This topic describes how to consume the EmpowerID REST API with the different OAuth 2.0 flows. Please note that before you can use the framework with your application, you must register that application in EmpowerID. This generates an API Key, Client Secret and Client ID for your application.
1. Initiate a request to the EmpowerID Token endpoint, https://<EID Server>/oauth/v2/token
POST /oauth/v2/token HTTP/1.1
Host: <EID Server>
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
client_id={The Client ID of the OAuth app you registered in EmpowerID}
&client_secret={The Client Secret of the OAuth app you registered in EmpowerID}
&grant_type=urn:ietf:params:oauth:grant-type:certificate-bearer
&assertion=xxxxxxxxxxxxxxxxxx
&scope=openid
Header Parameter
Required/Optional
Description
Content-Type
required
Must be application/x-www-form-urlencoded.
Post Body Parameter
Required/Optional
Description
client_id
required
Must be the EmpowerID OAuth application client identifier.
client_secret
required
Must be the EmpowerID OAuth application client secret.
grant_type
required
Must be urn:ietf:params:oauth:grant-type:certificate-bearer
scope
required
A space-separated list of strings that the user consents to. Values include openid for OpenID Connect flow.
1. The SAML assertion should follow the below format and be signed with the signing certificate and converted to Base64 string - base64(sign(<SAML Assertion>)).
When using the below SAML assertion, please do the following:
For <saml:Issuer>, replace <EmpowerID OAuth Application ClientID> with the actual ClientID of the EmpowerID OAuth Application
For <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">, replace <Signing Certificate Thumbprint> with the thumbprint of your signing certificate
The value for <saml:AuthnContextClassRef> is a constant and must not be changed.
Client Certificate Grant using .NET Client Library
1. Initialize ClientSettings by passing the client_id, client_secret, redirect_uri, token_endpoint, authorization_endpoint, tokeninfo_endpoint and userinfo_endpoint. Also initialize a new ClientCertificateGrant by passing the clientSettings model.
var clientSettings = new ClientSettings(
“client_id”,
“client_secret”,
“redirect_uri”,
“https://<EID Server>/oauth/v2/token”,
“https://<EID Server>/oauth/v2/ui/authorize”,
“https://<EID Server>/oauth/v2/tokeninfo”,
“https://<EID Server>/oauth/v2/userinfo”);
var handler = new ClientCertificateGrant (clientSettings);
2. Call the GetAccessToken()method to retrieve the access_token, refresh_token, and other token related information.