search

Authorize

circle-info

This page must be considered part of the iSHARE Framework

This page is considered normative and is therefore compliant with RFC 2119.

circle-info

Note

Since request objectarrow-up-right is too large for GET requests only POST method should be supported.

circle-info

Note

According to RFC 6749arrow-up-right, scopes are case-sensitive.

hashtag
Redirect human service consumer for authentication

post
/[v2.1.1]/connect/authorize

OpenID Connect endpoint for redirecting Human Service Consumer for authentication by the Identity Provider. Server response is directed to the /service_provider/openid_connect1.0/return endpoint.

Header parameters
Content-TypestringRequired

Defines request body content type. MUST be equal to application/x-www-form-urlencoded.

Example: x-www-form-urlencoded
Body
response_typestringRequired

OAuth 2.0 Response Type. For iSHARE using the Authorization Code Flow, with value code id_token is REQUIRED. MUST be identical to the response_type value in the request JWT.

Example: code id_token
scopestringRequired

OAuth 2.0 scope for OpenID Connect 1.0. The scope parameter MUST contain atleast the openid and the iSHARE scope values. In addition to that it MAY also contain one or more scopes identifying the attributes from the Human Service Consumer that are requested (depending on the OpenID implementation of the Identity Provider). The iSHARE scope contains the minimal information required for authorisations. The scope parameter MUST be identical to the scope value in the body parameter of the /authorize request.

Example: openid iSHARE
client_idstringRequired

OpenID Connect 1.0 client ID. Used in iSHARE for all client identification for OAuth/OpenID Connect. MUST contain a valid party identifier. MUST be identical to the client_id value in the request JWT.

Example: did:ishare:EU.NL.NTRNL-10000001
requeststringRequired

OpenID Connect 1.0 JWT request parameter containing all request parameters. See also Generic iSHARE JWT specifications for a.o. basic content and signing requirements. Additionally the signed JWT MUST be encrypted as a JWE as a user can access this JWT itself and decode the data contained therein.

