5. AppProxy Beta


This proxy lets a native mobile application authenticate its user against a SAML identity federation without implementing SAML itself.


The proxy has an OpenID Connect frontend and a SAML2 backend. The frontend acts as an OpenID Connect Provider (OP) and accepts requests from OpenID Connect Relying Parties (the mobile apps). The backend acts as a SAML2 Service Provider towards the Identity Providers of the federation.


The Flow

Authorization Code Flow

The OP supports the Authorization Code Flow:

  1. Client prepares an Authentication Request containing the desired request parameters.
  2. Client sends the request to the Authorization Server.
  3. Authorization Server authenticates the End-User (through the SAML2 backend and the identity federation).
  4. Authorization Server sends the End-User back to the Client with an Authorization Code.
  5. Client requests a response using the Authorization Code at the Token Endpoint.
  6. Client receives a response that contains an ID Token and an Access Token in the response body.
  7. Client validates the ID Token and retrieves the End-User's Subject Identifier.
  8. Optional: Client sends the UserInfo Request.
  9. Optional: Authorization Server sends the UserInfo Response.


Endpoints


Discovery

Get the endpoints and the capabilities of the OP. Clients should read the endpoint URLs, the issuer value and the supported signing algorithms from this document rather than hard-coding the paths shown in the examples below.

GET https://apptest.skolfederation.se/.well-known/openid-configuration HTTP/1.1
    Host: apptest.skolfederation.se

Authorization Endpoint

Example request that would be sent by the User Agent to the Authorization Server

GET https://apptest.skolfederation.se/Saml2/OIDC/authorization
    ?scope=openid
    &response_type=code
    &client_id=7ueo1swctdtc
    &redirect_uri=se.skolfederation.7ueo1swctdtc%3A%2F%2Flocalhost
    &state=b34ge6c2efe18do
    &nonce=e62gr1vz7e46tl HTTP/1.1
    Host: apptest.skolfederation.se
  • scope: The scope value must contain the openid scope value and may include others.
  • response_type: The Proxy supports the Authorization Code Flow. response_type must be set to code.
  • client_id: The client identifier. There is only manual registration. Contact us and we will provide the client_id out-of-band.
  • redirect_uri: Used for custom URI scheme redirects. We will provide the redirect_uri out-of-band. Note that another app on the same device can register the same custom scheme and receive the redirect, so the Client must not use a callback until the state check has passed and, later, the nonce in the ID Token has been verified.
  • state: Random, unguessable string value used to maintain state between the request and the callback. The Client must compare it with the value it sent; this mitigates Cross-Site Request Forgery (CSRF, XSRF) attacks.
  • nonce: Random string value used to associate a Client session with an ID Token and to mitigate replay attacks. The Client must verify that the nonce claim in the returned ID Token equals the value it sent (OpenID Connect Core 1.0, section 2, ID Token).


Token Endpoint

Example Token Request that would be sent by the Client to the Authorization Server

POST https://apptest.skolfederation.se/OIDC/token HTTP/1.1
    Host: apptest.skolfederation.se
    Content-Type: application/x-www-form-urlencoded

    client_id=7ueo1swctdtc
    &grant_type=authorization_code
    &code=fglxlhtyfQwYbYS6WxSbIA
    &redirect_uri=se.skolfederation.7ueo1swctdtc%3A%2F%2Flocalhost
  • client_id: The client identifier
  • grant_type: Must be set to authorization_code
  • code: The Authorization Code retrieved from the Authorization Endpoint; it is single-use and short-lived
  • redirect_uri: Must be identical to the redirect_uri used in the initial Authentication Request
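The Client side of steps 1, 2, 4 and 5 above (Authentication Request, custom-scheme callback and Token Request), as an added example that is not part of the original page or the proxy's own code. It reuses the client_id and redirect_uri from the examples; the authorization endpoint path is an assumption that a real Client would take from the discovery document. The callback handler rejects error responses, a redirect that did not arrive on the registered redirect_uri, and any response whose state does not match the pending request.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Values mirror the examples on this page; the real client_id and redirect_uri
# are issued by the proxy operators out-of-band. The endpoint path is an
# assumption: read it from the discovery document in production.
AUTHZ_ENDPOINT = "https://apptest.skolfederation.se/Saml2/OIDC/authorization"
CLIENT_ID = "7ueo1swctdtc"
REDIRECT_URI = "se.skolfederation.7ueo1swctdtc://localhost"


class CallbackError(Exception):
    """The redirect back to the app must not be acted upon."""


def new_session():
    """Fresh, unguessable state and nonce for one Authentication Request.

    Keep them with the pending request; both are single-use.
    """
    return {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}


def build_authentication_request(session, scope="openid"):
    """Step 1: the URL the app hands to the system browser."""
    params = {
        "scope": scope,  # must contain 'openid'
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_callback(session, callback_url):
    """Step 4: validate the custom-scheme redirect and return the Authorization Code.

    Any app on the device that registers the same URI scheme can deliver a
    forged redirect, so the state must match the pending request before the
    code is used, and an error response must not be mistaken for success.
    """
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}" != REDIRECT_URI:
        raise CallbackError("callback did not arrive on the registered redirect_uri")
    q = parse_qs(parts.query)
    if "error" in q:
        raise CallbackError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    state = q.get("state", [""])[0]
    # Constant-time compare; a mismatch means the response is not ours (CSRF / code injection).
    if not hmac.compare_digest(state.encode(), session["state"].encode()):
        raise CallbackError("state mismatch")
    codes = q.get("code", [])
    if len(codes) != 1:
        raise CallbackError("missing or duplicated code parameter")
    return codes[0]


def token_request_body(code):
    """Step 5: form body for the authorization_code grant at the Token Endpoint.

    redirect_uri must be identical to the value sent in the Authentication Request.
    """
    return urlencode({
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    })
```

The session dictionary is what the app must persist between launching the browser and receiving the redirect; the nonce in it is consumed later when the ID Token is validated.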

Example Refresh Request that would be sent by the Client to the Authorization Server

POST https://apptest.skolfederation.se/Saml2/OIDC/token HTTP/1.1
    Host: apptest.skolfederation.se
    Content-Type: application/x-www-form-urlencoded

    client_id=7ueo1swctdtc
    &grant_type=refresh_token
    &refresh_token=96f5d26d9aa74175b
    &scope=openid
  • client_id: The client identifier
  • grant_type: Must be set to refresh_token
  • refresh_token: The refresh token received in the previous Token Response
  • scope: OPTIONAL. The scope requested for the new Access Token; it must not include scopes that were not granted by the original Authentication Request


UserInfo Endpoint

Example of a UserInfo Request that would be sent by the Client to the Authorization Server

GET https://apptest.skolfederation.se/OIDC/userinfo HTTP/1.1
    Host: apptest.skolfederation.se
    Authorization: Bearer 2fde563078f04f2

Authorization: The Access Token MUST be sent as a Bearer Token in the Authorization header (RFC 6750).


Introspection Endpoint

Example of an Introspection Request (RFC 7662) that would be sent by the Resource Service to the Authorization Server. The Resource Service must be registered as a Client with the grant_type set to client_credentials, and authenticates to the endpoint with its client credentials (HTTP Basic in the example below) so that only registered services can inspect tokens.

POST https://apptest.skolfederation.se/OIDC/introspection HTTP/1.1
     Host: apptest.skolfederation.se
     Accept: application/json
     Content-Type: application/x-www-form-urlencoded
     Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

     token=2fde563078f04f2&token_type_hint=access_token
  • token: The string value of the token
  • token_type_hint: OPTIONAL. A hint about the type of the token submitted for introspection

JWKS URI

Fetch the public RSA keys that are used to validate the ID Token signature. Keys are identified by kid, so the Client selects the key whose kid matches the ID Token header.

GET https://apptest.skolfederation.se/OIDC/jwks HTTP/1.1
    Host: apptest.skolfederation.se

Use an appropriate JOSE/JWT library to download the JWK Set and validate the ID Token. Accept only the signing algorithm published by the OP (id_token_signing_alg_values_supported in the discovery document), not whatever alg the token header names, and check iss, aud, exp and nonce in addition to the signature.

ID Token

The following optional claim is used within the ID Token returned by the Proxy, in addition to the standard claims (iss, sub, aud, exp, iat, nonce):

at_hash

Access Token hash: the base64url encoding of the left-most half of the hash of the ASCII representation of the access_token, where the hash algorithm is the one used by the ID Token's alg (SHA-256 for RS256, giving 128 bits). A Client that receives an at_hash should recompute it over the Access Token from the Token Response and reject the pair on mismatch, which binds the Access Token to this ID Token. See OpenID Connect Core 1.0, section 3.1.3.6 (ID Token).
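Step 7 of the flow, the ID Token validation, together with the at_hash and JWKS handling described above, as an added example that is not part of the original page or the proxy's own code. It is standard library only, so it contains a small RS256 implementation (RSASSA-PKCS1-v1_5 with SHA-256) and generates a 1024-bit demo key for a pretend OP; the key size is chosen for speed, and a real OP publishes 2048-bit or larger keys at its JWKS URI. The issuer string, kid, claims and access token are constructed sample values; a real Client compares iss against the issuer field of the discovery document. The validator fixes the algorithm to RS256, selects the key by kid, verifies the signature over header.payload, then checks iss, aud, exp, nonce and at_hash.

```python
import base64
import hashlib
import hmac
import json
import random

ISSUER = "https://apptest.skolfederation.se"  # assumption; take it from discovery metadata
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- minimal RS256: PKCS#1 v1.5 padding, textbook RSA, Miller-Rabin key generation ---
def emsa_pkcs1_v15(msg, k):
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def is_probable_prime(n, rounds=32):
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def generate_rsa_keypair(bits=1024):
    """Demo key for the pretend OP (small for speed; real keys are 2048+ bits)."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def rs256_sign(key, signing_input):
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(signing_input, k), "big")
    return pow(m, key["d"], key["n"]).to_bytes(k, "big")


def rs256_verify(n, e, signing_input, sig):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(signing_input, k))


def at_hash(access_token):
    """Left-most 128 bits of SHA-256 over the ASCII access token (SHA-256 because alg is RS256)."""
    return b64u(hashlib.sha256(access_token.encode("ascii")).digest()[:16])


def jwk_from_key(key, kid):
    """What the OP publishes at the JWKS URI for this key."""
    i2b = lambda i: b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid, "n": i2b(key["n"]), "e": i2b(key["e"])}


def issue_id_token(key, kid, claims, access_token):
    """OP side: sign header.payload and bind the Access Token via at_hash."""
    payload = dict(claims, at_hash=at_hash(access_token))
    signing_input = ".".join(b64u(json.dumps(p).encode()) for p in ({"alg": "RS256", "kid": kid}, payload))
    return signing_input + "." + b64u(rs256_sign(key, signing_input.encode("ascii")))


def validate_id_token(id_token, jwks, client_id, expected_nonce, access_token, now):
    """Client side (step 7): return the Subject Identifier or raise ValueError."""
    h_b64, p_b64, s_b64 = id_token.split(".")
    header = json.loads(b64u_dec(h_b64))
    if header.get("alg") != "RS256":  # never let the token pick the algorithm (e.g. 'none')
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no key with matching kid in JWK Set")
    n, e = (int.from_bytes(b64u_dec(key[x]), "big") for x in ("n", "e"))
    if not rs256_verify(n, e, f"{h_b64}.{p_b64}".encode("ascii"), b64u_dec(s_b64)):
        raise ValueError("signature does not verify")
    c = json.loads(b64u_dec(p_b64))
    aud = c.get("aud")
    if c.get("iss") != ISSUER or client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("wrong issuer or audience")
    if not isinstance(c.get("exp"), (int, float)) or now >= c["exp"]:
        raise ValueError("expired or missing exp")
    if not hmac.compare_digest(str(c.get("nonce", "")).encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch: replayed or foreign ID Token")
    if "at_hash" in c and not hmac.compare_digest(c["at_hash"].encode(), at_hash(access_token).encode()):
        raise ValueError("at_hash mismatch: Access Token not bound to this ID Token")
    return c["sub"]


def demo(now=1_700_000_000):
    """Constructed sample: the pretend OP issues an ID Token; returns (id_token, jwks)."""
    key = generate_rsa_keypair()
    jwks = {"keys": [jwk_from_key(key, "demo-key-1")]}
    claims = {"iss": ISSUER, "sub": "user-1", "aud": "7ueo1swctdtc", "iat": now, "exp": now + 300, "nonce": "e62gr1vz7e46tl"}
    return issue_id_token(key, "demo-key-1", claims, "2fde563078f04f2"), jwks
```

In a real Client the nonce passed to validate_id_token is the one stored with the Authentication Request, the access token is the one from the same Token Response, and the JWK Set comes from the JWKS URI; everything else in the validator is independent of the demo key.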