APIs

Obtaining Access Tokens

Authenticate client applications with Raidiam Authorisation Server. Get access tokens enabling your application to access Connect APIs.
﻿
OAuth Access Tokens are digital credentials that grant permission to access specific resources -- Raidiam Connect APIs -- on behalf of a user or application without exposing user credentials, like usernames and passwords.
Specifications
The Raidiam Authorisation Server adheres to the stringent requirements of the Financial Grade API (FAPI) 2.0 Security Profile, ensuring robust data protection and safeguarding against unauthorized API access. Below, you’ll find a comprehensive list of specifications related to the integration process for obtaining access tokens issued by the Raidiam Authorisation Server:
﻿Proof Key for Code Exchange RFC7636﻿
﻿OAuth 2.0 Pushed Authorization Requests (PAR) RFC9126﻿
﻿JWT-Secured Authorization Request (JAR) RFC9101 and connected:

﻿JSON Web Token RFC7519﻿
﻿JSON Web Signature (JWS) RFC7515﻿
﻿JSON Web Encryption (JWE) RFC7516

﻿OAuth 2.0 Authorization Framework RFC6749﻿ -- Authorization Code Grant Type section 1.3.1﻿
﻿OAuth 2.0 Authorization Framework RFC6749﻿ -- Client Credentials Grant section #4.4﻿
Client authentication:

tls_client_auth -- Mutual-TLS Client Authentication and Certificate-Bound Access Tokens RFC8705﻿
private_key_jwt - Assertion Framework for OAuth 2.0 Client Authentication RFC7521﻿
Access Token Scope
An access token scope is a parameter used in OAuth to define the specific permissions or actions that the access token allows when accessing a resource on behalf of a user. Scopes help control the level of access granted to the application, ensuring that the token only has the permissions necessary for the requested operation.
An application can request one or more scopes. This information:
Must be included in the call to the PAR endpoint, OAuth Authorization Endpoint, and OAuth Token Endpoint.
Is presented to the user in the consent screen (after the call to the OAuth Authorization Endpoint)
The access token issued to the application is limited to the scopes granted by the user -- for OAuth Authorization Code Flow -- and to scopes requested by the applications in machine-to-machine scenarios using the OAuth Client Credentials Flow.
In Raidiam Connect, applications can utilize the following scopes:
directory:software: for client-management-related operations like getting a list of all applications registered within the ecosystem or federation, generating Software Statement Assertions, scanning for new Data Receiver applications, retrieval of public certificates, and more. Additionally, with the directory:software scope, you can perform READ operations on all resources available within the Trust Framework.

Application that has a token with the directory:software scope can perform WRITE operations only on the APIs related to this application. In other words, an application with this scope can request, for example, an application-level certificate only for itself and not for other application.

Requesting the directory:software scope can be done using the client credentials flow without involving the users.
﻿
﻿directory:website: for web-based operations like administering the underlying Trust Framework, onboarding Organisations, and more on behalf of a Super User -- a Trust Framework Administrator -- or other User Type with appropriate permissions.

Requesting the directory:website scope implies using the OAuth Authorization Code Flow and involves authenticating users and getting their consent.

If your organisation needs to get tokens with the directory:website scope in a machine-to-machine scenario (with the Client Credentials Flow), it can be done by creating a Role that has such metadata configured and assigning it to the Organisation and Application. Contact your Trust Framework Administrator﻿ to request such a role.

trust_framework_profile: scope necessary when using the OAuth Authorization Code Flow and Raidiam Connect as a Single Sign On (SSO) provider to other external platforms.

Scopes related to OpenID Connect when using the OAuth Authorization Code Flow:

openid: to indicate that the application intends to use OIDC to verify the user's identity.
profile: to get basic profile information like the user's name, family name, and more.
﻿email: to get the user's email address﻿
In Raidiam Connect, the scopes your application can request are determined by the application's Role and its associated Metadata. 
﻿
To request the directory:websitescope, the application needs to have the scope Role Metadata Type assigned with the value set to directory:website.
In Connect, all applications are assigned the client_credentials flow and directory:software scope by default.
Note that the application Role is not the value of the scope parameter.
Client Authentication Methods
Client applications may authenticate themselves using the following ways:
tls_client_auth -- Mutual-TLS Client Authentication and Certificate-Bound Access Tokens RFC8705﻿
private_key_jwt - Assertion Framework for OAuth 2.0 Client Authentication RFC7521﻿
Obtaining Tokens: CheatSheet
Grant Type
When
Other Specifications
Client Authentication Method
Scopes
Authorization Code Flow
When performing web-based operations related to administrative tasks
﻿Proof Key for Code Exchange RFC7636
﻿
﻿OAuth 2.0 Pushed Authorization Requests (PAR) RFC9126
 
