{
  "openapi": "3.0.1",
  "info": {
    "title": "Entrust Identity as a Service Authentication API",
    "description": "This document describes how to control access to your application using Identity as a Service Authentication API calls.\n\n# Prerequisites\n\nConfirm the following before configuring your application to use the API calls included in this guide:\n\n1. An Authentication API application has been created within Identity as a Service.\n2. A resource rule has been created for your Authentication API application.\n3. Each user who will access the application has an Identity as a Service account.\n4. Each user who will access the Identity as a Service application has had all their authenticators assigned to them\n   and activated.\n\n# Identity as a Service Authentication APIs\n\nIdentity as a Service uses three API calls to complete an authentication challenge:\n\n1. Get User's Authenticators\n2. Select Authenticator\n3. Complete Authentication Challenge\n\nThese API calls must be made sequentially to complete Identity as a Service authentication. Information is provided in\nresponse to each API call that is required to complete the next call. 
Completing each of these API calls in order allows\nusers to log in to the application.\n\n# List of supported Authenticators\n\nThe following authenticators are supported for authentication using Identity as a Service API calls:\n\n- Passwords\n- Knowledge-based authentication (KBA)\n- Temporary Access Codes\n- One-time passcodes (OTP)\n    - OTPs can also be dynamically linked with transaction details when used with Authentication API applications for\n      PSD2 (Payment Service Directive).\n- Grid cards\n- Hardware and software tokens\n    - Tokens supporting signatures can also be dynamically linked with transaction detail values when used with\n      Authentication API applications for PSD2.\n- Entrust Soft Token Push authentication\n- Mobile Smart Credential Push authentication\n- Passkey/FIDO2\n\nThe next section describes how to authenticate through API calls using some of the authenticators listed above. These\nexamples involve single-factor authentication. See **Two-factor Authentication** for assistance with using Identity as a\nService's Authentication APIs to facilitate two-factor authentication.\n\n## Transaction Details\n\nA transaction detail consists of a detail name, a value, and a list of supported usages. Valid usage values are RBA and\nTVS. When not defined, the transaction detail is used both for RBA (risk-based authentication) and TVS (transaction\nverification/signing).\n\nWhen using a push authenticator, such as Entrust Soft Token Push authentication or Mobile Smart Credential Push\nauthentication, transaction details may be included in the challenge request. Transaction details are passed to the\nmobile device and displayed to the user when confirming authentication.\n\nWhen using an OTP authenticator with Authentication API or OIDC applications for PSD2, the OTP is dynamically linked with\ntransaction details. The transaction details are included in the challenge request. 
Identity as a Service generates a\nnew, specific OTP tied directly to the request and transaction details. The OTP is then sent to the user using Email or\nSMS messaging. The user reviews the transaction details and uses the associated OTP to complete the authentication\nchallenge.\n\nWhen using a TOKEN authenticator with Authentication API or OIDC applications for PSD2, the token response is dynamically\nlinked with transaction detail values. The transaction details are included in the challenge request. The user reviews the\ntransaction details and enters the transaction values (consecutively) into the token and obtains the signature. The\nsignature is then used to complete the authentication challenge.\n\nWhen using a TOKEN authenticator with Authentication API or OIDC applications, the token response can be processed offline.\nThe challenge request includes the transaction details. The transaction details consist of a detail name and a value. The\nchallenge response contains a list of QR codes based on the active tokens and the transaction details. The user scans a\nQR code in the Entrust Identity application, reviews the transaction details, confirms the transaction, and obtains an\nOTP. 
The OTP is then used to complete the authentication challenge.\n\nTo use the offline QR code transaction with a TOKEN authenticator, the user challenge request body and the user authenticate request\nbody must set the offlineTVS flag to true:\n\n```json\n\"offlineTVS\": true\n```\n\nThe following restrictions apply to transaction details:\n\n- The detail name cannot be duplicated.\n- The length of the detail name and value cannot exceed 255 characters.\n- The number of transaction details cannot exceed 25.\n\nWhen dynamically linking transaction details with Authentication API or OIDC applications that use an OTP authenticator\nor TOKEN authenticator for PSD2, the same transaction details must be specified in both the user challenge (Select\nauthenticator) request and the user authenticate (Complete authentication challenge) request. They must match.\n\nWhen using transaction details with push authentication as part of the user challenge (Select authenticator) request,\nthe same transaction details can optionally be specified in the user authenticate (Complete authentication\nchallenge) request. If specified, they must match.\n\nWhen using transaction details, it is recommended that the transaction details are always supplied in both the user\nchallenge (Select authenticator) request and the user authenticate (Complete authentication challenge) request. This is\nmandatory for PSD2 authentications.\n\nTransaction details can be used with OIDC applications only in the JWT IDaaS workflow. The risk-based authentication\n(RBA) transaction details passed in the user authenticate challenge and authenticate complete requests can be included\nin the OAuth2 JWT access token using the `transaction_details` claim. 
For details, see [OIDC/OAuth JWT IDaaS Workflow](#oidcoauth-jwt-idaas-workflow).\n\nTo use transaction details with a push authenticator, or with an OTP authenticator in Authentication API or OIDC applications for PSD2, the\nuser challenge request body should contain a JSON object with an array of these details. For example:\n\n```json\n{\n  \"transactionDetails\": [\n    {\n      \"detail\": \"Account\",\n      \"value\": \"67432\",\n      \"usage\": [\n        \"TVS\"\n      ]\n    },\n    {\n      \"detail\": \"Amount\",\n      \"value\": \"$10,001\",\n      \"usage\": [\n        \"TVS\"\n      ]\n    },\n    {\n      \"detail\": \"Purpose\",\n      \"value\": \"Transfer\",\n      \"usage\": [\n        \"TVS\"\n      ]\n    }\n  ]\n}\n```\n\nTo use transaction details with a TOKEN authenticator in Authentication API or OIDC applications for PSD2, the user challenge request body\nshould contain a JSON object with an array of these details. Some tokens may only support numeric transaction values. For\nexample:\n\n```json\n{\n  \"transactionDetails\": [\n    {\n      \"detail\": \"Account\",\n      \"value\": \"67432\",\n      \"usage\": [\n        \"TVS\"\n      ]\n    },\n    {\n      \"detail\": \"Amount\",\n      \"value\": \"10001\",\n      \"usage\": [\n        \"TVS\"\n      ]\n    }\n  ]\n}\n```\n\n## Mobile SDK Push Messages\n\nWhen using a customized push message for TOKENPUSH notification, you need to configure a Soft Token SDK.\n\nWhen a Soft Token SDK is created, a Push Message is generated with a default flag set to **true**. Users can add,\nmodify, and delete push message configurations. To delete a row with a default flag set to true, users must first add a\nnew push message and set it as the default message before deleting the default message.\n\nIf you want to send customized messages to the device, you need to set the **pushMessageIdentifier** parameter in the\nrequest to match the **identifier** column of the customized push message. 
For example, if you create a customized push\nmessage with the Identifier column in the push message table in the SDK settings set to Hello, you must set\npushMessageIdentifier to Hello.\n\nIf no matching identifier is found, an error is returned. If you have a Soft Token SDK and you do not set pushMessageIdentifier, the\ndefault push message will be used.\n\nThe pushMessageIdentifier parameter is optional and case-insensitive.\n\n# Examples\n\n## OTP\n\n### Get User's Authenticators\n\nThe first step is to submit a POST request to get all the authenticators that can be used to log in to the\napplication. For example:\n\n```\nhttps://customer.region.trustedauth.com/api/web/v2/authentication/users\n```\n\nThe body of this request should contain a JSON object with User ID (containing the user id or a user alias value) and\nthe ID of the application being accessed. For example:\n\n```json\n{\n  \"userId\": \"jsmith\",\n  \"applicationId\": \"1111111-111111-111111-11111111\"\n}\n```\n\nAn API response is received after entering the request. For example:\n\n```json\n{\n  \"availableSecondFactor\": null,\n  \"userMachineSettings\": {\n    \"machineAuthenticatorEnabled\": true,\n    \"deviceFingerprintRequired\": false,\n    \"attributeExclusions\": [],\n    \"userMachineAuthenticators\": []\n  },\n  \"machineAuthenticator\": null,\n  \"authenticationTypes\": [\n    \"OTP\",\n    \"TOKEN\"\n  ],\n  \"time\": 1520961989641,\n  \"otpDeliveryInfo\": {\n    \"otpDefaultDelivery\": \"SMS\",\n    \"availableOTPDelivery\": [\n      \"SMS\",\n      \"EMAIL\",\n      \"VOICE\"\n    ]\n  }\n}\n```\n\nThe authenticator types listed in the response are those that can be used to complete an authentication challenge and\nlog in. **authenticationTypes** lists all the authenticators that have been assigned to the user and can be used to\ncomplete a first-factor authentication challenge. 
**availableSecondFactor** lists the authenticators that can be used to\ncomplete a second authentication challenge after the user has completed a first-factor challenge. The authenticators\nlisted as **authenticationTypes** and **availableSecondFactor** are defined by cross-referencing the authenticators\nassigned to the user with those the application’s resource rule allows to be used for authentication.\n\n### Select Authenticator\n\nThe next step is to select which authenticator to use from those listed in the previous API response. The authenticator\nis selected by sending a POST request. That request must be sent to the correct URL with the name of the authenticator at\nthe end. The URL is different for each authenticator that you want to select using the API call. For example:\n\n```\nhttps://customer.region.trustedauth.com/api/web/v2/authentication/users/authenticate/OTP\n```\n\nThe body of this request should contain a JSON object with User ID (containing the user id or a user alias value) and\nthe ID of the application being accessed. For example:\n\n```json\n{\n  \"userId\": \"jsmith\",\n  \"applicationId\": \"1111111-111111-111111-11111111\"\n}\n```\n\nAn API response is received after entering the request. For example:\n\n```json\n{\n  \"status\": null,\n  \"firstName\": null,\n  \"lastName\": null,\n  \"authenticationCompleted\": false,\n  \"machineAuthenticator\": null,\n  \"userMachineSettings\": {\n    \"machineAuthenticatorEnabled\": false,\n    \"deviceFingerprintRequired\": false,\n    \"attributeExclusions\": [],\n    \"userMachineAuthenticators\": []\n  },\n  \"kbaChallenge\": null,\n  \"token\": \"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\",\n  \"otpdeliveryType\": \"SMS\",\n  \"expires\": 1520966778923,\n  \"time\": 1520965879202\n}\n```\n\nOnce an authentication type is selected through the API call, Identity as a Service also provides the information\nnecessary to complete the authentication challenge. 
For example, if OTP is selected, Identity as a Service generates an\nOTP and sends it to the user, so they can complete the authentication challenge. If **kbaChallenge** is selected,\nIdentity as a Service generates the questions that must be answered to authenticate.\n\n### Complete authentication challenge\n\nThe last step is to complete the authentication process. The response for the requested authentication must be included\nin the last API call. For example, a POST request for OTP would be sent to:\n\n```\nhttps://customer.region.trustedauth.com/api/web/v1/authentication/users/authenticate/OTP/complete\n```\n\nThe request must include the end user’s response to the authentication challenge. For example, the OTP received by the\nuser must be included in the request to complete an OTP challenge.\nThe URL must contain the selected authenticator (for example, OTP). An Authorization header field must be added in the\nheader section of this request. The Authorization header stores the value received as \"token\" in the last request. The\nAuthorization header can be sent with or without a type value of \"Bearer\". For example:\n\n```\nAuthorization: Bearer <token>\n```\n\nor\n\n```\nAuthorization: <token>\n```\n\nThe body of this request should contain the Application ID and authenticator response. For example:\n\n```json\n{\n  \"applicationId\": \"1111111-111111-111111-11111111\",\n  \"response\": \"123454665\"\n}\n```\n\nAn API response is received after entering the request. 
For example:\n\n```json\n{\n  \"status\": null,\n  \"firstName\": \"John\",\n  \"lastName\": \"Smith\",\n  \"authenticationCompleted\": true,\n  \"machineAuthenticator\": null,\n  \"userMachineSettings\": null,\n  \"kbaChallenge\": null,\n  \"token\": \"GNVGALEyZRj9xQnp4+cRoQ3DrMViO+wdXMyeBdG4+63V0O1+B5eBl83HVbOW7daHMf4xPzuJ/TD5j3w5zrIKE6RObuzIfyELpEWlr+JAzuXHCQocmFa1eNz2B2VshyZl3tbes9P3P6pniXZgpG0MdbEALfDm9PydJ4hcqcqDM1XsTcxSBnv+LFWV1HFKzL018Af17iJpnz8VBzOi/x5N8enkZ5g+XO/uXNCiBqDdfMkxkDzkreDXOoiGo7KPEzsuXFQLIigwnYLC2BufWaOnP2KLYGjjH7A2O+tyKsepVREKRTMDcdkcfqJsyJKm3xWl/HW1SCg2Ql2naQ6V4fK6IjrCQqZbPSQV4GL75NB1wqTf3e6ijCJwBJH9JXIov9E8Tw66sKy7dQAlODuLQ9LwhNv6BF+Ndy6HJlCDQjD0Oket4Sp8t0HDe0mTU5FnMc/ch3zuFtVHdGarjPtnt6PIZdUFn1A585q4GeY8nJwyMFu8MpRJyM81sdDe5/nEarDtPPXp3NbY+0kl4fIozogosyHzNstPcZV4rza3XQXB6047lKqs0uUeigwo2TkbKVPHxwleIxcs9d+wpQAZHhfP3IDTwa2Qq7J9PYMEfQsnz3dIFOZdNbDnusYHvp+5LppVWvky4vX5QV5ldAc2B4t+RCvtSvIABVCR+nftzLUcSm02fKU=\",\n  \"otpdeliveryType\": null,\n  \"expires\": 1520968457173,\n  \"time\": 1520967582294\n}\n```\n\nIdentity as a Service receives and validates the request once it is entered.\n\nIn the example above, **authenticationCompleted** is marked as true because the response sent in the POST request was\nvalid.\n\nThe response from the call would indicate a failure if an invalid value is passed in the body of the request. For\nexample:\n\n```json\n{\n  \"errorCode\": \"invalid_user_response\",\n  \"errorMessage\": \"\",\n  \"parameters\": null\n}\n```\n\n## TOKENPUSH\n\n### Get User's Authenticators\n\nThe first step is to submit a POST request to get all the authenticators that can be used to log in to your\napplication. For example:\n\n```\nhttps://customer.region.trustedauth.com/api/web/v2/authentication/users\n```\n\nThe body of this request should contain a JSON object with User ID (containing the user id or a user alias value) and\nthe ID of the application being accessed. 
