IDAAS core API references
The OneWelcome Identity Platform provides access to the following Identity and Access (IDAAS) core APIs:
- Access config API
- Access token customization web hook API
- Credential API
- Dynamic client registration (DCR) API
- Event API
- Event stream API
- Logs API
- Notification API
- OAuth 2.0 and OpenID Connect API
- OAuth and OIDC client registration API
- OAuth consent API
- Reverse lookup API
- SCIM API v1/v2 protected with Basic authentication
- SCIM API v1/v2 protected with fine-grained OAuth2 scopes
- SCIM API v1/v2 protected with OAuth2 scopes
- SCIM API v1.1 protected with Basic authentication
- SCIM API v1.1 protected with fine-grained OAuth2 scopes
- SCIM API v1.1 protected with OAuth2 scopes
- Session management API
- User details customization hook API
Client registration endpoints
Domain/ API: Client Registration
Used to register OAuth and OIDC client applications.
Operation description | Logical endpoint name [1] | Method | Endpoint path |
---|---|---|---|
Create an OAuth/OIDC client | registration_endpoint | POST | /auth/oauth2.0/v1/connect/register |
Obtain details for an OAuth/OIDC client | registration_endpoint | GET | /auth/oauth2.0/v1/connect/register |
Unregister an OAuth/OIDC client | registration_endpoint | DELETE | /auth/oauth2.0/v1/connect/register/ |
Proprietary administration endpoint to unregister an OAuth/OIDC client | clients_endpoint | DELETE | /auth/oauth2.0/v1/connect/clients/ |
OAuth consent endpoints
Domain/ API: OAuth consent
Manages consents given by users for documents and processing purposes.
Operation description | Logical endpoint name [1] | Method | Endpoint path |
---|---|---|---|
Retrieve documents | documents_endpoint | GET | /consent/v1/documents |
View document consent per user | document_consents_endpoint | GET | /consent/v1/document-consents |
Give document consent per user | document_consents_endpoint | POST | /consent/v1/document-consents |
Revoke document consent per user | document_consents_endpoint | DELETE | /consent/v1/document-consents |
Retrieve processing purposes | processing_purposes_endpoint | GET | /consent/v1/processing-purposes |
View attribute consent per user | attribute_consents_endpoint | GET | /consent/v1/attribute-consents |
Give attribute consent per user | attribute_consents_endpoint | POST | /consent/v1/attribute-consents |
Revoke attribute consent per user | attribute_consents_endpoint | DELETE | /consent/v1/attribute-consents |
Session management endpoints
Domain/ API: Session Management
Controls existing sessions of a user account (session creation itself happens through the authentication APIs and SSO, not through this API).
Operation description | Logical endpoint name [1] | Method | Endpoint path |
---|---|---|---|
Terminate session (logout) | terminate_session_endpoint | GET | /login/terminate_session |
OAuth/OIDC endpoints
Domain/ API: OAuth/OIDC
Allows applications to delegate authentication and authorization towards the OneWelcome Identity Platform and get SSO (per OAuth/OIDC specs).
Operation description | Logical endpoint name [1] | Method | Endpoint path |
---|---|---|---|
Obtain OAuth authorization or OIDC authentication | authorize_endpoint | GET | /auth/oauth2.0/v1/authorize |
Obtain OAuth access token | token_endpoint | POST | /auth/oauth2.0/v1/token |
Device authorization request | device_authorization_endpoint | POST | /auth/oauth2.0/v1/device/code |
Device authorization decision | device_authorization_decision_endpoint | POST | /auth/oauth2.0/v1/device/user |
Determine the active state and meta-information of an OAuth token | introspection_endpoint | POST | /auth/oauth2.0/v1/introspect |
Obtain claims about the authenticated user | userinfo_endpoint | GET | /auth/oauth2.0/v1/userinfo |
(Deprecated) Obtain information about an OAuth token and the authenticated user | token_info_endpoint | GET | /auth/oauth2.0/v1/token-info |
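The table above only names the endpoints; the exchange a relying party actually runs against them is the authorization-code flow with PKCE, followed by token introspection on the resource-server side. The following is an added example (not OneWelcome code and not taken from the page) that builds each request and validates the responses offline. The host idp.example.com, the client identifiers, the public-client token request without a client secret, and the sample introspection responses are all assumptions constructed here; only the endpoint paths come from the table.

```python
"""Authorization-code + PKCE flow and introspection checks against the
OAuth/OIDC endpoints listed above. Added example; host, clients and the
sample responses are constructed, only the paths come from the reference."""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

BASE = "https://idp.example.com"  # assumed tenant host, not from the page
AUTHORIZE_ENDPOINT = BASE + "/auth/oauth2.0/v1/authorize"
TOKEN_ENDPOINT = BASE + "/auth/oauth2.0/v1/token"
INTROSPECTION_ENDPOINT = BASE + "/auth/oauth2.0/v1/introspect"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_pkce():
    """Return (code_verifier, S256 code_challenge); 32 random bytes give 43 chars."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scope, state, nonce, challenge):
    """GET to authorize_endpoint. state ties the callback to this browser
    session (CSRF defence); nonce ties the ID token to it (replay defence)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the authorization code; refuse a callback that does not carry our state."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale callback")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def build_token_request(code, redirect_uri, client_id, code_verifier):
    """POST to token_endpoint as a public client: the PKCE verifier replaces a secret."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": code_verifier,
    }
    return {"method": "POST", "url": TOKEN_ENDPOINT,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(body)}


def build_introspection_request(token, rs_client_id, rs_client_secret):
    """POST to introspection_endpoint. RFC 7662 requires the caller (the
    resource server) to authenticate, so this is never called from a browser."""
    creds = base64.b64encode(f"{rs_client_id}:{rs_client_secret}".encode()).decode()
    return {"method": "POST", "url": INTROSPECTION_ENDPOINT,
            "headers": {"Authorization": "Basic " + creds,
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode({"token": token, "token_type_hint": "access_token"})}


def introspection_accepts(resp, expected_aud, required_scope, now=None):
    """Resource-server decision on an introspection response. An inactive
    token carries only {"active": false}; for an active one every other
    field is optional, so expiry, audience and scope are checked explicitly."""
    if resp.get("active") is not True:
        return False
    now = time.time() if now is None else now
    if "exp" in resp and resp["exp"] <= now:
        return False
    if "nbf" in resp and resp["nbf"] > now:
        return False
    aud = resp.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # RFC 7662 allows string or list
    if expected_aud not in aud:
        return False
    return required_scope in resp.get("scope", "").split()


# Constructed sample responses, not captured from a real tenant.
SAMPLE_ACTIVE = {"active": True, "scope": "openid profile orders:read",
                 "client_id": "web-app", "sub": "user-123", "aud": ["orders-api"],
                 "exp": 1_700_000_600, "nbf": 1_699_999_990}
SAMPLE_INACTIVE = {"active": False}
```

The device authorization and userinfo endpoints follow the same pattern and are left out here. The one check practitioners most often omit is the audience test: an active, unexpired token issued for another API still introspects as `active: true`, so a resource server that only looks at that flag accepts tokens never meant for it.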
Event endpoints
Domain/ API: Event
Used to access events generated by the OneWelcome Identity Platform.
Operation description | Logical endpoint name [1] | Method | Endpoint path |
---|---|---|---|
Obtain events | events_endpoint | GET | /event-api/v2/events |
Submit events | events_endpoint | POST | /event-api/v2/events |
Notification endpoints
Domain/ API: Notification
Notifies external systems of changes in users' consents.
Operation description | Logical endpoint name [1] | Method | Endpoint path |
---|---|---|---|
Subscribe to notifications for a single resource type | notification_subscription_endpoint | POST | /notification/v1/subscriptions |
Get the details of a subscription | notification_subscription_endpoint | GET | /notification/v1/subscriptions/ |
Unsubscribe from notifications | notification_subscription_endpoint | DELETE | /notification/v1/subscriptions/ |
Retrieve a set of notifications of a subscription with a subscription_id | notification_endpoint | GET | /notification/v1/subscriptions/ |
Credential endpoints
Domain/ API: Credential
Manages user's credentials, such as password, email, or phone number.
Operation description | Logical endpoint name [1] | Method | Endpoint path |
---|---|---|---|
Request to make an email address the user's primary email | primary_email_request_endpoint | POST | /credential/v1/primary-email-request |
Confirm a user's email address | primary_email_confirmation_endpoint | POST | /credential/v1/primary-email-confirmation |
Unprotected endpoint to confirm a user's email address without authenticating the user | public_primary_email_confirmation_endpoint | POST | /credential/v1/public/primary-email-confirmation |
Request to make a phone number primary | primary_phone_number_request_endpoint | POST | /credential/v1/primary-phone-number-request |
Change and confirm a user's phone number | primary_phone_number_confirmation_endpoint | POST | /credential/v1/primary-phone-number-confirmation |
Obtain information about the user's password | metadata_endpoint | GET | /credential/v1/users/ |
Change password for the provided userID | password_endpoint | PUT | /credential/v1/users/ |
SAML endpoints
Domain/ API: SAML
Allows applications to delegate authentication to the OneWelcome Identity Platform and get SSO.
Operation description | Logical endpoint name [1] | Method | Endpoint path |
---|---|---|---|
Web SSO redirect | sso_httpredirect_endpoint | GET | /auth/saml2.0/v1/SSORedirect/metaAlias/<Brand> |
Web SSO post | sso_httppost_endpoint | POST | /auth/saml2.0/v1/SSOPOST/metaAlias/<Brand> |
Web IDP SLO redirect | slo_httpredirect_endpoint | GET | /auth/saml2.0/v1/IDPSloRedirect/metaAlias/<Brand> |
Web IDP SLO post | slo_httppost_endpoint | POST | /auth/saml2.0/v1/IDPSloPOST/metaAlias/<Brand> |
SCIM endpoints
Domain/ API:
- SCIM API v1/v2 protected with Basic authentication
- SCIM API v1/v2 protected with fine-grained OAuth2 scopes
- SCIM API v1/v2 protected with OAuth2 scopes
- SCIM API v1.1 protected with Basic authentication
- SCIM API v1.1 protected with fine-grained OAuth2 scopes
- SCIM API v1.1 protected with OAuth2 scopes
Provisions users to the OneWelcome Identity Platform from a source user repository (users can be created as active or inactive).
Operation description | Logical endpoint name [1] | Method | Endpoint path |
---|---|---|---|
Create a user | SCIM_users_endpoint | POST | /scim/Users, /scim/v1/Users |
Full update of a user | SCIM_users_endpoint | PUT | /scim/Users/ |
Partial update of a user | SCIM_users_endpoint | PATCH | /scim/Users/ |
Retrieve a known user | SCIM_users_endpoint | GET | /scim/Users/ |
Query users | SCIM_users_endpoint | GET | /scim/Users, /scim/v1/Users |
Delete a user | SCIM_users_endpoint | DELETE | /scim/Users/ |
Create a user in employee segment | SCIM_employees_endpoint | POST | /employees/scim/v1/Users |
Full update of a user in employee segment | SCIM_employees_endpoint | PUT | /employees/scim/v1/Users/ |
Partial update of a user in employee segment | SCIM_employees_endpoint | PATCH | /employees/scim/v1/Users/ |
Retrieve a known user in employee segment | SCIM_employees_endpoint | GET | /employees/scim/v1/Users/ |
Query users in employee segment | SCIM_employees_endpoint | GET | /employees/scim/v1/Users |
Delete a user in employee segment | SCIM_employees_endpoint | DELETE | /employees/scim/v1/Users/ |
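The SCIM section lists six protection variants and two schema generations but shows no request bodies. The following is an added example (not OneWelcome code) of the requests a provisioning connector sends to the paths above: creating a user inactive and activating it later with a PATCH, in both SCIM 1.1 and SCIM 2.0 form, plus a query filter that escapes the value so a crafted userName cannot widen the filter. The host idp.example.com, the service-account credentials and the user attributes are assumptions constructed here; the schema URNs are the standard ones from SCIM 1.1 and RFC 7643/7644, and which of the listed paths serves which schema version is not stated on the page.

```python
"""SCIM provisioning requests for the endpoints listed above. Added example;
host, credentials and user data are constructed, only the paths are from
the reference. Handles both the SCIM 1.1 and the SCIM 2.0 body formats."""
import base64
import json
from urllib.parse import urlencode

BASE = "https://idp.example.com"  # assumed tenant host, not from the page
USERS = BASE + "/scim/Users"
USERS_V1 = BASE + "/scim/v1/Users"
EMPLOYEE_USERS = BASE + "/employees/scim/v1/Users"

# Standard schema URNs; the page does not say which path speaks which version.
SCHEMA_USER = {
    1: "urn:scim:schemas:core:1.0",
    2: "urn:ietf:params:scim:schemas:core:2.0:User",
}
SCHEMA_PATCH_V2 = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def basic_auth_header(user, password):
    """Header for the 'protected with Basic authentication' variants. Prefer the
    OAuth2-scope variants where available: a bearer token can be short-lived and
    limited to the scopes the connector needs, a static password cannot."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def bearer_auth_header(access_token):
    """Header for the 'protected with OAuth2 scopes' variants."""
    return {"Authorization": "Bearer " + access_token}


def create_user_body(version, user_name, given, family, email, active=False):
    """POST body for 'Create a user'. active=False provisions the account
    inactive, the safer default for someone who has not started yet."""
    return {
        "schemas": [SCHEMA_USER[version]],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": active,
    }


def set_active_body(version, active):
    """PATCH body for 'Partial update of a user'. SCIM 1.1 sends the changed
    attributes directly; SCIM 2.0 wraps them in a PatchOp envelope."""
    if version == 1:
        return {"schemas": [SCHEMA_USER[1]], "active": active}
    return {
        "schemas": [SCHEMA_PATCH_V2],
        "Operations": [{"op": "replace", "path": "active", "value": active}],
    }


def username_filter(user_name):
    """Filter for 'Query users'. A string literal in a SCIM filter follows JSON
    string rules (RFC 7644 section 3.4.2.2), so json.dumps quotes and escapes it.
    Without escaping, a value such as x" or userName pr turns the filter into
    userName eq "x" or userName pr, which matches every user in the tenant."""
    return "userName eq " + json.dumps(user_name)


def query_url(endpoint, filter_expr):
    """GET URL for 'Query users' with the filter URL-encoded as a query parameter."""
    return endpoint + "?" + urlencode({"filter": filter_expr})


def provisioning_sequence(version, endpoint, headers):
    """The requests a connector sends: create inactive, later activate, then verify."""
    body = create_user_body(version, "bob", "Bob", "Builder", "bob@example.com")
    return [
        {"method": "POST", "url": endpoint, "headers": headers, "json": body},
        {"method": "PATCH", "url": endpoint + "/<id from the create response>",
         "headers": headers, "json": set_active_body(version, True)},
        {"method": "GET", "url": query_url(endpoint, username_filter("bob")),
         "headers": headers},
    ]
```

The employee-segment endpoints take the same bodies; only the path prefix `/employees` changes, and the same service account should not hold scopes for both segments unless it really provisions both.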
Reverse lookup endpoints
Domain/ API: Reverse Look-Up
Used to look up users at an external lookup service (the URL for this endpoint is configurable in the OneWelcome Identity Platform).
Operation description | Logical endpoint name [1] | Method | Endpoint path |
---|---|---|---|
OneWelcome Identity Platform request to user lookup service | user_lookup_endpoint | POST | endpoint not hosted by the OneWelcome Identity Platform |
[1] Logical endpoint name as defined for endpoint discovery.
Convention: "xxx_endpoint" indicates it's a web API.