OAuth 2.0 endpoints

Endpoints are the URLs through which OAuth clients communicate with the OAuth server (the authorization server) for an API protection definition.

All endpoints are accessed through URLs, and the syntax of each URL is specific to the purpose of the access.

If you are responsible for installing and configuring the appliance, you might find it helpful to be familiar with these endpoints and URLs.

API protection definitions

The endpoint URLs of an API protection definition follow the standard Advanced Access Control naming convention. The syntax is:
https://<hostname:port>/<junction>/sps/oauth/oauth20
For example:
https://server.oauth.com/mga/sps/oauth/oauth20
The following table describes the endpoints that are used in an API protection definition.
Notes:
  • There is only a single set of endpoints, regardless of how many API protection definitions exist.
  • Not all authorization grant types use all of the authorization, token, and clients manager endpoints in a single OAuth 2.0 flow. For example, the resource owner password credentials grant uses only the token endpoint.
Table 1. OAuth 2.0 endpoint definitions and URLs

Each entry lists the endpoint name, its description, and an example URL.

Authorization endpoint
The authorization URL where the resource owner grants the OAuth client authorization to access the protected resource.
Example: https://server.oauth.com/mga/sps/oauth/oauth20/authorize

Token endpoint
The token request URL where the OAuth client exchanges an authorization grant for an access token and an optional refresh token.
Example: https://server.oauth.com/mga/sps/oauth/oauth20/token

Clients manager endpoint
A URL where resource owners manage their trusted clients.

The resource owner can use the clients manager endpoint to view and modify the list of clients that are authorized to access the protected resource. The trusted clients manager shows the client name and the permitted scope of each authorized client.

Note: The list does not show clients that are disabled or deleted from the definition.

The resource owner can optionally remove a trusted client from the list. After the removal, the resource owner is prompted for consent again the next time that OAuth client attempts to access the protected resource.

Example: https://server.oauth.com/mga/sps/oauth/oauth20/clients

Session endpoint
A URL where an access_token can be exchanged for a web session. The client uses the endpoint to obtain an authenticated web session for the resource owner, typically in hybrid mobile application scenarios.

Note: The session endpoint is disabled by default and can be enabled by using advanced configuration.

The client must send a POST request with the access_token in the form-encoded body. Do not pass the token in the query string, where it would be recorded in server, proxy, and browser history logs.

POST /mga/sps/oauth/oauth20/session HTTP/1.1
Host: server.oauth.com
Content-Type: application/x-www-form-urlencoded

access_token=abc123...

Example: https://server.oauth.com/mga/sps/oauth/oauth20/session

Authorization grant management endpoint
A URL where a user can view their authorization grants, and the tokens and attributes of each authorization grant.

Example: https://server.oauth.com/mga/sps/mga/user/mgmt/html/device/device_selection.html

Logout endpoint
A URL where a session can be ended by revoking an access_token. The token must be provided in the Authorization header, or a session cookie must be used. Because the request carries a bearer token, it must be sent over HTTPS like the other endpoints.
Example: https://server.oauth.com/mga/sps/oauth/oauth20/logout

Introspect endpoint
A URL where an access_token can be inspected by an OAuth client. For more details, see OAuth introspection.

Note: The introspect endpoint is disabled by default and can be enabled by using the advanced configuration.

Example: https://server.oauth.com/mga/sps/oauth/oauth20/introspect

Revocation endpoint
A URL where OAuth tokens that were issued to a client can be revoked. For more details, see OAuth revocation endpoint.
Example: https://server.oauth.com/mga/sps/oauth/oauth20/revoke

Metadata endpoint
Returns the discovery metadata for one API protection definition. The final portion of the URL is a path parameter that is the name of your API protection definition. The default template file is:

<locale>/oauth20/metadata.json

If a custom template is needed for a particular definition, use:

<locale>/oauth20/<Your_API_Definition_Name>/metadata.json

Example metadata document (all endpoints, including jwks_uri, use https and share the issuer's host):

{
  "issuer": "https://mywebseal.com",
  "authorization_endpoint": "https://mywebseal.com/sps/oauth/oauth20/authorize",
  "token_endpoint": "https://mywebseal.com/sps/oauth/oauth20/token",
  "userinfo_endpoint": "https://mywebseal.com/sps/oauth/oauth20/userinfo",
  "jwks_uri": "https://mywebseal.com/sps/oauth/oauth20/jwks/testDef",
  "response_types_supported": ["token", "id_token", "token id_token", "code"],
  "response_modes_supported": ["fragment", "form_post"],
  "grant_types_supported": ["implicit", "password", "authorization_code"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "introspect_endpoint": "https://mywebseal.com/sps/oauth/oauth20/introspect",
  "revocation_endpoint": "https://mywebseal.com/sps/oauth/oauth20/revoke"
}

Example: https://server.oauth.com/mga/sps/oauth/oauth20/metadata/<Definition_Name>

Userinfo endpoint
The userinfo endpoint is an OAuth 2.0 protected resource that returns claims about the authenticated end user. The claims are normally represented as a JSON object that contains a name and value pair for each claim. For more information, see http://openid.net/specs/openid-connect-core-1_0.html#UserInfo

Example: https://server.oauth.com/mga/sps/oauth/oauth20/userinfo

JWKS URI
The URL of the JSON Web Key (JWK) Set document for the OpenID Provider. The document contains the signing key (or keys) that the Relying Party uses to validate signatures from the OpenID Provider. Optionally, the JWK Set can also contain the server's encryption key (or keys), which Relying Parties use to encrypt requests to the server.

Example: https://server.oauth.com/mga/sps/oauth/oauth20/jwks/<Definition_Name>
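The session endpoint exchange from Table 1, as an added example that is not part of this page or of the appliance: a loopback mock of the endpoint and the client call that exchanges an access_token for a web session. Only the path, the POST method and the form-encoded body come from the page. The mock's responses (405 for a GET, 415 for a non-form body, 401 for an unknown token), the token it accepts and the cookie name it sets are assumptions made for this example.

```python
"""Added example: loopback stand-in for the session endpoint plus a client.
The server class is a mock written for this page, not the appliance."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlencode

SESSION_PATH = "/mga/sps/oauth/oauth20/session"   # path from the page
VALID_TOKENS = {"abc123"}                          # constructed sample token (assumption)


class MockSessionEndpoint(BaseHTTPRequestHandler):
    """Models only the documented request shape and the checks around it."""

    def log_message(self, *args):   # keep the example quiet
        pass

    def _reply(self, status, headers=()):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        # A token in a query string ends up in access logs and Referer headers;
        # the documented call is a POST, so anything else is refused.
        self._reply(405, [("Allow", "POST")])

    def do_POST(self):
        if self.path != SESSION_PATH:
            return self._reply(404)
        ctype = self.headers.get("Content-Type", "")
        if not ctype.startswith("application/x-www-form-urlencoded"):
            return self._reply(415)
        length = int(self.headers.get("Content-Length", "0"))
        form = parse_qs(self.rfile.read(length).decode())
        token = form.get("access_token", [""])[0]
        if token not in VALID_TOKENS:
            return self._reply(401)
        # Cookie name and value are placeholders chosen for the mock.
        self._reply(200, [("Set-Cookie",
                           "PD-S-SESSION-ID=mock-session-1; Secure; HttpOnly; Path=/")])


def start_mock_server():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), MockSessionEndpoint)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def exchange_token_for_session(host, port, access_token, method="POST"):
    """Send the documented request; return (status, Set-Cookie header or None).
    Plain HTTP is used only because the peer is the loopback mock."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    body = urlencode({"access_token": access_token})
    if method == "POST":
        conn.request("POST", SESSION_PATH, body=body,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
    else:   # the wrong way: token in the URL
        conn.request("GET", f"{SESSION_PATH}?{body}")
    resp = conn.getresponse()
    resp.read()
    cookie = resp.getheader("Set-Cookie")
    conn.close()
    return resp.status, cookie


def demo():
    """Run the three exchanges against the mock and return their results."""
    srv = start_mock_server()
    host, port = srv.server_address
    try:
        return {
            "valid": exchange_token_for_session(host, port, "abc123"),
            "invalid": exchange_token_for_session(host, port, "wrong"),
            "get": exchange_token_for_session(host, port, "abc123", method="GET"),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Against the real appliance the client half is the only part you keep: point it at the junction host over HTTPS and read the session cookie from the response.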
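The metadata endpoint and the JWKS URI entries above describe what a Relying Party fetches before it can trust a definition; the following added example (not code from this page or the appliance) shows the checks a practitioner runs on both documents before using them. The metadata document is the page's example; the JWK Set, its kid value, the placeholder modulus and the ID token headers are constructed for this example and are not real keys or tokens. The final RS256 signature check with the selected key is left to a JWT library and is not implemented here.

```python
"""Added example: validate a definition's metadata document and select the
JWK an ID token header points at, refusing alg and kid tricks."""
import base64
import json
from urllib.parse import urlsplit

# The page's example metadata document, as fetched from .../metadata/<Definition_Name>.
METADATA_JSON = r'''{
  "issuer": "https://mywebseal.com",
  "authorization_endpoint": "https://mywebseal.com/sps/oauth/oauth20/authorize",
  "token_endpoint": "https://mywebseal.com/sps/oauth/oauth20/token",
  "userinfo_endpoint": "https://mywebseal.com/sps/oauth/oauth20/userinfo",
  "jwks_uri": "https://mywebseal.com/sps/oauth/oauth20/jwks/testDef",
  "response_types_supported": ["token", "id_token", "token id_token", "code"],
  "response_modes_supported": ["fragment", "form_post"],
  "grant_types_supported": ["implicit", "password", "authorization_code"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "introspect_endpoint": "https://mywebseal.com/sps/oauth/oauth20/introspect",
  "revocation_endpoint": "https://mywebseal.com/sps/oauth/oauth20/revoke"
}'''

# Constructed JWK Set: the kid is invented and "n" is a placeholder, not a usable modulus.
JWKS_JSON = r'''{"keys": [
  {"kty": "RSA", "use": "sig", "kid": "testDef-2024", "alg": "RS256",
   "n": "placeholder-modulus", "e": "AQAB"}
]}'''


def check_metadata(doc_text, expected_issuer):
    """Return a list of findings; an empty list means the document passed."""
    try:
        doc = json.loads(doc_text)
    except json.JSONDecodeError as exc:
        return [f"metadata is not valid JSON: {exc}"]
    findings = []
    issuer = doc.get("issuer", "")
    if issuer != expected_issuer:
        findings.append(f"issuer {issuer!r} does not match expected {expected_issuer!r}")
    issuer_host = urlsplit(issuer).netloc
    for key, value in doc.items():
        if not (key.endswith("_endpoint") or key == "jwks_uri"):
            continue
        parts = urlsplit(value)
        if parts.scheme != "https":          # a token or key fetched over http is exposed
            findings.append(f"{key} is not https: {value}")
        if parts.netloc != issuer_host:      # endpoints must belong to the issuer
            findings.append(f"{key} host {parts.netloc!r} differs from issuer host")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if not algs or "none" in algs:
        findings.append("id_token_signing_alg_values_supported must list real algorithms, not 'none'")
    return findings


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def select_signing_key(id_token, jwks_text, metadata_text):
    """Return the JWK for the token's kid, or raise ValueError if the token must be rejected.
    The alg is taken from the metadata, never trusted from the token header alone."""
    header = json.loads(_b64url_decode(id_token.split(".")[0]))
    allowed = json.loads(metadata_text).get("id_token_signing_alg_values_supported", [])
    alg = header.get("alg")
    if alg not in allowed:                   # rejects "none" and HS256 downgrades
        raise ValueError(f"alg {alg!r} not in metadata's supported list {allowed}")
    kid = header.get("kid")
    for jwk in json.loads(jwks_text)["keys"]:
        if (jwk.get("kid") == kid and jwk.get("use", "sig") == "sig"
                and jwk.get("alg", alg) == alg):
            return jwk
    raise ValueError(f"no signing key with kid {kid!r} in JWK Set")


def make_header(alg, kid):
    """Constructed ID token carrying only a header; payload and signature are dummies."""
    raw = json.dumps({"alg": alg, "kid": kid}).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode() + ".e30.sig"


if __name__ == "__main__":
    print(check_metadata(METADATA_JSON, "https://mywebseal.com"))
    print(select_signing_key(make_header("RS256", "testDef-2024"), JWKS_JSON, METADATA_JSON))
```

The expected_issuer passed to check_metadata is the issuer you configured for the Relying Party, so a metadata document served from the wrong definition or the wrong host is caught before any of its endpoints are used.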