For example:\n\n```json\n{\n  \"userId\": \"jsmith\",\n  \"applicationId\": \"1111111-111111-111111-11111111\"\n}\n```\n\nAn API response is received after entering the request. For example:\n\n```json\n{\n  \"availableSecondFactor\": null,\n  \"userMachineSettings\": {\n    \"machineAuthenticatorEnabled\": true,\n    \"deviceFingerprintRequired\": false,\n    \"attributeExclusions\": [],\n    \"userMachineAuthenticators\": []\n  },\n  \"machineAuthenticator\": null,\n  \"authenticationTypes\": [\n    \"TOKENPUSH\",\n    \"TOKEN\",\n    \"OTP\"\n  ],\n  \"time\": 1521485688570,\n  \"otpDeliveryInfo\": {\n    \"otpDefaultDelivery\": \"SMS\",\n    \"availableOTPDelivery\": [\n      \"SMS\",\n      \"EMAIL\",\n      \"VOICE\"\n    ]\n  }\n}\n```\n\nTOKENPUSH is listed as one of the user's available authenticators (**authenticationTypes**) in the example above.\n\n### Select Authenticator\n\nThe next step is to send a POST request to use token push authentication. Send the request to a URL with TOKENPUSH at\nthe end. For example:\n\n```\nhttps://customer.region.trustedauth.com/api/web/v2/authentication/users/authenticate/TOKENPUSH\n```\n\nThe body of this request should contain a JSON object with User ID (containing the user id or a user alias value) and\nthe ID of the application being accessed. The body of this request may also include transaction details, as described\nabove. 
For example:\n\n```json\n{\n  \"userId\": \"jsmith\",\n  \"applicationId\": \"1111111-111111-111111-11111111\",\n  \"transactionDetails\": [\n    {\n      \"detail\": \"Amount\",\n      \"value\": \"$10,001\"\n    },\n    {\n      \"detail\": \"Purpose\",\n      \"value\": \"Transfer\"\n    }\n  ]\n}\n```\n\nTo use specific message notifications with a Soft Token SDK, configure the message table and then set the\npushMessageIdentifier as a parameter in the JSON object. For example:\n\n```json\n{\n  \"userId\": \"jsmith\",\n  \"applicationId\": \"1111111-111111-111111-11111111\",\n  \"pushMessageIdentifier\": \"hello\"\n}\n```\n\nAn API response is received after entering the request. For example:\n\n```json\n{\n  \"status\": null,\n  \"firstName\": null,\n  \"lastName\": null,\n  \"authenticationCompleted\": false,\n  \"machineAuthenticator\": null,\n  \"userMachineSettings\": {\n    \"machineAuthenticatorEnabled\": true,\n    \"deviceFingerprintRequired\": false,\n    \"attributeExclusions\": [],\n    \"userMachineAuthenticators\": []\n  },\n  \"kbaChallenge\": null,\n  \"token\": \"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\",\n  \"otpdeliveryType\": null,\n  \"expires\": 1521484056513,\n  \"time\": 1521483156531\n}\n```\n\n### Complete Authentication challenge\n\nThe user receives a push notification on the device registered with the Entrust Soft Token mobile application. The last\nstep is to complete the authentication process using the token push authenticator. Note that in the push authentication\ncase, there is no response that must be passed to the last API call. The POST request should be sent to this URL:\n\n```\nhttps://customer.region.trustedauth.com/api/web/v1/authentication/users/authenticate/TOKENPUSH/complete\n```\n\nAs in the first example, this request will also include an Authorization header field. The Authorization header can be\nsent with or without a type value of \"Bearer\". 
For example:\n\n```\nAuthorization: Bearer <token>\n```\n\nor\n\n```\nAuthorization: <token>\n```\n\nThe body of this request should contain a JSON object with the ID of the application being accessed. For example:\n\n```json\n{\n  \"applicationId\": \"1111111-111111-111111-11111111\"\n}\n```\n\nAn API response to the request is received. The response will vary depending on whether the user has completed the push\nauthentication challenge or not. For example, if the user has not yet processed the request, the API response appears as\nshown:\n\n```json\n{\n  \"status\": \"NO_RESPONSE\",\n  \"firstName\": null,\n  \"lastName\": null,\n  \"authenticationCompleted\": false,\n  \"machineAuthenticator\": null,\n  \"userMachineSettings\": null,\n  \"kbaChallenge\": null,\n  \"token\": null,\n  \"otpdeliveryType\": null,\n  \"expires\": 0,\n  \"time\": 1521485352309\n}\n```\n\nIf the user selected a **Confirm** response for the push request, the API response appears as shown:\n\n```json\n{\n  \"status\": \"CONFIRM\",\n  \"firstName\": \"John\",\n  \"lastName\": \"Smith\",\n  \"authenticationCompleted\": true,\n  \"machineAuthenticator\": null,\n  \"userMachineSettings\": null,\n  \"kbaChallenge\": null,\n  \"token\": \"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\",\n  \"otpdeliveryType\": null,\n  \"expires\": 1521486237824,\n  \"time\": 1521485466748\n}\n```\n\nIf the user selected a **Cancel** response for the push request, the API response appears as shown:\n\n```json\n{\n  \"errorCode\": \"no_transaction\",\n  \"errorMessage\": \"\",\n  \"parameters\": null\n}\n```\n\n## Two-factor Authentication\n\nTwo-factor authentication supports logging in by completing two authentication challenges instead of one. This section\ndescribes how to use Identity as a Service's Authentication APIs to complete two-factor authentication. The API calls\nrequired are similar to those required for single-factor authentication:\n\n1. Get User's Authenticators\n2. 
Select Authenticator (First-factor)\n3. Complete Authentication Challenge (First-factor)\n4. Select Authenticator (Second-factor)\n5. Complete Authentication Challenge (Second-factor)\n\n### Get User's Authenticators\n\nThe first step is to submit a POST request to get all the authenticators that can be used. For example:\n\n```\nhttps://customer.region.trustedauth.com/api/web/v2/authentication/users\n```\n\nThe body of this request should contain a JSON object with User ID (containing the user id or a user alias value) and\nthe ID of the application being accessed. For example:\n\n```json\n{\n  \"userId\": \"jsmith\",\n  \"applicationId\": \"1111111-111111-111111-11111111\"\n}\n```\n\nAn API response to the request is received. The response would include **authenticationTypes** marked as\n**PASSWORD_AND_SECONDFACTOR**. It would also include the section **availableSecondFactor**, showing all the\nauthenticators that can be used for second-factor authentication. For example:\n\n```json\n{\n  \"availableSecondFactor\": [\n    \"TOKENPUSH\",\n    \"TOKEN\",\n    \"OTP\"\n  ],\n  \"userMachineSettings\": {\n    \"machineAuthenticatorEnabled\": true,\n    \"deviceFingerprintRequired\": false,\n    \"attributeExclusions\": [],\n    \"userMachineAuthenticators\": []\n  },\n  \"machineAuthenticator\": null,\n  \"authenticationTypes\": [\n    \"PASSWORD_AND_SECONDFACTOR\"\n  ],\n  \"time\": 1521647783740,\n  \"otpDeliveryInfo\": {\n    \"otpDefaultDelivery\": \"SMS\",\n    \"availableOTPDelivery\": [\n      \"SMS\",\n      \"EMAIL\",\n      \"VOICE\"\n    ]\n  }\n}\n```\n\n### Select Authenticator (First-factor)\n\nThe next step is to send a POST request to use first-factor authentication. It must be sent to a URL with\nPASSWORD_AND_SECONDFACTOR at the end of it. 
For example:\n\n```\nhttps://customer.region.trustedauth.com/api/web/v2/authentication/users/authenticate/PASSWORD_AND_SECONDFACTOR\n```\n\nThe body of this request should contain a JSON object with User ID (containing the user id or a user alias value) and\nthe ID of the application being accessed. For example:\n\n```json\n{\n  \"userId\": \"jsmith\",\n  \"applicationId\": \"1111111-111111-111111-11111111\"\n}\n```\n\nAn API response is received after entering the request. For example:\n\n```json\n{\n  \"status\": null,\n  \"firstName\": null,\n  \"lastName\": null,\n  \"authenticationCompleted\": false,\n  \"machineAuthenticator\": null,\n  \"userMachineSettings\": {\n    \"machineAuthenticatorEnabled\": false,\n    \"deviceFingerprintRequired\": false,\n    \"attributeExclusions\": [],\n    \"userMachineAuthenticators\": []\n  },\n  \"kbaChallenge\": null,\n  \"token\": \"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\",\n  \"expires\": 1521648764763,\n  \"otpdeliveryType\": null,\n  \"time\": 1521647864782\n}\n```\n\n### Complete authentication challenge (First-factor)\n\nThe next step is to complete the first-factor authentication challenge. For example, a POST request to complete a\nPassword authentication challenge would be sent to the following URL:\n\n```\nhttps://customer.region.trustedauth.com/api/web/v1/authentication/users/authenticate/PASSWORD_AND_SECONDFACTOR/complete\n```\n\nAs in the first example, this request will also include an Authorization header field. The Authorization header can be\nsent with or without a type value of \"Bearer\". For example:\n\n```\nAuthorization: Bearer <token>\n```\n\nor\n\n```\nAuthorization: <token>\n```\n\nThe body of this request should contain a JSON object with the password response and the ID of the application being\naccessed. 
For example:\n\n```json\n{\n  \"applicationId\": \"1111111-111111-111111-11111111\",\n  \"response\": \"password\"\n}\n```\n\nThe response received from this request would include a new token and a field **authenticationCompleted** that would be\nmarked as false. For example:\n\n```json\n{\n  \"status\": null,\n  \"firstName\": null,\n  \"lastName\": null,\n  \"authenticationCompleted\": false,\n  \"machineAuthenticator\": null,\n  \"userMachineSettings\": {\n    \"machineAuthenticatorEnabled\": true,\n    \"deviceFingerprintRequired\": false,\n    \"attributeExclusions\": [],\n    \"userMachineAuthenticators\": []\n  },\n  \"kbaChallenge\": null,\n  \"token\": \"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\",\n  \"expires\": 1521648936739,\n  \"otpdeliveryType\": null,\n  \"time\": 1521648060983\n}\n```\n\n### Select Authenticator (Second-factor)\n\nThe next step is to send a POST request to use a specific second-factor authentication. It must be sent to a URL with\nPASSWORD_AND_SECONDFACTOR at the end of it. For example:\n\n```\nhttps://customer.region.trustedauth.com/api/web/v2/authentication/users/authenticate/PASSWORD_AND_SECONDFACTOR\n```\n\nThe body of this request should contain a JSON object with the ID of the application being accessed, the token that was\nreceived from the last request, and a second-factor authenticator. All the available second-factor authenticator options\nwere received in the first call we made. For example:\n\n```json\n{\n  \"applicationId\": \"1111111-111111-111111-11111111\",\n  \"secondFactorAuthenticator\": \"OTP\",\n  \"authToken\": \"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\"\n}\n```\n\nAn API response is received after entering the request. 
For example:\n\n```json\n{\n  \"status\": null,\n  \"firstName\": null,\n  \"lastName\": null,\n  \"authenticationCompleted\": false,\n  \"machineAuthenticator\": null,\n  \"userMachineSettings\": {\n    \"machineAuthenticatorEnabled\": true,\n    \"deviceFingerprintRequired\": false,\n    \"attributeExclusions\": [],\n    \"userMachineAuthenticators\": []\n  },\n  \"kbaChallenge\": null,\n  \"token\": \"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\",\n  \"expires\": 1521648936739,\n  \"otpdeliveryType\": \"SMS\",\n  \"time\": 1521648184761\n}\n```\n\nThe token received in this request would be used to complete the second-factor authentication in the next step.\n\n### Complete authentication challenge (Second-factor)\n\nThe last step is to send a POST request to complete the second-factor authentication challenge. It must be sent to a URL\nwith PASSWORD_AND_SECONDFACTOR at the end of it. For example:\n\n```\nhttps://customer.region.trustedauth.com/api/web/v1/authentication/users/authenticate/PASSWORD_AND_SECONDFACTOR/complete\n```\n\nAs in the first example, this request will also include an Authorization header field. The Authorization header can be\nsent with or without a type value of \"Bearer\". For example:\n\n```\nAuthorization: Bearer <token>\n```\n\nor\n\n```\nAuthorization: <token>\n```\n\nThe body of this request should contain a JSON object with the second factor response, the ID of the application being\naccessed, and the second factor authenticator being used. For example:\n\n```json\n{\n  \"applicationId\": \"1111111-111111-111111-11111111\",\n  \"response\": \"123456789\",\n  \"secondFactorAuthenticator\": \"OTP\"\n}\n```\n\nAn API response is received after entering the request. 
For example:\n\n```json\n{\n  \"status\": null,\n  \"firstName\": \"John\",\n  \"lastName\": \"Smith\",\n  \"authenticationCompleted\": true,\n  \"machineAuthenticator\": null,\n  \"userMachineSettings\": null,\n  \"kbaChallenge\": null,\n  \"token\": \"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\",\n  \"expires\": 1521648936739,\n  \"otpdeliveryType\": null,\n  \"time\": 1521648223398\n}\n```\n\nThis response indicates **authenticationCompleted** as true, meaning that two-factor authentication was\nsuccessful.\n\n# How risk-based authentication (RBA) and authentication APIs work together\n\nRisk-based authentication (RBA) identifies the level of risk associated with each authentication request. Once the risk\nlevel is identified, RBA defines the level of authentication required to authenticate.\n\nAn authentication request consists of three API calls (as described above):\n\n- Get User's Authenticators\n- Select Authenticator\n- Complete Authentication Challenge\n\nAs part of determining which authentications are available and required, each application's resource rule uses RBA to\ndetermine the request's risk level. The risk levels possible are low, medium, and high. The risk level of the request\ndefines which authenticators can be used. The following factors are considered when determining the request's risk\nlevel:\n\n1. Date and time of request\n2. Location of request\n3. Source IP address of request origin\n4. Machine Authentication (described in the next section)\n5. Location history of authentication requests received\n6. Travel velocity of authentication requests received\n\n## Machine Authentication\n\nMachine authentication is one of the factors used to evaluate each request's risk. Entrust recommends downloading the\nIdentity as a ServiceGuard Device Fingerprint SDKs from TrustedCare for machine authentication. 
