New Version Available
There's a new version of Comply One API! We strongly-recommend to start migrating your API Clients as this version will not be supported in the near future. Please review the new version and read the Migration Guides
New Version Migration Guides
Authorization Code
This authentication flow is suitable for API Clients that can securely maintain a client secret between themselves and Stems Accounts because authenticatiing requires a Client ID and a Client Secret. This authentication flow is not suitable for insecured applications such client-side applications such as React JS and Angular JS applications.
When using this authentication flow, an Authorization Code is issued to the API Client, which can then exchange it for an ID Token and an Access Token. This provides the benefit of not exposing any tokens to the browser and possibly other malicious applications with access to the browser.
The Authorization Code flow goes through the following steps:
- The client sends a request to Stems Accounts' Authorization Endpoint
- Stems Accounts responds back with an Authorization Code
- The client issues a request to Stems Accounts' Token Endpoint using the obtained Authorization Code
- Stems Accounts responds back with an ID Token, an Access Token and optionally a Refresh Token
- The client validates the ID Token
Authentication Request
To obtain an Authorization Code, the API Client starts by redirecting the user to Stems Accounts's Authorization Endpoint. The request must include the following querystring parameters:
| Parameter | Description |
|---|---|
| client_id | Required. The ID of your API Client. Refer to the Authentication Section to create an API Client |
| response_type | Required. The value should be code |
| redirect_uri | Required. This is the url Stems Accounts will redirect back to after a successful authentication. The redirect_uri needs to match the url configured for the API Client |
| response_mode | Optional. The only value supported is form_post which instructs Stems Accounts to send the response as a form post. If this value is ommitted, the response will be sent as a fragment encoded redirect |
| scope | Required. One or more scopes (separated by a space) that have been already pre-configured for the API Client. Note, if you need to request a Refresh Token you should include the offline_access scope |
| ui_locales | Optional. A space-separated list of language tag values as defined in RFC5646. Currently, Stems only supports en, es, ru, kk and nl. You can also specify a region, for example, en-US, en-AU, etc. Unsupported locales will be ignored and it will default to en-US |
| prompt | Optional. This parameter is not required. If specified, the only supported value is login which instructs Stems Accounts to always prompt the user to login even if it already has an active session |
| state | Recommended. Stems Accounts will echo back the state value on the response, this is an opaque string value for correlating request and response |
| nonce | Optional. Stems Accounts will echo back the nonce value in the identity token, this is for correlating the ID Token to the request and mitigate replay attacks |
A typical authentication request to Stems Accounts' Authorization Endpoint using the Authorization Code flow would look like the following example:
GET /auth/connect/authorize?
client_id=YOUR_CLIENT_ID
&redirect_uri=http:%2f%2fcontoso.com
&response_mode=form_post
&response_type=code+id_token
&scope=openid+profile+roles+email+offline_access+resources_accounts_api
&state=9087BDF7DF9G7HDF9HG7FGH
&nonce=636704982903393456 HTTP/1.1
Host: accounts.stems.com.auIf the request to the Authorization Endpoint is successful, Stems Accounts will issue a POST request to the url specified in the redirect_uri with the Authorization Code in the body of the request if the response_form was present in the authentication request.
The body of the response from Stems Accounts will include the following form data:
| Field | Value/Description |
|---|---|
| code | The Authorization Code that the API Client can use to exchange it for an ID Token, Access Token and optionally a Refresh Token |
| state | If the state parameter was provided in the request to the authorization endpoint, API Clients MUST verify that this value matches the one provided in the authentication request |
| session_state | The current session's state |
When the response_form is not included in the authentication request, Stems Accounts will redirect back to the redirect_uri with the Authorization Code included in the url query string as in the example below:
GET /?code=85ff37999de045455b6eea8f194235fe
&state=345G2KJHG32JK5G34KLH2F46HK
&session_state=59306c731065bd5bef7d78ec90b4dc5a HTTP/1.1
Host: contoso.comThe Authorization Endpoint could return errors if the API Client is not setup properly or the request had invalid or missing parameters. When an error occurs, the Authorization Endpoint will return to the API Client's redirect_uri with an error parameter containing an error code and an optional error_description fragment parameter with details about the error.
