This proxy provides the ability to authenticate with a SAML identity federation from a native mobile application.
The proxy has an OpenID Connect frontend and a SAML2 backend. The frontend acts as an OpenID Connect Provider (OP) and accepts requests from OpenID Connect Relying Parties. The backend acts as a SAML2 Service Provider.
The OP supports the Authorization Code Flow.
Get the endpoints and the capabilities of the OP
GET https://apptest.skolfederation.se/.well-known/openid-configuration HTTP/1.1
Host: apptest.skolfederation.se
Example request that would be sent by the User Agent to the Authorization Server
GET https://apptest.skolfederation.se/Saml2/OIDC/authorization?
    scope=openid
    &response_type=code
    &client_id=7ueo1swctdtc
    &redirect_uri=se.skolfederation.7ueo1swctdtc%3A%2F%2Flocalhost
    &state=b34ge6c2efe18do
    &nonce=e62gr1vz7e46tl HTTP/1.1
Host: apptest.skolfederation.se
scope: the openid scope value, which may be combined with others.

Example Token Request that would be sent by the Client to the Authorization Server
POST https://apptest.skolfederation.se/OIDC/token HTTP/1.1
Host: apptest.skolfederation.se
Content-Type: application/x-www-form-urlencoded

client_id=7ueo1swctdtc
&grant_type=authorization_code
&code=fglxlhtyfQwYbYS6WxSbIA
&redirect_uri=se.skolfederation.7ueo1swctdtc%3A%2F%2Flocalhost
Example Refresh Request that would be sent by the Client to the Authorization Server
POST https://apptest.skolfederation.se/Saml2/OIDC/token HTTP/1.1
Host: apptest.skolfederation.se
Content-Type: application/x-www-form-urlencoded

client_id=7ueo1swctdtc
&grant_type=refresh_token
&refresh_token=96f5d26d9aa74175b
&scope=openid
Example of a UserInfo Request that would be sent by the Client to the Authorization Server
GET https://apptest.skolfederation.se/OIDC/userinfo HTTP/1.1
Host: apptest.skolfederation.se
Authorization: Bearer 2fde563078f04f2

Authorization header: the Access Token MUST be sent as a Bearer Token.
Example of an Introspection Request that would be sent by the Resource Service to the Authorization Server. The Resource Service must be registered as a Client with the grant_type set to client_credentials.
POST https://apptest.skolfederation.se/OIDC/introspection HTTP/1.1
Host: apptest.skolfederation.se
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

token=2fde563078f04f2&token_type_hint=access_token
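The client-side half of the flow above (authorization request, callback handling, token, refresh and UserInfo requests) together with the Resource Service's introspection request, as an added Python example; it is not code from the proxy or from Skolfederation. It only builds and checks the messages, so it runs offline. The endpoint constants are copied from this page's examples, and a real client should take them from the discovery document instead; the credentials in the introspection helper are supplied by the caller. The `state` comparison in `parse_callback` is what binds the callback to the session that started the request, and it uses `hmac.compare_digest` so a wrong value is rejected without a timing side channel.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoints as shown in this page's examples. Assumption: a real client reads
# these from /.well-known/openid-configuration rather than hard-coding them.
AUTHORIZATION_ENDPOINT = "https://apptest.skolfederation.se/Saml2/OIDC/authorization"
TOKEN_ENDPOINT = "https://apptest.skolfederation.se/OIDC/token"
USERINFO_ENDPOINT = "https://apptest.skolfederation.se/OIDC/userinfo"
INTROSPECTION_ENDPOINT = "https://apptest.skolfederation.se/OIDC/introspection"


def new_session_values() -> dict:
    """Fresh, unguessable state (CSRF binding) and nonce (ID Token replay binding).
    Both must be stored with the session so the responses can be checked later."""
    return {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}


def build_authorization_url(client_id: str, redirect_uri: str, state: str, nonce: str) -> str:
    """Authorization request for the Authorization Code Flow (scope must include openid)."""
    params = {"scope": "openid", "response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state, "nonce": nonce}
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the custom-scheme redirect the app receives,
    refusing any response whose state does not match the session that started the flow."""
    query = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: response is not bound to this session")
    if "error" in query:
        raise ValueError("authorization failed: %s" % query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(client_id: str, code: str, redirect_uri: str) -> str:
    """Form body for the token endpoint; redirect_uri must repeat the one sent before."""
    return urlencode({"client_id": client_id, "grant_type": "authorization_code",
                      "code": code, "redirect_uri": redirect_uri})


def build_refresh_request(client_id: str, refresh_token: str) -> str:
    """Form body for refreshing with the refresh_token grant."""
    return urlencode({"client_id": client_id, "grant_type": "refresh_token",
                      "refresh_token": refresh_token, "scope": "openid"})


def build_userinfo_headers(access_token: str) -> dict:
    """The Access Token is sent to the UserInfo endpoint as a Bearer token."""
    return {"Authorization": "Bearer " + access_token}


def build_introspection_request(rs_client_id: str, rs_client_secret: str, token: str):
    """Headers and body of the Resource Service's introspection request, authenticated
    with HTTP Basic using the credentials of its client_credentials registration."""
    creds = base64.b64encode(("%s:%s" % (rs_client_id, rs_client_secret)).encode("utf-8"))
    headers = {"Authorization": "Basic " + creds.decode("ascii"),
               "Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return headers, body


if __name__ == "__main__":
    session = new_session_values()
    print(build_authorization_url("7ueo1swctdtc", "se.skolfederation.7ueo1swctdtc://localhost",
                                  session["state"], session["nonce"]))
```

Fed the values from this page's examples, `build_authorization_url` and `build_token_request` reproduce the request line and body shown above byte for byte, which is a convenient way to check a client's encoding of the custom-scheme redirect URI.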
Fetch the public RSA key that is used to validate the ID Token.
GET https://apptest.skolfederation.se/OIDC/jwks HTTP/1.1
Host: apptest.skolfederation.se
Use an appropriate library to download the JWK Set and validate the ID Token.
The following optional claims are used within the ID Token returned by the Proxy.
OpenID Connect Core, section 3: ID Token
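Validating the ID Token against the JWK Set, as an added Python example (not the proxy's code, and not a substitute for a maintained JOSE library in production): RS256 signature verification in pure Python from the public key's `n` and `e`, followed by the issuer, audience, expiry and nonce checks from OpenID Connect Core. The issuer value `ISSUER` is an assumption standing in for whatever the discovery document publishes; `CLIENT_ID` is the client from this page's examples. The key generation and signing helpers after the validation code are a test fixture so the example can mint a token offline; the OP signs with its own key.

```python
import base64, hashlib, hmac, json, random, time

# Assumed issuer (the discovery document is authoritative) and the page's client_id.
ISSUER = "https://apptest.skolfederation.se"
CLIENT_ID = "7ueo1swctdtc"
# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), padded to em_len bytes."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def rs256_verify(jwk: dict, signing_input: bytes, signature: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 with SHA-256, using the public JWK's n and e."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v15(signing_input, k))

def validate_id_token(token: str, jwks: dict, issuer: str, client_id: str, nonce: str, now=None) -> dict:
    """Signature check against the JWK Set, then the OpenID Connect Core ID Token claim checks."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed ID Token") from exc
    # The token's own 'alg' never selects the algorithm: only RS256 with a key from
    # the JWK Set is accepted, so 'none' and HMAC-downgrade headers are rejected.
    if header.get("alg") != "RS256":
        raise ValueError("unsupported alg %r" % header.get("alg"))
    key = next((k for k in jwks.get("keys", []) if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None or not rs256_verify(key, (h_b64 + "." + p_b64).encode("ascii"), b64url_decode(s_b64)):
        raise ValueError("signature verification failed (unknown kid or bad signature)")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise ValueError("ID Token not issued for this client")
    if (len(aud) > 1 or "azp" in claims) and claims.get("azp") != client_id:
        raise ValueError("azp mismatch")
    if now >= float(claims.get("exp", 0)):
        raise ValueError("ID Token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")), nonce):
        raise ValueError("nonce mismatch: token not bound to this authentication request")
    return claims

# --- Test fixture only: a throwaway RSA key and signer so the example can mint a
# token offline. The OP signs with its own key; nothing below is its code.
def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)
    if any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(candidate):
            return candidate

def generate_test_key(bits: int = 1024) -> dict:
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}  # modular inverse: Python 3.8+

def public_jwks(key: dict, kid: str) -> dict:
    """The JWK Set document a client would fetch from the jwks endpoint."""
    k = (key["n"].bit_length() + 7) // 8
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": b64url_encode(key["n"].to_bytes(k, "big")),
                      "e": b64url_encode(key["e"].to_bytes(3, "big"))}]}

def rs256_sign(key: dict, kid: str, claims: dict) -> str:
    signing_input = b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode("ascii"), k), "big")
    return signing_input + "." + b64url_encode(pow(em, key["d"], key["n"]).to_bytes(k, "big"))
```

The order of the checks matters: the signature is verified before any claim is trusted, the key is chosen by `kid` from the fetched JWK Set rather than from anything inside the token, and the nonce returned in the token is compared with the one the client stored when it built the authorization request, which is what ties the ID Token to that particular login attempt.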