Credential API
This document describes the Onegini IDP API operations to validate credentials.
API-3 Validate person credentials
Endpoint: POST /api/credentials/validate
This endpoint validates a person's credentials.
Request parameters must include the username, the encrypted password and an encryption parameter that secures the encryption.
The parameter password contains the password encrypted according to the following example and converted to Base64. The parameter encryption_parameter contains a 16-byte random initialization vector converted to Base64. The initialization vector must be a secure random value that is generated anew for every single call. The Base64 encoding used in the request is the standard Basic Base64 according to RFC 4648 (so NOT the URL and filename safe variant).
The response is HTTP 200 OK with the person details in the body if the credentials are valid, or HTTP 401 Unauthorized if the username and password combination is invalid.
Error messages contain an error code and description. The following errors may occur:
HTTP ERROR | Error Code | Description |
---|---|---|
400 | 3001 | Missing required request parameter |
400 | 3002 | Invalid parameter encryption |
403 | 3003 | Person found but is missing one or more verified attributes which are required |
503 | 1001 | The credentials API is currently not available |
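The initialization vector and Base64 rules above can be checked on the client before a request is sent. The following is an added example, not Onegini code: the function names and sample bodies are constructed for illustration, random bytes stand in for the encrypted password (the encryption routine itself is not shown here), and the findings are local checks, not the server's error codes.

```python
import base64
import json
import secrets

IV_LENGTH = 16  # bytes required for encryption_parameter

def new_iv() -> bytes:
    return secrets.token_bytes(IV_LENGTH)  # OS CSPRNG; call once per request

def build_body(username: str, ciphertext: bytes, iv: bytes) -> str:
    """Serialize a request using the standard ('+', '/', '=') Base64 alphabet."""
    enc = lambda b: base64.b64encode(b).decode("ascii")
    return json.dumps({"username": username, "password": enc(ciphertext),
                       "encryption_parameter": enc(iv)})

def strict_b64(value: str) -> bytes:
    """Decode standard Base64 only; '-', '_' or bad padding raise ValueError."""
    try:
        return base64.b64decode(value, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("not standard RFC 4648 Base64") from exc

def audit(bodies: list) -> list:
    """Return (index, problem) pairs for a batch of serialized request bodies."""
    findings, seen = [], {}
    for i, raw in enumerate(bodies):
        req = json.loads(raw)
        missing = [k for k in ("username", "password", "encryption_parameter")
                   if not req.get(k)]
        if missing:
            findings.append((i, "missing " + ", ".join(missing)))
            continue
        try:
            strict_b64(req["password"])
            iv = strict_b64(req["encryption_parameter"])
        except ValueError as exc:
            findings.append((i, str(exc)))
            continue
        if len(iv) != IV_LENGTH:
            findings.append((i, f"IV is {len(iv)} bytes, expected {IV_LENGTH}"))
        elif iv in seen:
            findings.append((i, f"IV reused from request {seen[iv]}"))
        seen.setdefault(iv, i)
    return findings

def demo() -> list:
    """Constructed bodies: 0 is fine, 1 reuses its IV, 2 uses URL-safe Base64."""
    iv, ct = new_iv(), secrets.token_bytes(32)  # ct stands in for a ciphertext
    urlsafe = build_body("carol", ct, b"\xfb\xff" * 8).replace("+", "-").replace("/", "_")
    return audit([build_body("alice", ct, iv), build_body("bob", ct, iv), urlsafe])
```

Running audit over request bodies captured in client tests catches a cached or hard-coded IV, which a single-request check cannot see.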
Example request
/api/credentials/validate
Request body:
{
  "username": "[email protected]",
  "password": "+V7wn+NyMG7cVelxIIiJYrUkqJiNDJRsqw==",
  "encryption_parameter": "+V7wNOIFDSYo8yhsfdhSAh9asdfDJRsqw=="
}
Example response
Body:
{
  "name": {
    "first_name": "John",
    "last_name": "Snow",
    "display_name": "John Snow"
  },
  "email_addresses": [
    {
      "primary": true,
      "tag": "",
      "verified": false,
      "value": "[email protected]"
    }
  ],
  "phone_numbers": [
    {
      "primary": true,
      "tag": "MOBILE",
      "value": "+49712129815"
    }
  ],
  "custom_attributes": [
    {
      "name": "foo",
      "value": "bar"
    }
  ],
  "preferred_locale": "nl",
  "reference_id": "3ba13d11-2e4b-49fa-ade6-5a18e448ae2b"
}