Token Request
Once the Authorization Code has been received from Stems Accounts, the API Client can issue a POST request to the Stems Accounts' Token Endpoint. The request MUST include the following form parameters:
| Parameter | Description |
|---|---|
| client_id | Required. The ID of your API Client. Refer to the Authentication Section to create an API Client |
| client_secret | Required. The pre-configured secret of your API Client |
| grant_type | Required. For this authentication flow the value must be set to authorization_code |
| code | Required. The Authorization Code received from Stems Accounts after the authentication request |
| redirect_uri | Required. This is the pre-configured redirect uri for your API Client. In this case, this parameter is used to validate your API Client |
A typical token request will look like the following example:
POST /auth/connect/token HTTP/1.1
Host: accounts.stems.com.au
Content-Type: application/x-www-form-urlencoded
client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
&grant_type=authorization_code
&code=69241171b4663455345a992b81
&redirect_uri=http%3A%2F%2Fcontoso.comIf the request is successful, Stems Accounts will return a JSON response that includes the ID Token, Access Token and optionally a Refresh Token. A Refresh Token will only be returned if the authentication request included the offline_access scope.
The JSON object returned from Stems Accounts includes the following properties:
| Property | Description |
|---|---|
| id_token | The ID Token associated with the current user's session |
| access_token | The Access Token that can be used to authenticate calls to Comply One API. Refer to the Authentication Section for more information about how to authenticate API requests |
| expires_in | Expiration time of the Access Token in seconds since the response was generated |
| token_type | The type of Access Token received |
| refresh_token | A Refresh Token you can use to renew the Access Token. Refer to the Refreshing a token section for more information about how to renew an Access Token. This property will not be returned if the offline_access scope was not present in the authentication request |
The JSON object returned in response to a token request would look like the following example:
{
"id_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VhdfghdfghuYW1lIjoiYmlkb2ZA",
"access_token":"3f867823462836289d32ae2636",
"expires_in":1800,
"token_type":"Bearer",
"refresh_token":"9cbd79ed0394872394747e22b5e0d2c2f"
}If the token request fails, Stems Accounts will return a JSON object with details about the error. The following is an example error response
{
"error":"unauthorized_client"
}ID Token Validation
Once the API Client has received the ID Token, it is strongly recommended that it is validated to make sure it hasn't been tampered with. To validate it, you can issue a POST request to Stems Accounts' Token Validation Endpoint
The request to the Token Validation Endpoint must include the following form parameters in the body of the request:
| Parameter | Description |
|---|---|
| client_id | Required. The ID of your API Client. Refer to the Authentication Section to create an API Client |
| token | Required. The ID Token to validate |
A typical request to the Token Validation Endpoint would look like the following example:
POST /auth/connect/identitytokenvalidation HTTP/1.1
Host: accounts.stems.com.au
Content-Type: application/x-www-form-urlencoded
client_id=YOUR_CLIENT_ID
&token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFIf the response is successful, Stems Accounts will return the ID Token decrypted in a JSON object with the following properties:
| Property | Description |
|---|---|
| iss | Issuer. This is the ID Token issuing authority. You MUST validate that is set to https://accounts.stems.com.au/auth |
| aud | Audience. This MUST match the ID of your API Client. client_id |
| exp | Expiration. This is the expiration time of the ID Token in seconds since EPOCH. The API Client should reject expired ID tokens |
| nonce | If a nonce value was sent in the Authentication Request, the client will need to verify that it is the same value as the one that was sent in the Authentication Request. The Client SHOULD check thenonce value for replay attacks |
| iat | Issued At. The time the ID Token was issued. Clients should reject tokens that were issued too far away from the current time |
| sid | Session ID. API Clients should store it to correlate requests to end a session |
| sub | Subject. The current user's ID |
The JSON object returned might contain other properties such as idp,name, given_name and family_name but these properties don't need to be validated. An example JSON response would look like the following example:
{
"iss":"https://accounts.stems.com.au/auth",
"aud":"YOUR_CLIENT_ID",
"exp":"1534928229",
"nbf":"1534927929",
"nonce":"6545656756756",
"iat":"1534927929",
"sid":"34c64aaa675675670bd54de16670",
"sub":"85972345",
"auth_time":"1534901287",
"idp":"idsrv",
"name":"john@contoso.com",
"given_name":"John",
"family_name":"Smith",
"role":"[{\"id\":7779,\"cid\":2442,\"rid\":4,\"evm\":false}]",
"amr":"password"
}Logging Out
Logging out will require the API Client to redirect the browser to the Logout endpoint passing the ID Token in the id_token_hint querystring parameter as below:
https://accounts.stems.com.au/auth/connect/endsession?id_token_hint=THE_ID_TOKENIf your API Client needs to clean up any existing session data after logout (e.g. destroying cookies or clearing localStorage variables), Stems Accounts will issue a GET request to the Logout Uri configured for the API Client passing in a sid querystring parameter in the request with the current session id