The SDK collects the\ndevice fingerprint and includes it as part of the machine authentication.\n\nThe risk condition generates a risk score by completing the following steps:\n\n1. The Identity as a Service user's web browser, to which the Machine Authenticator is assigned, generates a machine secret. It\n   includes these components:\n    - Machine nonce: A value generated when the machine authenticator is registered and stored by the client.\n    - Sequence nonce: Another value generated in a previous authentication attempt that is stored by the client. Unlike\n      a machine nonce, the sequence nonce is modified every time an authentication API call is made.\n    - Device fingerprint: A value collected from the client device.\n\n2. The machine secret is submitted to Identity as a Service in the query request.\n\n3. The machine secret is compared to machine secrets from previous authentication requests to determine a risk level.\n\n4. At the end of a successful authentication, a machine nonce and sequence nonce may be returned to the client. In that\n   case, the client should store these values for future authentication attempts.\n\nBelow are example use cases for Machine Authentication:\n\n- Authentication from a new web browser that normally requires two-factor authentication. A resource rule could be\n  configured to allow users to log in by only completing a single-factor authentication if a valid Machine Authenticator is\n  detected.\n- Authentication from a previously-used machine that normally only requires password authentication. The application's\n  resource rule would need to be customized to support Machine Authentication. 
For example, a resource rule would be\n  customized as follows to consider Machine Authentication and only require password authentication:\n    - Customize the risk score assigned to users who do not have a Machine Authenticator\n    - Customize the risk assigned to users who do have a Machine Authenticator\n    - Set low risk authentication to **PASSWORD + NONE**\n    - Set medium risk authentication to **PASSWORD + OTP**\n\n## EXTERNAL plus Second-factor authentication\n\nIn this type of authentication, a client has already completed the first-factor authentication outside of Identity as a\nService and uses Identity as a Service to determine if second-factor authentication is necessary.\n\nThis section describes how to use Identity as a Service's Authentication APIs to complete, if required,\nsecond-factor authentication.\nThe API calls required are similar to those required for single-factor authentication:\n\n1. Get User's Authenticators\n2. Complete EXTERNAL Authentication (the result indicates if second-factor is required)\n3. Select Authenticator (Second-factor)\n4. Complete Authentication Challenge (Second-factor)\n\nNotes:\n\n- If the Authentication API application is configured such that the client is not required to perform second-factor\n  authentication, the client will receive an authenticated JWT in step 2.\n- To use some of the risk conditions, the client IP address must be made available to Identity as a Service in all\n  requests. You define the source of the client IP address when the Authentication API application is created. The\n  examples below assume that you selected **Provided in the API**.\n\n### Get User's Authenticators\n\nThe first step is to submit a POST request to get all the authenticators that can be used. 
For example:\n\n```\nhttps://customer.region.trustedauth.com/api/web/v2/authentication/users\n```\n\nThe body of this request should contain a JSON object with the User ID (the user id or a user alias value) and\nthe ID of the Authentication API application being accessed. For example:\n\n```json\n{\n  \"userId\": \"jsmith\",\n  \"applicationId\": \"1111111-111111-111111-11111111\",\n  \"clientIp\": \"1.2.3.4\"\n}\n```\n\nThe API responds with a JSON object. The response includes the **authenticationTypes**\nattribute containing **EXTERNAL**. It also includes the **availableSecondFactor** attribute listing all the\nauthenticators that can be used for second-factor authentication. For example:\n\n```json\n{\n  \"availableSecondFactor\": [\n    \"TOKENPUSH\",\n    \"TOKEN\",\n    \"OTP\"\n  ],\n  \"userMachineSettings\": {\n    \"machineAuthenticatorEnabled\": true,\n    \"deviceFingerprintRequired\": false,\n    \"attributeExclusions\": [],\n    \"userMachineAuthenticators\": []\n  },\n  \"machineAuthenticator\": null,\n  \"authenticationTypes\": [\n    \"EXTERNAL\"\n  ],\n  \"time\": 1521647783740,\n  \"otpDeliveryInfo\": {\n    \"otpDefaultDelivery\": \"SMS\",\n    \"availableOTPDelivery\": [\n      \"SMS\",\n      \"EMAIL\",\n      \"VOICE\"\n    ]\n  }\n}\n```\n\n### Complete first-factor authentication\n\nThe next step is to complete the first-factor EXTERNAL authentication to determine if second-factor authentication is\nrequired. A POST request to complete the EXTERNAL authentication challenge would be sent to the following URL:\n\n```\nhttps://customer.region.trustedauth.com/api/web/v1/authentication/users/authenticate/EXTERNAL/complete\n```\n\nAs in the first example, this request will also include an Authorization header field. The Authorization header can be\nsent with or without a type value of \"Bearer\". 
For example:\n\n```\nAuthorization: Bearer <token>\n```\n\nor\n\n```\nAuthorization: <token>\n```\n\nThe body of this request should contain a JSON object with the ID of the API application being accessed. For example:\n\n```json\n{\n  \"applicationId\": \"1111111-111111-111111-11111111\",\n  \"clientIp\": \"1.2.3.4\"\n}\n```\n\nThe response received from this request includes a new token and the **authenticationCompleted** attribute set to\nfalse. For example:\n\n```json\n{\n  \"status\": null,\n  \"firstName\": null,\n  \"lastName\": null,\n  \"authenticationCompleted\": false,\n  \"machineAuthenticator\": null,\n  \"userMachineSettings\": {\n    \"machineAuthenticatorEnabled\": true,\n    \"deviceFingerprintRequired\": false,\n    \"attributeExclusions\": [],\n    \"userMachineAuthenticators\": []\n  },\n  \"kbaChallenge\": null,\n  \"token\": \"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\",\n  \"expires\": 1521648936739,\n  \"otpdeliveryType\": null,\n  \"time\": 1521648060983\n}\n```\n\nIf the Authentication API application is configured in such a way that users with a low risk score are not required to\nperform second-factor authentication, the user is authenticated in this step and the response sets\n**authenticationCompleted** to true, indicating that EXTERNAL plus second-factor authentication was successful.\n\n### Select Authenticator (Second-factor)\n\nThe next step is to send a POST request to select a specific second-factor authenticator. All the available second-factor\nauthenticator options were received in the first call. For example, with OTP, the request URL would be:\n\n```\nhttps://customer.region.trustedauth.com/api/web/v2/authentication/users/authenticate/OTP\n```\n\nThe body of this request should contain a JSON object with the ID of the Authentication API application being accessed\nand the token that was received from the last request. 
For example:\n\n```json\n{\n  \"applicationId\": \"1111111-111111-111111-11111111\",\n  \"clientIp\": \"1.2.3.4\",\n  \"authToken\": \"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\"\n}\n```\n\nAn API response is received after submitting the request. For example:\n\n```json\n{\n  \"status\": null,\n  \"firstName\": null,\n  \"lastName\": null,\n  \"authenticationCompleted\": false,\n  \"machineAuthenticator\": null,\n  \"userMachineSettings\": {\n    \"machineAuthenticatorEnabled\": true,\n    \"deviceFingerprintRequired\": false,\n    \"attributeExclusions\": [],\n    \"userMachineAuthenticators\": []\n  },\n  \"kbaChallenge\": null,\n  \"token\": \"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\",\n  \"expires\": 1521648936739,\n  \"otpdeliveryType\": \"SMS\",\n  \"time\": 1521648184761\n}\n```\n\nThe token received in this response is used to complete the second-factor authentication in the next step.\n\n### Complete authentication challenge (Second-factor)\n\nThe last step is to send a POST request to complete the second-factor authentication challenge. For example:\n\n```\nhttps://customer.region.trustedauth.com/api/web/v1/authentication/users/authenticate/OTP/complete\n```\n\nAs in the first example, this request will also include an Authorization header field. The Authorization header can be\nsent with or without a type value of \"Bearer\". For example:\n\n```\nAuthorization: Bearer <token>\n```\n\nor\n\n```\nAuthorization: <token>\n```\n\nThe body of this request should contain a JSON object with the second-factor response and the ID of the application being\naccessed; the second-factor authenticator being used is given in the URL path. For example:\n\n```json\n{\n  \"applicationId\": \"1111111-111111-111111-11111111\",\n  \"response\": \"123456789\",\n  \"clientIp\": \"1.2.3.4\"\n}\n```\n\nAn API response is received after submitting the request. 
For example:\n\n```json\n{\n  \"status\": null,\n  \"firstName\": \"John\",\n  \"lastName\": \"Smith\",\n  \"authenticationCompleted\": true,\n  \"machineAuthenticator\": null,\n  \"userMachineSettings\": null,\n  \"kbaChallenge\": null,\n  \"token\": \"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\",\n  \"expires\": 1521648936739,\n  \"otpdeliveryType\": null,\n  \"time\": 1521648223398\n}\n```\n\nIn this response **authenticationCompleted** is true, indicating that two-factor authentication was\nsuccessful.\n\n### User logout\n\nTo log the user out, send a POST request which invalidates the user session and logs the user out of Identity as a\nService. For example:\n\n```\nhttps://customer.region.trustedauth.com/api/web/v1/authentication/logout\n```\n\n# OIDC/OAuth Authentication/Authorization Flows and Resource Server API Protection\n\nThe following defines the various OIDC and OAuth flows and endpoints used to acquire access tokens that can be used with\nresource servers.\n\n## OIDC/OAuth Authorization Endpoint\n\nThe OIDC/OAuth authorization endpoint `https://customer.region.trustedauth.com/api/oidc/authorize` can be used for both\nOIDC authentication and OAuth authorization tokens.\n\n**Note:** The authorization code flow now supports PKCE (Proof Key for Code Exchange).\n\n### OIDC Authentication\n\nOIDC authentication is used to initiate the process of obtaining id tokens, access tokens to acquire userinfo data, and\nrefresh tokens by including standard OIDC/OAuth parameters, including these:\n\n- `client_id` = `dba4e3c6-f1f3-4d23-9088-fb452064c73f`\n- `scope` = `openid profile offline_access`\n\nThe scope parameter must include the OIDC scope openid.\n\nThe scope parameter should include the OIDC scope values (e.g., profile) to specify which userinfo data to include.\n\nThe scope parameter can also include offline_access in order to obtain a refresh token.\n\nOptional standard OIDC parameters, including acr_values, max_age, and 
code_challenge, can also be used.\n\nThe OAuth consent page displayed to the user will include the userid and the application name that will be\nassociated with the generated tokens.\n\n### OAuth2 Authorization\n\nOAuth authorization, optionally with OIDC authentication, is used to initiate the process of obtaining id tokens,\naccess tokens to be used with resource servers, and refresh tokens by including standard OIDC/OAuth parameters,\nincluding these:\n\n- `client_id` = `dba4e3c6-f1f3-4d23-9088-fb452064c73f`\n- `resource` = `https://example.com/apis/calendar`\n- `scope` = `openid profile offline_access view:calendar edit:calendar`\n\nor\n\n- `client_id` = `dba4e3c6-f1f3-4d23-9088-fb452064c73f`\n- `resource` = `https://example.com/apis/calendar`\n- `scope` = `openid profile offline_access all_scopes`\n\nThe resource parameter is used to identify the resource server API for which an OAuth2 JWT access token is being\nrequested by a client application on behalf of a user. This value can be set using the resource parameter or\nalternatively by using the audience parameter.\n\nThe scope parameter should include openid in order to obtain an id token.\n\nThe scope parameter should include the resource server scope values to specify which scopes are being requested for the\nidentified resource server API. 
As opposed to specifying specific resource server scope values, the scope parameter can\nalso include all_scopes in order to specify that all scopes are being requested for the identified resource server API.\n\nThe scope parameter can also include offline_access in order to obtain a refresh token.\n\nAs with OIDC authentication, the use of the OIDC scope parameter openid is required to obtain an id token and the \nothers are optional (e.g., profile).\n\nOptional standard OIDC parameters, including acr_values, max_age, and code_challenge, can also be used.\n\nThe OAuth consent page displayed to the user will include the userid, the application name, the resource server API\nname, and the resource server scope names that will be associated with the generated tokens.\n\n## OIDC/OAuth JWT IDaaS Workflow\n\n### OIDC/OAuth Authorization JWT Endpoint\n\nThe OIDC/OAuth authorization jwt endpoint `https://customer.region.trustedauth.com/api/oidc/authorizejwt` can be used to \ninitiate both OIDC authentication and OAuth authorization token requests using the JWT IDaaS flow.\n\n#### OIDC Authentication\n\nOIDC authentication is used to initiate the process of obtaining id tokens, access tokens to acquire userinfo data, and \nrefresh tokens by including standard OIDC/OAuth parameters, including these:\n\n- `client_id` = `dba4e3c6-f1f3-4d23-9088-fb452064c73f`\n- `scope` = `openid profile offline_access`\n\nThe client_id parameter must be included and is used to identify the client application.\n\nThe scope parameter must include the OIDC scope openid.\n\nThe scope parameter should include the OIDC scope values (e.g., profile) to specify which userinfo data to include.\n\nThe scope parameter can also include offline_access in order to obtain a refresh token.\n\nOptional standard OIDC parameters, including acr_values, max_age, and code_challenge, can also be used.\n\n#### OAuth2 Authorization\n\nOAuth authorization, optionally with OIDC authentication, is used to initiate the 
process of obtaining id tokens,\naccess tokens to be used with resource servers, and refresh tokens by including standard OIDC/OAuth parameters,\nincluding these:\n\n- `client_id` = `dba4e3c6-f1f3-4d23-9088-fb452064c73f`\n- `resource` = `https://example.com/apis/calendar`\n- `scope` = `openid profile offline_access view:calendar edit:calendar`\n\nor\n\n- `client_id` = `dba4e3c6-f1f3-4d23-9088-fb452064c73f`\n- `resource` = `https://example.com/apis/calendar`\n- `scope` = `openid profile offline_access all_scopes`\n\nThe resource parameter is used to identify the resource server API for which an OAuth2 JWT access token is being\nrequested by a client application on behalf of a user. This value can be set using the resource parameter or\nalternatively by using the audience parameter.\n\nAs with OIDC authentication, the scope parameter must include openid in order to obtain an id token. The others are\noptional (e.g., profile).\n\nThe scope parameter should include the resource server scope values to specify which scopes are being requested for the\nidentified resource server API to which the user has access. As opposed to specifying specific resource server\nscope values, the scope parameter can also include all_scopes in order to specify that all scopes the user has access\nto are being requested for the identified resource server API, if this option is enabled for the resource server.\n\nThe scope parameter can also include offline_access in order to obtain a refresh token.\n\nOptional standard OIDC parameters, including acr_values, max_age, and code_challenge, can also be used.\n\nThere is no consent page, as Identity as a Service does not control the authentication UI in this flow.\n\nAn API response is received after submitting an OIDC or OAuth2 authentication request. 
