- Print
- PDF
Application integration API
- Print
- PDF
Available in Classic and VPC
This section describes how to integrate registered applications with Single Sign-On. Integration is carried out through the integration API provided by Single Sign-On. The features provided by the Single Sign-On integration API are as follows:
- Grant permissions
- Issue tokens
- Cancel tokens
- Return authenticated user claims
- Return ID token signature key
- Before using the Single Sign-On integration API, it is recommended to learn the key concepts related to OAuth 2.0 in Single Sign-On concepts.
- This section describes only the APIs used for Single Sign-On integrations. For a complete description of the APIs provided by Single Sign-On on the NAVER Cloud Platform, see Single Sign-On API guide.
Grant permissions
This section describes the APIs required to interact with the resource owner and obtain permissions to access protected resources.
Requests
The request sent by the client to the IDP to access protected resources is as follows:
GET /tenants/{Tenant Id or Alias}/oauth2/authorize
Request path
Parameter name Type Requirement status Restrictions Description Tenant Id or Alias
String Required - Tenant ID or tenant alias issued when creating a tenant Request parameters
Parameter name Type Requirement status Restrictions Description response_type
String Required code
ortoken
Values required when proceeding with the authorization code or implicit flow client_id
String Required - Client ID issued when registering the application redirect_uri
String Required Must match the redirect URI entered when registering the application The URL of the page you will be directed to after granting permissions scope
String Required - Accessible scope. To request additional scopes, include one or more scope values separated by a space. state
String Optional - A random value for CSRF defense. After granting state permissions, go to the page entered in redirect_uri
, including the state valuecode_challenge
String Optional - The value of the code challenge required when applying PKCE code_challenge_method
String Optional plain
orS256
The value of the code challenge method required when applying PKCE
See below for an example.
If
response_type
iscode
GET /tenants/{Tenant Id or Alias}/oauth2/authorize?client_id=${Client Id}&scope=${Scope}&response_type=code&redirect_uri=${Redirect URI}&state=${State} HTTP/1.1 Host: sso.ncloud.com
If you requested permissions by adding
code_challenge
andcode_challenge_method
GET /tenants/{Tenant Id or Alias}/oauth2/authorize?client_id=${Client Id}&scope=${Scope}&response_type=code&redirect_uri=${Redirect URI}&state=${State}&code_challenge=${Code Challenge}&code_challenge_method=${Code Challenge Method} HTTP/1.1 Host: sso.ncloud.com
If
response_type
istoken
GET /tenants/{Tenant Id or Alias}/oauth2/authorize?client_id=${Client Id}&scope=${Scope}&response_type=token&redirect_uri=${Redirect URI}&state=${State} HTTP/1.1 Host: sso.ncloud.com
Response
The response to the request is as follows:
If
response_type
iscode
HTTP/1.1 302 Found Location: {Redirect URI} ?code=${Authorization code} &state=${State}
Parameter name Type Requirement status Restrictions Description redirect_uri
String Required redirect_uri
included in the requestThe URL of the page you will be directed to after granting permissions code
String Required Expires after 1 minute to prevent the risk of leakage Authorization code generated by the IDP state
String Optional - Value requested by the client If
response_type
istoken
HTTP/1.1 302 Found Location: {Redirect URI} ?access_token={Access Token} &token_type=Bearer &expires_in={Access Token Expire Date} &state={State}
Parameter name Type Requirement status Restrictions Description redirect_uri
String Required redirect_uri
included in the requestThe URL of the page you will be directed to after granting permissions access_token
String Required - Permission granted access token expires_in
Number Required - Access token's validity period state
String Optional - Value requested by the client
Issue tokens
Describes the API necessary to obtain a token for credentials after access permissions have been granted.
Requests
After granting permissions or using a refresh token, the request sent to obtain an access token or ID token is as follows:
POST /tenants/{Tenant Id or Alias}/oauth2/token
Request path
Parameter name Type Requirement status Restrictions Description Tenant Id or Alias
String Required - Tenant ID or tenant alias issued when creating a tenant Request headers
Header name Type Requirement status Restrictions Description Authorization
String Required Basic Base64 Client identifier Content-Type
String Required application/x-www-form-urlencoded
Media type of the resource Request parameters
Parameter name Type Requirement status Restrictions Description grant_type
String Required authorization_code
orrefresh_token
Token return method code
String Optional Use this if grant_type
isauthorization_code
Authorization code delivered by IDP redirect_uri
String Optional Use this if grant_type
isauthorization_code
redirect_uri
included in the permission grant requestscope
String Optional Use this if grant_type
isrefresh_token
scope
to editcode_verifier
String Optional Used if grant_type
isauthorization_code
, and it must be equal to or smaller than thescope
previously grantedValues corresponding to code_challenge
,code_challenge_method
included in the permission request
See below for an example.