If Message Signing is required: JWT-Secured Authorization Request (JAR) RFC9101 and connected:

﻿JSON Web Token RFC7519﻿
﻿JSON Web Signature (JWS) RFC7515﻿
﻿JSON Web Encryption (JWE) RFC7516﻿
tls_client_auth -- Mutual-TLS Client Authentication and Certificate-Bound Access Tokens RFC8705
﻿
private_key_jwt - Assertion Framework for OAuth 2.0 Client Authentication RFC7521﻿
directory:website
openid
email
profile
﻿
﻿
﻿
﻿
﻿
Client Credentials Flow
Managing an application, performing READ operations for all resources available within the platform, pulling a list of all registered clients, getting a list of all available authorisation servers to scan for Data Providers, obtaining information about the APIs published within the ecosystem or federation, and more
n/a
tls_client_auth -- Mutual-TLS Client Authentication and Certificate-Bound Access Tokens RFC8705
﻿
private_key_jwt - Assertion Framework for OAuth 2.0 Client Authentication RFC7521﻿
directory:software
flowchart TB
id1{What would you like to do?}
id2[Manage Client, Pull Registered Apps]
id3[Administer Trust Framework]
id1-->id2
id1-->id3
id4{{grant_type=client_credentials}}
id5{{scope=directory:software}}
id2-->id4
id2-->id5
id6{Client Authentication?}
id7{{tls_client_auth}}
id8{{private_key_jwt}}
id2-->id6
id6-->id7
id6-->id8
id9(Request Org or App Level Transport Certificate)
id100(Utilize mTLS endpoint aliases)
id7-->id9
id7-->id100
id10(Request Signing Certificate to sign JWT)
id8-->id10
id11{{grant_type=authorization_code}}
id3-->id11
id12(Use Pushed Authorization Requests - PAR)
id11-->id12
id13(Use Proof Key of Code Exchange)
id11-->id13
id110(Use Message Signing if required for your application)
id11-->id110
id3-->id6
id14[Available Scopes]
id3-->id14
id15{{directory:website}}
id16{{openid}}
id17{{profile}}
id18{{email}}
id14-->id15
id14-->id16
id14-->id17
id14-->id18
flowchart TB
id1{What would you like to do?}
id2[Manage Client, Pull Registered Apps]
id3[Administer Trust Framework]
id1-->id2
id1-->id3
id4{{grant_type=client_credentials}}
id5{{scope=directory:software}}
id2-->id4
id2-->id5
id6{Client Authentication?}
id7{{tls_client_auth}}
id8{{private_key_jwt}}
id2-->id6
id6-->id7
id6-->id8
id9(Request Org or App Level Transport Certificate)
id100(Utilize mTLS endpoint aliases)
id7-->id9
id7-->id100
id10(Request Signing Certificate to sign JWT)
id8-->id10
id11{{grant_type=authorization_code}}
id3-->id11
id12(Use Pushed Authorization Requests - PAR)
id11-->id12
id13(Use Proof Key of Code Exchange)
id11-->id13
id110(Use Message Signing if required for your application)
id11-->id110
id3-->id6
id14[Available Scopes]
id3-->id14
id15{{directory:website}}
id16{{openid}}
id17{{profile}}
id18{{email}}
id14-->id15
id14-->id16
id14-->id17
id14-->id18
﻿
﻿

Grant Type	When	Other Specifications	Client Authentication Method	Scopes
Authorization Code Flow	When performing web-based operations related to administrative tasks	Proof Key for Code Exchange RFC7636 OAuth 2.0 Pushed Authorization Requests (PAR) RFC9126 If Message Signing is required: JWT-Secured Authorization Request (JAR) RFC9101 and connected: JSON Web Token RFC7519 JSON Web Signature (JWS) RFC7515 JSON Web Encryption (JWE) RFC7516	tls_client_auth -- Mutual-TLS Client Authentication and Certificate-Bound Access Tokens RFC8705 private_key_jwt - Assertion Framework for OAuth 2.0 Client Authentication RFC7521	directory:website openid email profile

Client Credentials Flow	Managing an application, performing READ operations for all resources available within the platform, pulling a list of all registered clients, getting a list of all available authorisation servers to scan for Data Providers, obtaining information about the APIs published within the ecosystem or federation, and more	n/a	tls_client_auth -- Mutual-TLS Client Authentication and Certificate-Bound Access Tokens RFC8705 private_key_jwt - Assertion Framework for OAuth 2.0 Client Authentication RFC7521	directory:software

Relevant Endpoints

Client Credentials Flow: Obtain Access Token