For example:\n\n```json\n{\n  \"authRequestKey\": \"QoOuQ3JyccbHqVJxUwHInxSPdn37nSJTgOMn6UE3Yi9c=\",\n  \"applicationId\": \"1111111-111111-111111-11111111\"\n}\n```\n\nAfter getting the response, call the Authentication APIs sequentially. The following uses the OTP authenticator as an\nexample.\n\n### Get User's Authenticators\n\nAfter getting the successful response, submit a POST request to obtain the user's available authenticators that can be\nused to log in to the application. For example:\n\n```\nhttps://customer.region.trustedauth.com/api/web/v2/authentication/users\n```\n\nThe body of this request should contain a JSON object with the User ID (the user id or a user alias value) and\nthe authRequestKey obtained from the Authorization JWT endpoint response. The ID of the application is optional in this\ncase. If the authorization jwt endpoint included request parameters such as acr_values or max_age, the body of this\nrequest must contain the previously authenticated authToken (IDaaS JWT) in order for a recentness check to be\nperformed on the previously completed authentication. For example:\n\n```json\n{\n  \"userId\": \"jsmith\",\n  \"authRequestKey\": \"QoOuQ3JyccbHqVJxUwHInxSPdn37nSJTgOMn6UE3Yi9c=\",\n  \"authToken\": \"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\"\n}\n```\n\nAn API response is received after submitting the request. 
For example:\n\n```json\n{\n  \"availableSecondFactor\": null,\n  \"userMachineSettings\": {\n    \"machineAuthenticatorEnabled\": true,\n    \"deviceFingerprintRequired\": false,\n    \"attributeExclusions\": [],\n    \"userMachineAuthenticators\": []\n  },\n  \"machineAuthenticator\": null,\n  \"authenticationTypes\": [\n    \"OTP\",\n    \"TOKEN\"\n  ],\n  \"time\": 1520961989641,\n  \"otpDeliveryInfo\": {\n    \"otpDefaultDelivery\": \"SMS\",\n    \"availableOTPDelivery\": [\n      \"SMS\",\n      \"EMAIL\",\n      \"VOICE\"\n    ]\n  }\n}\n```\n\nThe authenticator types listed in the response are those that can be used to complete an authentication challenge and\nlog in. **authenticationTypes** lists all the authenticators that have been assigned to the user and can be used to\ncomplete a first-factor authentication challenge. **availableSecondFactor** lists the authenticators that can be used\nto complete a second authentication challenge after the user has completed a first-factor challenge. The authenticators\nlisted as **authenticationTypes** and **availableSecondFactor** are defined by cross-referencing the authenticators\nassigned to the user with those the application’s resource rule allows to be used for authentication.\n\n### Select Authenticator\n\nIf the previous step indicated authentication is required, the next step is to select which authenticator to use from \nthose listed in the previous API response. 
This step is the same as [Select Authenticator](#select-authenticator).\n\nIf the authorization jwt endpoint included request parameters such as acr_values or max_age, the body of this request \nmust contain a JSON object with the authRequestKey obtained from Authorization JWT endpoint response in order for the \nappropriate authentication to be performed.\n\n```json\n{\n  \"applicationId\": \"1111111-111111-111111-11111111\",\n  \"userId\": \"jsmith\",\n  \"authRequestKey\": \"QoOuQ3JyccbHqVJxUwHInxSPdn37nSJTgOMn6UE3Yi9c=\"\n}\n```\n\n### Complete authentication challenge\n\nThe next step is to complete the authentication process. The response for the requested authentication must be included \nin the last API call. For example, a POST request for OTP would be sent to:\n\n```\nhttps://customer.region.trustedauth.com/api/web/v1/authentication/users/authenticate/OTP/complete\n```\n\nThe request must include the end user’s response to the authentication challenge. For example, the OTP received by the \nuser must be included in the request to complete an OTP challenge. The URL must contain the selected authenticator (for \nexample, OTP). An Authorization header field must be added in the header section of this request. The Authorization \nheader stores the value received as \"token\" in the last request. The Authorization header can be sent with or without a \ntype value of \"Bearer\". For example:\n\n```\nAuthorization: Bearer <token>\n```\nor\n```\nAuthorization: <token>\n```\n\nThe body of this request should contain the Application ID and authenticator response. If the authorization jwt \nendpoint included request parameters such as acr_values or max_age, the body of this request must contain a JSON \nobject with the authRequestKey obtained from Authorization JWT endpoint response in order for the \nappropriate authentication to be performed. 
If transaction details exist in the request, and the OAuth2 JWT access\ntoken needs to contain the `transaction_details` claim, the authRequestKey obtained from the authorization jwt endpoint\nis required. For example:\n\n```json\n{\n  \"applicationId\": \"1111111-111111-111111-11111111\",\n  \"response\": \"123454665\",\n  \"authRequestKey\": \"QoOuQ3JyccbHqVJxUwHInxSPdn37nSJTgOMn6UE3Yi9c=\"\n}\n```\n\nAn API response is received after submitting the request. For example:\n\n```json\n{\n  \"status\": null,\n  \"firstName\": \"John\",\n  \"lastName\": \"Smith\",\n  \"authenticationCompleted\": true,\n  \"machineAuthenticator\": null,\n  \"userMachineSettings\": null,\n  \"kbaChallenge\": null,\n  \"token\": \"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\",\n  \"otpdeliveryType\": null,\n  \"expires\": 1520968457173,\n  \"time\": 1520967582294\n}\n```\n\nIn the example above, **authenticationCompleted** is marked as true because the response sent in the POST request was\nvalid. The last step is to send a request to the token endpoint.\nSee [Token Endpoint JWT IDaaS Grant Type](#jwt-idaas-grant-type).\n\n## OIDC/OAuth Device Code Endpoint\n\nThe OIDC/OAuth device code endpoint `https://customer.region.trustedauth.com/api/oidc/devicecode` can be used to\ninitiate both OIDC authentication and OAuth authorization token requests using the device code flow.\nThe OIDC/OAuth device endpoint `https://customer.region.trustedauth.com/api/oidc/device`, returned in the device code\nendpoint response, can then be used to initiate user authentication using the device code flow.\n\n### OIDC Authentication\n\nOIDC authentication is initiated by a device using the device code endpoint. 
This initiates the process of obtaining id\ntokens, access tokens to acquire userinfo data, and refresh tokens by including the following standard OIDC/OAuth\nparameters:\n\n- `client_id` = `dba4e3c6-f1f3-4d23-9088-fb452064c73f`\n- `scope` = `openid profile offline_access`\n\nThe client_id parameter must be included and is used to identify the client application.\n\nThe scope parameter must include the OIDC scope openid.\n\nThe scope parameter should include the OIDC scope values (e.g., profile) to specify which userinfo data to include.\n\nThe scope parameter can also include offline_access in order to obtain a refresh token.\n\nOptional standard OIDC parameters, including acr_values and max_age, can also be used.\n\nUser authentication must then be initiated by the user using the device endpoint specified in the device code endpoint\nresponse verification_uri along with the user_code. An example device code endpoint response:\n\n```json\n{\n  \"user_code\": \"DW-BVVB-LT\",\n  \"device_code\": \"D8pDxpJtZoiTkJDjdwLAv0UHdS4tBF_OM5ejdn6PmJL4=\",\n  \"interval\": 5,\n  \"verification_uri_complete\": \"https://customer.region.trustedauth.com/api/oidc/device?user_code=DW-BVVB-LT\",\n  \"verification_uri\": \"https://customer.region.trustedauth.com/api/oidc/device\",\n  \"expires_in\": 300\n}\n```\n\nThe OAuth consent page displayed to the user will include the userid and the application name that will be\nassociated with the generated tokens. It will also include a configurable application specific message indicating that\nthe consent is for a device.\n\n### OAuth2 Authorization\n\nOAuth authorization, optionally with OIDC authentication, is initiated by a device using the device code endpoint. 
This initiates the process of obtaining id tokens, access tokens to be used with resource servers, and refresh tokens by\nincluding the following standard OIDC/OAuth parameters:\n\n- `client_id` = `dba4e3c6-f1f3-4d23-9088-fb452064c73f`\n- `resource` = `https://example.com/apis/calendar`\n- `scope` = `openid profile offline_access view:calendar edit:calendar`\n\nor\n\n- `client_id` = `dba4e3c6-f1f3-4d23-9088-fb452064c73f`\n- `resource` = `https://example.com/apis/calendar`\n- `scope` = `openid profile offline_access all_scopes`\n\nThe client_id parameter must be included and is used to identify the client application.\n\nThe resource parameter is used to identify the resource server API for which an OAuth2 JWT access token is being\nrequested by a client application on behalf of a user. This value can be set using the resource parameter or\nalternatively by using the audience parameter.\n\nThe scope parameter should include openid in order to obtain an id token.\n\nThe scope parameter should include the resource server scope values to specify which scopes are being requested for the\nidentified resource server API. 
As opposed to specifying specific resource server scope values, the scope parameter can\nalso include all_scopes in order to specify that all scopes are being requested for the identified resource server API.\n\nThe scope parameter can also include offline_access in order to obtain a refresh token.\n\nAs with OIDC authentication, the use of the OIDC scope parameter openid is required to obtain an id token and the\nothers are optional (e.g., profile).\n\nOptional standard OIDC parameters, including acr_values and max_age, can also be used.\n\nUser authentication must then be initiated by the user using the device endpoint specified in the device code endpoint\nresponse verification_uri along with the user_code. An example device code endpoint response:\n\n```json\n{\n  \"user_code\": \"DW-BVVB-LT\",\n  \"device_code\": \"D8pDxpJtZoiTkJDjdwLAv0UHdS4tBF_OM5ejdn6PmJL4=\",\n  \"interval\": 5,\n  \"verification_uri_complete\": \"https://customer.region.trustedauth.com/api/oidc/device?user_code=DW-BVVB-LT\",\n  \"verification_uri\": \"https://customer.region.trustedauth.com/api/oidc/device\",\n  \"expires_in\": 300\n}\n```\n\nThe OAuth consent page displayed to the user will include the userid, the application name, the resource server API\nname, and the resource server scope names that will be associated with the generated tokens. 
It will also include a\nconfigurable application specific message indicating that the consent is for a device.\n\n## OIDC/OAuth Token Endpoint\n\nThe OIDC/OAuth token endpoint `https://customer.region.trustedauth.com/api/oidc/token` can be used for both OIDC\nauthentication and OAuth authorization tokens.\n\n**Note:** The authorization code grant supports PKCE (Proof Key for Code Exchange): a client that sent `code_challenge` to\nthe authorization endpoint presents the matching `code_verifier` when redeeming the code here.\n\n### Authorization Code Grant Type\n\nOIDC/OAuth authorization code grant is used to obtain various id tokens, access tokens, and refresh tokens by including\nstandard OIDC/OAuth parameters, including these:\n\n- `grant_type` = `authorization_code`\n- `code` = `CWdEdNomrMcCQ9oMjXTMS7XxWiHMsrX9-mXIHwqEXC4U=`\n\n### Device Code Grant Type\n\nOIDC/OAuth device code grant is used to obtain various id tokens, access tokens, and refresh tokens by including\nstandard OIDC/OAuth parameters, including these:\n\n- `grant_type` = `urn:ietf:params:oauth:grant-type:device_code`\n- `device_code` = `Dcatvq6_iclfJa_Y7NCcNLkh0NN1IIFV4btgAoXmoKN0=`\n\n### Refresh Token Grant Type\n\nOIDC/OAuth refresh token grant is used to obtain new (updated expiry dates) access tokens and refresh tokens by\nincluding standard OIDC/OAuth parameters, including these:\n\n- `grant_type` = `refresh_token`\n- `refresh_token` = `R-5f474e42-92ef-4ae4-bab7-b5ab2c052161-9arzeOJKHWhtvKQOJw4MXXgLpE99bLEBjTu2q4KsC7s=`\n\n### Client Credentials Grant Type\n\nOAuth client credentials grant is used to obtain server-based (i.e., non-user-based) access tokens by including standard\nOIDC/OAuth parameters, including these:\n\n- `grant_type` = `client_credentials`\n- `resource` = `http://localhost:3010/stuff/calendar`\n- `scope` = `view:calendar add:calendar`\n\nThe resource parameter is used to identify the resource server API for which an access token is being requested by a\nclient application (no user in this case). 
