Authorization API documentation

Requesting the user information as a Resource Server

A resource server can request user information about the resource owner. To retrieve it, the resource server sends an authenticated request to the authorization server, passing the access token together with the resource server's own credentials in the request header. The credentials take the form of a JSON Web Token signed with the resource server's registered key, as described under JSON Web Token below.

Forming the request

The URL used to request the user information of the Resource Owner of an OAuth 2.0 Access Token is https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/identity.

Endpoint: https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/identity
Description: This endpoint is the target of the request for the user information of the Resource Owner of an OAuth 2.0 Access Token.
Method: HTTP GET

JSON Web Token

In order to pass the access token, you provide a JSON Web Token in the Authorization header of the request.
The JSON Web Token has following requirements:

  • An asymmetric JSON Web Key, whose public key has been provided to Digitaal Vlaanderen through digitaal.vlaanderen@vlaanderen.be, preferably as an X.509 certificate. Digitaal Vlaanderen provides tooling to generate this JSON Web Key. The private key never leaves the resource server; it is used only to sign the JWT described here.
  • A kid (key identifier) in the header of the JSON Web Token. If the JSON Web Key is an X.509 certificate, this is the certificate's SHA-1 thumbprint (40 upper-case hexadecimal characters, as in the example below).
  • An iss claim in the payload containing the Resource Server Name (case sensitive). This name has been provided by Digitaal Vlaanderen.
  • A sub claim in the payload containing the access token for which you want the user information.
  • A jti claim in the payload in the form of a randomly generated GUID that is different for every request, which lets the server detect a replayed JWT.
  • An exp claim in the payload indicating the expiration time of the token; it must not be more than ten minutes after iat.
  • An iat claim in the payload indicating the time at which the JWT was issued, as Unix epoch seconds. The example below carries iat and exp as JSON strings, while RFC 7519 defines them as numbers; confirm which form the server accepts before relying on your JWT library's default.
  • An aud claim in the payload containing the URL of the endpoint you are calling, in lower case and without a trailing slash; here this must be https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/identity.

Valid JWT example

Header

{
  "alg": "RS256",
  "kid": "98E449C2AC53DB1FEC4425B9E4A11628EB68AE5D",
  "typ": "JWT"
}

Payload

{
  "sub": "5Op37vHN_T9zYV6vkA",
  "iss": "My Resource Server Name",
  "iat": "1552909601",
  "exp": "1552909700",
  "jti": "63233cd9-21b8-4fa1-8858-66b715f7a866",
  "aud": "https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/identity"
}

Putting the JSON Web Token in the request header

The JSON Web Token goes in the Authorization header of the request, using the Bearer scheme. The token in the example below is illustrative only and cannot be replayed: its exp lies in the past, and the aud inside its encoded payload is not the beta endpoint URL given above. Generate a fresh JWT, with a new jti, for every request.

Example


    GET /authorization/ws/oauth/v2/authorization/identity HTTP/1.1
    Host: beta.oauth.vlaanderen.be
    Content-Type: application/x-www-form-urlencoded
    Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6Ijk4RTQ0OUMyQUM1M0RCMUZFQzQ0MjVCOUU0QTExNjI4RUI2OEFFNUQiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiI1T3AzN3ZITl9UOXpZVjZ2a0EiLCJpc3MiOiJNeSBSZXNvdXJjZSBTZXJ2ZXIgTmFtZSIsImlhdCI6IjE1NTI5MDk2MDEiLCJleHAiOiIxNTUyOTA5NzAwIiwianRpIjoiNjMyMzNjZDktMjFiOC00ZmExLTg4NTgtNjZiNzE1ZjdhODY2IiwiYXVkIjoiaHR0cHM6Ly9vYXV0aC52bGFhbmRlcmVuLmJlL2F1dGhvcml6YXRpb24vb2F1dGgvdjIvYXV0aG9yaXphdGlvbi9pZGVudGl0eSJ9.FRnz_sSupNEjcGfeJOOM6sJs1LvfuzvPbEANOd-hjrcCkOlxdBbHCKWNTv1zuGs-yCjZx1iTAig-3PPVND4g_fdzuSPjQmgwyZK3dGl1u5EBNTancXD1oarzt3pA364p0OwbSK_y0dpXfI4R0GuvGQmiLuo4JKAblz1xBD2fsQnWBhwS28shxCSppxKX8ec-oR7NMept5PZV2VTHB5aVKMDRPiEcjspfdyP3KXV92eJ2og4dDsBT0BDNB2XdYhMue0gXEXA94FoB513zKPH032iGeroD8xl3GBLlR_FohmUr6ft0QLdzjegv55VlWM1ETwz3nEIFlMFk6mKMQpufeg
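The request-side procedure above (kid from the certificate thumbprint, the six claims, the RS256 signature and the Bearer header), as an added Go example that is not code from the original page or from Digitaal Vlaanderen. It assumes the resource server's registered key and certificate; DemoCredentials generates a throwaway self-signed pair in their place, and the issuer name, access token and jti are supplied by the caller (the documented sample values in the usage below). VerifyAssertion shows the checks the receiving side has to make before trusting the claims: alg pinned to RS256 so a token with alg none or an HMAC algorithm is rejected, signature verified first, claims decoded last.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"strings"
	"time"
)

// IdentityURL is the documented beta endpoint and the exact aud value (lower case, no trailing slash).
const IdentityURL = "https://beta.oauth.vlaanderen.be/authorization/ws/oauth/v2/authorization/identity"

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Thumbprint is the kid the docs require for an X.509 JWK: SHA-1 of the DER certificate as upper-case hex.
func Thumbprint(der []byte) string {
	return fmt.Sprintf("%X", sha1.Sum(der))
}

// DemoCredentials stands in for the key and certificate registered with Digitaal Vlaanderen
// (assumption: a real resource server loads them from a secure store instead of generating them).
func DemoCredentials() (key *rsa.PrivateKey, kid string, err error) {
	if key, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return nil, "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "My Resource Server Name"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, Thumbprint(der), err
}

// BuildAssertion signs the RS256 JWT that carries the access token in sub; jti must be a
// fresh random GUID per request and exp stays within the ten-minute limit after iat.
func BuildAssertion(key *rsa.PrivateKey, kid, issuer, accessToken, jti string, iat time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid, "typ": "JWT"})
	payload, _ := json.Marshal(map[string]interface{}{
		"sub": accessToken,
		"iss": issuer,
		"iat": iat.Unix(),
		"exp": iat.Add(5 * time.Minute).Unix(),
		"jti": jti,
		"aud": IdentityURL,
	})
	signingInput := b64url(header) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// NewIdentityRequest puts the assertion in the Authorization header with the Bearer scheme.
func NewIdentityRequest(assertion string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, IdentityURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+assertion)
	return req, nil
}

// VerifyAssertion is the receiving side's check: alg pinned to RS256 (no "none" or HMAC
// confusion), signature verified with the registered public key, only then claims decoded.
func VerifyAssertion(token string, pub *rsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWT")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, err
		}
		raw[i] = b
	}
	var hdr struct{ Alg string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("alg is not RS256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(raw[1], &claims)
}
```

Usage: key, kid, _ := DemoCredentials(); tok, _ := BuildAssertion(key, kid, "My Resource Server Name", "5Op37vHN_T9zYV6vkA", "63233cd9-21b8-4fa1-8858-66b715f7a866", time.Now()); req, _ := NewIdentityRequest(tok); then send req with an http.Client. The aud is hard-wired to the URL actually called so the two cannot drift apart, which is the mismatch visible in the page's own sample token.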


Handling the response

The response is a JSON Web Token whose payload contains the available user information as claims about the user. Verify the token's signature and check that iss matches the expected issuer (urn:informatievlaanderen.be/sts in the example) before acting on any claim. Note that a claim can occur more than once: the example below carries two oauth/scope entries, so parse the payload in a way that keeps all of them rather than only the last.

Example (decoded payload)


    {
         "iss":"urn:informatievlaanderen.be/sts",
         "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":"JohnDoe",
         "http://schemas.agiv.be/ws/2011/01/identity/claims/contactid":"3063",
         "http://schemas.microsoft.com/ws/2008/06/identity/claims/role":"Administrator Of An Awesome App",
         "http://schemas.agiv.be/ws/2011/01/identity/claims/oauth/scope":"KLIPPlanaanvraag",
         "http://schemas.agiv.be/ws/2011/01/identity/claims/oauth/scope":"GIPODBijwerken"
    }
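Parsing the decoded identity payload, as an added Go example that is not from the original page or from Digitaal Vlaanderen. SamplePayload is a constructed copy of the example above; the point it shows is the repeated scope key: json.Unmarshal into a map keeps only the last duplicate, so a scope check written that way would never see KLIPPlanaanvraag, whereas walking the object token by token keeps every value. Assumption: the response token's signature has already been verified before this payload is trusted; HasScope additionally refuses to answer when iss is not the expected issuer.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

const (
	ScopeClaim     = "http://schemas.agiv.be/ws/2011/01/identity/claims/oauth/scope"
	ExpectedIssuer = "urn:informatievlaanderen.be/sts"
)

// SamplePayload is a constructed copy of the documented example; the scope key appears twice.
const SamplePayload = `{
  "iss":"urn:informatievlaanderen.be/sts",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":"JohnDoe",
  "http://schemas.agiv.be/ws/2011/01/identity/claims/contactid":"3063",
  "http://schemas.microsoft.com/ws/2008/06/identity/claims/role":"Administrator Of An Awesome App",
  "http://schemas.agiv.be/ws/2011/01/identity/claims/oauth/scope":"KLIPPlanaanvraag",
  "http://schemas.agiv.be/ws/2011/01/identity/claims/oauth/scope":"GIPODBijwerken"
}`

// NaiveScope is the pitfall: unmarshalling into a map silently keeps only the last value of a duplicated key.
func NaiveScope(payload []byte) (string, error) {
	var m map[string]interface{}
	if err := json.Unmarshal(payload, &m); err != nil {
		return "", err
	}
	s, _ := m[ScopeClaim].(string)
	return s, nil
}

// Claims walks the top-level object token by token so every value of every key is kept,
// returning each claim as the list of its string values in document order.
func Claims(payload []byte) (map[string][]string, error) {
	dec := json.NewDecoder(bytes.NewReader(payload))
	if t, err := dec.Token(); err != nil || t != json.Delim('{') {
		return nil, fmt.Errorf("payload is not a JSON object")
	}
	out := map[string][]string{}
	for dec.More() {
		k, err := dec.Token()
		if err != nil {
			return nil, err
		}
		var v interface{} // Decode consumes the whole value, nested or not
		if err := dec.Decode(&v); err != nil {
			return nil, err
		}
		key, _ := k.(string)
		if s, ok := v.(string); ok {
			out[key] = append(out[key], s)
		}
	}
	return out, nil
}

// HasScope checks the issuer before answering and consults every scope value, not just the last.
func HasScope(payload []byte, want string) (bool, error) {
	c, err := Claims(payload)
	if err != nil {
		return false, err
	}
	if len(c["iss"]) != 1 || c["iss"][0] != ExpectedIssuer {
		return false, fmt.Errorf("unexpected issuer %v", c["iss"])
	}
	for _, s := range c[ScopeClaim] {
		if s == want {
			return true, nil
		}
	}
	return false, nil
}
```

Usage: ok, err := HasScope([]byte(SamplePayload), "KLIPPlanaanvraag") returns true, while NaiveScope on the same bytes returns only "GIPODBijwerken". The same token-walking approach applies to any multi-valued claim, such as the role claim, should it be repeated.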

Handling an error

When an error occurs, a JSON object with the error information is returned instead of user information. Treat any error response as a failed lookup.

Example


{
    "error":"invalid_token"
}