Overview of OAuth Specified Endpoints and their Support by iWelcome

The following overview lists endpoints that have been specified in the core OAuth specification and related extensions.

Endpoint | Specification | Mandatory/Optional | Supported by iWelcome as Authorisation Server (IdP) | Description
authorisation endpoint | [ rfc6749 - OAuth 2.0 ] | Mandatory | ✅ POST, GET | Endpoint that processes Authorisation Request messages and returns Authorisation Response messages, Access Token Response messages or Error Response messages.
token endpoint | [ rfc6749 - OAuth 2.0 ] | Mandatory | ✅ POST | Endpoint that receives Access Token Request messages and Refresh Request messages and returns Access Token Response messages or Error Response messages.
redirection endpoint | [ rfc6749 - OAuth 2.0 ] | n.a. | n.a. | This endpoint is not applicable for iWelcome as an Authorisation Server; it is a redirection endpoint at the OAuth client.
device registration endpoint | [ OAuth device ] | Mandatory | ✖️ |
introspection endpoint | [ RFC7662 Token Introspection ] | | | Protected endpoint that allows protected resources to query the Authorization Server to determine the set of metadata for a given token that was presented to them by an OAuth 2.0 client.
token revocation endpoint | [ RFC 7009 Token Revocation ] | | | Endpoint that allows clients to revoke their tokens when the end-user logs out, changes identity, or uninstalls the respective application.
TokenInfo endpoint | proprietary | n.a. | | ⚠️ This endpoint will be deprecated by Q4 2020 and should not be used for new projects; it will be replaced by the TokenIntrospect and UserInfo endpoints. Public proprietary endpoint that the Resource Server can use to check the validity of an Access Token (it may have been revoked) and to obtain more detailed information about the token or the end-user's attribute values.
userinfo endpoint | [ OIDC ] | Mandatory | |
client registration endpoint | [ OIDC ] | Optional | ✖️ | RESTful web API for registering client apps with the OP. Registration may be protected (require pre-authorisation) or open (public).
session management | [ OIDC ] | Optional | ✖️ | Enables client apps to check whether a logged-in user still has an active session with the OpenID Connect provider. Also facilitates logout.
provider JWK set | [ OIDC ] | Optional | | JSON document containing the provider's public keys (typically RSA) in JSON Web Key (JWK) format. These keys are used to secure the issued ID tokens and other artifacts.
provider metadata | [ OIDC ] | Optional | | JSON document listing the OP endpoint URLs and the OpenID Connect/OAuth 2.0 server features that it supports. Client apps can use this information to configure their requests to the OP.
webfinger | [ OIDC ] | Optional | ✖️ | Enables dynamic discovery of the OpenID Connect provider for a given user, based on their email address or some other information.

iWelcome Endpoints for OAuth Clients and OAuth Resource Servers

iWelcome can serve multiple brands from a single environment (so-called 'Multi-branding'). This affects the URLs at which the endpoints are made available. iWelcome supports 2 mechanisms to do so:

• one domain with multiple brands
• multiple domains that imply the brand

One domain

Endpoint | URL
authorisation endpoint | https://< DomainURI >/auth/oauth2.0/v1/authorize
token endpoint | https://< DomainURI >/auth/oauth2.0/v1/token
UserInfo | https://< DomainURI >/auth/oauth2.0/v1/userinfo
introspect | https://< DomainURI >/auth/oauth2.0/v1/introspect
revoke | https://< DomainURI >/auth/oauth2.0/v1/revoke
OpenID well-known | https://< DomainURI >/auth/oauth2.0/v1/.well-known/openid-configuration
JWKS | https://< DomainURI >/auth/oauth2.0/v1/jwk_uri

One domain with multiple brands

Endpoint | URL
authorisation endpoint | https://< DomainURI >/< Brand >/auth/oauth2.0/v1/authorize
token endpoint | https://< DomainURI >/< Brand >/auth/oauth2.0/v1/token
introspect | https://< DomainURI >/< Brand >/auth/oauth2.0/v1/introspect
revoke | https://< DomainURI >/< Brand >/auth/oauth2.0/v1/revoke
UserInfo | https://< DomainURI >/< Brand >/auth/oauth2.0/v1/userinfo
OpenID well-known | https://< DomainURI >/< Brand >/auth/oauth2.0/v1/.well-known/openid-configuration
JWKS | https://< DomainURI >/< Brand >/auth/oauth2.0/v1/jwk_uri

Multiple domains

Endpoint | URL (brand 1) | URL (brand 2)
authorisation endpoint | https://< BrandedDomainURI1 >/auth/oauth2.0/v1/authorize | https://< BrandedDomainURI2 >/auth/oauth2.0/v1/authorize
token endpoint | https://< BrandedDomainURI1 >/auth/oauth2.0/v1/token | https://< BrandedDomainURI2 >/auth/oauth2.0/v1/token
introspect | https://< BrandedDomainURI1 >/auth/oauth2.0/v1/introspect | https://< BrandedDomainURI2 >/auth/oauth2.0/v1/introspect
revoke | https://< BrandedDomainURI1 >/auth/oauth2.0/v1/revoke | https://< BrandedDomainURI2 >/auth/oauth2.0/v1/revoke
UserInfo | https://< BrandedDomainURI1 >/auth/oauth2.0/v1/userinfo | https://< BrandedDomainURI2 >/auth/oauth2.0/v1/userinfo
OpenID well-known | https://< BrandedDomainURI1 >/auth/oauth2.0/v1/.well-known/openid-configuration | https://< BrandedDomainURI2 >/auth/oauth2.0/v1/.well-known/openid-configuration
JWKS | https://< BrandedDomainURI1 >/auth/oauth2.0/v1/jwk_uri | https://< BrandedDomainURI2 >/auth/oauth2.0/v1/jwk_uri
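The following is an added example, not iWelcome's own code. It builds the endpoint URLs for the branding mechanisms in the tables above and shows how a Resource Server uses the introspection endpoint (RFC 7662) and how a client uses the revocation endpoint (RFC 7009) from the endpoint overview, which is the replacement the TokenInfo deprecation note points to. It goes beyond the page in one respect: it includes the decision a Resource Server should make on the introspection response (active, expiry, audience, scope), which the page does not spell out. The domain `idp.example.com`, the brand `acme`, the client credentials and the sample introspection responses are all constructed placeholders; requests are built but not sent.

```python
"""Added example (not iWelcome's code): endpoint URLs for the branding modes,
plus the resource-server side of introspection (RFC 7662) and revocation
(RFC 7009). Domain, brand, credentials and responses are constructed placeholders."""
import base64
import time
from typing import Optional, Tuple
from urllib.parse import quote, urlencode
from urllib.request import Request

# Path suffixes as listed in the URL tables on this page; only the prefix differs per mode.
ENDPOINT_PATHS = {
    "authorize": "/auth/oauth2.0/v1/authorize",
    "token": "/auth/oauth2.0/v1/token",
    "userinfo": "/auth/oauth2.0/v1/userinfo",
    "introspect": "/auth/oauth2.0/v1/introspect",
    "revoke": "/auth/oauth2.0/v1/revoke",
    "openid-configuration": "/auth/oauth2.0/v1/.well-known/openid-configuration",
    "jwks": "/auth/oauth2.0/v1/jwk_uri",
}


def endpoint_urls(domain: str, brand: Optional[str] = None) -> dict:
    """Full endpoint URLs for one domain.

    brand=None gives the single-domain layout, which is also what each branded
    domain uses in the 'multiple domains' mode (call once per BrandedDomainURI).
    A brand string selects 'one domain with multiple brands', where the brand
    is a path segment between the domain and /auth/...
    """
    prefix = "https://" + domain
    if brand is not None:
        # Percent-encode the brand so a value containing '/' or '..' cannot alter the path.
        prefix += "/" + quote(brand, safe="")
    return {name: prefix + path for name, path in ENDPOINT_PATHS.items()}


def _client_post(url: str, form: dict, client_id: str, client_secret: str) -> Request:
    """Build (not send) a client-authenticated POST: HTTP Basic credentials in
    the header and the token form-encoded in the body, never in the query string."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return Request(url, data=urlencode(form).encode(), method="POST",
                   headers={"Authorization": "Basic " + creds,
                            "Content-Type": "application/x-www-form-urlencoded"})


def introspection_request(urls: dict, token: str, client_id: str, client_secret: str) -> Request:
    """RFC 7662 request a Resource Server sends to the introspect endpoint."""
    return _client_post(urls["introspect"], {"token": token, "token_type_hint": "access_token"},
                        client_id, client_secret)


def revocation_request(urls: dict, refresh_token: str, client_id: str, client_secret: str) -> Request:
    """RFC 7009 request a client sends at logout so the refresh token stops working."""
    return _client_post(urls["revoke"], {"token": refresh_token, "token_type_hint": "refresh_token"},
                        client_id, client_secret)


def decide_access(introspection: dict, expected_aud: str, required_scope: str,
                  now: Optional[float] = None) -> Tuple[bool, str]:
    """Resource-server decision on a parsed introspection response.

    'active' is checked first: when it is false the server may omit every other
    member, so nothing else in the response can be relied on. The token must then
    be unexpired, issued for this Resource Server (aud may be a string or a list)
    and carry the scope the operation needs.
    """
    now = time.time() if now is None else now
    if introspection.get("active") is not True:
        return False, "token inactive or revoked"
    exp = introspection.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "token expired or missing exp"
    aud = introspection.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if expected_aud not in audiences:
        return False, "token not issued for this resource server"
    if required_scope not in introspection.get("scope", "").split():
        return False, "required scope not granted"
    return True, "ok"


# Constructed sample responses shaped like RFC 7662 output; not captured from iWelcome.
ACTIVE_RESPONSE = {"active": True, "scope": "openid orders.read", "client_id": "mobile-app",
                   "sub": "user-123", "aud": "api://orders", "iat": 1600000000, "exp": 1600000600}
REVOKED_RESPONSE = {"active": False}

if __name__ == "__main__":
    urls = endpoint_urls("idp.example.com", brand="acme")
    print(introspection_request(urls, "opaque-token", "orders-api", "secret").full_url)
    print(decide_access(ACTIVE_RESPONSE, "api://orders", "orders.read", now=1600000300))
    print(decide_access(REVOKED_RESPONSE, "api://orders", "orders.read", now=1600000300))
```

The order of checks in `decide_access` is deliberate: a revoked token answered with `{"active": false}` carries no claims, so reading `exp` or `aud` before `active` would turn a revocation into a KeyError or, worse, a default that passes. Brand values are percent-encoded because in the 'one domain with multiple brands' mode the brand is a path segment, and an unencoded value could otherwise rewrite the rest of the URL.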