This value must be set using the resource parameter.\n\nThe scope parameter should include the resource server scope values to specify which scopes are being requested for the\nidentified resource server API.\n\n### JWT IDaaS Grant Type\n\nOIDC/OAuth JWT IDaaS grant is used to obtain various id tokens, access tokens, and refresh tokens by including\nstandard OIDC/OAuth parameters, including these:\n\n- `grant_type` = `jwt_idaas`\n- `jwt` = `GHLITi0s+hZecyZo...MFa6Gzf+kk=`\n- `code` = `QoOuQ3JyccbHqVJxUwHInxSPdn37nSJTgOMn6UE3Yi9c=`\n\nThe jwt parameter is the token obtained from the Complete Authentication Challenge response. The code parameter is the\nauthRequestKey obtained from the authorization jwt endpoint response.\n\nOptionally, the org_id parameter can be used to return the org_id claim with a value set to the uuid of one of the\norganizations the user is associated with.\n\n## OIDC Userinfo Endpoint\n\nThe OIDC userinfo endpoint `https://customer.region.trustedauth.com/api/oidc/userinfo` can be used to obtain userinfo\ndata with an OIDC access token.\n\nA previously obtained OIDC access token is sent as a Bearer token in the Authorization header to obtain userinfo data.\n\n## OIDC/OAuth Revocation Endpoint\n\nThe OIDC/OAuth revocation endpoint `https://customer.region.trustedauth.com/api/oidc/revoke` can be used for revoking\nboth OIDC authentication and OAuth authorization access tokens.\n\nOIDC/OAuth revoke token is used to revoke (i.e., delete) existing OIDC access tokens, OAuth access tokens, and\nrefresh tokens by including standard OIDC/OAuth parameters, including these:\n\n- `token` = `R-5f474e42-92ef-4ae4-bab7-b5ab2c052161-9arzeOJKHWhtvKQOJw4MXXgLpE99bLEBjTu2q4KsC7s=`\n\nThe token parameter must include the access token or refresh token that is being revoked.\n\n## OIDC/OAuth Logout Endpoint\n\nThe OIDC/OAuth logout (end session) endpoint `https://customer.region.trustedauth.com/api/oidc/endsession` can be used\nto log out Identity as a Service sessions.\n\nThe endpoint may be called without any parameters, which results in the user remaining at the Identity as a Service\nportal.\nOptionally, the following parameters can be used to redirect the user back to the calling client application:\n\n- `post_logout_redirect_uri` = `https://www.example.com`\n- `redirect_uri` = `https://www.example.com`\n- `client_id` = `dba4e3c6-f1f3-4d23-9088-fb452064c73f`\n- `id_token_hint` = `eyJ4...weRA`\n\nThe post_logout_redirect_uri parameter (or optionally the redirect_uri parameter) must be included and is used as the\nredirect uri. This value must be configured as a Logout Redirect URI for the OIDC/OAuth client application, so that the\nendpoint will not redirect to an arbitrary attacker-chosen URL. Only one of these parameters is required.\n\nThe client_id parameter (or optionally the aud claim of the id_token passed as id_token_hint) must be included and is\nused to identify the client application. Only one of these parameters is required.\n\n## OIDC/OAuth Token Examples\n\nThe following is the resulting token payload data for various types of tokens. These have been parsed and simplified for\ndisplay purposes. 
Items, such as signatures, have been removed.\n\n### OIDC ID Token\n\n```json\n{\n  \"sub\": \"user1\",\n  \"aud\": \"acd612d3-79e6-4702-ba9d-90575125394f\",\n  \"acr\": \"urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken\",\n  \"nbf\": 1616425220,\n  \"auth_time\": 1616425012,\n  \"iss\": \"https://customer.region.trustedauth.com/api/oidc\",\n  \"exp\": 1616425940,\n  \"iat\": 1616425220,\n  \"nonce\": \"abcd\",\n  \"jti\": \"3f4e7ed0-e916-4140-9c3e-93ad7a4aabd2\"\n}\n```\n\nA relying party validating this id token verifies the signature against the issuer's published keys, then checks that\n`iss` is the expected issuer, that `aud` is its own client_id, that the current time is between `nbf` and `exp`, and that\n`nonce` matches the value it sent in the authorization request.\n\n### OIDC Access Token (for Userinfo data)\n\n```\nU-720039ce-5a55-433a-85a2-3a4ee720d9d6-QJ1N4r3jEFOjPBeNfXQw0wbJHzErgG3uS3MJAZI5bSk=\n```\n\nThe corresponding Userinfo data that is obtained based on the access token:\n\n```json\n{\n  \"sub\": \"user1\",\n  \"aud\": \"acd612d3-79e6-4702-ba9d-90575125394f\",\n  \"name\": \"User One\",\n  \"iss\": \"https://customer.region.trustedauth.com/api/oidc\",\n  \"given_name\": \"User\",\n  \"family_name\": \"One\",\n  \"email\": \"user1@example.com\",\n  \"iat\": 1616423220\n}\n```\n\n### OAuth Access Token (used with Resource Server APIs)\n\n```json\n{\n  \"app\": \"Sample Client Application\",\n  \"sub\": \"user1\",\n  \"iss\": \"https://customer.region.trustedauth.com/api/oidc\",\n  \"given_name\": \"User\",\n  \"aud\": \"https://example.com/apis/calendar\",\n  \"nbf\": 1616425220,\n  \"scope\": \"view:calendar edit:calendar\",\n  \"name\": \"User One\",\n  \"exp\": 1616428820,\n  \"iat\": 1616425220,\n  \"family_name\": \"One\",\n  \"jti\": \"5f474e42-92ef-4ae4-bab7-b5ab2c052161\",\n  \"cid\": \"acd612d3-79e6-4702-ba9d-90575125394f\"\n}\n```\n\nA resource server accepting this token verifies the signature against the issuer's keys and then checks that `iss` is the\nexpected issuer, that `aud` equals its own resource identifier, that the current time is between `nbf` and `exp`, and\nthat `scope` contains the scope required by the requested operation.\n\n### Refresh Token\n\n```\nR-5f474e42-92ef-4ae4-bab7-b5ab2c052161-9arzeOJKHWhtvKQOJw4MXXgLpE99bLEBjTu2q4KsC7s=\n```\n",
    "contact": {
      "name": "Entrust Identity as a Service",
      "url": "https://www.entrust.com/",
      "email": "support@entrust.com"
    },
    "version": "5.45"
  },
  "servers": [
    {
      "url": "https://customer.region.trustedauth.com"
    }
  ],
  "tags": [
    {
      "name": "Authentication",
      "description": "Authentication controllers"
    },
    {
      "name": "Authentication Self Admin",
      "description": "Authentication Self Admin Controllers"
    }
  ],
  "paths": {
    "/api/web/v1/authentication/logout": {
      "post": {
        "tags": [
          "Authentication"
        ],
        "summary": "Remove User Session",
        "operationId": "logoutUsingPOST",
        "parameters": [
          {
            "name": "Authorization",
            "in": "header",
            "schema": {
              "type": "string"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "Successful"
          },
          "400": {
            "description": "Bad Request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "401": {
            "description": "Access denied",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "404": {
            "description": "Not Found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "409": {
            "description": "Conflict",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          }
        }
      }
    },
    "/api/web/v1/authentication/users/authenticate/{authenticator}/complete": {
      "post": {
        "tags": [
          "Authentication"
        ],
        "summary": "Authenticate User Challenge",
        "operationId": "userAuthenticateUsingPOST",
        "parameters": [
          {
            "name": "authenticator",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "enum": [
                "MACHINE",
                "PASSWORD",
                "EXTERNAL",
                "KBA",
                "TEMP_ACCESS_CODE",
                "OTP",
                "GRID",
                "TOKEN",
                "TOKENCR",
                "TOKENPUSH",
                "FIDO",
                "SMARTCREDENTIALPUSH",
                "PASSWORD_AND_SECONDFACTOR",
                "SMART_LOGIN",
                "IDP",
                "PASSKEY",
                "IDP_AND_SECONDFACTOR",
                "USER_CERTIFICATE",
                "FACE",
                "PASSTHROUGH",
                "MAGICLINK"
              ]
            }
          },
          {
            "name": "Authorization",
            "in": "header",
            "required": false,
            "schema": {
              "type": "string"
            }
          }
        ],
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/UserAuthenticateParameters"
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "Authenticators retrieved successfully",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/AuthenticatedResponse"
                }
              }
            }
          },
          "400": {
            "description": "Bad request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "401": {
            "description": "Access denied",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "404": {
            "description": "Not Found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          }
        }
      }
    },
    "/api/web/v1/self/fidotokens": {
      "get": {
        "tags": [
          "Authentication Self Admin"
        ],
        "summary": "Start FIDO token registration for the current user.",
        "operationId": "startFIDORegisterUsingGET",
        "responses": {
          "200": {
            "description": "Successful",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/FIDORegisterChallenge"
                }
              }
            }
          },
          "400": {
            "description": "Bad Request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "401": {
            "description": "Access denied",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "404": {
            "description": "Not Found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "409": {
            "description": "Conflict",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          }
        },
        "security": [
          {
            "AdminAPIAuthentication": []
          }
        ]
      },
      "post": {
        "tags": [
          "Authentication Self Admin"
        ],
        "summary": "Complete FIDO token registration for the current user.",
        "operationId": "completeFIDORegisterUsingPOST",
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/FIDORegisterResponse"
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "Successful",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/FIDOToken"
                }
              }
            }
          },
          "400": {
            "description": "Bad Request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "401": {
            "description": "Access denied",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "404": {
            "description": "Not Found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "409": {
            "description": "Conflict",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          }
        },
        "security": [
          {
            "AdminAPIAuthentication": []
          }
        ]
      }
    },
    "/api/web/v1/self/fidotokens/{fidoid}": {
      "get": {
        "tags": [
          "Authentication Self Admin"
        ],
        "summary": "Get a FIDO token for the current user.",
        "operationId": "getSelfFIDOTokenUsingGET",
        "parameters": [
          {
            "name": "fidoid",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "Successful",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/FIDOToken"
                }
              }
            }
          },
          "400": {
            "description": "Bad Request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "401": {
            "description": "Access denied",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "404": {
            "description": "Not Found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "409": {
            "description": "Conflict",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          }
        },
        "security": [
          {
            "AdminAPIAuthentication": []
          }
        ]
      },
      "put": {
        "tags": [
          "Authentication Self Admin"
        ],
        "summary": "Update a FIDO token from the current user.",
        "operationId": "updateSelfFIDOTokenUsingPUT",
        "parameters": [
          {
            "name": "fidoid",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            }
          }
        ],
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/FIDOTokenParms"
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "Successful"
          },
          "400": {
            "description": "Bad Request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "401": {
            "description": "Access denied",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "404": {
            "description": "Not Found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "409": {
            "description": "Conflict",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          }
        },
        "security": [
          {
            "AdminAPIAuthentication": []
          }
        ]
      },
      "delete": {
        "tags": [
          "Authentication Self Admin"
        ],
        "summary": "Delete a FIDO token from the current user.",
        "operationId": "deleteSelfFIDOTokenUsingDELETE",
        "parameters": [
          {
            "name": "fidoid",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string"
            }
          }
        ],
        "responses": {
          "200": {
            "description": "Successful"
          },
          "400": {
            "description": "Bad Request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "401": {
            "description": "Access denied",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "404": {
            "description": "Not Found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "409": {
            "description": "Conflict",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          }
        },
        "security": [
          {
            "AdminAPIAuthentication": []
          }
        ]
      }
    },
    "/api/web/v1/self/tokens/offline": {
      "post": {
        "tags": [
          "Authentication Self Admin"
        ],
        "summary": "Get Offline Token Responses",
        "operationId": "getOfflineTokenResponsesUsingPOST",
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/GetOfflineTokenAuthenticateParms"
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "Successful",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/OfflineTokenAuthenticateResponse"
                }
              }
            }
          },
          "400": {
            "description": "Bad Request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "401": {
            "description": "Access denied",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "404": {
            "description": "Not Found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "409": {
            "description": "Conflict",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          }
        }
      }
    },
    "/api/web/v1/self/values": {
      "get": {
        "tags": [
          "Authentication Self Admin"
        ],
        "summary": "Get User Values",
        "operationId": "selfGetUserValuesUsingGET",
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "type": "array",
                  "items": {
                    "$ref": "#/components/schemas/UserClientValue"
                  }
                }
              }
            }
          },
          "400": {
            "description": "Bad request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/Error"
                }
              }
            }
          },
          "401": {
            "description": "Authorization information is missing or invalid",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/Error"
                }
              }
            }
          }
        },
        "security": [
          {
            "AdminAPIAuthentication": []
          }
        ]
      },
      "put": {
        "tags": [
          "Authentication Self Admin"
        ],
        "summary": "Update to delete User Values",
        "operationId": "selfDeleteUserValuesUsingPUT",
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "type": "array",
                "description": "An array of string names of the user name/value pairs that are to be deleted. When the array is empty, the user values field is reset to empty.",
                "items": {
                  "type": "string"
                }
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "OK",
            "content": {
              "application/json": {
                "schema": {
                  "type": "array",
                  "items": {
                    "$ref": "#/components/schemas/UserClientValue"
                  }
                }
              }
            }
          },
          "400": {
            "description": "Bad request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/Error"
                }
              }
            }
          },
          "401": {
            "description": "Authorization information is missing or invalid",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/Error"
                }
              }
            }
          }
        },
        "security": [
          {
            "AdminAPIAuthentication": []
          }
        ]
      },
      "post": {
        "tags": [
          "Authentication Self Admin"
        ],
        "summary": "Set or update User Values",
        "operationId": "selfSetUserValuesUsingPOST",
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "type": "array",
                "description": "An array of user client value objects that are to be added or updated.",
                "items": {
                  "$ref": "#/components/schemas/UserClientValue"
                }
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "OK"
          },
          "400": {
            "description": "Bad request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/Error"
                }
              }
            }
          },
          "401": {
            "description": "Authorization information is missing or invalid",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/Error"
                }
              }
            }
          }
        },
        "security": [
          {
            "AdminAPIAuthentication": []
          }
        ]
      }
    },
    "/api/web/v2/authentication/users": {
      "post": {
        "tags": [
          "Authentication"
        ],
        "summary": "Query User Authenticators",
        "operationId": "userAuthenticatorQueryUsingPOST",
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/UserAuthenticateQueryParameters"
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "Authenticators retrieved successfully",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/UserAuthenticateQueryResponse"
                }
              }
            }
          },
          "400": {
            "description": "Bad request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "401": {
            "description": "Access denied",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "404": {
            "description": "Not Found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          }
        }
      }
    },
    "/api/web/v2/authentication/users/authenticate/{authenticator}": {
      "post": {
        "tags": [
          "Authentication"
        ],
        "summary": "Request User Challenge",
        "operationId": "userChallengeUsingPOST",
        "parameters": [
          {
            "name": "authenticator",
            "in": "path",
            "required": true,
            "schema": {
              "type": "string",
              "enum": [
                "MACHINE",
                "PASSWORD",
                "EXTERNAL",
                "KBA",
                "TEMP_ACCESS_CODE",
                "OTP",
                "GRID",
                "TOKEN",
                "TOKENCR",
                "TOKENPUSH",
                "FIDO",
                "SMARTCREDENTIALPUSH",
                "PASSWORD_AND_SECONDFACTOR",
                "SMART_LOGIN",
                "IDP",
                "PASSKEY",
                "IDP_AND_SECONDFACTOR",
                "USER_CERTIFICATE",
                "FACE",
                "PASSTHROUGH",
                "MAGICLINK"
              ]
            }
          }
        ],
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/UserChallengeParameters"
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "description": "Authenticators retrieved successfully",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/AuthenticatedResponse"
                }
              }
            }
          },
          "400": {
            "description": "Bad request",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "401": {
            "description": "Access denied",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "403": {
            "description": "Forbidden",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          },
          "404": {
            "description": "Not Found",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorInfo"
                }
              }
            }
          }
        }
      }
    }
  },
  "components": {
    "schemas": {
      "AuthenticatedResponse": {
        "type": "object",
        "properties": {
          "authenticationCompleted": {
            "type": "boolean",
            "description": "Flag to indicate if authentication has successfully completed."
