import { AuthorizationResponse } from "https://deno.land/x/authlete_deno@v1.2.10/src/dto/authorization_response.ts";
Response from Authlete's /auth/authorization API.
Properties
The flag which indicates whether the end-user authentication must satisfy one of the requested ACRs. This property is true only when the authorization request from the client contains the claims request parameter and that parameter contains an entry for the acr claim with "essential":true. When this flag is true and the end-user cannot be authenticated at any of the requested ACRs, the outcome must be treated as a failed authentication attempt; it must not be answered with an ID token carrying a weaker ACR.
For more details, see OpenID Connect Core 1.0, 5.5.1. Individual Claims Requests (in particular 5.5.1.1. Requesting the "acr" Claim).
The list of ACRs (Authentication Context Class References) requested by the client application. The value comes from (1) the acr claim in the claims request parameter, (2) the acr_values request parameter, or (3) the default_acr_values configuration parameter of the client application, whichever of those is present first.
For more details, see OpenID Connect Core 1.0, 3.1.2.1. Authentication Request (acr_values) and 5.5.1.1. Requesting the "acr" Claim, and OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata (default_acr_values).
The next action that the service implementation should take.
The authorization details. This represents the value of the authorization_details request parameter, which is defined in "OAuth 2.0 Rich Authorization Requests".
The list of claims that the client application requests to be embedded in the ID token. The value comes from the scope and claims request parameters of the original authorization request.
For more details, see OpenID Connect Core 1.0, 5.4. Requesting Claims using Scope Values and 5.5. Requesting Claims using the "claims" Request Parameter.
The list of preferred languages and scripts for claim values contained in the ID token. The value comes from the claims_locales request parameter.
For more details, see OpenID Connect Core 1.0, 5.2. Claims Languages and Scripts.
The information about the client application.
The flag which indicates whether the value of the client_id request parameter included in the authorization request is the client ID alias or the original numeric client ID.
The display mode which the client application requests by the display request parameter. When the authorization request does not contain the display request parameter, this property has Display.PAGE as the default value.
For more details, see OpenID Connect Core 1.0, 3.1.2.1. Authentication Request.
The dynamic scopes which the client application requested by the scope request parameter. See the description of DynamicScope for details.
The value of the id_token property in the claims request parameter or in the "claims" property in a request object.
A client application may request that certain claims be embedded in an ID token or in a response from the UserInfo endpoint. There are several ways to do so; including the claims request parameter and including the "claims" property in a request object are two of them. In both cases, the value of the claims parameter/property is JSON. Its format is described in 5.5. Requesting Claims using the "claims" Request Parameter of OpenID Connect Core 1.0.
The following is an excerpt from the specification. Note that userinfo and id_token are top-level properties.
    {
     "userinfo":
      {
       "given_name": {"essential": true},
       "nickname": null,
       "email": {"essential": true},
       "email_verified": {"essential": true},
       "picture": null,
       "http://example.info/claims/groups": null
      },
     "id_token":
      {
       "auth_time": {"essential": true},
       "acr": {"values": ["urn:mace:incommon:iap:silver"] }
      }
    }
This property holds the value of the id_token property in JSON format. For example, if the JSON above is included in an authorization request, this property holds JSON equivalent to the following.
    {
     "auth_time": {"essential": true},
     "acr": {"values": ["urn:mace:incommon:iap:silver"] }
    }
Note that if a request object is given and it contains the claims property, and the claims request parameter is also given, this property takes its value from the request object, not from the claims request parameter.
The value of the login hint, which is specified by the client application using the login_hint request parameter.
For more details, see OpenID Connect Core 1.0, 3.1.2.1. Authentication Request.
The maximum authentication age, which is the allowable elapsed time in seconds since the last time the end-user was actively authenticated by the service implementation. The value comes from the max_age request parameter or the default_max_age configuration parameter of the client application. 0 may be returned, which means that the max age constraint does not have to be imposed. When a non-zero value is returned and the end-user's last active authentication is older than that, the service implementation must authenticate the end-user again rather than reuse the existing session; and whenever max_age was used, the ID token that is returned must include the auth_time claim.
For more details, see OpenID Connect Core 1.0, 3.1.2.1. Authentication Request (max_age) and OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata (default_max_age).
The list of prompts contained in the authorization request (= the value of the prompt request parameter).
For more details, see OpenID Connect Core 1.0, 3.1.2.1. Authentication Request.
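The max age and prompt values above are only useful once the service implementation turns them into a decision about whether to show a login screen. The following is an added example, not code from authlete_deno; the type Decision and the function decideAuthentication are this example's own names, and it takes the max age as the response property describes it (seconds, 0 meaning no constraint) rather than parsing the raw request parameter.

```typescript
// Added example (not part of authlete_deno): decide whether the end-user must
// be actively authenticated again, from the max age and prompt values of an
// authorization request. Decision and decideAuthentication are this example's
// own names.

type Decision =
  | { action: "USE_EXISTING_SESSION" }
  | { action: "AUTHENTICATE" }
  | { action: "FAIL"; error: "login_required" };

/**
 * maxAge: effective max age in seconds; 0 means no constraint.
 * prompts: the prompt values of the request, e.g. ["login"], ["none"] or [].
 * lastAuthTime: seconds since the epoch of the end-user's last active
 *   authentication, or undefined when there is no authenticated session.
 * now: current time in seconds since the epoch.
 */
function decideAuthentication(
  maxAge: number,
  prompts: string[],
  lastAuthTime: number | undefined,
  now: number,
): Decision {
  if (maxAge < 0) throw new Error("maxAge must be >= 0");

  // The session is too old only when a constraint is in force (maxAge > 0)
  // and more than maxAge seconds have elapsed since the last authentication.
  const tooOld =
    lastAuthTime !== undefined && maxAge > 0 && now - lastAuthTime > maxAge;

  const mustAuthenticate =
    lastAuthTime === undefined || prompts.indexOf("login") !== -1 || tooOld;

  if (!mustAuthenticate) return { action: "USE_EXISTING_SESSION" };

  // prompt=none forbids any user interaction, so instead of showing a login
  // page the request has to fail with login_required (Core 1.0, 3.1.2.6).
  if (prompts.indexOf("none") !== -1) {
    return { action: "FAIL", error: "login_required" };
  }
  return { action: "AUTHENTICATE" };
}
```

When the decision is AUTHENTICATE, the time of that fresh authentication is what must be recorded and later placed in the auth_time claim; reusing the old timestamp would defeat the max_age constraint the client asked for.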
The value of the purpose request parameter.
The purpose request parameter is defined in 8. Transaction-specific Purpose of OpenID Connect for Identity Assurance 1.0:
purpose
OPTIONAL. String describing the purpose for obtaining certain user data from the OP. The purpose MUST NOT be shorter than 3 characters and MUST NOT be longer than 300 characters. If these rules are violated, the authentication request MUST fail and the OP returns an error invalid_request to the RP.
NOTE: This property has a valid value only when the Authlete server you are using supports OpenID Connect for Identity Assurance 1.0.
The payload part of the request object. This property is unset if the authorization request does not include a request object.
The resources specified by the resource request parameters or by the resource property in the request object. If both are given, the values in the request object take precedence. See "Resource Indicators for OAuth 2.0" for details.
The response content which can be used to generate a response to the client application. The format of the value varies depending on the value of action.
The scopes that the client application requests by the scope request parameter. When the authorization request does not contain the scope request parameter, this property has the list of scopes which are marked as default by the service implementation. This property may be unset if the authorization request does not contain valid scopes and none of the registered scopes is marked as default.
You may want to enable end-users to select/deselect scopes in the authorization page. In other words, you may want to use a different set of scopes than the set specified by the original authorization request. You can replace scopes when you call Authlete's /auth/authorization/issue API. See the description of the AuthorizationIssueRequest.scopes property for details. When you do so, only let the end-user remove scopes from the requested set; adding scopes the client never asked for grants it privilege the request did not express.
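The two steps above, working out which scopes a request is treated as asking for and then narrowing that list to what the end-user approved, are shown below as an added example that is not part of authlete_deno. RegisteredScope, resolveRequestedScopes and narrowScopes are this example's names; that unknown scope values are dropped rather than rejected, and that the defaults are used when no valid scope survives, is this example's reading of the description above.

```typescript
// Added example (not part of authlete_deno): resolve the effective scope list
// for an authorization request and validate a narrowed selection from the
// authorization page. RegisteredScope, resolveRequestedScopes and narrowScopes
// are this example's own names.

interface RegisteredScope {
  name: string;
  isDefault: boolean; // marked as default by the service implementation
}

// Remove duplicate values while preserving order.
function uniq(values: string[]): string[] {
  return values.filter((v, i) => values.indexOf(v) === i);
}

/**
 * scopeParam: raw value of the scope request parameter, or undefined when
 *   the request did not carry one.
 * Returns the scopes the request is treated as asking for, or undefined when
 * no valid scope was requested and no registered scope is marked as default
 * (this example's reading of the property description).
 */
function resolveRequestedScopes(
  scopeParam: string | undefined,
  registered: RegisteredScope[],
): string[] | undefined {
  const known = registered.map((s) => s.name);
  const defaults = registered.filter((s) => s.isDefault).map((s) => s.name);

  if (scopeParam !== undefined) {
    const requested = uniq(scopeParam.split(" ").filter((s) => s.length > 0));
    // Only registered scopes survive; unknown values are dropped.
    const valid = requested.filter((s) => known.indexOf(s) !== -1);
    if (valid.length > 0) return valid;
  }
  return defaults.length > 0 ? defaults : undefined;
}

/**
 * The end-user may deselect scopes on the authorization page but never add
 * any: the result must be a subset of what the client requested. Anything
 * else would grant the client more than it asked for, so it is rejected.
 */
function narrowScopes(requested: string[], selected: string[]): string[] {
  const extra = selected.filter((s) => requested.indexOf(s) === -1);
  if (extra.length > 0) {
    throw new Error("scopes not in the original request: " + extra.join(" "));
  }
  // Keep the client's order so the issued set is stable and auditable.
  return requested.filter((s) => selected.indexOf(s) !== -1);
}
```

The list returned by narrowScopes is what would be handed to /auth/authorization/issue in place of the original scopes; the original list stays in the ticket-bound request, so the two can still be compared when auditing what was asked for versus what was granted.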
The information about the service.
The subject (= end-user's unique ID) that the client application requests. The value comes from the sub claim in the claims request parameter. This property may be unset (probably in most cases).
For more details, see OpenID Connect Core 1.0, 5.5. Requesting Claims using the "claims" Request Parameter.
The ticket which has been issued to the service implementation from Authlete's /auth/authorization API. This ticket is needed for calling the /auth/authorization/issue API and the /auth/authorization/fail API.
The list of preferred languages and scripts for the user interface. The value comes from the ui_locales request parameter.
For more details, see OpenID Connect Core 1.0, 3.1.2.1. Authentication Request.
The value of the userinfo property in the claims request parameter or in the "claims" property in a request object.
A client application may request that certain claims be embedded in an ID token or in a response from the UserInfo endpoint. There are several ways to do so; including the claims request parameter and including the "claims" property in a request object are two of them. In both cases, the value of the claims parameter/property is JSON. Its format is described in 5.5. Requesting Claims using the "claims" Request Parameter of OpenID Connect Core 1.0.
The following is an excerpt from the specification. Note that userinfo and id_token are top-level properties.
    {
     "userinfo":
      {
       "given_name": {"essential": true},
       "nickname": null,
       "email": {"essential": true},
       "email_verified": {"essential": true},
       "picture": null,
       "http://example.info/claims/groups": null
      },
     "id_token":
      {
       "auth_time": {"essential": true},
       "acr": {"values": ["urn:mace:incommon:iap:silver"]}
      }
    }
This property holds the value of the userinfo property in JSON format. For example, if the JSON above is included in an authorization request, this property holds JSON equivalent to the following.
    {
     "given_name": {"essential": true},
     "nickname": null,
     "email": {"essential": true},
     "email_verified": {"essential": true},
     "picture": null,
     "http://example.info/claims/groups": null
    }
Note that if a request object is given and it contains the claims property, and the claims request parameter is also given, this property takes its value from the request object, not from the claims request parameter.
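Several of the properties on this page are derived from the same claims JSON: the ACR-essential flag and the ACR list, the id_token and userinfo views shown above, and the requested subject. The following added example, which is not code from authlete_deno, derives all of them from a raw request in one place, including the rule that a "claims" property in the request object wins over the claims query parameter. Every name in it (ClaimsView, deriveClaimsView, AuthzRequest, ClientConfig) is this example's own, and the order in which the ACR sources are consulted is this example's reading of the description of the ACR list.

```typescript
// Added example (not part of authlete_deno): derive the claims-related views
// from a raw authorization request. All names here are this example's own.

type ClaimRequest =
  | { essential?: boolean; value?: string; values?: string[] }
  | null; // "claim": null requests the claim with no further constraint

type ClaimsRequest = {
  userinfo?: { [claim: string]: ClaimRequest };
  id_token?: { [claim: string]: ClaimRequest };
};

interface AuthzRequest {
  claims?: string;     // claims request parameter (JSON text), if present
  acr_values?: string; // space-separated ACRs, if present
  // decoded payload of the request object, if the request carried one
  requestObjectPayload?: { [name: string]: unknown };
}

interface ClientConfig {
  default_acr_values?: string[]; // client metadata, if configured
}

interface ClaimsView {
  idTokenClaims?: { [claim: string]: ClaimRequest };
  userInfoClaims?: { [claim: string]: ClaimRequest };
  acrEssential: boolean;
  acrs?: string[];
  subject?: string;
}

// The claims value arrives as JSON text (query parameter) or as an already
// decoded object (request object). Anything but a JSON object is rejected.
function parseClaims(raw: unknown): ClaimsRequest | undefined {
  if (raw === undefined || raw === null) return undefined;
  const obj = typeof raw === "string" ? JSON.parse(raw) : raw;
  if (typeof obj !== "object" || obj === null || Array.isArray(obj)) {
    throw new Error("invalid_request: claims must be a JSON object");
  }
  return obj as ClaimsRequest;
}

function deriveClaimsView(req: AuthzRequest, client: ClientConfig): ClaimsView {
  // A "claims" property inside the request object takes precedence over the
  // claims query parameter when both are present.
  const fromRequestObject = req.requestObjectPayload
    ? req.requestObjectPayload["claims"]
    : undefined;
  const claims = parseClaims(
    fromRequestObject !== undefined ? fromRequestObject : req.claims,
  );

  const idToken = claims ? claims.id_token : undefined;
  const acrEntry = idToken ? idToken["acr"] : undefined; // may be null
  const acrEssential = !!acrEntry && acrEntry.essential === true;

  // ACR sources in the order this example consults them:
  // acr claim request, then acr_values, then the client's default_acr_values.
  let acrs: string[] | undefined;
  if (acrEntry && acrEntry.values && acrEntry.values.length > 0) {
    acrs = acrEntry.values.slice();
  } else if (acrEntry && acrEntry.value) {
    acrs = [acrEntry.value];
  } else if (req.acr_values) {
    acrs = req.acr_values.split(" ").filter((s) => s.length > 0);
  } else if (client.default_acr_values && client.default_acr_values.length > 0) {
    acrs = client.default_acr_values.slice();
  }

  const subEntry = idToken ? idToken["sub"] : undefined;

  return {
    idTokenClaims: idToken,
    userInfoClaims: claims ? claims.userinfo : undefined,
    acrEssential,
    acrs,
    subject: subEntry ? subEntry.value : undefined,
  };
}
```

The acrEssential flag is the one to act on when the login flow cannot reach any of the listed ACRs: with the flag set, the right answer is a failed authentication, while without it a lower ACR may be returned in the ID token.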