Example: eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0NNIn0.Nuh5_NlmJRUtZKQYn_CLSxIYbyRwaegXZYBl4szaLUDnFIYG1m7jOpqCHmkFVb06Kq4Ir5we1_A9tXaww0c_CfMMTM8PPnV-z6hyNKhyXcdeXi0ywg9yLMWuBglHN4KjeeTzo-2earBq_KebvIearLPL3JtEcZKKU-LIpVmI2Ohcp8UARhVnCgLNn5OEnoI-w_kZGcqFnZK8omJjef1TySXZ8O57ZcH7xX_uOjtW6poootk8hD-1Ga88fkL8_q1CaveNpgbvy_yg9VvC3V9R3lvkJa8BTAhjoEhg5iB5UJeqft1RG3zlaiHOuLSGNEMejcRzTjHr0YS7OFVe--1fsn3GkEReoaoK-eBGy51PsKcZI8DEzq5K2zalmYUE1eDUKBMtwVTJrOOZHhrrRn-j8Irjx3_tUcHnhX04j9u913tlQZTQ42xa88-DDvYir3gyK5OxKYkxzR2E-aOD8IPzZDn5uEFuA0-RwfFTa_g9F9dzADpKMFzCgzWJDfFRBvY-y8_ZFuzgM-Om-5qRYG3p4I9aKCWcVf5MhcNW-arXi41wJS0H2mujqGSHZjJUpBvfXJ7M4-DqRU5WtKTS2qteTkMBd7IDjttQ1F4nULcw4MTihjlmYIREUJXHuAI98a9EbUJ1BSzfXsKYGpphtH8hcCvQIkD6UA89vhSrAnlh_0s.Gwv1eQtS4gZi78wm.XLttIUHGr5FKtxhK1tg6E1SxPgk7EZ1gYaZ2FRuea99bKPla3LVbvrdLIf1D_Ys_s7YcKW-kgTq47gTpCfEqOkvOXpjS-r0FGOyN3Gd2JBrmcxEgoBjzQyLMQCw7BrB8GmyCubwvfIW3tNPSbRkwZHwNpc59yFycIp_3e5-T_RZkS7OpH2bQ0aQyloE89UWzyAnJGkaQZOBCGCxV6CZlko02vNyAal5D9J2RNyGDwy0KKGeal87bIOEkGwS87ElyyNYUr6xZj1D4Q8A35mMwvxEN93lr_8e5GrFP4XH3Xx0gGP-A7dqKiWi5GzFIVLwNlAB0EKPHalkx9swhBoRplDvhKL8MBB93m_ReIgCVyfegBDERAkIDIF1ufd8IcVuX99_76TQr_9-MEWXsFdP4OrlS2Zd5QRZg6vJVh9CBy8xvq52ABD0wWqvXUw2kzvRMbUEgHMXcEHXJuAWj7RwdhuUDx-PhDzRgGvl3jxXqsQ8-ELUAhXJGFH4WWbxiEAFkxYszMp1xxCytKmi-e8CFaOTAeeOtyXqVJccuuVnee9cqWj-4ddyBEC_DtqOzpBWjNJVfibZwXphfeAcoQwRuzw1mKYM8t35HWOEK4F0Y8GiyWRyjSmvb7q-52-k6nDwsWVR1V--XjnfmFjL2AKNAGtZ-VWujJG_hXNO50XMVvoLjhyNEv-R2w9pKIzAJgOEEVUCK9LDdsXhqXrhSP6x9pQj2CoAh9nj2lKAq83z5RSvpWukxo-ROoASXX8RjCNo-zaimTfcI8XERM0pj93NPU4P2bquYQ9LgBkz4HouiWe8Zp-6tKwLMCw_o5iOWekU6fy4DeySCWRBhaawnPgnCnAAGO5w_sE01llyzzLrA46rAzA9k_2QKrPe213Wz7mFTG5gmZqnDknaA4zXXTCP2xwWpTh1pbyEMk9UxgSQUxlDT5HdOpSUMG4l5k6kKEdnQDMCx2E5TBWI6bxp2q1WTwt16k6qZigfgFPjvK0YFxcE3Yq0OkI0TJZMjSQ0CnVKvcHriizM5abIDQwwKxpLAkQ3gJl837vNaJfzIh47gfg7q1BOr0NAcmYyEDPghI3SgItrCqS0NJDWjVw6tZeH5MP7n8uxklf8wCzyUX2TzKwNV_xLk7A5sqKvLActLzW14KfgPSjfOKE9YBdzx3LbII3zwIs3tOcRNaAxPiARI5tYTXfVJuGCHjqlGTa7HoGfWSx8dhG7Py1kfWOfukHtwS1UmQuPsPrvBlA8ZRzn52wHnNgP1IOpBDQAPw7r57EKgEqRXHQc5EzdEEgIAInaNxySMkbSVKVYhcamvkWtowjzRvuq1IHhQYbEDOb4yHAu2w3ODqourlDHRblO3kS3w0a2ei5mhdjTdM1dKlpuuoBJKTIknI2hSBSGtq_V4RrSxL6UUYIGUtOy2gNB_wSyeqc65GoKKi_iBQRTmxpAId3EoG3PIUZ03EJGAZkhs_Q3RU_EyFco3MJbbu4i3fmPZNdrYClMlCJrwqo--hiKtkBrSnbP19oEKIJ5d-fN8YpaVA7UpdaMZnhUMeDjs-_fkDDWmHnWkC43iZ_tT2u5HCGGkVcTSIF932XqNORadCk1r9aPbnU1AlnAa4BWwQzebVPv7SXXKdTquLCbLZeWBWLlydmXx7A1YKExoHDvEd5hzUdU4dRNobkp5ETyyi8EMPswkcMJ9cDRCOnOxrlqTa7AmNZqvB1y8KsCVQlAB69KlpjQzjKytb2-NqbgLmx_HZJl6-g28rBWuefWIrkmZ58rSSxv88K50xtFRH27R_1uO3jS-P0e33q5iWS9RnMigO3cp4m5oABw7J0jbW3UIFfR8ZbOYnbSfz0Mc57ZQHk55a9iFwpEVhU8sPnoc4CsMz9inUhucMkaqi5e5lhiRk9dGkvMBIs-1XI2MREi0ZBLNFc8Yjyxrj-3rM6AKMux3mNSZ95NN9m5Lzp4R9gfcKyUEac-JZ3ECE38iUuMxjewZ5534ZhbZCh5FpSSn0vnvAp-eAWYZ5QGcldQ9kfBfkrGkY5mgTnyELDO-LNW6n80q6hoLErSnvIAzt5gEMFGLvhYUUklfekhA30MwFXnFgRw6qeOmzgOwVUkFRca2E_0zyYvi5f2P-EPhoWfrKpoNAxdjFiVUS7irxBd-FjrKSZEbHAvEhcWmnachdRMYlCA6HhnxUA5dP3SkzFQEK6cLY_XoW6T55xupL40nKxg1sEbl4kHN2Ln-HPvJ78D32W8DVZwk60oIbF-sgsOLnga99UViVa1-Zl7ofZ-7nbLR52OiShHbm12Js2aiHMMsIxI-pP1DfDMLy3Ncf3TugpWjh-bufWeQUldSWX0d5OzXzBzwkKF4QhWdRNsIYdr7MeBDi57SKZ9M52fVXvN7KqVKAJkJmCejBAQ9ppijMCAzuiuxkfgVX1LJBkbUPpgiIhnvVh59szYb8OIS66pfYUWD7NtIQ9e9XdKuBBgLhhZxdSDmKsCjY6coQyT51Vr9Kwyg9Hmy_4BlDHcplQZKgsjGLBzvYYzZv4JL8pRBMc3p7-EkhxgZNCbGBgPJyIixLWL0ZbkR6THoCwTp76UPUYQxefK0VJOH4m-7C9ZPnnFDQwmHOiT0MwjvFflnb1_FRlEuoQRAJdEnUysFYwbITVoB0R5FPqV4J9379JwELFEtGHdHvFgxK-6YywP5-VTnva_cFWbHm7E15B_IFfVOHedlJzfoGHYMPAI7auR9b4E-2zSYsSKkT14mdoVI63toaYZKZ6oZNAvwNLvi7M7D1ulHi0tA8UcM80Jkl4PD3KYZ6pziNhC8tenPlTfs-Ilj19UjyyyF3fxgAek1GOPq61RwTZseU5NsYuaRaVfRpxxBy9kcrwiyA_5YeR9jln9_N0HzJLHo96e40gwlEBzBbJuAHzKR_EwvtH9scct6eGIon9-85qQ3uy99HlMQmYYcoHVWDJNpDlJxkGLUJR_GlQRiZ9pypGyLVME68YCVncWBaPjR_MGek9TvHsmFU1kaevKeVtbl5veX_6j6_nf8UgQaTQseVurcHAyW-dITLUOQv_vn-K90LIT2MADLl-j9AIoW5mjUKINRTbdmAxBFDYa9-xw7gt-jRpqZQCNfOPGVKGpvvt43a8Y81AAB9hBCCy4xYMZbMuIDrMM6CxlBX22P2GwCGJeCgGOL8DZnoqCm3tTyCOTB_-lhzZ-lMFnVf1s7TTBdDag2SVpKZQC2X9cMjga3clLIWxd30rzyQiLIt4fsOWZ0garIMOJ99ZkAX83dJDlpTqR3Fz_RG99xEzghoYjEv1MdLK5fPcBK5KqUbeVu9P3hKdk9qxAtWEyH4vsnACH5jncFpcFftsQ5YlbJTGRlLoyxK7GIWG_0SciyUb9xPPmP17jveoadK4mwN-TJLHFc3F2hnqV72z0x2VreWODuG3801rpsZgEysp-Fj-8Tw9aiX4R0Tim3XgXIhb4mwhMLSAuXsLShaoisz_RK62Drjdhobg1zduid-ZLJ5Nc_FlGZDsH3znVMmWTYFikhz78BxgTGM3wkwOTB8MfZ0BjPbvw4ClFcLEt26w-ikwot52t5lYUT7EgRVySVh0dx3ilgJ0VLGx0snP_TwqaJOx0rO9WHZ4BEoJQSmWwvxIrAhbn9TBc3l58z9-9AcZMhWjveb5ZoMzhRz8lKcQYo7fCUfB-oFXungcIuTrijeu8WXLKai2BQZV-VOdZ296_mpb0RURksux8QsjG21Ac-t8dp2tzsEQNmuiYIrwEBLb1TEUJcxRVWCJKfOcx9nopNrnui9DZouIK5Vi5L_sAE05p_P3fN0ZBQ0WrrUwU9dY1CK14GP_hLhA2ND42VwOXMrOR3dP8o6b5kd7m2ARXvVJZTxKyv-641tTNkQpou6lTKkh6J-pGGtocYJxcSoP-foILQJFEaDgBS3S7ruVXfi8hAV3C5Bj39vYkk0mecbXL3WEMiuUNXOHcTx-p0N80WJ--sl9-2bVcnhxF_MRGsprJrobaJP66tEj5mTo6uMRmoglwHepbY20KA3RLF-353N13dt-Bge-Xz2TnS43wE1K-vBQE-2X10kg57XnBtOcGMFL5E6WMa9deMRhQvcLavokpt7m3-p4IWixNO1zPGLsSYBf3g0p66grMQVGYLe38ZAa4RXudevbGp-72d4bEIkY_S0ekXYi-BDe7MAP8ntoQG76LW9rHlmcWWtcQf4J-PL7dGZGEk5x834CcFWTbmRcyr1zpgrUqGa1Y9v1iHXxiuG4PJ1eNGImRDfSHHgjhNqgeKQZr4JOra3d61bdA7j0urgcDF8J0ArUQHZuJ8znhxtepRkSEaMVqgrUhS-T6eYWYfe0FCGx8UHhlsZmMiYMXzj8RVPtYH1mDqq-kukGnefr7Maz2XHCLR4XjkD0Wq8y-jzk92dtqQoc1U57GOf9S8WlzXfwO3_KgcF565YR01sluJ1Gob0lRS4wl98MTJTF-8f9j6zG-EyOCOkVDJib4ExXRpSK284GV6BqQlktgMawW4b6PtnNwwaDiQ_rXyVyFOuzvlNqZDdFlAqBOKeqxckkGgQKuQpK_o25cfLiEIx46pIzzXrgk41gfSTsemFU1SHu7qYrUlr414xwBzONsRBsvyJ5fNjhoDv14y--LG5ewOLVrLwPjqC7xI0YDjmB82A7BEo4Tf9ZnBbWq_HsEKVk639Rfj3hkxs9wIU1sSIv2K5NOiU7N0jXaEIMh03HD79qgF9ax8g_3PLcpCCNPtxa2jZ27UCT2q65KQkUC1P2z1jwW3PaUH0BFeg3_kZT2Bx5YGOLhF2v3pS4tBtYSnMPDzeDUIFByw0U-6FDMaC4d_-ysXvDRmc7WObZsspPIMd0gyp7rtDAv4y8FDMMBbLMyC2tgzUpiUC9KBQU_RcOxb6lTaeh25TENrB-LS69U9qDC9FTNV6VP8o86ay35QkjDvFCH4cwZE96pZLv4VEv7m40Un9RchJdF-MQfkfbBRWhDi3vb--STSOrZ9nSBRenBkpIQNXGr-c-_X3xMVgZppI0uDPfsbcZVow3XLka4tmhWTPAFN_yU7_RfDrcJrfsfoJs3hsg8zM6-WyNYAZ9mnfn2ltTi8SzvyXyOOLP3raQfV_BxTxRCpG_Kbp5k1CbSGPcwBL13