grant-type:passwordless, urn:masstack:params:oauth:grant-type:webauthn, urn:openid:params:grant-type:ciba, urn:ietf:params:oauth:grant-type:device_code | |
| scope | string | Scope of permissions | | |
| username | string | Username of final customers (required for grant_type=password) | | |
| password | string | Password of final customers (required for grant_type=password) | | |
| refresh_token | string | A signed JWT whose main goal is to obtain a new access_token without repeating customer authentication once the user has an active session. | | |
| state | string | CSRF token used in the authorization request (for authorization_code and implicit flows) | | |
| code | string | Authorization code (required for authorization_code flow) | | |
| code_verifier | string | The code verifier matching the code challenge generated by the client in the authorization request (required for authorization_code flow) | | |
| assertion | string | Assertion with which to get an access_token (required for grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer) | | |
| token | string | Magic link token (required for grant_type=urn:masstack:params:oauth:grant-type:magic-link) | | |
| otp | string | One-time password token (required for grant_type=urn:masstack:params:oauth:grant-type:passwordless) | | |
| auth_req_id | string | Authentication request ID (required for grant_type=urn:openid:params:grant-type:ciba) | | |
| client_id | string | The identifier of the client representing the app (required for grant_type=urn:ietf:params:oauth:grant-type:device_code) | | |
| device_code | string | Device Code authentication request ID (required for grant_type=urn:ietf:params:oauth:grant-type:device_code) | | |
| subject_token | string | Represents the identity of the party on behalf of whom the token is being requested, while the actor_token represents the identity of the party to whom the access rights of the issued token are being delegated (required for grant_type=urn:ietf:params:oauth:grant-type:token-exchange) | | |
| subject_token_type | string | Indicates the type of the security token in the subject_token parameter (required for grant_type=urn:ietf:params:oauth:grant-type:token-exchange) | | |
| actor_token | string | Represents the identity of the acting party. Typically, this will be the party that is authorized to use the requested security token and act on behalf of the subject (used for grant_type=urn:ietf:params:oauth:grant-type:token-exchange) | | |
| actor_token_type | string | Indicates the type of the security token in the actor_token parameter. This is REQUIRED when the actor_token parameter is present in the request but MUST NOT be included otherwise (used for grant_type=urn:ietf:params:oauth:grant-type:token-exchange) | | |
| resource | string | RFC 8707: The URI of the resource server where the requested access token will be used. Supported for grant types: password, client_credentials, authorization_code, urn:openid:params:grant-type:ciba, urn:ietf:params:oauth:grant-type:device_code. When provided and the client has allowed_resources configured, the issued token's aud claim will be set to this value instead of the default application issuer. Must be an absolute URI without a fragment component. Not supported for refresh_token (the resource from the original grant is preserved) or token-exchange. | | |
| client_assertion_type | string | The format of the assertion as defined by the authorization server. The value must be urn:ietf:params:oauth:client-assertion-type:jwt-bearer when using JWT client authentication (private_key_jwt). This parameter is used together with client_assertion to authenticate the client using a signed JWT instead of client_secret. | enum: urn:ietf:params:oauth:client-assertion-type:jwt-bearer | |
| client_assertion | string | A single JWT that contains the client authentication information. The JWT must be signed with the client's private key and contain the following claims: iss (Client ID), sub (Client ID), aud (Token endpoint URL), jti (unique identifier for the JWT), exp (expiration time). This parameter is used together with client_assertion_type for JWT client authentication (private_key_jwt) as an alternative to Basic authentication. | | |
200 OK

```json
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1VTkJaNa0ZGTWtKQlFqVkRPVFV4TlVWQ04wRTRPVEV5UWpGRFJFSTFNMFZEUXpBMU1UVTVNQSJ9....h6GTIB8OMcMXDxyUzUW8tJ8LW7U_yIQfCshDuOW9E-_rd9NNRBxzsPhVHllawcB336Xfo3kwrVmS0KdkLGWz4BJo67R_4KXjQ_1VcmHD2WfzpS06fmjdV1DWZbd5dv3LBtPXEIYxWVzFSUcAlIKo5cstYlUWvb1weh56yBu26Y48UK5CIjwLmqAtlxL3kNcMI_PPuM-UmiQPeNe8cKPN4c7Tf_aVw38DcGydY53GIJ_fTeRvB5kb9CO4bs6g4iWOFZFFuLAluRFZsKcqJwNdW1RDYB_blmva5Q8JrBeU5TkbfdrWIL2QfdD93hjLFcWgE9z6txUz5opW2qkcMoQkLA",
  "scope": "read:client_grants create:client_grants delete:client_grants update:client_grants",
  "expires_in": 86400,
  "token_type": "Bearer",
  "refresh_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1VTkJNa0ZGTWtKQlFqVkRPVFV4TlVWQ04wRTRPVEV5UWpGRFJFSTFNMFZEUXpBMU1UVTVNQSJ9"
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| access_token* | string | A token used by the client to make authenticated requests on behalf of the resource owner | | |
| scope | string | Scopes | | |
| expires_in | integer | | | |
| token_type* | string | | | |
| refresh_token | string | A token used by the client to obtain a new access token without having to involve the resource owner. | | |
400 Bad Request

```json
{
  "error": "invalid_request",
  "error_description": "string",
  "error_uri": "string"
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| error* | string | A single error code | enum: invalid_request, access_denied, invalid_client, invalid_grant, unauthorized_client, unauthorized_grant_type, invalid_scope, invalid_target, error_description, error_uri | |
| error_description | string | Human-readable text providing additional information, to assist in understanding and resolving the error that occurred | | |
| error_uri | string | | | |
401 Unauthorized

```json
{
  "error": "invalid_request",
  "error_description": "string",
  "error_uri": "string"
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| error* | string | A single error code | enum: invalid_request, access_denied, invalid_client, invalid_grant, unauthorized_client, unauthorized_grant_type, invalid_scope, invalid_target, error_description, error_uri | |
| error_description | string | Human-readable text providing additional information, to assist in understanding and resolving the error that occurred | | |
| error_uri | string | | | |
403 Forbidden: Too Many Login Attempts Error

```json
{
  "error": "invalid_request",
  "error_description": "string",
  "error_uri": "string"
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| error* | string | A single error code | enum: invalid_request, access_denied, invalid_client, invalid_grant, unauthorized_client, unauthorized_grant_type, invalid_scope, invalid_target, error_description, error_uri | |
| error_description | string | Human-readable text providing additional information, to assist in understanding and resolving the error that occurred | | |
| error_uri | string | | | |
RESPONSE HEADERS

| Header | Type | Description |
|---|---|---|
| Cache-Control | string | The authorization server MUST include the HTTP "Cache-Control" response header field with a value of "no-store" in any response containing tokens, secrets, or other sensitive information. |
Example request:

```shell
curl -X POST 'https://authn.masstack.com/v1/oauth/token' \
  -H 'X-User-Agent-Alias: string' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Accept: application/json' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'scope=string' \
  --data-urlencode 'username=usuario@gmail.com' \
  --data-urlencode 'password=123456' \
  --data-urlencode 'refresh_token=string' \
  --data-urlencode 'state=OyMh_ObySiyWi7SrXgfIdg' \
  --data-urlencode 'code=OyMh_ObySiyWi7SrXgfIdg' \
  --data-urlencode 'code_verifier=5VTycQU924SQ3jHp5g9zcvMF2ai3aN89kxzB2D5QJUrejxam3jddqFUugD8F' \
  --data-urlencode 'assertion=string' \
  --data-urlencode 'token=string' \
  --data-urlencode 'otp=string' \
  --data-urlencode 'auth_req_id=d221eb9b-9d33-4fe9-ba41-9711ed0309ce' \
  --data-urlencode 'client_id=string' \
  --data-urlencode 'device_code=d221eb9b-9d33-4fe9-ba41-9711ed0309ce' \
  --data-urlencode 'subject_token=string' \
  --data-urlencode 'subject_token_type=string' \
  --data-urlencode 'actor_token=string' \
  --data-urlencode 'actor_token_type=string' \
  --data-urlencode 'resource=https://api.example.com' \
  --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
  --data-urlencode 'client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJjbGllbnRfaWQiLCJzdWIiOiJjbGllbnRfaWQiLCJhdWQiOiJodHRwczovL2F1dGhuLmthcy5tYXNtb3ZpbC5jb20vb2F1dGgvdG9rZW4iLCJqdGkiOiJhYmMxMjMiLCJleHAiOjE3MDUzMzQ4MDl9.signature'
```

Logs in the user or redirects them to a page where they can authenticate (GET /v1/oauth/authorize).
QUERY PARAMETERS

| Parameter | Description |
|---|---|
| client_id | The identifier of the client representing the app. |
| response_type | In a basic authorization code flow request this should be code. Authn only supports code. |
| redirect_uri | Should be the HTTP endpoint on your server that will receive the response from Authn. The value must exactly match one of the authorized redirect URIs for the OAuth 2.0 client, which you configured when registering the application. If this value doesn't match an authorized URI, the request will fail with a 401 error. |
| state | Should include the value of the anti-forgery unique session token, as well as any other information needed to recover the context when the user returns to your application, e.g., the starting URL. |
| login_hint | If your application knows which user is trying to authenticate, it can use this parameter to provide a hint to the Authentication Server. The server uses the hint to simplify the login flow, either by prefilling the email field in the sign-in form or by selecting the appropriate multi-login session. |
| groups_hint | The value is equivalent to the groups in the provider (only Google is supported). If you do not provide a groups_hint and the user is currently logged in, the access_token returned by the next token request will not contain the groups claim. |
| access_type | The allowed values are offline and online. If an access token is being requested, the client does not receive a refresh token unless a value of offline is specified. |
| code_challenge | Specifies the encoded challenge derived from the client's code_verifier, which the server will check during the authorization code exchange. This mitigates authorization code interception through Proof Key for Code Exchange (PKCE). |
| code_challenge_method | Specifies what method was used to encode the code_verifier that will be used during the authorization code exchange. This parameter must be used with the code_challenge parameter. The value of code_challenge_method defaults to plain if it is not present in a request that includes a code_challenge. The only supported values for this parameter are S256 or plain. |
| resource | RFC 8707: The URI of the resource server where the requested access token will be used. When provided and the client has allowed_resources configured, the issued token's aud claim will be set to this value instead of the default application issuer. The value is bound to the authorization code and carried through to the token response. Must be an absolute URI without a fragment component. |
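As an added example (not code from this page or from Authn), the PKCE parameters above carried through both ends of the flow: the client derives code_challenge from its code_verifier and builds the /oauth/authorize URL, and the token endpoint recomputes the challenge from the code_verifier it receives with the authorization code. The verifier length check and constant-time comparison are additions of this example; the client_id and redirect URI used in the test come from the page's curl sample.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlencode

# Endpoint as documented on this page.
AUTHORIZE_URL = "https://authn.masstack.com/v1/oauth/authorize"


def b64url(raw: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy verifier. 32 random bytes encode to 43
    characters, the RFC 7636 minimum (the maximum is 128)."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(code_verifier: str, method: str = "S256") -> str:
    """Client side: derive the code_challenge sent to /oauth/authorize.
    S256 = base64url(SHA-256(verifier)); plain sends the verifier itself."""
    if method == "S256":
        return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    if method == "plain":
        return code_verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def build_authorize_url(client_id: str, redirect_uri: str, state: str,
                        code_challenge: str, method: str = "S256",
                        resource: Optional[str] = None) -> str:
    """Build the GET /oauth/authorize URL from the query parameters above.
    response_type is fixed to 'code', the only value Authn supports."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": method,
    }
    if resource is not None:
        params["resource"] = resource  # RFC 8707 audience restriction, optional
    return AUTHORIZE_URL + "?" + urlencode(params)


def verify_code_verifier(stored_challenge: str, stored_method: Optional[str],
                         code_verifier: str) -> bool:
    """Server side, at /oauth/token: recompute the challenge from the
    code_verifier sent with grant_type=authorization_code and compare it with
    the challenge bound to the code. A missing method means 'plain', as the
    page documents. Constant-time comparison avoids leaking partial matches."""
    method = stored_method or "plain"
    if method not in ("S256", "plain"):
        return False
    if not 43 <= len(code_verifier) <= 128:
        return False
    expected = make_code_challenge(code_verifier, method)
    return hmac.compare_digest(expected.encode("ascii"),
                               stored_challenge.encode("ascii"))
```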
302 Found: Authorization code/Implicit grant response
400 Bad Request

```json
{
  "error": "invalid_request",
  "error_description": "string",
  "error_uri": "string"
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| error* | string | A single error code | enum: invalid_request, access_denied, invalid_client, invalid_grant, unauthorized_client, unauthorized_grant_type, invalid_scope, invalid_target, error_description, error_uri | |
| error_description | string | Human-readable text providing additional information, to assist in understanding and resolving the error that occurred | | |
| error_uri | string | | | |
401 Unauthorized

```json
{
  "error": "invalid_request",
  "error_description": "string",
  "error_uri": "string"
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| error* | string | A single error code | enum: invalid_request, access_denied, invalid_client, invalid_grant, unauthorized_client, unauthorized_grant_type, invalid_scope, invalid_target, error_description, error_uri | |
| error_description | string | Human-readable text providing additional information, to assist in understanding and resolving the error that occurred | | |
| error_uri | string | | | |
RESPONSE HEADERS

| Header | Type | Description |
|---|---|---|
| Location | string | The redirect URI of the client |
Example request:

```shell
curl -X GET 'https://authn.masstack.com/v1/oauth/authorize?client_id=TtsdmebPcQtEnvLsKw7x&response_type=token&redirect_uri=https%3A%2F%2Fmasmovil.com%2Flogin%2Fcallback&state=0AxLygT73V6kreKzkQySOjfYShIvK%2FTR&login_hint=my_user%40masmovil.com&groups_hint=group1%2Bgroup2&access_type=online&code_challenge=5VTycQU924SQ3jHp5g9zcvMF2ai3aN89kxzB2D5QJUrejxam3jddqFUugD8F&code_challenge_method=S256&resource=https%3A%2F%2Fapi.example.com' \
  -H 'Accept: */*'
```

Logs out the user (GET /v1/oauth/logout).

QUERY PARAMETERS

| Parameter | Description |
|---|---|
| client_id | The identifier of the client representing the app. |
| continue | The URL to be redirected to after logout. |
| scope | If the value is all, it will delete all the user's sessions and refresh_tokens. |
302 Found: Logout response
400 Bad Request

```json
{
  "error": "invalid_request",
  "error_description": "string",
  "error_uri": "string"
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| error* | string | A single error code | enum: invalid_request, access_denied, invalid_client, invalid_grant, unauthorized_client, unauthorized_grant_type, invalid_scope, invalid_target, error_description, error_uri | |
| error_description | string | Human-readable text providing additional information, to assist in understanding and resolving the error that occurred | | |
| error_uri | string | | | |
401 Unauthorized

```json
{
  "error": "invalid_request",
  "error_description": "string",
  "error_uri": "string"
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| error* | string | A single error code | enum: invalid_request, access_denied, invalid_client, invalid_grant, unauthorized_client, unauthorized_grant_type, invalid_scope, invalid_target, error_description, error_uri | |
| error_description | string | Human-readable text providing additional information, to assist in understanding and resolving the error that occurred | | |
| error_uri | string | | | |
RESPONSE HEADERS

| Header | Type | Description |
|---|---|---|
| Location | string | The redirect to the post_logout_redirect_uri of the client |
Example request:

```shell
curl -X GET 'https://authn.masstack.com/v1/oauth/logout?client_id=TtsdmebPcQtEnvLsKw7x&continue=https%3A%2F%2Fgrupomasmovil.com%2Fes%2F&scope=all' \
  -H 'Accept: */*'
```

Logs out the user (POST /v1/oauth/logout).

Request body:

```json
{
  "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2MjM4MzU4OTEsImV4cCI6MTY1NTM3MTg5MSwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.oSm7gu7N4ypkz0e7W-hyOTozX2AUEZ_YacSoYqMkyLs",
  "scope": "all"
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| token | string | A valid token (access_token or refresh_token) provided by authn | | |
| scope | string | If the value is all, it will delete all the user's sessions and refresh_tokens. | | |
204 No Content: Logout response
400 Bad Request

```json
{
  "error": "invalid_request",
  "error_description": "string",
  "error_uri": "string"
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| error* | string | A single error code | enum: invalid_request, access_denied, invalid_client, invalid_grant, unauthorized_client, unauthorized_grant_type, invalid_scope, invalid_target, error_description, error_uri | |
| error_description | string | Human-readable text providing additional information, to assist in understanding and resolving the error that occurred | | |
| error_uri | string | | | |
401 Unauthorized

```json
{
  "error": "invalid_request",
  "error_description": "string",
  "error_uri": "string"
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| error* | string | A single error code | enum: invalid_request, access_denied, invalid_client, invalid_grant, unauthorized_client, unauthorized_grant_type, invalid_scope, invalid_target, error_description, error_uri | |
| error_description | string | Human-readable text providing additional information, to assist in understanding and resolving the error that occurred | | |
| error_uri | string | | | |
RESPONSE HEADERS

| Header | Type | Description |
|---|---|---|
| Location | string | The request has been processed |
Example request:

```shell
curl -X POST 'https://authn.masstack.com/v1/oauth/logout' \
  -H 'Content-Type: application/json' \
  -H 'Accept: */*' \
  --data-raw '{
    "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2MjM4MzU4OTEsImV4cCI6MTY1NTM3MTg5MSwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.oSm7gu7N4ypkz0e7W-hyOTozX2AUEZ_YacSoYqMkyLs",
    "scope": "all"
  }'
```

Revokes a previously obtained refresh or access token according to RFC 7009 (POST /v1/oauth/revoke).

This endpoint is fully RFC 7009 compliant.

Security Note: Per RFC 7009 Section 2.2, this endpoint returns 200 OK for all tokens (valid, invalid, expired, or belonging to other clients) to prevent information disclosure attacks.
Request body:

```json
{
  "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjVmYjkyOWE5LWZiMTktNDdjYy04ZWI4LTEwZjZmMzkwNzlhMiJ9...",
  "token_type_hint": "refresh_token"
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| token* | string | The token that the client wants to revoke (access_token or refresh_token) | | |
| token_type_hint | string | A hint about the type of the token submitted for revocation. Possible values: `access_token` (the token is an OAuth 2.0 access token) or `refresh_token` (the token is an OAuth 2.0 refresh token). This parameter is optional but helps optimize token lookup performance. If not provided, the server will automatically determine the token type. | enum: access_token, refresh_token | |
200 OK: Token successfully revoked, or token was already invalid/revoked. Per RFC 7009, this endpoint always returns 200 OK to prevent information disclosure about token validity or ownership.
400 Bad Request (missing required parameters)

```json
{
  "error": "invalid_request",
  "error_description": "string",
  "error_uri": "string"
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| error* | string | A single error code | enum: invalid_request, access_denied, invalid_client, invalid_grant, unauthorized_client, unauthorized_grant_type, invalid_scope, invalid_target, error_description, error_uri | |
| error_description | string | Human-readable text providing additional information, to assist in understanding and resolving the error that occurred | | |
| error_uri | string | | | |
401 Unauthorized (invalid client credentials)

```json
{
  "error": "invalid_request",
  "error_description": "string",
  "error_uri": "string"
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| error* | string | A single error code | enum: invalid_request, access_denied, invalid_client, invalid_grant, unauthorized_client, unauthorized_grant_type, invalid_scope, invalid_target, error_description, error_uri | |
| error_description | string | Human-readable text providing additional information, to assist in understanding and resolving the error that occurred | | |
| error_uri | string | | | |
Example request:

```shell
curl -X POST 'https://authn.masstack.com/v1/oauth/revoke' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Accept: */*' \
  --data-urlencode 'token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjVmYjkyOWE5LWZiMTktNDdjYy04ZWI4LTEwZjZmMzkwNzlhMiJ9...' \
  --data-urlencode 'token_type_hint=refresh_token'
```

The JWK Set returned by this endpoint (GET /v1/.well-known/jwks.json) contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of the keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
200 OK

```json
{
  "keys": [
    {
      "alg": "RS256",
      "kty": "RSA",
      "use": "sig",
      "x5c": [
        "MIIDBTCCAe2gAwIBAgIJMg1BS/K2xovDMA0GCSqGSIb3DQEBCwUAMCAxHjAcBgNVBAMTFW1hc21vdmlsLmV1LmF1dGgwLmNvbTAeFw0xODA0MjcwNzQ5MjFaFw0zMjAxMDQwNzQ5MjFaMCAxHjAcBgNVBAMTFW1hc21vdmlsLmV1LmF1dGgwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALRLXzvNzYGhvXUVefnrw+2+5k/J5PkSiv3dpbQjJB/kM3uPPVa/+qiy9gvcZbSkeN+Z6D3+fTcIW+xdWuiIj8kiBGLpHCjPz5ybaTq87uvx2KfEqx+T/Q7z9..."
      ],
      "n": "tEtfO83NgaG9dRV5-evD7b7mT8nk-RKK_d2ltCMkH-Qze489Vr_6qLL2C9xltKR435noPf59Nwhb7F1a6IiPySIEYuk...",
      "e": "AQAB",
      "kid": "MUNBMkFFMkJBQjVDOTUxNUVCN0E4OTEyQjFDREI1M0VDQzA1MTU5MA",
      "x5t": "MUNBMkFFMkJBQjVDOTUxNUVCN0E4OTEyQjFDREI1M0VDQzA1MTU5MA"
    }
  ]
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| keys* | object[] | The JSON object MUST have a "keys" member, which is an array of JWKs. Array items: JWK objects (alg, kty, use, x5c, n, e, kid, x5t in the example above) | | |
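An added example, not the project's code, that applies the JWK Set rules stated for this endpoint: the keys array must exist, use is required on every key once signing and encryption keys coexist, bare n/e must accompany x5c, and a token's kid may select only a signing key whose alg is permitted. The JWK Set and token below are constructed placeholders with no real key material; signature verification itself is out of scope here.

```python
import base64
import json
from typing import Any, Dict, List, Optional

# Constructed sample JWK Set: one signing key and one encryption key, so the
# "use is REQUIRED on all keys" rule is in force. Values are placeholders.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "sig-key-1",
         "n": "placeholder-modulus", "e": "AQAB", "x5c": ["placeholder-cert"]},
        {"kty": "RSA", "alg": "RSA-OAEP", "use": "enc", "kid": "enc-key-1",
         "n": "placeholder-modulus-2", "e": "AQAB"},
    ]
})

# The discovery document on this page lists RS256 only.
ALLOWED_SIGNING_ALGS = {"RS256"}


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_jwks(document: str) -> List[Dict[str, Any]]:
    """Validate a JWK Set against the rules in the endpoint description."""
    keys = json.loads(document).get("keys")
    if not isinstance(keys, list):
        raise ValueError('JWK Set must have a "keys" member that is an array')
    uses = {k.get("use") for k in keys}
    if {"sig", "enc"} <= uses and any("use" not in k for k in keys):
        raise ValueError("use is REQUIRED on all keys when sig and enc keys coexist")
    for k in keys:
        # x5c is optional, but it never replaces the bare key values.
        if k.get("kty") == "RSA" and "x5c" in k and not ("n" in k and "e" in k):
            raise ValueError(f"key {k.get('kid')}: bare n/e must accompany x5c")
    return keys


def jwks_is_valid(document: str) -> bool:
    try:
        parse_jwks(document)
        return True
    except ValueError:
        return False


def jwt_header(token: str) -> Dict[str, Any]:
    """Decode only the JOSE header; it is trusted for nothing beyond key lookup."""
    return json.loads(b64url_decode(token.split(".")[0]))


def select_signing_key(keys: List[Dict[str, Any]], token: str) -> Dict[str, Any]:
    """Pick the key a verifier may use for this token, rejecting alg 'none',
    unknown algs, encryption keys and alg/key mismatches before any crypto."""
    hdr = jwt_header(token)
    alg, kid = hdr.get("alg"), hdr.get("kid")
    if alg not in ALLOWED_SIGNING_ALGS:
        raise ValueError(f"rejected alg {alg!r}")
    for k in keys:
        if k.get("kid") != kid:
            continue
        if k.get("use") == "enc":
            raise ValueError("an encryption key cannot verify signatures")
        if k.get("alg", alg) != alg:
            raise ValueError("token alg does not match the key's alg")
        return k
    raise KeyError(f"no signing key with kid {kid!r}; refetch jwks.json before failing")


def signing_kid_or_none(keys: List[Dict[str, Any]], token: str) -> Optional[str]:
    try:
        return select_signing_key(keys, token)["kid"]
    except (ValueError, KeyError):
        return None


def make_sample_token(kid: str, alg: str = "RS256") -> str:
    """Constructed header.payload.signature string for the example only."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": alg, "kid": kid}).encode())
    payload = b64url_encode(json.dumps({"sub": "AE0001"}).encode())
    return f"{header}.{payload}.placeholder-signature"
```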
Example request:

```shell
curl -X GET 'https://authn.masstack.com/v1/.well-known/jwks.json' \
  -H 'Accept: application/json'
```

This URL (GET /v1/.well-known/openid-configuration) returns a JSON listing of the OpenID/OAuth endpoints, supported scopes and claims, public keys used to sign the tokens, and other details. Clients can use this information to construct requests to the OpenID server. The field names and values are defined in the OpenID Connect Discovery specification.
200 OK

```json
{
  "token_endpoint": "https://authn.k8s.masmovil.com/oauth/token",
  "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic", "private_key_jwt"],
  "jwks_uri": "https://authn.k8s.masmovil.com/.well-known/jwks.json",
  "response_modes_supported": ["query", "fragment", "form_post"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "response_types_supported": ["code", "token"],
  "scopes_supported": ["openid", "profile", "email", "offline_access"],
  "issuer": "{appName}.auth.masmovil.com",
  "request_uri_parameter_supported": false,
  "userinfo_endpoint": "",
  "authorization_endpoint": "https://authn.k8s.masmovil.com/oauth/authorize",
  "http_logout_supported": false,
  "frontchannel_logout_supported": false,
  "end_session_endpoint": "",
  "claims_supported": ["aud", "cid", "exp", "iat", "iss", "tenant", "scope", "sub", "tid", "user_metadata", "app_metadata", "given_name", "family_name", "name"]
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| token_endpoint | string | | | |
| token_endpoint_auth_methods_supported | string[] | | | |
| jwks_uri | string | | | |
| response_modes_supported | string[] | | | |
| subject_types_supported | string[] | | | |
| id_token_signing_alg_values_supported | string[] | | | |
| response_types_supported | string[] | | | |
| scopes_supported | string[] | | | |
| issuer | string | | | |
| request_uri_parameter_supported | boolean | | | |
| userinfo_endpoint | string | | | |
| authorization_endpoint | string | | | |
| http_logout_supported | boolean | | | |
| frontchannel_logout_supported | boolean | | | |
| end_session_endpoint | string | | | |
| claims_supported | string[] | | | |
Example request:

```shell
curl -X GET 'https://authn.masstack.com/v1/.well-known/openid-configuration' \
  -H 'Accept: application/json'
```

This endpoint (GET /v1/magiclink) returns a 200 status code and, in its body, an access_token and a refresh_token.
200 OK

```json
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1VTkJaNa0ZGTWtKQlFqVkRPVFV4TlVWQ04wRTRPVEV5UWpGRFJFSTFNMFZEUXpBMU1UVTVNQSJ9....h6GTIB8OMcMXDxyUzUW8tJ8LW7U_yIQfCshDuOW9E-_rd9NNRBxzsPhVHllawcB336Xfo3kwrVmS0KdkLGWz4BJo67R_4KXjQ_1VcmHD2WfzpS06fmjdV1DWZbd5dv3LBtPXEIYxWVzFSUcAlIKo5cstYlUWvb1weh56yBu26Y48UK5CIjwLmqAtlxL3kNcMI_PPuM-UmiQPeNe8cKPN4c7Tf_aVw38DcGydY53GIJ_fTeRvB5kb9CO4bs6g4iWOFZFFuLAluRFZsKcqJwNdW1RDYB_blmva5Q8JrBeU5TkbfdrWIL2QfdD93hjLFcWgE9z6txUz5opW2qkcMoQkLA",
  "scope": "read:client_grants create:client_grants delete:client_grants update:client_grants",
  "expires_in": 86400,
  "token_type": "Bearer",
  "refresh_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1VTkJNa0ZGTWtKQlFqVkRPVFV4TlVWQ04wRTRPVEV5UWpGRFJFSTFNMFZEUXpBMU1UVTVNQSJ9"
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| access_token* | string | A token used by the client to make authenticated requests on behalf of the resource owner | | |
| scope | string | Scopes | | |
| expires_in | integer | | | |
| token_type* | string | | | |
| refresh_token | string | A token used by the client to obtain a new access token without having to involve the resource owner. | | |
400 Bad Request

```json
{
  "error": "invalid_request",
  "error_description": "string",
  "error_uri": "string"
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| error* | string | A single error code | enum: invalid_request, access_denied, invalid_client, invalid_grant, unauthorized_client, unauthorized_grant_type, invalid_scope, invalid_target, error_description, error_uri | |
| error_description | string | Human-readable text providing additional information, to assist in understanding and resolving the error that occurred | | |
| error_uri | string | | | |
401 Unauthorized

```json
{
  "error": "invalid_request",
  "error_description": "string",
  "error_uri": "string"
}
```

| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| error* | string | A single error code | enum: invalid_request, access_denied, invalid_client, invalid_grant, unauthorized_client, unauthorized_grant_type, invalid_scope, invalid_target, error_description, error_uri | |
| error_description | string | Human-readable text providing additional information, to assist in understanding and resolving the error that occurred | | |
| error_uri | string | | | |
Example request:

```shell
curl -X GET 'https://authn.masstack.com/v1/magiclink' \
  -H 'Accept: application/json'
```

The Backchannel Authentication Endpoint is used to initiate an out-of-band authentication of the end-user. This is done by sending an HTTP POST message directly from the Client to the OpenID Provider's Backchannel Authentication Endpoint.
{
"login_hint": "myemail@gmail.com",
"scope": "string",
"binding_message": "usuario@gmail.com",
"acr_values": "locale:eu",
"client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
"client_assertion": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJjbGllbnRfaWQiLCJzdWIiOiJjbGllbnRfaWQiLCJhdWQiOiJodHRwczovL2F1dGhuLmthcy5tYXNtb3ZpbC5jb20vYmMtYXV0aG9yaXplIiwianRpIjoiYWJjMTIzIiwiZXhwIjoxNzA1MzM0ODA5fQ.signature",
"resource": "https://api.example.com"
}
| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| login_hint* | string | A hint to the OpenID Provider regarding the end-user for whom authentication is being requested. The value may contain an email address or MSISDN that identifies the end-user to the OP. | | |
| scope | string | Scope of permissions | | |
| binding_message | string | A human-readable identifier or message intended to be displayed on both the consumption device and the authentication device to interlock them for the transaction by way of a visual cue for the end-user. It lets the end-user confirm that the action taken on the authentication device belongs to the request initiated on the consumption device. | | |
| acr_values | string | Requested Authentication Context Class Reference values: a space-separated string of the acr values the Authorization Server is asked to use when processing this Authentication Request. May include a language preference in the format `locale:xx`, where xx is the ISO 639-1 language code (e.g. `locale:eu`, `locale:es`, `locale:en`). The language preference is only supported by the +Credentials provider. | | |
| client_assertion_type | string (enum: urn:ietf:params:oauth:client-assertion-type:jwt-bearer) | The format of the assertion used for client authentication (private_key_jwt). Must be `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` when authenticating with a signed JWT instead of a client secret. Use together with `client_assertion`. Mutually exclusive with the `Authorization: Basic` header. | | |
| client_assertion | string | A signed JWT used to authenticate the client (private_key_jwt). The JWT must be signed with the client's private key and contain `iss` (client ID), `sub` (client ID), `aud` (the Backchannel Authentication Endpoint URL), `jti` (unique identifier) and `exp` (expiration time). Use together with `client_assertion_type`. Mutually exclusive with the `Authorization: Basic` header. The sample value above is RS256-signed and its payload decodes to `iss`/`sub` = `client_id`, `aud` = `https://authn.kas.masmovil.com/bc-authorize`, `jti` = `abc123`, `exp` = 1705334809; in a real request `aud` must be the URL of the endpoint you actually call, `jti` must be fresh for every request and `exp` should be short. | | |
| resource | string | RFC 8707: the URI of the resource server where the requested access token will be used. When provided and the client has allowed_resources configured, the issued token's `aud` claim is set to this value instead of the default application issuer. Must be an absolute URI without a fragment component. | | |
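How a client builds the `client_assertion` described above and what the endpoint has to check before trusting it, as an added example in Go (not the authn service's own code). The endpoint URL is the one in this page's curl; the client ID, the 2048-bit RSA key generated at start-up and the in-memory `jti` replay cache are assumptions, and the `resource` check applies the RFC 8707 rule from the table.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Endpoint URL from the curl example on this page; the client_id is a placeholder (assumption).
const (
	BCAuthorizeURL = "https://authn.masstack.com/v1/bc-authorize"
	ClientID       = "example-client-id"
	JWTBearer      = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
	AssertionTTL   = 60 * time.Second // the assertion is a bearer credential until exp, so keep it short
)

// AssertionClaims mirrors the claims the request table requires (json matching is case-insensitive).
type AssertionClaims struct{ Iss, Sub, Aud, Jti string; Iat, Exp int64 }

var b64 = base64.RawURLEncoding

// NewClientAssertion builds the private_key_jwt assertion from the table: iss = sub = client_id,
// aud = the backchannel endpoint URL, a fresh random jti, a short exp, signed with RS256.
func NewClientAssertion(key *rsa.PrivateKey, clientID, aud string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{"iss": clientID, "sub": clientID, "aud": aud,
		"jti": b64.EncodeToString(jti), "iat": now.Unix(),"exp": now.Add(AssertionTTL).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyClientAssertion is the server side: pin the algorithm, verify the signature under the key
// registered for this client, then enforce every claim rule from the table. seen is the replay
// cache (assumption: in-memory, keyed by jti; a real server would expire entries at exp).
func VerifyClientAssertion(token string, pub *rsa.PublicKey, clientID, aud string, now time.Time, seen map[string]bool) (AssertionClaims, error) {
	var c AssertionClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT")
	}
	hdrRaw, e1 := b64.DecodeString(parts[0])
	body, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr struct{ Alg string }
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" {
		return c, errors.New("malformed JWT or alg is not RS256 (the token never chooses the algorithm)")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return c, errors.New("signature does not verify under the client's registered key")
	}
	if json.Unmarshal(body, &c) != nil {
		return c, errors.New("malformed claims")
	}
	switch {
	case c.Iss != clientID || c.Sub != clientID:
		return c, errors.New("iss and sub must both equal the client_id")
	case c.Aud != aud:
		return c, fmt.Errorf("aud %q is not this endpoint", c.Aud)
	case c.Jti == "":
		return c, errors.New("jti missing")
	case c.Exp <= now.Unix():
		return c, errors.New("assertion expired")
	case seen[c.Jti]:
		return c, errors.New("jti already used: replay")
	}
	seen[c.Jti] = true
	return c, nil
}

// ValidResource applies the RFC 8707 rule from the table: an absolute URI with no fragment.
func ValidResource(s string) bool {
	u, err := url.Parse(s)
	return err == nil && u.IsAbs() && u.Fragment == "" && !strings.Contains(s, "#")
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now, seen := time.Now(), map[string]bool{}
	tok, _ := NewClientAssertion(key, ClientID, BCAuthorizeURL, now)
	_, first := VerifyClientAssertion(tok, &key.PublicKey, ClientID, BCAuthorizeURL, now, seen)
	_, second := VerifyClientAssertion(tok, &key.PublicKey, ClientID, BCAuthorizeURL, now, seen)
	fmt.Println("first use:", first, "| replay:", second, "| resource ok:", ValidResource("https://api.example.com"))
}
```

The assertion value goes into the `client_assertion` form field together with `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`, exactly as the curl below shows; the second presentation in `main` is rejected because the `jti` has already been consumed.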
OK
{
"auth_req_id": "d221eb9b-9d33-4fe9-ba41-9711ed0309ce",
"expires_in": 360,
"interval": 60
}
| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| auth_req_id* | string | REQUIRED. A unique identifier for the authentication request made by the Client. | | |
| expires_in* | integer | The duration in seconds for which the authentication request is valid. | | |
| interval* | integer | The minimum number of seconds the client SHOULD wait between polls to check whether the authentication request has been completed. | | |
Bad Request
{
"error": "invalid_request",
"error_description": "string",
"error_uri": "string"
}
| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| error* | string (enum: invalid_request, access_denied, invalid_client, invalid_grant, unauthorized_client, unauthorized_grant_type, invalid_scope, invalid_target, error_description, error_uri) | A single error code | | |
| error_description | string | Human-readable text with additional information to help understand and resolve the error | | |
| error_uri | string | URI of a human-readable web page with information about the error | | |
Unauthorized
{
"error": "invalid_request",
"error_description": "string",
"error_uri": "string"
}
| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| error* | string (enum: invalid_request, access_denied, invalid_client, invalid_grant, unauthorized_client, unauthorized_grant_type, invalid_scope, invalid_target, error_description, error_uri) | A single error code | | |
| error_description | string | Human-readable text with additional information to help understand and resolve the error | | |
| error_uri | string | URI of a human-readable web page with information about the error | | |
Response headers:
| Header | Type | Description |
|---|---|---|
| Cache-Control | string | The authorization server MUST include the HTTP "Cache-Control" response header field with a value of "no-store" in any response containing tokens, secrets, or other sensitive information. |
curl -X POST 'https://authn.masstack.com/v1/bc-authorize' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
--data-urlencode 'login_hint=myemail@gmail.com' \
--data-urlencode 'scope=string' \
--data-urlencode 'binding_message=usuario@gmail.com' \
--data-urlencode 'acr_values=locale:eu' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJjbGllbnRfaWQiLCJzdWIiOiJjbGllbnRfaWQiLCJhdWQiOiJodHRwczovL2F1dGhuLmthcy5tYXNtb3ZpbC5jb20vYmMtYXV0aG9yaXplIiwianRpIjoiYWJjMTIzIiwiZXhwIjoxNzA1MzM0ODA5fQ.signature' \
--data-urlencode 'resource=https://api.example.com'

The WebAuthn registration options endpoint takes the username and the relying party's preferences and returns the PublicKeyCredentialCreationOptions that the browser passes to navigator.credentials.create().
{
"username": "gasai@yahoo.es",
"user_verification": "preferred",
"attestation": "none",
"attachment": "all",
"algorithms": [
"es256",
"rs256"
],
"discoverable_credential": "preferred"
}
| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| username | string | Account the new credential is bound to; it is returned as `user.name` in the options | | |
| user_verification | string | WebAuthn userVerification requirement (`required`, `preferred` or `discouraged`) | | |
| attestation | string | WebAuthn attestation conveyance preference (`none` in the sample; the specification also defines `indirect`, `direct` and `enterprise`) | | |
| attachment | string | Authenticator attachment filter; `all` in the sample places no restriction, while the specification's own values are `platform` and `cross-platform` | | |
| algorithms | string[] | Accepted signature algorithms as COSE names (`es256`, `rs256` in the sample); note that the sample response advertises ten algorithms regardless | | |
| discoverable_credential | string | Resident-key (discoverable credential) preference (`required`, `preferred` or `discouraged`); `preferred` maps to `requireResidentKey: false` in the sample response | | |
OK Successful response
{
"rp": {
"name": "Authn",
"id": "localhost"
},
"user": {
"name": "gasai@yahoo.es",
"displayName": "gasai@yahoo.es",
"id": "Z2FzYWlAeWFob28uZXNfbWFzbW92aWxfTHVtaWVyZSBRdmFudGVsMQ"
},
"challenge": "kLnLjjcbKoZxiHitcqZh0U6NZxZdImHvfCitQlOI3e8",
"pubKeyCredParams": [
{
"type": "public-key",
"alg": -7
},
{
"type": "public-key",
"alg": -35
},
{
"type": "public-key",
"alg": -36
},
{
"type": "public-key",
"alg": -257
},
{
"type": "public-key",
"alg": -258
},
{
"type": "public-key",
"alg": -259
},
{
"type": "public-key",
"alg": -37
},
{
"type": "public-key",
"alg": -38
},
{
"type": "public-key",
"alg": -39
},
{
"type": "public-key",
"alg": -8
}
],
"timeout": 300000,
"authenticatorSelection": {
"requireResidentKey": false,
"userVerification": "preferred"
}
}
| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| rp | object | Relying party `name` and `id`. The `id` must be the origin's effective domain or a registrable suffix of it; the sample value `localhost` comes from a local development setup, and the authenticator binds the credential to it through the rpIdHash in authenticatorData. | | |
| user | object | User entity: `name`, `displayName` and an opaque base64url `id`, which the authenticator returns as `userHandle` on every authentication. The sample `id` decodes to a string containing the email address and a tenant label; the WebAuthn specification recommends a random handle with no personal data in it. | | |
| challenge | string | Base64url random challenge. The server must keep it per session and compare it with the `challenge` inside `clientDataJSON` at verification time. | | |
| pubKeyCredParams | object[] | Accepted algorithms as `{type: "public-key", alg}` with COSE identifiers: -7 ES256, -35 ES384, -36 ES512, -257 RS256, -258 RS384, -259 RS512, -37 PS256, -38 PS384, -39 PS512, -8 EdDSA. The sample lists all ten although the request above asked for `es256` and `rs256` only. | | |
| timeout | integer | Milliseconds the browser waits for the authenticator (300000 = 5 minutes) | | |
| authenticatorSelection | object | `requireResidentKey` and `userVerification`, derived from `discoverable_credential` and `user_verification` in the request | | |
curl -X POST 'https://authn.masstack.com/v1/webauthn/registration/options' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
--data-raw '{
"username": "gasai@yahoo.es",
"user_verification": "preferred",
"attestation": "none",
"attachment": "all",
"algorithms": [
"es256",
"rs256"
],
"discoverable_credential": "preferred"
}'

The registration verify endpoint receives the PublicKeyCredential that navigator.credentials.create() returned, serialized as JSON, and answers with whether it was accepted.
{
"username": "gasai@yahoo.es",
"response": {
"id": "1oiirNJ62KeeucBn6MAsfFHyB9k",
"rawId": "1oiirNJ62KeeucBn6MAsfFHyB9k",
"response": {
"attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10...",
"clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoia0xuTGpq...",
"transports": [
"hybrid",
"internal"
],
"publicKeyAlgorithm": -7,
"publicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjmgQf1tLUkjKDus1ipkNsOmLtzcp5ZtanTowgUzB3RkCxSge-e-8Mrq76Pl0x_8SffYTXlaqkm0fBmAX911Vtg",
"authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NdAAAAAPv8MAcVTk7MjAtuAgVX170AFNaIoqzSetinnrnAZ-jALHxR8gfZpQECAyYgASFYII5oEH9bS1JIyg7rNYqZDbDpi7c3KeWbWp06MIFMwd0ZIlggAsUoHvnvvDK6u-j5dMf_En32E15WqpJtHwZgF_ddVbY"
},
"type": "public-key",
"clientExtensionResults": {},
"authenticatorAttachment": "platform"
}
}
| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| username | string | The username the registration options were requested for | | |
| response | object | The PublicKeyCredential from the browser in JSON form: `id`/`rawId` (credential ID), `response.attestationObject`, `response.clientDataJSON`, `response.transports`, `response.publicKeyAlgorithm` (-7 = ES256), `response.publicKey` (SPKI DER), `response.authenticatorData`, `type`, `clientExtensionResults` and `authenticatorAttachment`. The server must match the `challenge` inside `clientDataJSON` against the one it issued and check that its `origin` is an allowed one. | | |
OK Successful verification
{
"verified": true
}
| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| verified | boolean | `true` when the registration response was accepted and the credential can now be used for authentication | | |
curl -X POST 'https://authn.masstack.com/v1/webauthn/registration/verify' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
--data-raw '{
"username": "gasai@yahoo.es",
"response": {
"id": "1oiirNJ62KeeucBn6MAsfFHyB9k",
"rawId": "1oiirNJ62KeeucBn6MAsfFHyB9k",
"response": {
"attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10...",
"clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoia0xuTGpq...",
"transports": [
"hybrid",
"internal"
],
"publicKeyAlgorithm": -7,
"publicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjmgQf1tLUkjKDus1ipkNsOmLtzcp5ZtanTowgUzB3RkCxSge-e-8Mrq76Pl0x_8SffYTXlaqkm0fBmAX911Vtg",
"authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NdAAAAAPv8MAcVTk7MjAtuAgVX170AFNaIoqzSetinnrnAZ-jALHxR8gfZpQECAyYgASFYII5oEH9bS1JIyg7rNYqZDbDpi7c3KeWbWp06MIFMwd0ZIlggAsUoHvnvvDK6u-j5dMf_En32E15WqpJtHwZgF_ddVbY"
},
"type": "public-key",
"clientExtensionResults": {},
"authenticatorAttachment": "platform"
}
}'

The WebAuthn authentication options endpoint returns the PublicKeyCredentialRequestOptions for navigator.credentials.get(): a fresh challenge plus the credential IDs registered for the username.
{
"username": "gasai@yahoo.es",
"user_verification": "preferred"
}
| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| username | string | Account whose registered credentials are listed in `allowCredentials` | | |
| user_verification | string | WebAuthn userVerification requirement (`required`, `preferred` or `discouraged`), echoed as `userVerification` in the response | | |
OK Successful response
{
"challenge": "MdycdqU2giNAZR5pnkRPem3ACKZUQnAFEmIzbiqztHU",
"timeout": 300000,
"rpId": "localhost",
"allowCredentials": [
{
"type": "public-key",
"id": "1oiirNJ62KeeucBn6MAsfFHyB9k",
"transports": [
"hybrid",
"internal"
]
}
],
"userVerification": "preferred"
}
| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| challenge | string | Base64url random challenge. It must be stored server-side and must appear unchanged in `clientDataJSON.challenge` of the assertion; the sample verification request below carries exactly this value. | | |
| timeout | integer | Milliseconds the browser waits for the authenticator | | |
| rpId | string | Relying party ID the assertion must be scoped to; the verifier checks SHA-256(rpId) against the first 32 bytes of `authenticatorData` | | |
| allowCredentials | object[] | Credential descriptors (`type`, `id`, `transports`) registered for this username. Because the list is derived from the supplied username, responses differ between enrolled and unknown users, which is an enumeration surface to keep in mind where this endpoint is reachable without prior authentication. | | |
| userVerification | string | Requirement passed through from the request | | |
curl -X POST 'https://authn.masstack.com/v1/webauthn/authentication/options' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
--data-raw '{
"username": "gasai@yahoo.es",
"user_verification": "preferred"
}'

The WebAuthn authentication verification endpoint receives the assertion returned by navigator.credentials.get() and, when it checks out, issues tokens for the user.
{
"username": "gasai@yahoo.es",
"response": {
"id": "1oiirNJ62KeeucBn6MAsfFHyB9k",
"rawId": "1oiirNJ62KeeucBn6MAsfFHyB9k",
"response": {
"authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MdAAAAAA",
"clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiTWR5Y2RxVTJnaU5BWlI1cG5rUlBlbTNBQ0taVVFuQUZFbUl6YmlxenRIVSIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MCIsImNyb3NzT3JpZ2luIjpmYWxzZX0",
"signature": "MEQCIFz7zeflWv5p3rDZglFzwbDLgAZqMheLkubu94FPKCNpAiA0KikVURD5D8t1JpwLoOeEgtizVZd1owDwv9C2ZJA2kw",
"userHandle": "Z2FzYWlAeWFob28uZXNfbWFzbW92aWxfTHVtaWVyZSBRdmFudGVsMQ"
},
"type": "public-key",
"clientExtensionResults": {},
"authenticatorAttachment": "platform"
}
}
| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| username* | string | Account being authenticated; it must own the credential identified by `response.id` | | |
| response* | object | The PublicKeyCredential assertion in JSON form: `id`/`rawId`, `response.authenticatorData` (rpIdHash, flags, signCount), `response.clientDataJSON` (type `webauthn.get`, challenge, origin), `response.signature` (over authenticatorData and SHA-256 of clientDataJSON, verified with the public key stored at registration), `response.userHandle`, `type`, `clientExtensionResults` and `authenticatorAttachment` | | |
OK Successful verification
{
"access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjgzMmE2NWFhLWU3ODYtNGE1ZC04MDk3LTNjYWQ1MzQzZDMxZCIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJzYWxlczE3OTMwOWQ3LWI4NDgtNDgyZC1hZTg3LTNlMWFjZjRjNGE3Ni5hdXRoLm1hc21vdmlsLmNvbSIsImV4cCI6MTcwNTM4ODQwOSwiaWF0IjoxNzA1MzM0ODA5LCJncm91cHMiOiJjdXN0b21lciIsImlhdCI6MTcwNTMzNDgwOSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo2MDQwIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiZ2FzYWkteWFob28uZXMiLCJyb2xlcyI6Iml0c2VsZiIsInNjb3BlIjoiYXBpOmV2ZXJ5dGhpbmciLCJzdHJlbmd0aCI6InR4aW5kb2tpIiwic3ViIjoiZ2FzYWlAeWFob28uZXMiLCJ0ZW5hbnRzIjoidjE6OjIiLCJ0aWQiOiJjN2RjZWJmMC1hNmU0LTQ0MTctYmEwYi04YmNlYmJkMTg5N2UiLCJ0aWVyIjoiZ3JlZW4ifQ.aytlxbbC1TaPFpNyuj0_ZXNFgS90Xnf0zS1dswJ4BojWezU5jvri9jRlqqD8dpAAU5pBYo__xwir0mlgTh6fjdZZ4d8MX_uDEVbOjBGESe4uWztF3mWLcUdy6AeU80zhaQIFdtXvo-2_0KEuFw79qWUUm1w3kgq2-DZ21ok8__YnH4XY6dg9qQvSzIcGTKA8Z1I0u6oF2GlcOWcqu_36ssOJ8J30RgGBHjHVhg0vS6FbY02CUiDcJv5sa0flWpKUfY9raygWxe-UARHHxttM8ZICDhQm4B76DOtUjS0ww2Ik96q31WWWA7tfOsO9ymDXQivSY9fV9duSeI0O6drCUA",
"expires_in": 3600,
"refresh_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjgzMmE2NWFhLWU3ODYtNGE1ZC04MDk3LTNjYWQ1MzQzZDMxZCIsInR5cCI6IkpXVCJ9.eyJjaWQiOiJIN2VadHpxbmhTYVlEY3YwY1pwayIsImV4cCI6MTcwNTQyMjQwOSwiaWF0IjoxNzA1MzM0ODA5LCJzdWIiOiJnYXNhaUB5YWhvby5lcyIsInRpZCI6ImM3ZGNlYmYwLWE2ZTQtNDQxNy1iYTBiLThiY2ViYmQxODk3ZSJ9.jCjfz9YAxVEuKKs-gLw0PQnMC_tg7wt5gtG0DNo82bLNtIc-7_LQFPIhompPkqPa4j9k0VeiIg_MxZNe1PY6Kx6s5x6DR4f1FhNEeoNJ8CwkpHTk6oxjYT0_BIyFBwTS3LJd5VTgT7xHkHeRFdb_5QoM_ifhXDAyzKWG6nCAUDIPdNmmkeSHN-SzBN2TrrdBPs32WjqE_Wkcl2o9PjBLVpq_Ul-_Lmv2wo7ONcry3T11lGrR-UWZjPeJO6OCN0M-Zgxpfgz-mqMUsZEhhGW6FeTxcy_Yzxg-bpRK4PPaCPXdnlxUjimtGmhDvMA5Sl19roEdASWf9EhOxDzM1ihk7w",
"token_type": "Bearer"
}
| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| access_token* | string | JWT access token for the authenticated user, sent as a Bearer token | | |
| expires_in* | integer | Access token lifetime in seconds | | |
| refresh_token* | string | JWT used to obtain a new access token when the current one expires | | |
| token_type* | string | `Bearer` | | |
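What the verification endpoint has to check in a payload like the one above before it issues tokens, as an added example in Go (not the authn service's own code). The authenticatorData, clientDataJSON, signature and challenge are copied from this page's authentication sample and the SPKI public key from its registration sample; the RP ID `localhost` and origin `http://localhost:8080` are what those samples decode to, and the stored `lastCount` of 0 is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Copied from this page: the authentication/verification sample request and the SPKI public key
// from the registration/verify sample; both decode to RP ID "localhost" and origin http://localhost:8080.
const (
	sampleRPID, sampleOrigin = "localhost", "http://localhost:8080"
	sampleChallenge          = "MdycdqU2giNAZR5pnkRPem3ACKZUQnAFEmIzbiqztHU"
	sampleAuthData           = "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MdAAAAAA"
	sampleClientData         = "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiTWR5Y2RxVTJnaU5BWlI1cG5rUlBlbTNBQ0taVVFuQUZFbUl6YmlxenRIVSIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MCIsImNyb3NzT3JpZ2luIjpmYWxzZX0"
	sampleSignature          = "MEQCIFz7zeflWv5p3rDZglFzwbDLgAZqMheLkubu94FPKCNpAiA0KikVURD5D8t1JpwLoOeEgtizVZd1owDwv9C2ZJA2kw"
	samplePublicKey          = "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEjmgQf1tLUkjKDus1ipkNsOmLtzcp5ZtanTowgUzB3RkCxSge-e-8Mrq76Pl0x_8SffYTXlaqkm0fBmAX911Vtg"
)

// b64 is the unpadded base64url that WebAuthn JSON uses for every binary field.
func b64(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }

// AuthData is the fixed 37-byte prefix of authenticatorData: rpIdHash (32), flags (1), signCount (4).
type AuthData struct{ RPIDHash []byte; UP, UV, BE, BS, AT, ED bool; SignCount uint32 }

func ParseAuthData(raw []byte) (AuthData, error) {
	if len(raw) < 37 {
		return AuthData{}, errors.New("authenticatorData shorter than 37 bytes")
	}
	f, c := raw[32], raw[33:37]
	return AuthData{RPIDHash: raw[:32], UP: f&0x01 != 0, UV: f&0x04 != 0, BE: f&0x08 != 0, BS: f&0x10 != 0,
		AT: f&0x40 != 0, ED: f&0x80 != 0, SignCount: uint32(c[0])<<24 | uint32(c[1])<<16 | uint32(c[2])<<8 | uint32(c[3])}, nil
}

// ClientData holds the decoded clientDataJSON (json matching is case-insensitive, so no tags needed).
type ClientData struct{ Type, Challenge, Origin string }

// CheckClientData enforces the bindings that defeat replay and phishing: ceremony type,
// the challenge this server issued for this session, and the origin the browser actually saw.
func CheckClientData(raw []byte, challenge, origin string) (ClientData, error) {
	var cd ClientData
	if err := json.Unmarshal(raw, &cd); err != nil {
		return cd, err
	}
	if cd.Type != "webauthn.get" {
		return cd, fmt.Errorf("unexpected ceremony type %q", cd.Type)
	}
	if cd.Challenge != challenge {
		return cd, errors.New("challenge mismatch: replayed or foreign assertion")
	}
	if cd.Origin != origin {
		return cd, fmt.Errorf("origin %q not allowed", cd.Origin)
	}
	return cd, nil
}

// VerifyAssertion runs the relying-party steps of WebAuthn section 7.2 on one assertion;
// lastCount is the signCount stored at registration or at the previous login.
func VerifyAssertion(rpID, origin, challenge, authDataB64, clientDataB64, sigB64, spkiB64 string, lastCount uint32) (AuthData, error) {
	cdRaw, e1 := b64(clientDataB64)
	adRaw, e2 := b64(authDataB64)
	sig, e3 := b64(sigB64)
	spki, e4 := b64(spkiB64)
	if e1 != nil || e2 != nil || e3 != nil || e4 != nil {
		return AuthData{}, errors.New("bad base64url in assertion or key")
	}
	if _, err := CheckClientData(cdRaw, challenge, origin); err != nil {
		return AuthData{}, err
	}
	ad, err := ParseAuthData(adRaw)
	if err != nil {
		return ad, err
	}
	// The options asked for userVerification "preferred", so UV is reported but only UP is required.
	if h := sha256.Sum256([]byte(rpID)); string(ad.RPIDHash) != string(h[:]) || !ad.UP {
		return ad, errors.New("rpIdHash is not SHA-256 of the RP ID, or user presence flag not set")
	}
	if (ad.SignCount != 0 || lastCount != 0) && ad.SignCount <= lastCount { // counter did not advance
		return ad, errors.New("signCount did not increase: possible cloned credential")
	}
	pub, err := x509.ParsePKIXPublicKey(spki)
	ec, ok := pub.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return ad, errors.New("registered key is not a parseable ECDSA (ES256) key")
	}
	cdHash := sha256.Sum256(cdRaw) // the signature covers authenticatorData || SHA-256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, adRaw...), cdHash[:]...))
	if !ecdsa.VerifyASN1(ec, digest[:], sig) {
		return ad, errors.New("signature does not verify under the registered key")
	}
	return ad, nil
}

func main() {
	ad, err := VerifyAssertion(sampleRPID, sampleOrigin, sampleChallenge, sampleAuthData, sampleClientData, sampleSignature, samplePublicKey, 0)
	fmt.Printf("UP=%v UV=%v BE=%v BS=%v signCount=%d err=%v\n", ad.UP, ad.UV, ad.BE, ad.BS, ad.SignCount, err)
}
```

On the page's sample the flags decode to UP, UV, BE and BS set with signCount 0, i.e. a synced platform passkey whose counter cannot be used for clone detection; the signature step runs against the sample key and signature as printed on this page.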
curl -X POST 'https://authn.masstack.com/v1/webauthn/authentication/verification' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
--data-raw '{
"username": "gasai@yahoo.es",
"response": {
"id": "1oiirNJ62KeeucBn6MAsfFHyB9k",
"rawId": "1oiirNJ62KeeucBn6MAsfFHyB9k",
"response": {
"authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MdAAAAAA",
"clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiTWR5Y2RxVTJnaU5BWlI1cG5rUlBlbTNBQ0taVVFuQUZFbUl6YmlxenRIVSIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MCIsImNyb3NzT3JpZ2luIjpmYWxzZX0",
"signature": "MEQCIFz7zeflWv5p3rDZglFzwbDLgAZqMheLkubu94FPKCNpAiA0KikVURD5D8t1JpwLoOeEgtizVZd1owDwv9C2ZJA2kw",
"userHandle": "Z2FzYWlAeWFob28uZXNfbWFzbW92aWxfTHVtaWVyZSBRdmFudGVsMQ"
},
"type": "public-key",
"clientExtensionResults": {},
"authenticatorAttachment": "platform"
}
}'

The Device Code Authentication Endpoint is used to initiate an out-of-band authentication of the end-user. The client starts the authorization flow by requesting a set of verification codes from the authorization server with an HTTP POST to the device authorization endpoint.
{
"client_id": "string",
"scope": "string",
"resource": "https://api.example.com"
}
| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| client_id* | string | The identifier of the client representing the app. | | |
| scope | string | Scope of permissions | | |
| resource | string | RFC 8707: the URI of the resource server where the requested access token will be used. When provided and the client has allowed_resources configured, the issued token's `aud` claim is set to this value instead of the default application issuer. Must be an absolute URI without a fragment component. | | |
OK
{
"device_code": "817c6cf8-0adc-4e61-bc58-5c6de63af808",
"user_code": "RKNG-ZGXR",
"verification_uri": "https://authn.masstack.com/v1/device",
"verification_uri_complete": "https://authn.masstack.com/v1/device?user_code=RKNG-ZGXR",
"qr_code": "data:image/png;base64,...",
"expires_in": 360,
"interval": 60
}
| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| device_code* | string | REQUIRED. The unique code used for device verification. It is the device's secret for this request: it is presented only to the token endpoint and is never shown to the user. | | |
| user_code* | string | REQUIRED. The human-readable user code to be displayed to the user. | | |
| verification_uri* | string | REQUIRED. The end-user verification URI on the authorization server. The URI should be short and easy to remember, as end users will be asked to type it into their user agent manually. | | |
| verification_uri_complete | string | A verification URI that includes the `user_code` (or other information with the same function as the `user_code`), designed for non-textual transmission such as the QR code. | | |
| qr_code* | string | REQUIRED. The QR code image as a base64-encoded `data:image/png` URI (truncated in the sample). | | |
| expires_in* | integer | REQUIRED. The lifetime in seconds of the `device_code` and `user_code`. | | |
| interval | integer | The minimum number of seconds the client SHOULD wait between polling requests to the token endpoint. If no value is provided, clients MUST use 5 as the default. | | |
Bad Request
{
"error": "invalid_request",
"error_description": "string",
"error_uri": "string"
}
| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| error* | string (enum: invalid_request, access_denied, invalid_client, invalid_grant, unauthorized_client, unauthorized_grant_type, invalid_scope, invalid_target, error_description, error_uri) | A single error code | | |
| error_description | string | Human-readable text with additional information to help understand and resolve the error | | |
| error_uri | string | URI of a human-readable web page with information about the error | | |
Unauthorized
{
"error": "invalid_request",
"error_description": "string",
"error_uri": "string"
}
| Property | Type | Description | Constraints | Default |
|---|---|---|---|---|
| error* | string (enum: invalid_request, access_denied, invalid_client, invalid_grant, unauthorized_client, unauthorized_grant_type, invalid_scope, invalid_target, error_description, error_uri) | A single error code | | |
| error_description | string | Human-readable text with additional information to help understand and resolve the error | | |
| error_uri | string | URI of a human-readable web page with information about the error | | |
Response headers:
| Header | Type | Description |
|---|---|---|
| Cache-Control | string | The authorization server MUST include the HTTP "Cache-Control" response header field with a value of "no-store" in any response containing tokens, secrets, or other sensitive information. |
curl -X POST 'https://authn.masstack.com/v1/device-authorize' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Accept: application/json' \
--data-urlencode 'client_id=string' \
--data-urlencode 'scope=string' \
--data-urlencode 'resource=https://api.example.com'
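A device-side client for the exchange described above, as an added example in Go (not the authn service's own code): it validates the device-authorize response, applies the `interval` default from the table, normalizes a typed user code the way the server-side comparison should, and schedules polls so they stay within `expires_in`. The sample response is constructed from the one on this page with the QR payload truncated; the polling request itself goes to the token endpoint, which this section does not show, so it is left out.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Constructed from the page's sample device-authorize response; the qr_code payload is
// truncated to the PNG header because the page does not reproduce the full image.
const sampleDeviceAuth = `{
  "device_code": "817c6cf8-0adc-4e61-bc58-5c6de63af808",
  "user_code": "RKNG-ZGXR",
  "verification_uri": "https://authn.masstack.com/v1/device",
  "verification_uri_complete": "https://authn.masstack.com/v1/device?user_code=RKNG-ZGXR",
  "qr_code": "data:image/png;base64,iVBORw0KGgo",
  "expires_in": 360,
  "interval": 60
}`

type deviceAuthResponse struct {
	DeviceCode              string `json:"device_code"`
	UserCode                string `json:"user_code"`
	VerificationURI         string `json:"verification_uri"`
	VerificationURIComplete string `json:"verification_uri_complete"`
	QRCode                  string `json:"qr_code"`
	ExpiresIn               int    `json:"expires_in"`
	Interval                *int   `json:"interval"` // pointer: an absent value must fall back to 5, not to 0
}

// DeviceGrant is what the device keeps while the user completes verification elsewhere.
type DeviceGrant struct {
	DeviceCode string // secret: goes only to the token endpoint, never on screen
	UserCode   string // shown to the user together with ShowURI or the QR code
	ShowURI    string
	Deadline   time.Time
	Interval   time.Duration
}

// ParseDeviceAuth validates the response the way a device client should before displaying anything.
func ParseDeviceAuth(body []byte, now time.Time) (DeviceGrant, error) {
	var r deviceAuthResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return DeviceGrant{}, err
	}
	if r.DeviceCode == "" || r.UserCode == "" || r.VerificationURI == "" || r.ExpiresIn <= 0 {
		return DeviceGrant{}, errors.New("device_code, user_code, verification_uri and expires_in are required")
	}
	interval := 5 // the default the table prescribes when the server sends no interval
	if r.Interval != nil {
		if *r.Interval < 1 {
			return DeviceGrant{}, errors.New("interval must be a positive number of seconds")
		}
		interval = *r.Interval
	}
	show := r.VerificationURI
	if r.VerificationURIComplete != "" {
		// The complete URI must carry this request's user_code, or the user would approve another request.
		u, err := url.Parse(r.VerificationURIComplete)
		if err != nil || u.Query().Get("user_code") != r.UserCode {
			return DeviceGrant{}, errors.New("verification_uri_complete does not carry this user_code")
		}
		show = r.VerificationURIComplete
	}
	if r.QRCode != "" && !strings.HasPrefix(r.QRCode, "data:image/png;base64,") {
		return DeviceGrant{}, errors.New("qr_code is not a base64 PNG data URI")
	}
	return DeviceGrant{DeviceCode: r.DeviceCode, UserCode: r.UserCode, ShowURI: show,
		Deadline: now.Add(time.Duration(r.ExpiresIn) * time.Second),
		Interval: time.Duration(interval) * time.Second}, nil
}

// NormalizeUserCode makes the comparison tolerant of case and separators, in the spirit of
// RFC 8628 section 6.1, for codes like RKNG-ZGXR that users type by hand.
func NormalizeUserCode(s string) string {
	var b strings.Builder
	for _, r := range strings.ToUpper(s) {
		if (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// PollSchedule lists the instants at which the device may poll the token endpoint:
// never closer together than interval, and not once the codes have expired.
func PollSchedule(g DeviceGrant, now time.Time) []time.Time {
	var ts []time.Time
	for t := now.Add(g.Interval); t.Before(g.Deadline); t = t.Add(g.Interval) {
		ts = append(ts, t)
	}
	return ts
}

func main() {
	now := time.Now()
	g, err := ParseDeviceAuth([]byte(sampleDeviceAuth), now)
	if err != nil {
		fmt.Println("reject:", err)
		return
	}
	fmt.Printf("show user: %s  (%s)\n", g.UserCode, g.ShowURI)
	fmt.Printf("%d polls allowed, %s apart, until %s\n", len(PollSchedule(g, now)), g.Interval, g.Deadline.Format(time.RFC3339))
	fmt.Println("typed 'rkng zgxr' matches:", NormalizeUserCode("rkng zgxr") == NormalizeUserCode(g.UserCode))
}
```

With the page's values (360 s lifetime, 60 s interval) the schedule allows five polls; a response without `interval` yields the 5-second default.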