Requesting the user information as a Resource Server
Forming the request
The URL used to request the user information of the Resource Owner of an OAuth 2.0 Access Token is https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/identity.

Endpoint | Description | Method
---|---|---
https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/identity | This endpoint is the target of the request for the user information of the Resource Owner of an OAuth 2.0 Access Token. | HTTP GET
JSON Web Token
In order to pass the access token, you need to provide a JSON Web Token in the Authorization header of the request.
The JSON Web Token has the following requirements:
- An asymmetric JSON Web Key. The public key has been provided to Digitaal Vlaanderen through digitaal.vlaanderen@vlaanderen.be, preferably as a certificate. We provide tooling to generate this JSON Web Key here.
- A `kid` (key identifier) in the header of the JSON Web Token; this must be the SHA-1 thumbprint of the certificate if the JSON Web Key itself is an X.509 certificate.
- An `iss` claim in the payload containing the Resource Server Name (case sensitive). This name has been provided by Digitaal Vlaanderen.
- A `sub` claim in the payload containing the access token for which you want the user information.
- A `jti` claim in the payload in the form of a GUID that is generated randomly and is different for each request.
- An `exp` claim in the payload indicating the expiration time of the token; it must not be more than ten minutes after `iat`.
- An `iat` claim in the payload indicating the time at which the JWT was issued.
- An `aud` claim in the payload containing the URL of the endpoint you are calling, in lowercase and without a trailing slash; here this must be https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/identity.
JWT Valid example
Header
{
"alg": "RS256",
"kid": "98E449C2AC53DB1FEC4425B9E4A11628EB68AE5D",
"typ": "JWT"
}
Payload
{
"sub": "5Op37vHN_T9zYV6vkA",
"iss": "My Resource Server Name",
"iat": "1552909601",
"exp": "1552909700",
"jti": "63233cd9-21b8-4fa1-8858-66b715f7a866",
"aud": "https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/identity"
}
Putting the JSON Web Token in the header of the request
The JSON Web Token must be sent in the Authorization header of the request using the Bearer scheme.
Example
GET /authorization/ws/oauth/v2/authorization/identity HTTP/1.1
Host: beta.oauth.vlaanderen.be
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6Ijk4RTQ0OUMyQUM1M0RCMUZFQzQ0MjVCOUU0QTExNjI4RUI2OEFFNUQiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiI1T3AzN3ZITl9UOXpZVjZ2a0EiLCJpc3MiOiJNeSBSZXNvdXJjZSBTZXJ2ZXIgTmFtZSIsImlhdCI6IjE1NTI5MDk2MDEiLCJleHAiOiIxNTUyOTA5NzAwIiwianRpIjoiNjMyMzNjZDktMjFiOC00ZmExLTg4NTgtNjZiNzE1ZjdhODY2IiwiYXVkIjoiaHR0cHM6Ly9vYXV0aC52bGFhbmRlcmVuLmJlL2F1dGhvcml6YXRpb24vb2F1dGgvdjIvYXV0aG9yaXphdGlvbi9pZGVudGl0eSJ9.FRnz_sSupNEjcGfeJOOM6sJs1LvfuzvPbEANOd-hjrcCkOlxdBbHCKWNTv1zuGs-yCjZx1iTAig-3PPVND4g_fdzuSPjQmgwyZK3dGl1u5EBNTancXD1oarzt3pA364p0OwbSK_y0dpXfI4R0GuvGQmiLuo4JKAblz1xBD2fsQnWBhwS28shxCSppxKX8ec-oR7NMept5PZV2VTHB5aVKMDRPiEcjspfdyP3KXV92eJ2og4dDsBT0BDNB2XdYhMue0gXEXA94FoB513zKPH032iGeroD8xl3GBLlR_FohmUr6ft0QLdzjegv55VlWM1ETwz3nEIFlMFk6mKMQpufeg
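The procedure above, building the signed JWT and placing it in the Authorization header, as an added example that is not code from the page or from Digitaal Vlaanderen. It assumes a toy RSA key pair generated in pure Python so it runs offline; in practice you load the private key matching the JSON Web Key or certificate you registered, and the `kid` comes from the real DER certificate rather than the placeholder bytes used here. `iat` and `exp` are emitted as integers (the NumericDate type RFC 7519 defines) whereas the page's example quotes them as strings; the function names (`build_identity_assertion`, `check_identity_assertion`, `authorization_header`) are mine. The check function applies the page's rules (alg, kid, signature, aud, ten-minute lifetime, GUID jti) to the token before it leaves your server.

```python
import base64, hashlib, json, secrets, time, uuid

# Endpoint from the page; aud must equal it, lowercase and without a trailing slash.
IDENTITY_ENDPOINT = "https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/identity"
MAX_LIFETIME_SECONDS = 600  # exp may not lie more than ten minutes after iat
# RS256 is RSASSA-PKCS1-v1_5 over SHA-256 (RFC 7518); this is the SHA-256 DigestInfo prefix
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Toy RSA key generation so the example runs offline (assumption, demo only): in
# practice load the private key matching the JWK/certificate you registered.
def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random bases
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if _is_probable_prime(candidate):
            return candidate

def generate_rsa_key(bits: int = 1024) -> dict:
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return {"n": p * q, "e": 65537, "d": pow(65537, -1, phi)}

def _emsa_pkcs1_v15(message: bytes, em_len: int) -> int:
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(key: dict, message: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(message, k), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(key: dict, message: bytes, signature: bytes) -> bool:
    k = (key["n"].bit_length() + 7) // 8
    return len(signature) == k and pow(int.from_bytes(signature, "big"), key["e"], key["n"]) == _emsa_pkcs1_v15(message, k)

def certificate_thumbprint(cert_der: bytes) -> str:
    # kid for an X.509 JWK: SHA-1 thumbprint of the DER certificate as uppercase hex
    return hashlib.sha1(cert_der).hexdigest().upper()

def build_identity_assertion(key: dict, kid: str, resource_server_name: str, access_token: str, now: int = None) -> str:
    # iat/exp are emitted as integers (RFC 7519 NumericDate); the page's example quotes them as strings
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "kid": kid, "typ": "JWT"}
    payload = {"sub": access_token,                      # the access token to look up
               "iss": resource_server_name,              # case sensitive, as registered
               "iat": now, "exp": now + MAX_LIFETIME_SECONDS,  # the ten-minute maximum
               "jti": str(uuid.uuid4()),                 # fresh random GUID per request
               "aud": IDENTITY_ENDPOINT.lower().rstrip("/")}
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    return signing_input + "." + b64url_encode(rs256_sign(key, signing_input.encode()))

def check_identity_assertion(token: str, public_key: dict, expected_kid: str, now: int = None) -> dict:
    # The checks the page's rules imply, applied to our own token before sending it
    now = int(time.time()) if now is None else now
    h, p, s = token.split(".")
    header, payload = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    if header.get("alg") != "RS256" or header.get("kid") != expected_kid:
        raise ValueError("unexpected alg or kid")
    if not rs256_verify(public_key, (h + "." + p).encode(), b64url_decode(s)):
        raise ValueError("signature does not verify")
    if payload.get("aud") != IDENTITY_ENDPOINT:
        raise ValueError("aud must be the endpoint URL, lowercase, without trailing slash")
    lifetime = int(payload["exp"]) - int(payload["iat"])
    if not 0 < lifetime <= MAX_LIFETIME_SECONDS or int(payload["exp"]) <= now:
        raise ValueError("exp must be within ten minutes after iat and still in the future")
    uuid.UUID(payload["jti"])  # raises ValueError if jti is not a GUID
    return payload

def authorization_header(token: str) -> dict:
    return {"Authorization": "Bearer " + token}

if __name__ == "__main__":
    key = generate_rsa_key()
    kid = certificate_thumbprint(b"constructed placeholder, not a real DER certificate")
    token = build_identity_assertion(key, kid, "My Resource Server Name", "5Op37vHN_T9zYV6vkA")
    print(check_identity_assertion(token, key, kid), authorization_header(token)["Authorization"][:30] + "...")
```

Because the token is bound to a single access token, a fresh `jti` and a ten-minute window, a captured Authorization header is of little use to an attacker once it expires; keep the clock on the resource server synchronised, or the lifetime check on the other side will reject otherwise valid tokens.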
Handling the response
The response is a JSON Web Token containing the available user information. It consists of claims about the user. A claim type can occur more than once, as the scope claim does in the example below, so parse the result as a multi-valued claim set rather than letting a JSON parser keep only the last value of a repeated name.
Example
{
"iss":"urn:informatievlaanderen.be/sts",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":"JohnDoe",
"http://schemas.agiv.be/ws/2011/01/identity/claims/contactid":"3063",
"http://schemas.microsoft.com/ws/2008/06/identity/claims/role":"Administrator Of An Awesome App",
"http://schemas.agiv.be/ws/2011/01/identity/claims/oauth/scope":"KLIPPlanaanvraag",
"http://schemas.agiv.be/ws/2011/01/identity/claims/oauth/scope":"GIPODBijwerken"
}
Handling an error
When there is an error, a JSON result is returned with the error information.
Example
{
"error":"invalid_token"
}
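Handling both the claim set and the error result, as an added example that is not code from the page or from Digitaal Vlaanderen. It parses the body with a pairs hook so that a repeated claim type (the scope claim in the page's example) keeps every value, raises on the `{"error": ...}` result, and exposes `has_scope`, the check a resource server makes before serving a request. The sample bodies are constructed from the page's two examples; if the body arrives as a compact JWT rather than the bare claim set shown, the payload segment is decoded without any signature check, since the page gives no verification key for the response (assumption). The function names are mine.

```python
import base64, json

# Claim types from the page's response example
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
SCOPE_CLAIM = "http://schemas.agiv.be/ws/2011/01/identity/claims/oauth/scope"

# Constructed sample bodies, copied from the page's examples
SAMPLE_RESPONSE = """{
 "iss":"urn:informatievlaanderen.be/sts",
 "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":"JohnDoe",
 "http://schemas.agiv.be/ws/2011/01/identity/claims/contactid":"3063",
 "http://schemas.microsoft.com/ws/2008/06/identity/claims/role":"Administrator Of An Awesome App",
 "http://schemas.agiv.be/ws/2011/01/identity/claims/oauth/scope":"KLIPPlanaanvraag",
 "http://schemas.agiv.be/ws/2011/01/identity/claims/oauth/scope":"GIPODBijwerken"
}"""
SAMPLE_ERROR = '{"error":"invalid_token"}'

class IdentityError(Exception):
    """The {"error": ...} result the endpoint returns instead of claims."""

def _merge_repeated(pairs):
    # json.loads on its own keeps only the last value of a repeated name;
    # collect every occurrence into a list instead (the scope claim repeats).
    claims = {}
    for name, value in pairs:
        if name not in claims:
            claims[name] = value
        elif isinstance(claims[name], list):
            claims[name].append(value)
        else:
            claims[name] = [claims[name], value]
    return claims

def _claim_set_text(body: str) -> str:
    # Bare JSON as shown on the page, or a compact JWT whose payload segment is decoded.
    # Assumption: no signature check here, the page gives no key for the response.
    body = body.strip()
    if not body.startswith("{") and body.count(".") == 2:
        seg = body.split(".")[1]
        return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)).decode("utf-8")
    return body

def parse_identity_response(body: str) -> dict:
    claims = json.loads(_claim_set_text(body), object_pairs_hook=_merge_repeated)
    if "error" in claims:
        raise IdentityError(claims["error"])
    return claims

def values_of(claims: dict, claim_type: str) -> list:
    value = claims.get(claim_type, [])
    return value if isinstance(value, list) else [value]

def has_scope(claims: dict, scope: str) -> bool:
    # Exact, case-sensitive match against every scope claim on the token
    return scope in values_of(claims, SCOPE_CLAIM)

if __name__ == "__main__":
    claims = parse_identity_response(SAMPLE_RESPONSE)
    print(claims[NAME_CLAIM], values_of(claims, SCOPE_CLAIM), has_scope(claims, "GIPODBijwerken"))
    try:
        parse_identity_response(SAMPLE_ERROR)
    except IdentityError as err:
        print("error:", err)
```

Treat `invalid_token` as a reason to answer the caller with HTTP 401 rather than retrying: the access token itself was not accepted, so repeating the lookup with the same `sub` will not help.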