J3OHJgBTB6fdhyzr9hBjKicqoXTm1p9tQ0CSyVwzyyayuM7YnEzgc72Mg6HmEFb4lzRJaRs468IeSGie4HwqNmNDbvtgGHi_E2atYplBYcvPVdqgLbJqw1jjsU6HFfAmcU48YJQFIN98ycSOZUykmfEad5IVwGbbvO0MAcDOtoV43glHGTJSX9QdQzfrAB5dWrg9LW1fvFDmwMa6byPmYqbWCXSrOXdfy4lhCuXktZxhzrgQ5vE0qG3yaPf10ZbvOxoz8Aiy0FMKtJSdey_kXDbdpZA3-T66mgoTboqK_e09sZ5f2vCNICtXGUFmRtjP64OQNMnZWl-OuO3IFaS0nlZDjcCeSQxZ0pB2qi-AOnMjWrXXpxlpGr4IGkc4UO8IteUMfSysQVZ1bdrzxUj4YsDvahL4U6i_99r7Y71XsglxbxN9LSWyMiKFAwh4U2vrlNoLI2TA5prjAExkxXhnftHBONuZv7R_8MYIi7tJUxSuGJSckKC77E27lIXc4EB47W38w4mIiGdK4FwC-agC2OjlPs54aPA7FW0UbLFul8IqeJAME4S_XmrNlF4jyDgL9Km4NbWxKor25x_iflFnq4RahSm8lc0PJCMxD8UHlo4dkgzQTfEY8EBh3Vk4rACLdf5R8MQMvVxhN3dd5i08dkpurKKXrLvYy7Agpbr_AwxvzeLYGJyp41is8b0sCemP1EDhxflCeJS9vf9uYnXE-fIQpqYX3kXOkd9Dg-uKZzV8dlcY-14jCF-MSbY1Qn7e2EvFBP6L8J3qasdFW71hRSsS3CyusCr1XEk_r1YiZyL0zzALBcWaNKT-xCsNfT3SNZqCI5a4M0sislieipZdImFjvi4HaJ7hsx8fS1KMXQ6B6iCYnwQVw_BMhJ4YDAkhKgRV-BXgWd7DobjqIEOqshHix7yulYrxmEy9EKPu1otswITUUxBlgH9TsoUd9FpZVEwE7VmXxHL2ELY7-xPb7Q94M69jGVCOGyyuVtEENhsI4R17bzAo1YQoT0K_-Sd8EWdsVxt83YVijIAoK_P-xy7sOwFkDtCtJzN-H5YZ12Fl3d3DSam_iwON8Lb9sa3MszCCJGZAsAssIPfXQvGEzohQZQmwsd759Rcv5okGzbZFCn0oj-9X67TEA5cpzgp3_hvdicpa5A0qtosnb1GlEbwNcYZu56WWOT2ElQ_6nBudf6B9rPi2tqytqe7z7QRkPyHnu-_F3kusWpIiyMzPJiPexDZXnqNTe3NPwwpqXjvz3HjWXZaWLtkA4lUJYK7rqs7E47bRXr8BHi07TtVrgX038HZ660FJzhTUBr8yvLs_pl8Lo5qDfTfdC4tAHMQjLH4PG7y6DnEjeqnzdbMV7MfFfx8-V4KCWKB3qfYlOSbadelrQDYO4MtnSRBw5TWEdIZhwhH7qxwKkQ_rw7Xbaeici5ETByGKJc7QZC6mjTtYAoXTyKf7gfRibLfTQuo3NRJdDUmITWiPDLVBMMINR3z-tGWD42BD8_inv8TKivcwPKGRT-mWPqJoEBkmyOpufiC9oLzG-vI39IwSInYauR6COHpg9csjB_YC82ZjvfPCzFabCvD6EDYRZa46d0DiXnxWHiAHqXaNrvuwT4i18cpCbN1yV9x9m3g3GDmTXgvIcXEgIrspdcyFukIQN5515VCuiVAFWJFNAr0y3JuaEd5kQAqXkX6QyRuFhKUJElY1CUVuGRkmqyjZ7iNOsJvQCxNr244cGXIAMTgyq82rs2xBE1KtqylNT1ZFGrjPEOjcPARTzagTbtLehoLoslaVCJeDjcmNO6BJLtuDzk6b9qjCBNDYSkfxQZ7q-4vPVNhCXlOggY8Scw8Q9T34xklVLeT_peC767-Eu6NpmOvegC0qczwlH0ePK-2OvIjGUE6fO7AvXfsNvJqYMnYj89IdFQj833VyCttn0jYF3Va346U96TnWxsp3LGtcc3gxoAitia84