          },
          "authenticatorResponse": {
            "type": "string",
            "description": "The authenticator response for MSCHAPv2",
            "format": "byte"
          },
          "deviceCertAuthDesired": {
            "type": "boolean",
            "description": "Flag to indicate if the user has to attempt device certificate authentication."
          },
          "expires": {
            "type": "integer",
            "description": "Expiry time of token.",
            "format": "int64"
          },
          "faceChallenge": {
            "$ref": "#/components/schemas/FaceChallenge"
          },
          "fidoChallenge": {
            "$ref": "#/components/schemas/FIDOChallenge"
          },
          "firstName": {
            "type": "string",
            "description": "First Name."
          },
          "gridChallenge": {
            "$ref": "#/components/schemas/GridChallenge"
          },
          "kbaChallenge": {
            "$ref": "#/components/schemas/KbaChallenge"
          },
          "lastName": {
            "type": "string",
            "description": "Last Name."
          },
          "machineAuthenticator": {
            "$ref": "#/components/schemas/MachineAuthenticator"
          },
          "magicLinkType": {
            "type": "string",
            "description": "The type of Magic Link being used."
          },
          "offlineTokenResponses": {
            "$ref": "#/components/schemas/OfflineTokenAuthenticateResponse"
          },
          "organizations": {
            "type": "array",
            "description": "A list of the user organizations.",
            "items": {
              "$ref": "#/components/schemas/Organization"
            }
          },
          "otpdeliveryType": {
            "type": "string",
            "description": "The OTP delivery type used.",
            "enum": [
              "EMAIL",
              "SMS",
              "VOICE",
              "WECHAT",
              "WHATSAPP"
            ]
          },
          "passthroughAuthenticationResponse": {
            "$ref": "#/components/schemas/PassthroughAuthenticationResponse"
          },
          "passwordChallenge": {
            "$ref": "#/components/schemas/PasswordChallenge"
          },
          "pushMutualChallenge": {
            "type": "string",
            "description": "Push authentication mutual challenge."
          },
          "redirectUrl": {
            "type": "string",
            "description": "The redirect URL when using a Magic Link."
          },
          "smartLoginChallenge": {
            "type": "string",
            "description": "For a SMART_LOGIN authenticator challenge, provides the challenge."
          },
          "status": {
            "type": "string",
            "description": "Status of authenticator. This is not a required API field if Mobile Smart Credential or Token Push authentication is being used.",
            "enum": [
              "CONFIRM",
              "CONCERN",
              "CANCEL",
              "NO_RESPONSE"
            ]
          },
          "stepUpAuthExpiry": {
            "type": "integer",
            "description": "The timeout for step-up authentication",
            "format": "int64"
          },
          "tempAccessCodeChallenge": {
            "$ref": "#/components/schemas/TempAccessCodeChallenge"
          },
          "time": {
            "type": "integer",
            "format": "int64"
          },
          "token": {
            "type": "string",
            "description": "Authenticated/unauthenticated authorization token."
          },
          "tokenChallenge": {
            "$ref": "#/components/schemas/TokenChallenge"
          },
          "tokenDetails": {
            "type": "array",
            "description": "For a token or token push authenticator challenge, provides a list of serial numbers of the tokens that can be used to authenticate.",
            "items": {
              "type": "string",
              "description": "For a token or token push authenticator challenge, provides a list of serial numbers of the tokens that can be used to authenticate."
            }
          },
          "tokenPushMutualChallenge": {
            "type": "string",
            "description": "The token push authentication mutual challenge.",
            "deprecated": true
          },
          "transactionReceipt": {
            "$ref": "#/components/schemas/TransactionReceipt"
          },
          "userCertificateChallenge": {
            "$ref": "#/components/schemas/UserCertificateChallenge"
          },
          "userId": {
            "type": "string",
            "description": "The User ID of the Identity as a Service user that completed authentication."
          },
          "userMachineSettings": {
            "$ref": "#/components/schemas/UserMachineSettings"
          },
          "userRegistrationRequired": {
            "type": "boolean",
            "description": "Whether the user still requires registration."
          },
          "userVerificationRequired": {
            "type": "boolean",
            "description": "Whether the user still requires verification."
          }
        },
        "description": "Response associated with an authentication request."
      },
      "CHAPResponse": {
        "type": "object"
      },
      "Error": {
        "required": [
          "code",
          "message"
        ],
        "type": "object",
        "properties": {
          "code": {
            "type": "string",
            "description": "The server error code"
          },
          "message": {
            "type": "string",
            "description": "A human-readable representation of the error"
          },
          "target": {
            "type": "string",
            "description": "The target of the error"
          }
        }
      },
      "ErrorInfo": {
        "type": "object",
        "properties": {
          "errorCode": {
            "type": "string",
            "description": "Error Codes specific to cause of failure.",
            "example": "invalid_user_response"
          },
          "errorMessage": {
            "type": "string",
            "description": "Additional Error Message describing the error.",
            "example": "Application id cannot be null"
          },
          "parameters": {
            "type": "array",
            "description": "Optional additional error information.",
            "items": {
              "type": "object",
              "description": "Optional additional error information."
            }
          }
        },
        "description": "Object containing information about errors reported by services."
      },
      "FIDOChallenge": {
        "required": [
          "challenge",
          "timeout",
          "timeoutMillis"
        ],
        "type": "object",
        "properties": {
          "allowCredentials": {
            "type": "array",
            "description": "The list of IDs of the FIDO tokens registered for the user. Each value is base-64 encoded.",
            "items": {
              "type": "string",
              "description": "The list of IDs of the FIDO tokens registered for the user. Each value is base-64 encoded."
            }
          },
          "challenge": {
            "type": "string",
            "description": "A random challenge. It is a base-64 encoded value."
          },
          "timeout": {
            "type": "integer",
            "description": "The number of seconds that the client will wait for the FIDO token to respond. This field is deprecated, use 'timeoutMillis' instead.",
            "format": "int32",
            "deprecated": true
          },
          "timeoutMillis": {
            "type": "integer",
            "description": "The number of milliseconds that the client will wait for the FIDO token to respond.",
            "format": "int32"
          }
        },
        "description": "If the authentication challenge is of type FIDO, the FIDOChallenge will contain the FIDO challenge parameters that must be passed to the FIDO token to complete authentication."
      },
      "FIDORegisterChallenge": {
        "type": "object",
        "properties": {
          "challenge": {
            "type": "string",
            "description": "The registration challenge generated by Identity as a Service.  This is a base-64 encoded value."
          },
          "registeredCredentials": {
            "type": "array",
            "description": "The IDs of FIDO tokens already registered to this user.  These values are base-64 encoded.",
            "items": {
              "type": "string",
              "description": "The IDs of FIDO tokens already registered to this user.  These values are base-64 encoded."
            }
          },
          "registeredCredentialsNames": {
            "type": "array",
            "description": "The names of FIDO tokens already registered to this user.",
            "items": {
              "type": "string",
              "description": "The names of FIDO tokens already registered to this user."
            }
          },
          "registrationAuthenticatorAttachment": {
            "type": "string",
            "description": "Should the token be embedded on the device or stored externally?",
            "enum": [
              "EITHER",
              "PLATFORM",
              "CROSS_PLATFORM"
            ]
          },
          "registrationRequireResidentKey": {
            "type": "string",
            "description": "Should the User ID be stored on the Passkey/FIDO2 token?",
            "enum": [
              "DISCOURAGED",
              "PREFERRED",
              "REQUIRED"
            ]
          },
          "registrationUserVerification": {
            "type": "string",
            "description": "Should the token perform user verification?",
            "enum": [
              "DISCOURAGED",
              "PREFERRED",
              "REQUIRED"
            ]
          },
          "rpName": {
            "type": "string",
            "description": "The name of this relying party.  This is the name of the Identity as a Service account."
          },
          "timeout": {
            "type": "integer",
            "description": "The number of seconds that the client will wait for the FIDO token to respond. This field is deprecated, use 'timeoutMillis' instead.",
            "format": "int32",
            "deprecated": true
          },
          "timeoutMillis": {
            "type": "integer",
            "description": "The time in milliseconds that the client will wait for the FIDO token to respond.",
            "format": "int32"
          },
          "userDisplayName": {
            "type": "string",
            "description": "The display name of this user. It will be 'firstname lastname' of the user"
          },
          "userId": {
            "type": "string",
            "description": "The id of this user. It will be UUID of the user base-64 encoded."
          },
          "userName": {
            "type": "string",
            "description": "The name of this user. It will be the userId of the user."
          }
        },
        "description": "A FIDORegisterChallenge defines the information returned when a user starts to register a FIDO token."
      },
      "FIDORegisterResponse": {
        "type": "object",
        "properties": {
          "attestationObject": {
            "type": "string",
            "description": "The FIDO attestationObject data returned from the FIDO token.  This is a base-64 encoded value."
          },
          "clientDataJSON": {
            "type": "string",
            "description": "The FIDO clientData returned from the FIDO token.  This is a base-64 encoded value."
          },
          "name": {
            "type": "string",
            "description": "The name for the new FIDO token."
          },
          "userIdStored": {
            "type": "boolean",
            "description": "Flag indicating if the userId was stored on the registered FIDO2 token.  Defaults to false if not set.",
            "deprecated": true
          }
        },
        "description": "FIDORegisterResponse defines the information returned from a FIDO token to complete registration."
      },
      "FIDOResponse": {
        "required": [
          "authenticatorData",
          "clientDataJSON",
          "credentialId",
          "signature"
        ],
        "type": "object",
        "properties": {
          "authenticatorData": {
            "type": "string",
            "description": "Authenticator Data returned from the token."
          },
          "clientDataJSON": {
            "type": "string",
            "description": "Data about the token used to authenticate."
          },
          "credentialId": {
            "type": "string",
            "description": "The ID of the token used to authenticate."
          },
          "signature": {
            "type": "string",
            "description": "The authentication signature generated by the token."
          },
          "userHandle": {
            "type": "string",
            "description": "The UUID of the user logging in."
          }
        },
        "description": "The values returned from a FIDO token when performing an authentication."
      },
      "FIDOToken": {
        "type": "object",
        "properties": {
          "allowedActions": {
            "type": "array",
            "description": "Administration actions that can be performed on this FIDO token.",
            "items": {
              "type": "string",
              "description": "Administration actions that can be performed on this FIDO token.",
              "enum": [
                "DELETE",
                "ENABLE",
                "DISABLE",
                "RENAME"
              ]
            }
          },
          "createDate": {
            "type": "string",
            "description": "The date on which the FIDO token was created.",
            "format": "date-time",
            "example": "2019-02-19T13:15:27Z"
          },
          "id": {
            "type": "string",
            "description": "The unique UUID assigned to the FIDO token when it is registered."
          },
          "lastUsedDate": {
            "type": "string",
            "description": "The date on which this FIDO token was last used for authentication. This value will be null if the FIDO token has never been used.",
            "format": "date-time",
            "example": "2019-02-21T11:37:27Z"
          },
          "name": {
            "type": "string",
            "description": "The name of this FIDO token."
          },
          "origin": {
            "type": "string",
            "description": "The origin of where the FIDO token was generated."
          },
          "relyingPartyId": {
            "type": "string",
            "description": "The relying party ID of where the FIDO token was generated."
          },
          "state": {
            "type": "string",
            "description": "The state of this FIDO token.  Only FIDO tokens in the ACTIVE state can be used for authentication.",
            "enum": [
              "ACTIVE",
              "INACTIVE"
            ]
          },
          "userId": {
            "type": "string",
            "description": "The user Id of the user who owns this FIDO token."
          },
          "userIdStored": {
            "type": "boolean",
            "description": "Indicates if the userId was stored on the FIDO token."
          },
          "userUUID": {
            "type": "string",
            "description": "The UUID of the user who owns this FIDO token."
          }
        },
        "description": "A FIDOToken defines the information returned about a FIDO Token."
      },
      "FIDOTokenParms": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string",
            "description": "The name of this FIDO token."
          },
          "state": {
            "type": "string",
            "description": "The state of this FIDO token.  Only FIDO tokens in the ACTIVE state can be used for authentication.",
            "enum": [
              "ACTIVE",
              "INACTIVE"
            ]
          }
        },
        "description": "The parameters specifying what is to be changed."
      },
      "FaceChallenge": {
        "type": "object",
        "properties": {
          "device": {
            "type": "string",
            "description": "Which device to use for registration and authentication.",
            "enum": [
              "WEB",
              "MOBILE"
            ]
          },
          "id": {
            "type": "string",
            "description": "The ID of the Face Biometric to get."
          },
          "qrCode": {
            "type": "string",
            "description": "QR Code to use to launch the mobile flow."
          },
          "sdkToken": {
            "type": "string",
            "description": "The SDK token generated for the user."
          },
          "workflowRunId": {
            "type": "string",
            "description": "Workflow run ID to use for the user."
          }
        },
        "description": "Parameters returned to initialize a Face Biometric authenticator."
      },
      "GetOfflineTokenAuthenticateParms": {
        "required": [
          "applicationId",
          "tokenProtectedOfflineParms",
          "tokenSerialNumber"
        ],
        "type": "object",
        "properties": {
          "applicationId": {
            "type": "string"
          },
          "tokenProtectedOfflineParms": {
            "$ref": "#/components/schemas/TokenProtectedOfflineParms"
          },
          "tokenSerialNumber": {
            "type": "string"
          }
        },
        "description": "Information used to get offline responses for a token assigned to a user."