When requesting the issuance of an access token including the authorization code after permission has been granted
POST /tenants/{Tenant Id or Alias}/oauth2/token HTTP/1.1 Host: sso.ncloud.com Authorization: Basic Base64(${Client Id}:${Client Secret}) Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=${Authorization code}&redirect_uri=${Redirect URI}
If
code_verifier
is included in the access token issuance request after granting permissionsPOST /tenants/{Tenant Id or Alias}/oauth2/token HTTP/1.1 Host: sso.ncloud.com Authorization: Basic Base64(${Client Id}:${Client Secret}) Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=${Authorization code}&redirect_uri=${Redirect URI}&code_verifier=${Code Verifier}
When requesting an access token with a refresh token
POST /tenants/{Tenant Id or Alias}/oauth2/token HTTP/1.1 Host: sso.ncloud.com Authorization: Basic Base64(${Client Id}:${Client Secret}) Content-Type: application/x-www-form-urlencoded grant_type=refresh_token&refresh_token=${Refresh Token}&scope=${Scope}
Response
The response to the request is as follows:
{
"access_token": "String",
"token_type": "Bearer",
"expires_in": "Number",
"refresh_token": "String"
}
Parameter name | Type | Requirement status | Restrictions | Description |
---|---|---|---|---|
access_token | String | Required | - | Permission granted access token |
token_type | String | Required | Bearer | Type of token |
expires_in | Number | Required | - | Access token's validity period |
refresh_token | String | Required | - | Value of refresh token used when issuing access token |
Cancel tokens
Describes the API required to revoke an access token or refresh token.
Requests
The request to revoke an access token or refresh token is as follows:
POST /tenants/{Tenant Id or Alias}/oauth2/revoke
Request path
Parameter name Type Requirement status Restrictions Description Tenant Id or Alias
String Required - Tenant ID or tenant alias issued when creating a tenant Request headers
Header name Type Requirement status Restrictions Description Authorization
String Required Basic Base64 Client identifier Content-Type
String Required application/x-www-form-urlencoded
Media type of the resource Request parameters
Parameter name Type Requirement status Restrictions Description token
String Required - The token to be revoked token_type_hint
String Required access_token
orrefresh_token
The type of the token to be revoked
Response
The response to the request is as follows:
{
"status": "ok"
}
Return authenticated user claims
Describes the API required to return claims for authenticated users.
Requests
The request to return a user claim is as follows:
POST /tenants/{Tenant Id or Alias}/oauth2/userinfo
Request path
Parameter name Type Requirement status Restrictions Description Tenant Id or Alias
String Required - Tenant ID or tenant alias issued when creating a tenant Request headers
Header name Type Requirement status Restrictions Description Authorization
String Required Bearer Client identifier
Response
The response to the request is as follows:
{
"sub" : "String",
"id_no" : "String",
"user_type" : "String",
"user_id": "String",
"user_name" : "String",
"mbr_no" : "Number"
"groups" : "List"
}
Parameter name | Type | Requirement status | Restrictions | Description |
---|---|---|---|---|
sub | String | Required | - | Subject (end-user) identifier |
id_no | String | Required | - | The user identifier used in NAVER Cloud Platform |
user_type | String | Required | Customer or Sub | User type |
user_id | String | Required | - | Login ID |
user_name | String | Required | - | User name |
mbr_no | Number | Required | - | User's member number |
groups | List | Optional | - | The list of group names to which a sub account belongs when the user_type is Sub |
Return ID token signature key
Describes the API required to return the public key used to sign the ID token.
Requests
The request to send to return the public key used to sign the ID token is as follows:
GET /tenants/{Tenant Id or Alias}/oauth2/jwks
Request path
Parameter name Type Requirement status Restrictions Description Tenant Id or Alias
String Required - Tenant ID or tenant alias issued when creating a tenant
Response
The response to the request is as follows:
{
"keys" : [ {
"kty" : "String",
"e" : "String",
"kid" : "String",
"n" : "String"
} ]
}
Parameter name | Type | Requirement status | Restrictions | Description |
---|---|---|---|---|
kty | String | Required | - | Refer to IETF Datatracker's Key Type |
e | String | Required | - | Refer to IETF Datatracker's RSA Exponent |
kid | String | Required | - | Refer to IETF Datatracker's Key ID |
n | String | Required | - | Refer to IETF Datatracker's RSA Modulus |
Endpoint
The API endpoint is as follows:
Endpoint | URI Path | Description |
---|---|---|
Authorization Endpoint | /tenants/{Tenant Id or Alias}/oauth2/authorize | The client requests grant permissions to interact with the resource owner and access protected resources |
Token Endpoint | /tenants/{Tenant Id or Alias}/oauth2/token | Issue access token and ID token through access permission or refresh token |
Token Revocation Endpoint | /tenants/{Tenant Id or Alias}/oauth2/revoke | Cancel the access token or refresh token |
User Info Endpoint | /tenants/{Tenant Id or Alias}/oauth2/userinfo | Return authenticated user claims |