z2C1-CDcISHWakiAifqOBtDc7szLPf6_FAfLpRoj_8Ovz3kKe5gxyuc5FHBtb5K8eoNC4IuMymn0FiEiM0Tx_YXc-0Iur3PJJrvHX_Fu8uB8BVYNs5ZFd9m_-w0f5BiknvNVQnwpGrIQg1jv4iFg7hg4QA63cnyFq3pRsLoyXEb02AqUvkCBly00Wnt2vN_lt5Ee0SQryxX8oEeoMxUTvnhNTMhDwz02xzjOMSwrssUC7LRV8Ew-tlj_M3UTBm0VT0u1D5yntCOHfTPUsNxPv3pwtwMr4obNIFbQP_nHS8HBQ3MLNSwWLSggo1SeOPUsVN2Fp53EGiTl-2F4WQ3sWGzlUmrKHJc2iUjdUBX6e0U9VISiO2CikTi9pqS8_-YkCkqy9jl9XAL6mg7qcGiAOcfvmFUhuOXj01GB8aKMoGEEDYeKtNhEtoHB0sLybpjwc0z4ltptcQR4qJTJf8kIviFJ0-2sntLwdQki9vZ2UmfLpKwGvJNbnVU2Ko_XTl0VRdTBM5qyPCBzUIIvgaMIKNgVfsSIBNStt8wZnXt2mKHBxaNZEo28FRp0hebSkshcuQ-XWi9E2HwE3JmN1At6DSreac4XeJDXbRaHNtfC3-eKGJizTFhowRzxTLQ207UHzvsD2iBFOIRFf8RN5Ci5E4_zszTWeXaJ2Cn0fcS5FF49oNvN8C-yo9YZYz1GnnX5x3TKqJ7XdgyYalUW4UICk_ZoDIrVjnrGH_oVQ_I1VfIcUuOtqROko4spCJXZVIbm1haLgxjGd2oESj0T6Jn2ov1pc0yKzmcowKxT0UcjMa13z1ewvTJNfOGr9BMMrlVk9pr67GavgYwYyn9MAjt1UPmwwNVFC8-XnVljUz10IK1-logfjm7wz_kU6j9xb8sQcuE3SyIat50XcRNDZ7e5OdXLVRW9obvuKJqOrr4b_C-LO0bPZWP9equvEoCsulfE7XiS2SKWAwBboQeNYBkBVBAhqZ5NoQXpdl5DUeBjZC2MLWWojQSXAZUGIZNFJoidyrZQ_RsR_sPTHCE90TQacqTqKMqolLDCmmZVcig62CsBar15ojju_L4H_4EqwaAlclE7sOiTASQgTxkomvG3CWz1-81E6xvr3hbGwcNztP7Q_jEYaDtrJaNPSaYWTrmI7OuiuFkpQcMwxqnnoGQ_l1cMHlrKuaXswW645wpwppGLYLKFYdItr3bkhQ6_a0WBtLtCjraZuxXZUMdrLqvpdTHglB0DRrGZ6OcTLW6bbhtZYMFrZ2Vsjt_8dza94LeS1e1Kt0E3RkfRqPSx2bg-XV4OMbzyIniq2vK7vZn0zJFfYoyMj3IruJM-9HcNW2RJMJ-6w4zKo8u5haTCdOaMABLb6so0Ogd6m2w4cvpZunGvuVQXcn-6pkNamXlyW2OuUOEn1ILmlHMrHZCPcUXzBomIhUzvgTtO_1KV6hdgETb6uuYHKvKMEa7E97toEfci4gYHJUKqZ1osef9LUeQ9OzwGpX14zhyiaU7Ee7e1xc-wyllyzvym9cDYLhTgk8C0sc1ibZBEScwh8q2T2Fm7h00fDO0kb1fcsoNiu3B_9PxHYHoX03tbTb-pbdCMqt8WzjvrCWxlW_xeUOvbSP6B5KEMghtOB7mOMAlZysYelYee5saKfb5HoOlZ3xk-XhHiSzH1J-IU3V0Q5N3C7QFYFEbOIcOOvMEDQeJB2w04Kges856YMnZZ4BoqSkvUVvlrnghUQVGoPYoo0036HAyScMxvvXtOOK5s6wR6EgVba7GqTuUI5tq89-ZJjVAqeM7o5zVgqba8wk-oEzpb09ZVtdpXDnPIRJ8Gii0fv06Hm6n8pc9-b4TsjiKY7ZgDIbNtsqg_m3gnEom5PLQpOf6uns1WlvZ8SDZq1g6b_wCH3GibvskuC9Cw9Qi24Ng.jhXt3g-QUqeibO6LdVRpzw
Responses
chevron-right
200