      },
      "GridChallenge": {
        "required": [
          "challenge",
          "gridInfo",
          "numCharsPerCell"
        ],
        "type": "object",
        "properties": {
          "challenge": {
            "type": "array",
            "description": "The grid challenge specifies a list of grid cells that the user must answer in their challenge.",
            "items": {
              "$ref": "#/components/schemas/GridChallengeCell"
            }
          },
          "gridInfo": {
            "type": "array",
            "description": "The grid details.",
            "items": {
              "$ref": "#/components/schemas/GridInfo"
            }
          },
          "numCharsPerCell": {
            "type": "integer",
            "description": "The numCharsPerCell value specifies the number of characters expected in the response for each cell as defined by current settings.",
            "format": "int32"
          }
        },
        "description": "If the authentication challenge is of type grid, the GridChallenge object will contain the grid challenge that the end user must answer."
      },
      "GridChallengeCell": {
        "required": [
          "column",
          "row"
        ],
        "type": "object",
        "properties": {
          "column": {
            "type": "integer",
            "description": "The column within the grid starting at 0.",
            "format": "int32"
          },
          "row": {
            "type": "integer",
            "description": "The row within the grid starting at 0.",
            "format": "int32"
          }
        },
        "description": "A GridChallengeCell specifies one cell in a grid by its row and column coordinates.  Normally a grid challenge cell is displayed using letters for the column and numbers for the row.  For example, a cell with the value 0,0 will be displayed as A1."
      },
      "GridInfo": {
        "required": [
          "serialNumber"
        ],
        "type": "object",
        "properties": {
          "expiryDate": {
            "type": "string",
            "description": "The expiry date of the grid. Null value indicates the grid will never expire.",
            "format": "date-time",
            "example": "2019-02-19T13:15:27Z"
          },
          "serialNumber": {
            "type": "string",
            "description": "The serial number of the grid that can be used to answer this challenge."
          }
        },
        "description": "Details about the grid."
      },
      "KbaChallenge": {
        "required": [
          "userQuestions"
        ],
        "type": "object",
        "properties": {
          "id": {
            "type": "string"
          },
          "userQuestions": {
            "type": "array",
            "items": {
              "$ref": "#/components/schemas/UserQuestion"
            }
          }
        },
        "description": "Knowledge-based authenticator required for authentication to Identity as a Service"
      },
      "MSCHAPv1Response": {
        "required": [
          "challenge",
          "response"
        ],
        "type": "object",
        "properties": {
          "challenge": {
            "type": "string",
            "description": "The MSCHAPv1 challenge.",
            "format": "byte"
          },
          "response": {
            "type": "string",
            "description": "The MSCHAPv1 response.",
            "format": "byte"
          }
        },
        "description": "A MSCHAPv1Response specifies the values included in an MSCHAPv1 encoded authentication response."
      },
      "MSCHAPv2Response": {
        "required": [
          "challenge",
          "identifier",
          "peerChallenge",
          "response",
          "userId"
        ],
        "type": "object",
        "properties": {
          "challenge": {
            "type": "string",
            "description": "The MSCHAPv2 challenge.",
            "format": "byte"
          },
          "identifier": {
            "type": "integer",
            "description": "The MSCHAPv2 identifier.",
            "format": "int32"
          },
          "peerChallenge": {
            "type": "string",
            "description": "The MSCHAPv2 peer challenge.",
            "format": "byte"
          },
          "response": {
            "type": "string",
            "description": "The MSCHAPv2 response.",
            "format": "byte"
          },
          "userId": {
            "type": "string",
            "description": "The MSCHAPv2 userId.  This must be the exact same value used to calculate the MSCHAPv2 response. It will normally be the same as the userId value passed to the authentication method but allows for differences between the two values. For example, an alias may have been passed to the authentication method but the actual userid was used to calculate the MSCHAPv2 response."
          }
        },
        "description": "A MSCHAPv2Response specifies the values included in an MSCHAPv2 encoded authentication response."
      },
      "MachineAuthenticator": {
        "type": "object",
        "properties": {
          "fingerprint": {
            "type": "string",
            "description": "The device fingerprint if it's required during Machine authentication. It will always be null when returned from IDaaS as part of the response body.",
            "example": "{\"platform\":\"web\",\"version\":\"2.0.0\",\"attributes\":{\"osName\":\"Mac OS\"}}"
          },
          "machineNonce": {
            "type": "string",
            "description": "machineNonce",
            "example": "07ZeToA3YfoATTxoU6h2x=="
          },
          "sequenceNonce": {
            "type": "string",
            "description": "sequenceNonce",
            "example": "03ReToA37851tyVU8f3y=="
          }
        },
        "description": "Machine authenticator required to complete authentication challenge"
      },
      "MachineAuthenticatorRegistration": {
        "required": [
          "label"
        ],
        "type": "object",
        "properties": {
          "fingerprint": {
            "type": "string",
            "description": "The device fingerprint. It must be a valid fingerprint as produced by Entrust SDK.",
            "example": "{\"platform\":\"web\",\"version\":\"2.0.0\",\"attributes\":{\"osName\":\"Mac OS\"}}"
          },
          "label": {
            "type": "string",
            "description": "Identifies the device/machine from the end-user point of view.",
            "example": "MachineAuthenticatorLabel"
          }
        },
        "description": "Register a machine authenticator for authentication to Identity as a Service"
      },
      "OTPContactValue": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string",
            "description": "Name of the attribute.",
            "example": "alternativeEmail"
          },
          "type": {
            "type": "string",
            "description": "Type of the OTP delivery attribute.",
            "example": "EMAIL",
            "enum": [
              "EMAIL",
              "SMS",
              "VOICE",
              "WECHAT",
              "WHATSAPP"
            ]
          },
          "value": {
            "type": "string",
            "description": "Masked attribute value.",
            "example": "*******@mycompany.com"
          }
        },
        "description": "OTPContactValue"
      },
      "OTPDetails": {
        "type": "object",
        "properties": {
          "availableOTPDelivery": {
            "type": "array",
            "description": "The available delivery types.",
            "items": {
              "type": "string",
              "description": "The available delivery types.",
              "enum": [
                "EMAIL",
                "SMS",
                "VOICE",
                "WECHAT",
                "WHATSAPP"
              ]
            }
          },
          "otpContactValues": {
            "type": "array",
            "description": "The available OTP contact values types.",
            "items": {
              "$ref": "#/components/schemas/OTPContactValue"
            }
          },
          "otpDefaultDelivery": {
            "type": "string",
            "description": "The default delivery type.",
            "enum": [
              "EMAIL",
              "SMS",
              "VOICE",
              "WECHAT",
              "WHATSAPP"
            ]
          },
          "otpDeliveryAttribute": {
            "type": "string",
            "description": "The name of default OTP delivery attribute.",
            "example": "Alternative Email"
          }
        },
        "description": "OTPDetails"
      },
      "OfflineTokenAuthenticateResponse": {
        "type": "object",
        "properties": {
          "firstMovingFactor": {
            "type": "integer",
            "description": "This is the moving factor index for the first hashed OTP returned. In the case of time-based tokens, it represents time step, otherwise it represents the value of the counter.",
            "format": "int64"
          },
          "iterations": {
            "type": "integer",
            "description": "The number of iterations of the hash function to be performed.",
            "format": "int32"
          },
          "maxSizeInUnits": {
            "type": "integer",
            "description": "This is the policy-configured maximum number (hours or counters)",
            "format": "int32"
          },
          "maxTimeSteps": {
            "type": "integer",
            "description": "This is the max number of time steps used to validate a token.",
            "format": "int32"
          },
          "minorSizeInUnits": {
            "type": "integer",
            "description": "This is the policy-configured recommended number (hours or counters)",
            "format": "int32"
          },
          "otps": {
            "type": "string",
            "description": "An array of all of the OTPs returned in the batch, each with its public component of the salt."
          },
          "privateSaltLength": {
            "type": "integer",
            "description": "The number of digits in the private part of the salt that the client must guess.",
            "format": "int32"
          },
          "resultOptimized": {
            "type": "boolean",
            "description": "Flag indicating if the set of OTP hashes returned was optimized so that OTPs which have already been downloaded in prior requests, but that have not yet expired, are not sent again."
          },
          "timeDrift": {
            "type": "integer",
            "description": "This is the token time drift in seconds. This applies only to time-based tokens.",
            "format": "int32"
          },
          "timeInterval": {
            "type": "integer",
            "description": "If this contains a positive value then this batch is for time-based tokens, otherwise it is for event based tokens.",
            "format": "int32"
          },
          "tokenSerialNumber": {
            "type": "string",
            "description": "The serial number of the token for which offline tokens are generated."
          },
          "useSecret": {
            "type": "string",
            "description": "The secret the client should use when requesting the next batch of protected offline OTPs.",
            "format": "byte"
          }
        },
        "description": "Used to return batches of protected OTPs for a given token"
      },
      "Organization": {
        "required": [
          "displayName",
          "id",
          "name"
        ],
        "type": "object",
        "properties": {
          "description": {
            "type": "string",
            "description": "The description of the organization."
          },
          "displayName": {
            "type": "string",
            "description": "The display name of the organization."
          },
          "id": {
            "type": "string",
            "description": "The unique UUID assigned to the organization when it is created."
          },
          "logoUri": {
            "type": "string",
            "description": "The URI of the logo to display when showing organizations.",
            "example": "https://account.mycompany.com/images/logo.png"
          },
          "name": {
            "type": "string",
            "description": "The name of the organization."
          }
        },
        "description": "Organization defines the attributes of an organization used in B2B scenarios."
      },
      "PassthroughAuthenticationResponse": {
        "type": "object",
        "properties": {
          "passthroughAuthenticationResultItems": {
            "type": "array",
            "description": "Passthrough authentication result items.",
            "items": {
              "$ref": "#/components/schemas/PassthroughAuthenticationResultItems"
            }
          }
        },
        "description": "Passthrough authenticator response."
      },
      "PassthroughAuthenticationResultItems": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string",
            "description": "The name of the result item."
          },
          "value": {
            "type": "string",
            "description": "The value of the result item."
          }
        },
        "description": "Passthrough authentication result items."
      },
      "PassthroughAuthenticatorParms": {
        "type": "object",
        "properties": {
          "passthroughAuthenticatorPlaceholders": {
            "type": "array",
            "description": "The list of placeholders.",
            "items": {
              "$ref": "#/components/schemas/PassthroughAuthenticatorPlaceholder"
            }
          }
        },
        "description": "Passthrough authenticator parameters"
      },
      "PassthroughAuthenticatorPlaceholder": {
        "required": [
          "name",
          "value"
        ],
        "type": "object",
        "properties": {
          "name": {
            "type": "string",
            "description": "The placeholder name."
          },
          "value": {
            "type": "string",
            "description": "The placeholder value."
          }
        },
        "description": "Passthrough authenticator placeholder"
      },
      "PasswordChallenge": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string"
          },
          "namedPasswordId": {
            "type": "string"
          }
        }
      },
      "RequestDetail": {
        "type": "object",
        "properties": {
          "browser": {
            "type": "string",
            "description": "The browser associated with the request.",
            "example": "Chrome 67.0.3396.99"
          },
          "os": {
            "type": "string",
            "description": "The OS associated with the request.",
            "example": "Windows 8.1"
          }
        },
        "description": "Request detail items."
      },
      "TempAccessCodeChallenge": {
        "type": "object",
        "properties": {
          "adminContact": {
            "type": "string",
            "description": "An optional admin contact value (like an admin email address or phone number) to be displayed in the admin contact message."
          },
          "enableAdminContact": {
            "type": "boolean",
            "description": "Indicates if the admin contact message should be displayed for this challenge."
          }
        },
        "description": "Information about the temporary access code settings."
      },
      "TokenChallenge": {
        "required": [
          "token"
        ],
        "type": "object",
        "properties": {
          "challenge": {
            "type": "string",
            "description": "For TOKENCR authentication, the challenge that must be entered into the token. Will be null for TOKEN and TOKENPUSH authentication."
          },
          "token": {
            "type": "array",
            "description": "The token challenge contains a list of TokenInfo objects for each of the tokens that can be used to authenticate. In the case of an offline QR code challenge, a TokenInfo object includes the QR code.",
            "items": {
              "$ref": "#/components/schemas/TokenInfo"
            }
          }
        },
        "description": "If the authentication challenge is of type offline token, the TokenChallenge object will contain the QR codes that can be scanned by the mobile app."
      },
      "TokenInfo": {
        "type": "object",
        "properties": {
          "label": {
            "type": "string",
            "description": "Optional label to identify an assigned token: a String up to 100 characters.",
            "example": "PENDING"
          },
          "qrCode": {
            "type": "string",
            "description": "The base-64 encoded QR code. This QR code can be scanned by the Entrust Identity mobile application to perform activation in the case of an offline QR code challenge."
          },
          "qrCodeUrl": {
            "type": "string",
            "description": "The URL-based QR code string. In the case of an offline QR code challenge, this string can be used to generate the base-64 encoded QR code."
          },
          "serialNumber": {
            "type": "string",
            "description": "The serial number of the token."
          }
        },
        "description": "A TokenInfo specifies one token that can be used to authenticate with a token serial number, a base-64 QR code string and a url based QR code string."
      },
      "TokenProtectedOfflineParms": {
        "type": "object",
        "properties": {
          "tokenProtectedOfflineOTPClientName": {
            "type": "string",
            "description": "The name sent by the client."
          },
          "tokenProtectedOfflineOTPClientSecret": {
            "type": "string",
            "description": "One or several secrets sent by the client concatenated to a single array.",
            "format": "byte"
          },
          "tokenProtectedOfflineOTPDoNotOptimize": {
            "type": "boolean",
            "description": "Flag indicating whether the number of OTPs being returned need to be optimized."
          },
          "tokenProtectedOfflineOTPGet": {
            "type": "string",
            "description": "The different levels of protection for offline tokens.",
            "enum": [
              "NONE",
              "MINOR",
              "MAJOR",
              "CUSTOM"
            ]
          },
          "tokenProtectedOfflineOTPSize": {
            "type": "integer",
            "description": "Request size (Units of hour or count).",
            "format": "int32"
          }
        },
        "description": "The model used to generate the offline token."
