Introduction

The CoreOne Authentication Service offers various endpoints according to the OIDC specification. Each of the endpoints is briefly described here.

Discovery Endpoint

The discovery endpoint can be used by applications to retrieve the metadata about the CoreOne Authentication Service. It contains information about all the other endpoints, the configured claims, scopes and so on.

https://idp.coreone.ch/.well-known/openid-configuration

Authorization Endpoint

The authorization endpoint can be used to request tokens.

https://idp.coreone.ch/connect/authorize

User Info Endpoint

The user info endpoint can be used to retrieve information about the user. In order to retrieve data from this endpoint, the caller needs to provide a valid access token.

https://idp.coreone.ch/connect/userinfo

Device Authorization Endpoint

The device authorization endpoint can be used to request device and user codes, typically used by device flow authorization process.

https://idp.coreone.ch/connect/deviceauthorization

Introspection Endpoint

The introspection endpoint validates whether a token has access to the API resource and if the token is active. Authentication at the introspection endpoint occurs using the API resource's secret

Request

POST https://idp.coreone.ch/connect/introspect
Authorization: Basic base64({api_resource_name}:{api_resource_secret})
Content-Type: application/x-www-form-urlencoded

token={access_token}

Response

Code

Message

200

{
    "nbf": "int",
    "exp": "int",
    "iss": "String",
    "aud": ["String"],
    "client_id": "String",
    "sub": "String",
    "auth_time": "int",
    "idp": "String",
    "given_name": "String",
    "family_name": "String",
    "c1s_appcustomerid": "String",
    "display_name": "String",
    "c1s_tenantid": "String",
    "c1s_coreidentityid": "String",
    "local": "String",
    "c1s_role": ["String"],
    "iat": "int",
    "amr": "String",
    "active": "boolean",
    "scope": "String"
}

400

invalid request

401

unauthorized request

Note: Before working with the response, always check if the IsError property is set to make sure the request was successful.

Revocation Endpoint

The revocation endpoint allows the revocation of access tokens (reference tokens only https://itsense.atlassian.net/wiki/spaces/IKB/pages/1992982615/Token#Self-Contained-vs-Reference-Token) and refresh tokens.

Request

token
The token to revoke (required)
token_type_hint
Either access_token or refresh_token (optional)

POST https://idp.coreone.ch/connect/revocation 
Content-Type: application/x-www-form-urlencoded
Authorization: Basic base64({client_id}:{client_secret})

token={token}&token_type_hint={token_type_hint}

Response

Code	Message
200

End Session Endpoint

The end session endpoint can be used to trigger a single sign-out process.

https://idp.coreone.ch/connect/endsession

Request

post_logout_url
Where the user should be redirected to after the logout
id_token_hint
The actual id token of the user to identify the user

GET https://idp.coreone.ch/connect/endsession?post_logout_url={post_logout_url}&id_token_hint={id_token_hint}
Content-Type: application/x-www-form-urlencoded

Response

Code	Message
302	Redirect to the logout url
200	If no logout url is specified