OK

application/json
codestringRequired
statestringRequired
post
/[v2.1.1]/connect/authorize
200

OK

hashtag
Request

hashtag
Request Parameter JWT

This parameter is an iSHARE compliant JWT, with additional parameters within this token. The request JWT contains the modified sub parameter and the following additional parameters:

  • sub String. This parameter overrides iSHARE compliant JWT payload. A URN specifying subject for this authorization request. Since ID or pseudonym of the user is not known upfront, urn:TBD value should be used (TBD means To Be Determined). In response, a pseudonym of the user MUST be returned by the Identity Provider.

  • response_type String. OAuth 2.0 Response Type. In order to use the Authorization Code Flow in iSHARE, value code is REQUIRED. MUST be identical to the response_type value in the body parameter of the /authorize request.

  • client_id String. OpenID Connect 1.0 client ID. Used in iSHARE for all client identification for OAuth/OpenID Connect. MUST contain a valid iSHARE identifier. MUST be identical to the client_id value in the body parameter of the /authorize request.

  • scope String. OAuth 2.0 scope for OpenID Connect 1.0. The scope parameter MUST contain at last the openid and the iSHARE scope values. In addition to that it and MAY also contain one or more scopes identifying the attributes from the Human Service Consumer that are requested (depending on the OpenID implementation of the Identity Provider). The iSHARE scope contains the minimal information required for authorisations. The scope parameter MUST be identical to the scope value in the body parameter of the /authorize request. MUST be identical to the scope value in the body parameter of the /authorize request.

  • redirect_uri String. OpenID Connect 1.0 redirection URI to which the response will be sent. Note that by transporting the redirect_uri in a signed and encrypted JWT, security considerations regarding un-pre-registered redirect_uri’s are properly addressed.

  • state String. OpenID Connect 1.0 opaque value used to maintain state between the request and the callback. The client application needs to verify if the sent value is equal to the value which comes back from IdP /authorize endpoint response.

  • nonce String. OpenID Connect 1.0 value used to associate a client session with an ID Token. The client application needs to verify if the sent value is equal to the value which comes back from IdP /token endpoint response.

  • acr_values String. OpenID Connect 1.0 authentication context class reference value. Space-separated string that specifies the acr values that the Identity Provider is being requested to use for processing this request, with the values appearing in order of preference. MUST either contain urn:http://eidas.europa.eu/LoA/NotNotified/low, urn:http://eidas.europa.eu/LoA/NotNotified/substantial or urn:http://eidas.europa.eu/LoA/NotNotified/high, depending on the quality of the authentication method. To understand authentication requirements for each level of assurance, please look at LOA table.

  • language String. Optional. iSHARE specific two-letter indicator (ISO 639-1 Code) that guides the language of the user interface shown by the Identity Broker or Identity Provider. If provided must display login page according to provided language, else should display default page.

Example

hashtag
Levels of Assurance

Level of Assurance

Authentication assurance

Low

  • Single factor, e.g. username and password

Substantial

  • Multi-factor, e.g. mobile phone + PIN

High

  • Multi-factor, e.g. mobile phone + PIN

  • Must access private data/keys stored on tamper-resistant hardware token

  • Cryptographic protection of personally identifying information (PII)

hashtag
Example

circle-check

Tip

request parameter is encrypted, so you won’t be able to inspect its payload. However, if you’d like to see JWT payload please refer to the section.

(URL encoding removed, and line breaks added for readability)

hashtag
Response

hashtag
HTTP status codes

hashtag
302 Found

hashtag
Parameters

  • returnUrl On successful request a redirection to login should happen. Once user has logged in, callback to authorize endpoint needs to be done in order to issue a code to Service Provider. This parameter value should be an encoded URL to the callback endpoint.

circle-exclamation

Warning

Authorize callback endpoint usually requires the same parameters that were sent towards authorize endpoint in order to identify which request was that. Signed and encrypted JWT is too long and MUST NOT be included into returnUrl.

hashtag
302 Found Example

(URL encoding removed, and line break added for readability)

hashtag
Callback

On successful login callback towards authorize endpoint is invoked. It’s out of iSHARE’s scope to document Identity Provider’s internal functionality. However there still are a few requirements because Service Provider’s return endpoint expects a specific call.

On successful callback Identity Provider should redirect user to URI which was provided in a request JWT payload redirect_uri parameter with added query parameters that are defined in a section below.

hashtag
Parameters

  • code Authorization code which is going to be used to request for an access token. The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code. The authorization code is bound to the client identifier and redirection URI.

  • state OpenID Connect 1.0 opaque value used to maintain state between the request and the callback. The client application needs to verify if the sent value is equal to this returned value.

hashtag
302 Found Example

PreviousGetting startedNextLogin

Last updated