Authenticate with the Resource Owner Password

This method does not require end user interaction with the ActivID AS server authentication portal. Instead, the OpenID client needs to pass the end user’s password.

Note: This flow only supports password authentication.

  1. Create an OpenID credential client (public client is not supported):

    The client’s configuration indicates the end user’s authentication policy and authentication channel.

    1. Log on to the ActivID Management Console as an ActivID Administrator (for example, ftadmin).

    2. In the Configuration tab, under Environment, select Adapters and click Add (see Create an OpenID adapter – with the same name as the “OpenID administrator”).

    3. Select the Access Administration tab and, under User Organization, select Administration Groups.

    4. Click on the name of the System Users group (the Administration Group of the ‘OpenID client’).

    5. Select the Permissions tab, and verify that the Read Reference Data permission is assigned to the group.

  2. Authenticate the OpenID client:

    Use the client’s authentication method to authenticate the client and get the bearer token.

    Sample request (PKI authentication via TLS)

    POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
     
    grant_type=urn:hid:oauth:grant-type:client-secret-pki&client_id=client1

    Sample response

    HTTP/1.1 200 OK
    Cache-Control: no-store
    Content-Type: application/json;charset=UTF-8
                 
    {
       "access_token": "m8kwawAAAWWLVMh0jZ1DXLwiTag2nsC6iWdH5wcb",
       "context": {"LEVEL_OF_ASSURANCE": "2"},
       "token_type": "Bearer",
       "expires_in": 84600
    }
  3. Authenticate the end user:

    Send a token request to the token endpoint with the end user’s password to authenticate the end user.

    The client’s access token (obtained in the previous step) is passed as the bearer token in the request’s Authorization header.

    Sample request

    POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Authorization: Bearer m8kwawAAAWWP5P7bvsa1uHG2Il1aw6sp6Zyt+GwV
     
    grant_type=password&username=test01&password=password01

    Sample response

    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
     
    {
       "access_token": "TXsPRQAAAWWP7PDvMVoitWv4cFjqAd12FBUtD9ik",
       "context": {"LEVEL_OF_ASSURANCE": "1"},
       "token_type": "Bearer",
       "expires_in": 3600
    }
  4. Use the end user’s bearer access token with the OpenID Connect API:

    Sample request

    GET {tenant}/authn/userinfo HTTP/1.1
    Authorization: Bearer TXsPRQAAAWWP7PDvMVoitWv4cFjqAd12FBUtD9ik

    Sample response

    HTTP/1.1 200 OK
    Content-Type: application/jwt;charset=UTF-8
     
    eyJraWQiOiIxNTM0NDI5MTA0Njg1IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ0ZXN0MDEiLCJncm91cGlkcyI6WyJVU0dfQ1VTVDEiXSwicm9sZXMiOltdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0MDEifQ.mlQx6NcCJ4yaAOufq8gY_AP7CeykC0utAd6nibCe1lBOJ-2p-Jj_F4uCVBoY0vpzEsGtn6z2oQPvTHl48gjSSSXtsm8LQSotWPIq-kRBmwuOUkHgg1qKx-u1SHeLm-XM8mN8Iv6YZ_qylvLrahXo9H6ypWHhgcpo4osBy0NcWObgP_2dAVyB0KxJ4RdIOLEzn2iOi_pyTKmxcx_JSV8nm4F1sit1VS8tN8xbbVqBpHEfA_0Bvtij3RhILKzCkd0BOaFfv3bks70UM170fcBfPRB597tpkM5FSkatgY9O4xGpv64_X0CthMbdlb6F6vNmZualSMJhnygAA2VBdHa25A

    where the payload of the JWT in the response is:

    {
      "sub": "test01",
      "groupids": [
        "USG_CUST1"
      ],
      "roles": [],
      "preferred_username": "test01"
    }
  5. Revoke the end user’s bearer access token:

    Sample request

    https://[base-server-url]/{tenant}/authn/revoke HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Authorization: Bearer m8kwawAAAWWQD1MgvVmT6VT5TqfuDBguk04wzX5n
     
    token=TXsPRQAAAWWQEGEv%2B3aQ6sodLAYUpPPzZK%2BOwX9B&client_id=client1

    Sample response

    HTTP/1.1 200 OK
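The flow above as an added Python example (it is not part of the ActivID documentation or product code): it builds the form bodies and headers for the client token, password grant and revoke requests exactly as the samples show them, parses a token response, and decodes the userinfo JWT. The endpoint paths keep the {tenant} placeholder, the sample tokens are the ones from the samples above, the JWT signature segment is a constructed placeholder, and nothing is sent over the network.

```python
import base64
import json
from urllib.parse import urlencode

FORM = {"Content-Type": "application/x-www-form-urlencoded"}  # every request is a form post

def client_token_request(client_id):
    """Step 2: the client authenticates (PKI via TLS) and asks for its own bearer token."""
    body = urlencode({"grant_type": "urn:hid:oauth:grant-type:client-secret-pki",
                      "client_id": client_id}, safe=":")
    return "/{tenant}/authn/token", dict(FORM), body

def password_grant_request(client_bearer, username, password):
    """Step 3: the client's bearer token authorizes a password grant for the end user."""
    headers = dict(FORM, Authorization="Bearer " + client_bearer)
    body = urlencode({"grant_type": "password", "username": username, "password": password})
    return "/{tenant}/authn/token", headers, body

def revoke_request(client_bearer, token, client_id):
    """Step 5: revoke the end user's token; a '+' inside the token must travel as %2B."""
    headers = dict(FORM, Authorization="Bearer " + client_bearer)
    return "/{tenant}/authn/revoke", headers, urlencode({"token": token, "client_id": client_id})

def parse_token_response(body):
    """Return (access_token, expires_in, level_of_assurance) from a token response."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    return data["access_token"], int(data["expires_in"]), data["context"]["LEVEL_OF_ASSURANCE"]

def _b64url_json(segment):
    # compact-JWT segments carry no '=' padding; restore it before decoding
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def decode_userinfo_jwt(jwt):
    """Split the userinfo JWT into (header, claims). This only decodes: the RS256 signature
    must still be verified with the issuer key named by header['kid'] before the claims are trusted."""
    header, payload, _signature = jwt.split(".")
    return _b64url_json(header), _b64url_json(payload)

# Constructed sample inputs: the token response and the JWT header/payload are the samples
# shown above; the JWT signature segment is a placeholder, not a real signature.
SAMPLE_USER_TOKEN_RESPONSE = ('{"access_token": "TXsPRQAAAWWP7PDvMVoitWv4cFjqAd12FBUtD9ik", '
                              '"context": {"LEVEL_OF_ASSURANCE": "1"}, "token_type": "Bearer", "expires_in": 3600}')
SAMPLE_USERINFO_JWT = ("eyJraWQiOiIxNTM0NDI5MTA0Njg1IiwiYWxnIjoiUlMyNTYifQ."
                       "eyJzdWIiOiJ0ZXN0MDEiLCJncm91cGlkcyI6WyJVU0dfQ1VTVDEiXSwicm9sZXMiOltdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0ZXN0MDEifQ."
                       "c2lnbmF0dXJlLXBsYWNlaG9sZGVy")
```

Decoding the JWT shows which key id and algorithm the server used, which is what a verifier needs to look up the right public key; the header from the sample names kid 1534429104685 and RS256.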