HID RMS OpenID Calls

The following sections provide detailed examples of OpenID requests in an HID RMS context.

Prerequisites:  
  • Configure a channel with HID RMS (that is, Customer Banking Portal)

  • Create a system user with a static login authenticator (for example, use spl-api and create a System Static Login authenticator with the password as password01)

  • Create a non-system user with a static login authenticator (for example, spl-consumer in the Consumer Online Banking group with a Customer Static Password authenticator with the password as password01)

Note: In the following examples, the exchanges include RMSINFO (in the POST) and RMS_DETAILS (in the response):
  • Both are plain (unsigned) JWTs

  • A JWT can be decoded online (for example, with a site such as https://jwt.io/) to inspect its content

  • The JWT content is specific to the RMS Provider

When integrating with HID RMS, the content of each JWT is a JSON object containing the following items:

RMSINFO (Decoded)

Content

Step 1:

  • TM_CLIENT_IP containing the client IP of the end user’s device (required)

  • TM_SESSION_SID containing value from the generated HID RMS cookie named "TS01d4cc80" (required)

  • TM_DEVICE_TAG containing value from the generated HID RMS cookie named "C8hDRqP6KY" (required)

  • TM_APP_SESSION_ID containing a session ID issued by the protected application

    This identifier must be persistent throughout the whole session (required).

  • TM_APP_DEVICE_ID containing a unique device identifier assigned by the protected application (optional)

  • TM_ENVIRONMENT_ID containing a value to identify the environment the application is running on (optional)

  • TM_APP_USER_ALIAS containing the unique channel specific login (optional)

Also required for Step 2:

  • TM_SESSION_TRANSFER containing the TM_SESSION_TRANSFER value returned by the Step 1 call

Example

{
    "TM_APP_DEVICE_ID":"123456",
    "TM_APP_USER_ALIAS":"Sample user alias",
    "TM_SESSION_SID":"rYFcm65pkhoawGRFgN1URNXYHl3QAplH",
    "TM_CLIENT_IP":"X.Y.Z.T",
    "TM_APP_SESSION_ID":"S5CaeUEr0HxroxLQRcEl8IpQrlxqcZnPHJYaFJEy",
    "TM_DEVICE_TAG":"0OenNqAdlQ3apoVfHhdrbngavX4Uj3PT",
    "TM_ENVIRONMENT_ID":"Production"
}
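The RMSINFO token is an unsecured JWT (header {"alg":"none"}, empty signature segment) wrapping the claims listed above in compact JSON. The following Python is an added example, not code from the HID documentation: it validates the required claims, produces the token, decodes it back, and wraps it in the context form parameter used by the token requests in the next sections. The claim set and the page's own example values are taken from this page; the trailing ":false" of the context parameter is reproduced from the requests below without interpretation, and the helper names are mine.

```python
import base64
import json

# Claim names exactly as listed in the "Content" section above.
REQUIRED_RMSINFO_CLAIMS = ("TM_CLIENT_IP", "TM_SESSION_SID", "TM_DEVICE_TAG", "TM_APP_SESSION_ID")
OPTIONAL_RMSINFO_CLAIMS = ("TM_APP_DEVICE_ID", "TM_ENVIRONMENT_ID", "TM_APP_USER_ALIAS", "TM_SESSION_TRANSFER")

# base64url of {"alg":"none"}: every RMSINFO / RMS_DETAILS token on this page starts with this header.
UNSECURED_JWT_HEADER = "eyJhbGciOiJub25lIn0"

# RMSINFO claims from the decoded example above, in the page's key order.
PAGE_EXAMPLE_RMSINFO = {
    "TM_APP_DEVICE_ID": "123456",
    "TM_APP_USER_ALIAS": "Sample user alias",
    "TM_SESSION_SID": "rYFcm65pkhoawGRFgN1URNXYHl3QAplH",
    "TM_CLIENT_IP": "X.Y.Z.T",
    "TM_APP_SESSION_ID": "S5CaeUEr0HxroxLQRcEl8IpQrlxqcZnPHJYaFJEy",
    "TM_DEVICE_TAG": "0OenNqAdlQ3apoVfHhdrbngavX4Uj3PT",
    "TM_ENVIRONMENT_ID": "Production",
}

# The same claims as they appear encoded in the context parameter of the Step 1 requests below.
PAGE_EXAMPLE_RMSINFO_JWT = "eyJhbGciOiJub25lIn0.eyJUTV9BUFBfREVWSUNFX0lEIjoiMTIzNDU2IiwiVE1fQVBQX1VTRVJfQUxJQVMiOiJTYW1wbGUgdXNlciBhbGlhcyIsIlRNX1NFU1NJT05fU0lEIjoicllGY202NXBraG9hd0dSRmdOMVVSTlhZSGwzUUFwbEgiLCJUTV9DTElFTlRfSVAiOiJYLlkuWi5UIiwiVE1fQVBQX1NFU1NJT05fSUQiOiJTNUNhZVVFcjBIeHJveExRUmNFbDhJcFFybHhxY1puUEhKWWFGSkV5IiwiVE1fREVWSUNFX1RBRyI6IjBPZW5OcUFkbFEzYXBvVmZIaGRyYm5nYXZYNFVqM1BUIiwiVE1fRU5WSVJPTk1FTlRfSUQiOiJQcm9kdWN0aW9uIn0."


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_unsecured_jwt(claims: dict) -> str:
    # Compact JSON (no spaces) with claim order preserved, empty signature segment after the final dot.
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    return f"{UNSECURED_JWT_HEADER}.{_b64url_encode(payload)}."


def decode_unsecured_jwt(token: str) -> dict:
    # This helper verifies nothing, so it refuses any token that claims to be signed:
    # silently decoding such a token would hide the fact that its integrity was never checked.
    header_segment, payload_segment, signature_segment = token.split(".")
    if signature_segment:
        raise ValueError("unexpected signature segment on an unsecured JWT")
    if json.loads(_b64url_decode(header_segment)).get("alg") != "none":
        raise ValueError("only alg=none tokens are handled here")
    return json.loads(_b64url_decode(payload_segment))


def missing_required_claims(claims: dict) -> list:
    # Empty strings count as missing: the server needs a value, not just a key.
    return [name for name in REQUIRED_RMSINFO_CLAIMS if not claims.get(name)]


def build_rmsinfo_jwt(claims: dict) -> str:
    missing = missing_required_claims(claims)
    if missing:
        raise ValueError(f"RMSINFO is missing required claims: {missing}")
    unknown = sorted(set(claims) - set(REQUIRED_RMSINFO_CLAIMS) - set(OPTIONAL_RMSINFO_CLAIMS))
    if unknown:
        raise ValueError(f"RMSINFO has claims not listed on this page: {unknown}")
    return encode_unsecured_jwt(claims)


def build_context_parameter(rmsinfo_jwt: str) -> str:
    # Shape of the context form field in the token requests below; the trailing ":false" is copied from them as-is.
    return f"RMSINFO:{rmsinfo_jwt}:false"


if __name__ == "__main__":
    token = build_rmsinfo_jwt(PAGE_EXAMPLE_RMSINFO)
    print("matches the page's token:", token == PAGE_EXAMPLE_RMSINFO_JWT)
    print("decoded session id:", decode_unsecured_jwt(token)["TM_APP_SESSION_ID"])
    print(build_context_parameter(token)[:60] + "...")
```

Because the token carries no signature, anything that decodes it on the server side has to treat the claims (client IP, session identifiers) as client-supplied input; the values are protected only by the TLS channel and the bearer token on the request, not by the JWT itself.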
RMS_DETAILS (Decoded)

Content

Provides the complete score explanation and the reasons for a high score.

Example

{
    "session":{
        "score":688,
        "standalone_signals":[
            {"id":4426,"type":"PHISHING_PROBE_LOAD"},
            {"id":4427,"type":"NEW_USER_DEVICE"},
            {"id":4430,"type":"NEW_USER_LANGUAGE"}
        ],
        "detections":[]
    },
    "action":{
        "score":0,
        "standalone_signals":[],
        "detections":[]
    },
    "risk":897,
    "device":{
        "score":99,
        "standalone_signals":[
            {"id":4429,"type":"UNKNOWN_WEBINJECT"},
            {"id":4437,"type":"UNKNOWN_WEBINJECT"},
            {"id":4450,"type":"UNKNOWN_WEBINJECT"}
        ],
        "detections":[]
    },
    "user":{
        "score":110,
        "standalone_signals":[],
        "detections":[]
    },
    "tags":[]
}
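A relying application usually wants more from RMS_DETAILS than the headline score: which scopes carried the risk, which signal types fired and how often, and whether the configured block score (800 in the Block Channel section below) was reached. The Python below is an added example, not HID code: it decodes an RMS_DETAILS token, flattens the standalone signals of the four scopes and produces a summary. The sample input is the decoded JSON above; since the page truncates its RMS_DETAILS tokens, make_sample_token wraps that JSON as an alg-none JWT so the decoder has a full token to work on. Treating "risk at or above the block score" as the blocking condition is my assumption, not something the page states.

```python
import base64
import json

# Decoded RMS_DETAILS example from above, embedded as the sample input.
PAGE_EXAMPLE_RMS_DETAILS = {
    "session": {"score": 688,
                "standalone_signals": [{"id": 4426, "type": "PHISHING_PROBE_LOAD"},
                                       {"id": 4427, "type": "NEW_USER_DEVICE"},
                                       {"id": 4430, "type": "NEW_USER_LANGUAGE"}],
                "detections": []},
    "action": {"score": 0, "standalone_signals": [], "detections": []},
    "risk": 897,
    "device": {"score": 99,
               "standalone_signals": [{"id": 4429, "type": "UNKNOWN_WEBINJECT"},
                                      {"id": 4437, "type": "UNKNOWN_WEBINJECT"},
                                      {"id": 4450, "type": "UNKNOWN_WEBINJECT"}],
               "detections": []},
    "user": {"score": 110, "standalone_signals": [], "detections": []},
    "tags": [],
}

# The four scored scopes present in the example.
SCOPES = ("session", "action", "device", "user")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_rms_details(token: str) -> dict:
    # RMS_DETAILS is an unsecured JWT; refuse anything else rather than decode it unverified.
    header, payload, signature = token.split(".")
    if signature or json.loads(_b64url_decode(header)).get("alg") != "none":
        raise ValueError("expected an unsecured (alg none) RMS_DETAILS token")
    return json.loads(_b64url_decode(payload))


def make_sample_token(details: dict) -> str:
    # Constructed here for testing: the page shows only truncated RMS_DETAILS tokens.
    payload = base64.urlsafe_b64encode(json.dumps(details, separators=(",", ":")).encode()).rstrip(b"=")
    return "eyJhbGciOiJub25lIn0." + payload.decode() + "."


def collect_signals(details: dict) -> list:
    # Flatten every scope's standalone signals into (scope, id, type) triples.
    return [(scope, s["id"], s["type"])
            for scope in SCOPES
            for s in details.get(scope, {}).get("standalone_signals", [])]


def summarize(details: dict, block_score: int) -> dict:
    by_type = {}
    for _scope, _sig_id, sig_type in collect_signals(details):
        by_type[sig_type] = by_type.get(sig_type, 0) + 1
    return {
        "risk": details["risk"],
        # Assumption: the channel blocks once the risk reaches the configured block score.
        "blocked": details["risk"] >= block_score,
        "scope_scores": {scope: details[scope]["score"] for scope in SCOPES},
        "signals_by_type": by_type,
        # The sample's detections arrays are empty, so only their count is reported here.
        "detections": sum(len(details[scope].get("detections", [])) for scope in SCOPES),
        "tags": list(details.get("tags", [])),
    }


if __name__ == "__main__":
    token = make_sample_token(PAGE_EXAMPLE_RMS_DETAILS)
    print(json.dumps(summarize(decode_rms_details(token), block_score=800), indent=2))
```

For the page's example this reports risk 897 against a block score of 800 (blocked), three UNKNOWN_WEBINJECT signals on the device scope and one each of PHISHING_PROBE_LOAD, NEW_USER_DEVICE and NEW_USER_LANGUAGE on the session scope; the per-type counts are the part worth forwarding to a SIEM, since the numeric scores alone do not say why a session was scored high.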

For further information, see:

Static Password Authentication (No Step-up Authentication)


Step 1 - POST

POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer RTp7HwAAAWd49XAymijxrvKMwWLZ5fZ6S1VF6gyf
Content-Length: 280
Host: [base-server-url]
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

grant_type=password&username=testp1&password=activcard2018&context=RMSINFO:eyJhbGciOiJub25lIn0.eyJUTV9BUFBfREVWSUNFX0lEIjoiMTIzNDU2IiwiVE1fQVBQX1VTRVJfQUxJQVMiOiJTYW1wbGUgdXNlciBhbGlhcyIsIlRNX1NFU1NJT05fU0lEIjoicllGY202NXBraG9hd0dSRmdOMVVSTlhZSGwzUUFwbEgiLCJUTV9DTElFTlRfSVAiOiJYLlkuWi5UIiwiVE1fQVBQX1NFU1NJT05fSUQiOiJTNUNhZVVFcjBIeHJveExRUmNFbDhJcFFybHhxY1puUEhKWWFGSkV5IiwiVE1fREVWSUNFX1RBRyI6IjBPZW5OcUFkbFEzYXBvVmZIaGRyYm5nYXZYNFVqM1BUIiwiVE1fRU5WSVJPTk1FTlRfSUQiOiJQcm9kdWN0aW9uIn0.:false

Step 1 - Response

HTTP/1.1 200 OK
Cache-Control: no-store
X-Powered-By: Undertow/1
Server: JBoss-EAP/7
Pragma: no-cache
Content-Disposition: attachment;filename=response.json
Date: Tue, 04 Dec 2018 11:35:29 GMT
Connection: keep-alive
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 769
{
    "access_token":"TXvBKAAAAWd5AGiHxQ\/X8RV\/IIrAug4yr9Jhuzqu",
    "context":{
        "TM_ACTION_ID":"4454",
        "LEVEL_OF_ASSURANCE":"1",
        "RMS_DETAILS":"eyJhbGciOiJub25lIn0.e…",
        "token_type":"Bearer",
        "expires_in":3600
    }
}

Static Password Authentication with an OTP Step-up

Note: In the following example, TM_AUTHENTICATION_TYPE_LIST shows the step-up policies that are available (for example, AT_CUSTOTP,AT_PASA).

Step 1 UP Authentication - POST

POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer RTp7HwAAAWd49XAymijxrvKMwWLZ5fZ6S1VF6gyf
Content-Length: 280
Host: [base-server-url]
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
 
grant_type=password&username=testp1&password=activcard2018&context=RMSINFO:eyJhbGciOiJub25lIn0.eyJUTV9BUFBfREVWSUNFX0lEIjoiMTIzNDU2IiwiVE1fQVBQX1VTRVJfQUxJQVMiOiJTYW1wbGUgdXNlciBhbGlhcyIsIlRNX1NFU1NJT05fU0lEIjoicllGY202NXBraG9hd0dSRmdOMVVSTlhZSGwzUUFwbEgiLCJUTV9DTElFTlRfSVAiOiJYLlkuWi5UIiwiVE1fQVBQX1NFU1NJT05fSUQiOiJTNUNhZVVFcjBIeHJveExRUmNFbDhJcFFybHhxY1puUEhKWWFGSkV5IiwiVE1fREVWSUNFX1RBRyI6IjBPZW5OcUFkbFEzYXBvVmZIaGRyYm5nYXZYNFVqM1BUIiwiVE1fRU5WSVJPTk1FTlRfSUQiOiJQcm9kdWN0aW9uIn0.:false

Step 1 UP Authentication - Response

HTTP/1.1 400 Bad Request
Cache-Control: no-store
X-Powered-By: Undertow/1
Server: JBoss-EAP/7
Pragma: no-cache
Content-Disposition: attachment;filename=response.json
Date: Tue, 04 Dec 2018 13:00:52 GMT
Connection: keep-alive
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 928
 
{
    "hid_failure": {
        "reason":51,
        "context": {
            "TM_AUTHENTICATION_TYPE_LIST":"AT_CUSTOTP,AT_PASA",
            "TM_ACTION_ID":"4464",
            "LEVEL_OF_ASSURANCE":"1",
            "RMS_DETAILS":"eyJhbGciOiJub25lIn0.e…",
            "TM_SESSION_TRANSFER":"hb4dGrRnmXN7xC9pVBH6e6XOCggneOLhDwRYagsA"
        },
        "authType":"AT_CUSTPW"
    },
    "error_description":"Invalid grant: Step-up authentication required",
    "error":"invalid_grant"
}

Step 2 OTP - POST

POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer RTp7HwAAAWd49XAymijxrvKMwWLZ5fZ6S1VF6gyf
Content-Length: 396
Host: [base-server-url]
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
 
grant_type=password&username=testp1&password=662122&authType=AT_CUSTOTP&mode=SYNCHRONOUS&context=RMSINFO:eyJhbGciOiJub25lIn0.eyJUTV9BUFBfREVWSUNFX0lEIjoiMTIzNDU2IiwiVE1fQVBQX1VTRVJfQUxJQVMiOiJTYW1wbGUgdXNlciBhbGlhcyIsIlRNX1NFU1NJT05fU0lEIjoicllGY202NXBraG9hd0dSRmdOMVVSTlhZSGwzUUFwbEgiLCJUTV9DTElFTlRfSVAiOiJYLlkuWi5UIiwiVE1fQVBQX1NFU1NJT05fSUQiOiJTNUNhZVVFcjBIeHJveExRUmNFbDhJcFFybHhxY1puUEhKWWFGSkV5IiwiVE1fREVWSUNFX1RBRyI6IjBPZW5OcUFkbFEzYXBvVmZIaGRyYm5nYXZYNFVqM1BUIiwiVE1fRU5WSVJPTk1FTlRfSUQiOiJQcm9kdWN0aW9uIn0.:false

Step 2 OTP - Response

HTTP/1.1 200 OK
Cache-Control: no-store
X-Powered-By: Undertow/1
Server: JBoss-EAP/7
Pragma: no-cache
Content-Disposition: attachment;filename=response.json
Date: Tue, 04 Dec 2018 13:02:33 GMT
Connection: keep-alive
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 743
 
{
    "access_token":"TXvBKAAAAWd5UCD78H5sKTurkzygh6kMhyA7\/XyL",
    "context": {
        "TM_ACTION_ID":"4465",
        "RMS_DETAILS":"eyJhbGciOiJub25lIn0.e…",
        "token_type":"Bearer",
        "expires_in":86400
    }
}

Static Password Authentication with a Push-based Step-up


Step 1 UP Authentication - POST

POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer RTp7HwAAAWd49XAymijxrvKMwWLZ5fZ6S1VF6gyf
Content-Length: 280
Host: [base-server-url]
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
 
grant_type=password&username=testp1&password=activcard2018&context=RMSINFO:eyJhbGciOiJub25lIn0.eyJUTV9BUFBfREVWSUNFX0lEIjoiMTIzNDU2IiwiVE1fQVBQX1VTRVJfQUxJQVMiOiJTYW1wbGUgdXNlciBhbGlhcyIsIlRNX1NFU1NJT05fU0lEIjoicllGY202NXBraG9hd0dSRmdOMVVSTlhZSGwzUUFwbEgiLCJUTV9DTElFTlRfSVAiOiJYLlkuWi5UIiwiVE1fQVBQX1NFU1NJT05fSUQiOiJTNUNhZVVFcjBIeHJveExRUmNFbDhJcFFybHhxY1puUEhKWWFGSkV5IiwiVE1fREVWSUNFX1RBRyI6IjBPZW5OcUFkbFEzYXBvVmZIaGRyYm5nYXZYNFVqM1BUIiwiVE1fRU5WSVJPTk1FTlRfSUQiOiJQcm9kdWN0aW9uIn0.:false

Step 1 UP Authentication - Response

HTTP/1.1 400 Bad Request
Cache-Control: no-store
X-Powered-By: Undertow/1
Server: JBoss-EAP/7
Pragma: no-cache
Content-Disposition: attachment;filename=response.json
Date: Tue, 04 Dec 2018 14:12:07 GMT
Connection: keep-alive
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 928
 
{
    "hid_failure": {
        "reason":51,
        "context": {
            "TM_AUTHENTICATION_TYPE_LIST":"AT_CUSTOTP,AT_PASA",
            "TM_ACTION_ID":"4466",
            "LEVEL_OF_ASSURANCE":"1",
            "RMS_DETAILS":"eyJhbGciOiJub25lIn0.e…",
            "TM_SESSION_TRANSFER":"PW8D0TP5k2aGdIvMIXqNK3fBgSg5eBV7XHAH8sgx"
        },
        "authType":"AT_CUSTPW"
    },
    "error_description":"Invalid grant: Step-up authentication required",
    "error":"invalid_grant"
}

Step 2 with AT_PASA (Using an OpenID CIBA Request) - POST

POST https://[base-server-url]/{tenant}/authn/bcauthorize HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/json
Authorization: Bearer RTp7HwAAAWd49XAymijxrvKMwWLZ5fZ6S1VF6gyf
Content-Length: 767
Host: [base-server-url]
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

{
    "scope": "openid hid-tx-sign",
    "client_notification_token": "8d67dc78-7faa-4d41-aabd-67707b374255",
    "acr_values": "mod-mf",
    "login_hint_token": "eyJhbGciOiJub25lIn0.eyJhdXRocG9sIjoiQVRfUEFTQSIsInRkcyI6IlBsZWFzZSB2YWxpZGF0ZSBMb2dvbiIsImNoYW5uZWwiOiJDSF9ESVJFQ1QiLCJ1c2VyY29kZSI6InRlc3RwMSIsImRldmljZWlkIjoiMTIzNTUiLCJjcmVhdGVTZXNzaW9uIjoiMCIsIlJNU0luZm8iOiJleUpoYkdjaU9pSnViMjVsSW4wLmV5SlVUVjlUUlZOVFNVOU9YMU5KUkNJNkluSlpSbU50TmpWd2EyaHZZWGRIVWtablRqRlZVazVZV1Voc00xRkJjR3hJSWl3aVZFMWZRMHhKUlU1VVgwbFFJam9pTVRBdU1UWXVOekV1TnpraUxDSlVUVjlUUlZOVFNVOU9YMVJTUVU1VFJrVlNJam9pVUZjNFJEQlVVRFZyTW1GSFpFbDJUVWxZY1U1TE0yWkNaMU5uTldWQ1ZqZFlTRUZJT0hObmVDSXNJbFJOWDBSRlZrbERSVjlVUVVjaU9pSXdUMlZ1VG5GQlpHeFJNMkZ3YjFabVNHaGtjbUp1WjJGMldEUlZhak5RVkNKOS4ifQ."
} 
Note: In the POST, the decoded value of the login_hint_token JWT is:
{
    "authpol": "AT_PASA",
    "tds": "Please validate Logon",
    "channel": "CH_DIRECT",
    "usercode": "testp1",
    "deviceid": "12355",
    "createSession": "0",
    "RMSInfo": "eyJhbGciOiJub25lIn0.eyJUTV9TRVNTSU9OX1NJRCI6InJZRmNtNjVwa2hvYXdHUkZnTjFVUk5YWUhsM1FBcGxIIiwiVE1fQ0xJRU5UX0lQIjoiMTAuMTYuNzEuNzkiLCJUTV9TRVNTSU9OX1RSQU5TRkVSIjoiUFc4RDBUUDVrMmFHZEl2TUlYcU5LM2ZCZ1NnNWVCVjdYSEFIOHNneCIsIlRNX0RFVklDRV9UQUciOiIwT2VuTnFBZGxRM2Fwb1ZmSGhkcmJuZ2F2WDRVajNQVCJ9."
}

Step 2 with AT_PASA - Response

HTTP/1.1 200 OK
Cache-Control: no-store
X-Powered-By: Undertow/1
Server: JBoss-EAP/7
Content-Disposition: attachment;filename=response.json
Date: Tue, 04 Dec 2018 14:15:26 GMT
Connection: keep-alive
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 57

{
    "auth_req_id":"bdc5d14e",
    "interval":0,
    "expires_in":3600
} 
Note: As this was a CIBA-initiated request, the RMS_DETAILS are available in the audit (they are not returned in the response). See HID RMS Auditing.
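The CIBA request above nests two unsecured JWTs: the login_hint_token carries an RMSInfo claim whose value is itself an RMSINFO JWT, and that inner token is where the TM_SESSION_TRANSFER returned by the Step 1 failure response is carried into Step 2. The Python below is an added example, not HID code: it builds the Step 2 RMSInfo from the Step 1 values plus the session transfer, wraps it in a login_hint_token with the claims shown in the decoded note above, and reads the session transfer back out of the page's own login_hint_token. The claim names and sample values are taken from this page; the function names, and the choice of which Step 1 claims to carry over (the four claims present in the page's decoded RMSInfo), are mine.

```python
import base64
import json

UNSECURED_JWT_HEADER = "eyJhbGciOiJub25lIn0"  # base64url of {"alg":"none"}

# login_hint_token from the Step 2 AT_PASA request above.
PAGE_LOGIN_HINT_TOKEN = "eyJhbGciOiJub25lIn0.eyJhdXRocG9sIjoiQVRfUEFTQSIsInRkcyI6IlBsZWFzZSB2YWxpZGF0ZSBMb2dvbiIsImNoYW5uZWwiOiJDSF9ESVJFQ1QiLCJ1c2VyY29kZSI6InRlc3RwMSIsImRldmljZWlkIjoiMTIzNTUiLCJjcmVhdGVTZXNzaW9uIjoiMCIsIlJNU0luZm8iOiJleUpoYkdjaU9pSnViMjVsSW4wLmV5SlVUVjlUUlZOVFNVOU9YMU5KUkNJNkluSlpSbU50TmpWd2EyaHZZWGRIVWtablRqRlZVazVZV1Voc00xRkJjR3hJSWl3aVZFMWZRMHhKUlU1VVgwbFFJam9pTVRBdU1UWXVOekV1TnpraUxDSlVUVjlUUlZOVFNVOU9YMVJTUVU1VFJrVlNJam9pVUZjNFJEQlVVRFZyTW1GSFpFbDJUVWxZY1U1TE0yWkNaMU5uTldWQ1ZqZFlTRUZJT0hObmVDSXNJbFJOWDBSRlZrbERSVjlVUVVjaU9pSXdUMlZ1VG5GQlpHeFJNMkZ3YjFabVNHaGtjbUp1WjJGMldEUlZhak5RVkNKOS4ifQ."

# TM_SESSION_TRANSFER from the Step 1 UP Authentication failure response above.
PAGE_STEP1_SESSION_TRANSFER = "PW8D0TP5k2aGdIvMIXqNK3fBgSg5eBV7XHAH8sgx"

# Step 1 RMSINFO values for this flow, as found in the decoded login_hint_token above.
PAGE_STEP1_RMSINFO = {
    "TM_SESSION_SID": "rYFcm65pkhoawGRFgN1URNXYHl3QAplH",
    "TM_CLIENT_IP": "10.16.71.79",
    "TM_DEVICE_TAG": "0OenNqAdlQ3apoVfHhdrbngavX4Uj3PT",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_unsecured_jwt(claims: dict) -> str:
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    return f"{UNSECURED_JWT_HEADER}.{_b64url_encode(payload)}."


def decode_unsecured_jwt(token: str) -> dict:
    header, payload, signature = token.split(".")
    if signature or json.loads(_b64url_decode(header)).get("alg") != "none":
        raise ValueError("expected an unsecured (alg none) token")
    return json.loads(_b64url_decode(payload))


def build_step2_rmsinfo(step1_rmsinfo: dict, step1_failure_context: dict) -> dict:
    # Step 2 must carry TM_SESSION_TRANSFER from the Step 1 response; without it there is nothing to link the steps.
    transfer = step1_failure_context.get("TM_SESSION_TRANSFER")
    if not transfer:
        raise ValueError("Step 1 response carried no TM_SESSION_TRANSFER; cannot build the Step 2 RMSInfo")
    return {
        "TM_SESSION_SID": step1_rmsinfo["TM_SESSION_SID"],
        "TM_CLIENT_IP": step1_rmsinfo["TM_CLIENT_IP"],
        "TM_SESSION_TRANSFER": transfer,
        "TM_DEVICE_TAG": step1_rmsinfo["TM_DEVICE_TAG"],
    }


def build_login_hint_token(usercode: str, deviceid: str, rmsinfo: dict, authpol: str = "AT_PASA",
                           tds: str = "Please validate Logon", channel: str = "CH_DIRECT") -> str:
    # Claim names and order follow the decoded login_hint_token shown above; RMSInfo holds the inner JWT as a string.
    claims = {"authpol": authpol, "tds": tds, "channel": channel, "usercode": usercode,
              "deviceid": deviceid, "createSession": "0", "RMSInfo": encode_unsecured_jwt(rmsinfo)}
    return encode_unsecured_jwt(claims)


def session_transfer_from_login_hint(token: str) -> str:
    # Unwrap both layers and return the TM_SESSION_TRANSFER carried inside.
    inner = decode_unsecured_jwt(decode_unsecured_jwt(token)["RMSInfo"])
    return inner.get("TM_SESSION_TRANSFER", "")


if __name__ == "__main__":
    rmsinfo = build_step2_rmsinfo(PAGE_STEP1_RMSINFO, {"TM_SESSION_TRANSFER": PAGE_STEP1_SESSION_TRANSFER})
    token = build_login_hint_token("testp1", "12355", rmsinfo)
    print("reproduces the page's token:", token == PAGE_LOGIN_HINT_TOKEN)
    print("session transfer inside it:", session_transfer_from_login_hint(token))
```

Reading the transfer value back out of a captured login_hint_token is also the quickest way to confirm, when a push step-up is not being correlated with its first step, that the client actually forwarded the value the Step 1 response handed it.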

Block Channel (Block Score Set to 800)

POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer RTp7HwAAAWd49XAymijxrvKMwWLZ5fZ6S1VF6gyf
Content-Length: 280
Host: [base-server-url]
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

grant_type=password&username=testp1&password=activcard2018&context=RMSINFO:eyJhbGciOiJub25lIn0.eyJUTV9BUFBfREVWSUNFX0lEIjoiMTIzNDU2IiwiVE1fQVBQX1VTRVJfQUxJQVMiOiJTYW1wbGUgdXNlciBhbGlhcyIsIlRNX1NFU1NJT05fU0lEIjoicllGY202NXBraG9hd0dSRmdOMVVSTlhZSGwzUUFwbEgiLCJUTV9DTElFTlRfSVAiOiJYLlkuWi5UIiwiVE1fQVBQX1NFU1NJT05fSUQiOiJTNUNhZVVFcjBIeHJveExRUmNFbDhJcFFybHhxY1puUEhKWWFGSkV5IiwiVE1fREVWSUNFX1RBRyI6IjBPZW5OcUFkbFEzYXBvVmZIaGRyYm5nYXZYNFVqM1BUIiwiVE1fRU5WSVJPTk1FTlRfSUQiOiJQcm9kdWN0aW9uIn0.:false

Response

HTTP/1.1 400 Bad Request
Cache-Control: no-store
X-Powered-By: Undertow/1
Server: JBoss-EAP/7
Pragma: no-cache
Content-Disposition: attachment;filename=response.json
Date: Tue, 04 Dec 2018 14:34:12 GMT
Connection: keep-alive
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 855

{
    "hid_failure": {
        "reason":53,
        "context": {
            "TM_ACTION_ID":"4471",
            "LEVEL_OF_ASSURANCE":"1",
            "RMS_DETAILS":"eyJhbGciOiJub25lIn0.e…"
        },
        "authType":"AT_CUSTPW"
    },
    "error_description":"Invalid grant: Authentication score is too high, this channel is now blocked for the user",
    "error":"invalid_grant"
}

Missing RMSINFO (for a Channel Configured with HID RMS)


POST

POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer RTp7HwAAAWd49XAymijxrvKMwWLZ5fZ6S1VF6gyf
Content-Length: 58
Host: [base-server-url]
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)

grant_type=password&username=testp1&password=activcard2018

Response

HTTP/1.1 400 Bad Request
Cache-Control: no-store
X-Powered-By: Undertow/1
Server: JBoss-EAP/7
Pragma: no-cache
Content-Disposition: attachment;filename=response.json
Date: Tue, 04 Dec 2018 11:32:13 GMT
Connection: keep-alive
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Content-Length: 199

{
    "hid_failure": {
        "reason":58,
        "context": {"LEVEL_OF_ASSURANCE":"1"},
        "authType":"AT_CUSTPW"
    },
    "error_description":"Invalid grant: Missing RMS parameters information from requests",
    "error":"invalid_grant"
}
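Across the token-endpoint exchanges on this page, the client has to tell four replies apart: the 200 with an access_token, and the three 400 invalid_grant bodies whose hid_failure.reason is 51 (step-up required, with TM_AUTHENTICATION_TYPE_LIST and TM_SESSION_TRANSFER to carry into Step 2), 53 (score too high, channel blocked for the user) and 58 (RMSINFO missing from the request). The Python below is an added example, not HID code: it classifies a response into the client's next action and picks a step-up policy from the offered list. The reason codes and sample bodies are copied from the responses above (the reason 53 body with its braces balanced); the page documents no other codes, so anything else is reported as an unknown failure rather than guessed at. The function names and the outcome labels are mine.

```python
import json

# hid_failure reason codes exactly as they occur in this page's sample responses.
REASON_STEP_UP_REQUIRED = 51
REASON_CHANNEL_BLOCKED = 53
REASON_MISSING_RMS_INFO = 58

# Sample bodies copied from the responses above (RMS_DETAILS truncated as on the page).
SAMPLE_OK = json.loads(r'''{"access_token":"TXvBKAAAAWd5AGiHxQ\/X8RV\/IIrAug4yr9Jhuzqu",
 "context":{"TM_ACTION_ID":"4454","LEVEL_OF_ASSURANCE":"1","RMS_DETAILS":"eyJhbGciOiJub25lIn0.e…",
 "token_type":"Bearer","expires_in":3600}}''')
SAMPLE_STEP_UP = json.loads('''{"hid_failure":{"reason":51,"context":{"TM_AUTHENTICATION_TYPE_LIST":"AT_CUSTOTP,AT_PASA",
 "TM_ACTION_ID":"4464","LEVEL_OF_ASSURANCE":"1","RMS_DETAILS":"eyJhbGciOiJub25lIn0.e…",
 "TM_SESSION_TRANSFER":"hb4dGrRnmXN7xC9pVBH6e6XOCggneOLhDwRYagsA"},"authType":"AT_CUSTPW"},
 "error_description":"Invalid grant: Step-up authentication required","error":"invalid_grant"}''')
SAMPLE_BLOCKED = json.loads('''{"hid_failure":{"reason":53,"context":{"TM_ACTION_ID":"4471","LEVEL_OF_ASSURANCE":"1",
 "RMS_DETAILS":"eyJhbGciOiJub25lIn0.e…"},"authType":"AT_CUSTPW"},
 "error_description":"Invalid grant: Authentication score is too high, this channel is now blocked for the user",
 "error":"invalid_grant"}''')
SAMPLE_MISSING = json.loads('''{"hid_failure":{"reason":58,"context":{"LEVEL_OF_ASSURANCE":"1"},"authType":"AT_CUSTPW"},
 "error_description":"Invalid grant: Missing RMS parameters information from requests","error":"invalid_grant"}''')


def classify_token_response(status: int, body: dict) -> dict:
    # Map a reply from /authn/token to the client's next step.
    if status == 200 and "access_token" in body:
        ctx = body.get("context", {})
        return {"outcome": "authenticated", "access_token": body["access_token"],
                "expires_in": ctx.get("expires_in"), "action_id": ctx.get("TM_ACTION_ID"),
                "rms_details": ctx.get("RMS_DETAILS")}
    failure = body.get("hid_failure")
    if not failure:
        return {"outcome": "error", "error": body.get("error"), "description": body.get("error_description")}
    reason, ctx = failure.get("reason"), failure.get("context", {})
    result = {"reason": reason, "auth_type": failure.get("authType"),
              "action_id": ctx.get("TM_ACTION_ID"), "description": body.get("error_description")}
    if reason == REASON_STEP_UP_REQUIRED:
        # Step 2 needs one of the offered policies and the transfer value from this response.
        result.update(outcome="step_up_required",
                      auth_types=[t for t in ctx.get("TM_AUTHENTICATION_TYPE_LIST", "").split(",") if t],
                      session_transfer=ctx.get("TM_SESSION_TRANSFER"))
    elif reason == REASON_CHANNEL_BLOCKED:
        result["outcome"] = "channel_blocked"  # retrying will not help; the channel is blocked for this user
    elif reason == REASON_MISSING_RMS_INFO:
        result["outcome"] = "missing_rms_info"  # client-side defect: the RMSINFO context parameter was not sent
    else:
        result["outcome"] = "unknown_failure"  # code not documented on this page; surface it, do not guess
    return result


def choose_step_up(auth_types: list, preference: tuple = ("AT_PASA", "AT_CUSTOTP")) -> str:
    # First policy in the client's preference order that the server actually offered.
    for candidate in preference:
        if candidate in auth_types:
            return candidate
    raise ValueError(f"none of the offered step-up policies {auth_types} is supported by this client")


if __name__ == "__main__":
    for status, body in ((200, SAMPLE_OK), (400, SAMPLE_STEP_UP), (400, SAMPLE_BLOCKED), (400, SAMPLE_MISSING)):
        verdict = classify_token_response(status, body)
        print(verdict["outcome"], verdict.get("action_id"))
        if verdict["outcome"] == "step_up_required":
            print("  next authType:", choose_step_up(verdict["auth_types"]))
```

TM_ACTION_ID is returned on success and on the reason 51 and 53 failures alike, so logging it from every branch is what lets an operator line a client-side outcome up with the corresponding RMS audit entry later.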