# Obtaining Access Tokens
Authenticate client applications with the Raidiam Authorisation Server and get access tokens that enable your application to access Connect APIs. OAuth access tokens are digital credentials that grant permission to access specific resources (Raidiam Connect APIs) on behalf of a user or application without exposing user credentials such as usernames and passwords.

## Specifications

The Raidiam Authorisation Server adheres to the stringent requirements of the Financial-grade API (FAPI) 2.0 Security Profile, ensuring robust data protection and safeguarding against unauthorized API access. Below you'll find a comprehensive list of specifications related to the integration process for obtaining access tokens issued by the Raidiam Authorisation Server:

- Proof Key for Code Exchange (PKCE), RFC 7636
- OAuth 2.0 Pushed Authorization Requests (PAR), RFC 9126
- JWT-Secured Authorization Request (JAR), RFC 9101, and the connected JSON Web Token (JWT, RFC 7519), JSON Web Signature (JWS, RFC 7515) and JSON Web Encryption (JWE, RFC 7516)
- OAuth 2.0 Authorization Framework, RFC 6749: Authorization Code grant type (Section 1.3.1)
- OAuth 2.0 Authorization Framework, RFC 6749: Client Credentials grant (Section 4.4)
- Client authentication:
  - `tls_client_auth`: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens, RFC 8705
  - `private_key_jwt`: Assertion Framework for OAuth 2.0 Client Authentication, RFC 7521

## Access Token Scope

An access token scope is a parameter used in OAuth to define the specific permissions or actions that the access token allows when accessing a resource on behalf of a user. Scopes help control the level of access granted to the application, ensuring that the token only has the permissions necessary for the requested operation.

An application can request one or more scopes. This information must be included in the call to the PAR endpoint, the OAuth authorization endpoint and the OAuth token endpoint, and it is presented to the user in the consent screen (after the call to the OAuth authorization endpoint). The access token issued to the application is limited to the scopes granted by the user in the OAuth Authorization Code flow, and to the scopes requested by the application in machine-to-machine scenarios using the OAuth Client Credentials flow.

In Raidiam Connect, applications can utilize the following scopes:

- `directory:software`: for client-management operations like getting a list of all applications registered within the ecosystem or federation, generating Software Statement Assertions, scanning for new data receiver applications, retrieving public certificates, and more. Additionally, with the `directory:software` scope you can perform read operations on all resources available within the Trust Framework. An application that has a token with the `directory:software` scope can perform write operations only on the APIs related to this application; in other words, an application with this scope can request, for example, an application-level certificate only for itself and not for other applications. Requesting the `directory:software` scope can be done using the Client Credentials flow without involving users.
- `directory:website`: for web-based operations like administering the underlying Trust Framework, onboarding organisations, and more, on behalf of a super user, a Trust Framework administrator or another user type with appropriate permissions. Requesting the `directory:website` scope implies using the OAuth Authorization Code flow and involves authenticating users and getting their consent. If your organisation needs to get tokens with the `directory:website` scope in a machine-to-machine scenario (with the Client Credentials flow), it can be done by creating a role that has such metadata configured and assigning it to the organisation and application. Contact your Trust Framework participants to request such a role.
- Trust Framework profile scope: necessary when using the OAuth Authorization Code flow and Raidiam Connect as a Single Sign-On (SSO) provider to other external platforms.
- Scopes related to OpenID Connect, used with the OAuth Authorization Code flow:
  - `openid`: to indicate that the application intends to use OIDC to verify the user's identity.
  - `profile`: to get basic profile information like the user's name, family name, and more.
  - `email`: to get the user's email address.

In Raidiam Connect, the scopes your application can request are determined by the application's role and its associated metadata. To request the `directory:website` scope, the application needs to have the `scope` role metadata type assigned with the value set to `directory:website`. In Connect, all applications are assigned the Client Credentials flow and the `directory:software` scope by default. Note that the application role is not the value of the `scope` parameter.

## Client Authentication Methods

Client applications may authenticate themselves using one of the following methods:

- `tls_client_auth`: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens, RFC 8705
- `private_key_jwt`: Assertion Framework for OAuth 2.0 Client Authentication, RFC 7521

## Obtaining Tokens Cheatsheet

| Grant type | When | Other specifications | Client authentication method | Scopes |
|---|---|---|---|---|
| Authorization Code flow | When performing web-based operations related to administrative tasks | PKCE (RFC 7636); PAR (RFC 9126); if message signing is required: JAR (RFC 9101) and the connected JWT (RFC 7519), JWS (RFC 7515) and JWE (RFC 7516) | `tls_client_auth` (RFC 8705) or `private_key_jwt` (RFC 7521) | `directory:website`, `openid`, `email`, `profile` |
| Client Credentials flow | Managing an application, performing read operations for all resources available within the platform, pulling a list of all registered clients, getting a list of all available authorisation servers to scan for data providers, obtaining information about the APIs published within the ecosystem or federation, and more | N/A | `tls_client_auth` (RFC 8705) or `private_key_jwt` (RFC 7521) | `directory:software` |

```mermaid
flowchart TB
  id1{What would you like to do?}
  id2[Manage client, pull registered apps]
  id3[Administer Trust Framework]
  id1 --> id2
  id1 --> id3
  id4{{"grant_type=client_credentials"}}
  id5{{"scope=directory:software"}}
  id2 --> id4
  id2 --> id5
  id6{Client authentication?}
  id7{{tls_client_auth}}
  id8{{private_key_jwt}}
  id2 --> id6
  id6 --> id7
  id6 --> id8
  id9("Request org- or app-level transport certificate")
  id100("Utilize mTLS endpoint aliases")
  id7 --> id9
  id7 --> id100
  id10("Request signing certificate to sign JWT")
  id8 --> id10
  id11{{"grant_type=authorization_code"}}
  id3 --> id11
  id12("Use Pushed Authorization Requests (PAR)")
  id11 --> id12
  id13("Use Proof Key for Code Exchange (PKCE)")
  id11 --> id13
  id110("Use message signing if required for your application")
  id11 --> id110
  id3 --> id6
  id14[Available scopes]
  id3 --> id14
  id15{{"directory:website"}}
  id16{{openid}}
  id17{{profile}}
  id18{{email}}
  id14 --> id15
  id14 --> id16
  id14 --> id17
  id14 --> id18
```
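As an added example (not code from the Raidiam documentation), the following Python assembles what a client needs for both rows of the cheatsheet: a PKCE S256 verifier/challenge, a `private_key_jwt` client assertion, and the form bodies for the PAR endpoint and the Client Credentials token request. Client IDs and endpoint URLs are constructed placeholders, and the signer is supplied by the caller (PS256 with the application's signing-certificate key in a real FAPI 2.0 client), so the example runs offline with a stand-in.

```python
import base64
import hashlib
import json
import secrets
import time
from typing import Callable, Optional
from urllib.parse import urlencode

ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def b64url(data: bytes) -> str:
    """Base64url without padding, as used by JWS (RFC 7515) and PKCE (RFC 7636)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def pkce_pair(verifier: Optional[str] = None) -> tuple:
    """RFC 7636: a high-entropy code_verifier and its S256 code_challenge."""
    verifier = verifier or b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 limit
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def client_assertion(client_id: str, token_endpoint: str, sign: Callable[[bytes], bytes],
                     kid: str, alg: str = "PS256", ttl: int = 60) -> str:
    """private_key_jwt assertion (RFC 7521/7523): iss == sub == client_id, aud == the token
    endpoint, a unique jti and a short lifetime. `sign` is the caller's signer over the JWS
    signing input (assumed: PS256 with the application's signing-certificate key)."""
    now = int(time.time())
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": secrets.token_hex(16), "iat": now, "exp": now + ttl}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(claims)}"
    return f"{signing_input}.{b64url(sign(signing_input.encode('ascii')))}"

def assertion_claims(jwt: str) -> dict:
    """Decode (without verifying) the claims of a compact JWS, restoring base64url padding."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def par_body(client_id: str, redirect_uri: str, scopes: list, challenge: str, assertion: str) -> str:
    """Form body for the PAR endpoint (RFC 9126): Authorization Code request with PKCE S256."""
    return urlencode({"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
                      "scope": " ".join(scopes), "code_challenge": challenge,
                      "code_challenge_method": "S256", "state": secrets.token_urlsafe(16),
                      "nonce": secrets.token_urlsafe(16),
                      "client_assertion_type": ASSERTION_TYPE, "client_assertion": assertion})

def client_credentials_body(assertion: str) -> str:
    """Form body for the token endpoint in the machine-to-machine (Client Credentials) flow."""
    return urlencode({"grant_type": "client_credentials", "scope": "directory:software",
                      "client_assertion_type": ASSERTION_TYPE, "client_assertion": assertion})
```

With `tls_client_auth` instead of `private_key_jwt`, drop the two `client_assertion*` parameters and send the same bodies over the mTLS endpoint alias with the transport certificate.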