      },
      "TransactionDetail": {
        "type": "object",
        "properties": {
          "detail": {
            "type": "string",
            "description": "The transaction detail name.",
            "example": "Amount"
          },
          "usage": {
            "type": "array",
            "items": {
              "type": "string",
              "description": "The transaction detail usage. If not provided, the attribute supports all usages. RBA indicates that the detail is used for risk-based authentication; TVS indicates that the detail is used for transaction verification.",
              "example": "RBA",
              "enum": [
                "RBA",
                "TVS"
              ]
            }
          },
          "value": {
            "type": "string",
            "description": "The transaction detail value.",
            "example": "$10,001"
          }
        },
        "description": "Transaction detail item and its value used with push authenticators and with offline transaction verification."
      },
      "TransactionReceipt": {
        "type": "object",
        "properties": {
          "authenticationType": {
            "type": "string",
            "description": "The transaction authentication type.",
            "example": "OTP",
            "enum": [
              "OTP",
              "TOKEN"
            ]
          },
          "date": {
            "type": "string",
            "description": "The transaction date.",
            "format": "date-time",
            "example": "2020-02-01T12:13:24Z"
          },
          "details": {
            "type": "array",
            "description": "The transaction details.",
            "items": {
              "$ref": "#/components/schemas/TransactionDetail"
            }
          },
          "id": {
            "type": "string",
            "description": "The transaction id.",
            "example": "Qwpfsc6AmWU6GHkvRzIhew=="
          },
          "securityLevel": {
            "type": "string",
            "description": "The transaction authentication security level.",
            "example": "MEDIUM",
            "enum": [
              "LOW",
              "MEDIUM",
              "HIGH"
            ]
          },
          "userid": {
            "type": "string",
            "description": "The transaction user.",
            "example": "user1"
          }
        },
        "description": "Transaction Receipt item and its value used with push authenticators and with offline transaction verification."
      },
      "UserAuthenticateParameters": {
        "type": "object",
        "properties": {
          "applicationId": {
            "type": "string",
            "description": "Unique identifier of Identity as a Service Authentication API application.",
            "example": "6781549d-433c-44ea-a42f-4705c26f3245"
          },
          "applicationInfo": {
            "type": "string",
            "description": "Client provided information about the application that will be included in the authentication audits if provided."
          },
          "authRequestKey": {
            "type": "string",
            "description": "Unique identifier of the client authentication request in the OIDC application's JWT IDaaS grant type use case."
          },
          "cancel": {
            "type": "boolean",
            "description": "Cancel Identity as a Service authentication to the application.",
            "example": false
          },
          "certificate": {
            "type": "string",
            "description": "The certificate with public key to verify signature."
          },
          "chapResponse": {
            "$ref": "#/components/schemas/CHAPResponse"
          },
          "clientIp": {
            "type": "string",
            "description": "Provided client IP address."
          },
          "enableWebSession": {
            "type": "boolean",
            "description": "If set to true, enhanced session protection is enabled for the auth token. An HTTP cookie named INTELLITRUST_SESSION_ID is returned with the response and must be returned in all subsequent requests using the auth token.",
            "example": false
          },
          "faceResponse": {
            "type": "string",
            "description": "For Face Biometric authentication, the workflow run id to check.",
            "deprecated": true
          },
          "fidoResponse": {
            "$ref": "#/components/schemas/FIDOResponse"
          },
          "ignoreIPAddressForRBA": {
            "type": "boolean",
            "description": "Defines whether the IP address is ignored for RBA. The default is false, meaning the IP address is used for RBA.",
            "example": false
          },
          "kbaChallenge": {
            "$ref": "#/components/schemas/KbaChallenge"
          },
          "locale": {
            "type": "string",
            "description": "The locale of this user. If not set, the default account locale will be used.",
            "example": "en"
          },
          "machineAuthenticator": {
            "$ref": "#/components/schemas/MachineAuthenticator"
          },
          "machineAuthenticatorRegistration": {
            "$ref": "#/components/schemas/MachineAuthenticatorRegistration"
          },
          "mschapV1Response": {
            "$ref": "#/components/schemas/MSCHAPv1Response"
          },
          "mschapV2Response": {
            "$ref": "#/components/schemas/MSCHAPv2Response"
          },
          "newPassword": {
            "type": "string",
            "description": "New password if change requested."
          },
          "offlineTVS": {
            "type": "boolean",
            "description": "A flag indicating if the offline QR code token verification is used.",
            "example": true
          },
          "origin": {
            "type": "string",
            "description": "The origin of the client. This field is deprecated, use rpId instead.",
            "example": "https://mycompany.example.com:443",
            "deprecated": true
          },
          "passthroughAuthenticatorParms": {
            "$ref": "#/components/schemas/PassthroughAuthenticatorParms"
          },
          "requestAcrs": {
            "type": "string",
            "description": "The request acrs."
          },
          "response": {
            "type": "string",
            "description": "API response based on Authenticator type. This is not a required field if Mobile Smart Credential, KBA, Token Push, Smart Login or Face Biometric authentication is being used.",
            "example": "7569582"
          },
          "rpId": {
            "type": "string",
            "description": "Specifies the domain name (relying party ID) of your application, which the passkey is registered with. Provide the domain only (e.g., example.com), without the protocol (https://). Required if using a custom domain different from your IDaaS tenant’s hostname.",
            "example": "mycompany.example.com"
          },
          "secondFactorAuthenticator": {
            "type": "string",
            "description": "Authenticator type selected for second factor (if enabled).",
            "example": "OTP",
            "enum": [
              "MACHINE",
              "PASSWORD",
              "EXTERNAL",
              "KBA",
              "TEMP_ACCESS_CODE",
              "OTP",
              "GRID",
              "TOKEN",
              "TOKENCR",
              "TOKENPUSH",
              "FIDO",
              "SMARTCREDENTIALPUSH",
              "PASSWORD_AND_SECONDFACTOR",
              "SMART_LOGIN",
              "IDP",
              "PASSKEY",
              "IDP_AND_SECONDFACTOR",
              "USER_CERTIFICATE",
              "FACE",
              "PASSTHROUGH",
              "MAGICLINK"
            ]
          },
          "tokenProtectedOfflineParms": {
            "$ref": "#/components/schemas/TokenProtectedOfflineParms"
          },
          "transactionDetails": {
            "type": "array",
            "description": "Transaction Details.",
            "items": {
              "$ref": "#/components/schemas/TransactionDetail"
            }
          },
          "userCertificateResponse": {
            "$ref": "#/components/schemas/UserCertificateResponse"
          },
          "userId": {
            "type": "string",
            "description": "User ID (containing the user ID or a user alias) of the Identity as a Service user completing the authentication challenge.",
            "example": "admin"
          }
        },
        "description": "Request parameters for completing authentication process."
      },
      "UserAuthenticateQueryParameters": {
        "required": [
          "applicationId",
          "userId"
        ],
        "type": "object",
        "properties": {
          "applicationId": {
            "type": "string",
            "description": "Unique identifier of the Identity as a Service Authentication API application",
            "example": "6781549d-433c-44ea-a42f-4705c26f3245"
          },
          "authRequestKey": {
            "type": "string",
            "description": "Unique identifier of the client authentication request in the OIDC application's JWT IDaaS grant type use case."
          },
          "authToken": {
            "type": "string",
            "description": "Authentication token."
          },
          "clientIp": {
            "type": "string",
            "description": "Provided client IP address."
          },
          "ignoreIPAddressForRBA": {
            "type": "boolean",
            "description": "Defines whether the IP address is ignored for RBA. The default is false, meaning the IP address is used for RBA.",
            "example": false
          },
          "machineAuthenticator": {
            "$ref": "#/components/schemas/MachineAuthenticator"
          },
          "maxAge": {
            "type": "integer",
            "description": "Maximum Authentication Age. If an authentication token is supplied, the maximum authentication age used to determine whether authentication is required or not is based on the current system time or a supplied request time.",
            "format": "int32"
          },
          "offlineTVS": {
            "type": "boolean",
            "description": "A flag indicating if the offline QR code token verification is used. Used only if a challenge is required for authentication when returnDefaultChallenge is true.",
            "example": true
          },
          "origin": {
            "type": "string",
            "description": "The origin of the client. This field is deprecated, use rpId instead.",
            "example": "https://mycompany.example.com:443",
            "deprecated": true
          },
          "priority": {
            "type": "integer",
            "description": "The priority for push transactions where queuing is enabled. Default is 0 and allowed values are 0-9. Used only if a challenge is required for authentication when returnDefaultChallenge is true.",
            "format": "int32"
          },
          "pushMessageIdentifier": {
            "type": "string",
            "description": "Defines an identifier to retrieve customized SDK push message configuration. Used only if a challenge is required for authentication when returnDefaultChallenge is true.",
            "example": "generic"
          },
          "pushMutualChallengeEnabled": {
            "type": "boolean",
            "description": "A flag indicating if push mutual authentication is supported for tokens or Face Biometric. Used only if a challenge is required for authentication when returnDefaultChallenge is true.",
            "example": true
          },
          "requestAcrs": {
            "type": "string",
            "description": "The request acrs."
          },
          "requestDetail": {
            "$ref": "#/components/schemas/RequestDetail"
          },
          "requestTime": {
            "type": "integer",
            "description": "The request start time in milliseconds. If an authentication token and a maximum authentication age are supplied, determining whether authentication is required or not is based on the current system time if this value is not provided.",
            "format": "int64"
          },
          "returnDefaultChallenge": {
            "type": "boolean",
            "description": "Flag indicating whether the service should include in the response the default challenge.",
            "example": true
          },
          "rpId": {
            "type": "string",
            "description": "The Relying Party ID associated with the passkey. This identifies the domain or origin for which the passkey is registered. This field is mandatory if the domain differs from the IDaaS hostname.",
            "example": "mycompany.example.com"
          },
          "summary": {
            "type": "string",
            "description": "The push authentication challenge that appears in the user's mobile application. Used only if a challenge is required for authentication when returnDefaultChallenge is true.",
            "example": "You have requested to authenticate for a SAML Service Provider."
          },
          "supportChoosingOtpDelivery": {
            "type": "boolean",
            "description": "Deprecated: clients that support choosing OTP delivery can still work without supplying this flag. Flag indicating whether the client supports choosing the OTP delivery contact attribute. If the client doesn't support it and the default OTP delivery is set to NONE, OTP won't be available as an authenticator.",
            "example": true,
            "deprecated": true
          },
          "tokenPushMutualChallengeEnabled": {
            "type": "boolean",
            "description": "A flag indicating if the token push mutual authentication is supported. Used only if a challenge is required for authentication when returnDefaultChallenge is true.",
            "example": true,
            "deprecated": true
          },
          "transactionDetails": {
            "type": "array",
            "description": "Transaction Details.",
            "items": {
              "$ref": "#/components/schemas/TransactionDetail"
            }
          },
          "userId": {
            "type": "string",
            "description": "User ID (containing the user ID or a user alias) of the Identity as a Service user completing the authentication challenge.",
            "example": "user"
          }
        },
        "description": "Request parameters for starting user authentication process."
      },
      "UserAuthenticateQueryResponse": {
        "type": "object",
        "properties": {
          "authenticationCompleted": {
            "type": "boolean",
            "description": "Flag to indicate if access to the application is allowed with the current JWT."
          },
          "authenticationTypes": {
            "type": "array",
            "description": "List of authenticator types available for the user.",
            "items": {
              "type": "string",
              "description": "List of authenticator types available for the user.",
              "enum": [
                "MACHINE",
                "PASSWORD",
                "EXTERNAL",
                "KBA",
                "TEMP_ACCESS_CODE",
                "OTP",
                "GRID",
                "TOKEN",
                "TOKENCR",
                "TOKENPUSH",
                "FIDO",
                "SMARTCREDENTIALPUSH",
                "PASSWORD_AND_SECONDFACTOR",
                "SMART_LOGIN",
                "IDP",
                "PASSKEY",
                "IDP_AND_SECONDFACTOR",
                "USER_CERTIFICATE",
                "FACE",
                "PASSTHROUGH",
                "MAGICLINK"
              ]
            }
          },
          "authenticatorLockoutStatus": {
            "type": "array",
            "description": "A list of all authenticators that the user has with their lockout status.",
            "items": {
              "$ref": "#/components/schemas/UserAuthenticatorLockoutStatus"
            }
          },
          "availableSecondFactor": {
            "type": "array",
            "description": "Lists authenticator types available to complete second factor challenge (if enabled).",
            "items": {
              "type": "string",
              "description": "Lists authenticator types available to complete second factor challenge (if enabled).",
              "enum": [
                "MACHINE",
                "PASSWORD",
                "EXTERNAL",
                "KBA",
                "TEMP_ACCESS_CODE",
                "OTP",
                "GRID",
                "TOKEN",
                "TOKENCR",
                "TOKENPUSH",
                "FIDO",
                "SMARTCREDENTIALPUSH",
                "PASSWORD_AND_SECONDFACTOR",
                "SMART_LOGIN",
                "IDP",
                "PASSKEY",
                "IDP_AND_SECONDFACTOR",
                "USER_CERTIFICATE",
                "FACE",
                "PASSTHROUGH",
                "MAGICLINK"
              ]
            }
          },
          "deviceCertAuthDesired": {
            "type": "boolean",
            "description": "Flag to indicate if the user has to attempt device certificate authentication."
          },
          "expires": {
            "type": "integer",
            "format": "int64"
          },
          "fidoChallenge": {
            "$ref": "#/components/schemas/FIDOChallenge"
          },
          "gridChallenge": {
            "$ref": "#/components/schemas/GridChallenge"
          },
          "kbaChallenge": {
            "$ref": "#/components/schemas/KbaChallenge"
          },
          "machineAuthenticator": {
            "$ref": "#/components/schemas/MachineAuthenticator"
          },
          "organizations": {
            "type": "array",
            "description": "A list of the user organizations.",
            "items": {
              "$ref": "#/components/schemas/Organization"
            }
          },
          "otpDeliveryInfo": {
            "$ref": "#/components/schemas/OTPDetails"
          },
          "otpDeliveryType": {
            "type": "string",
            "description": "The OTP delivery type used.",
            "enum": [
              "EMAIL",
              "SMS",
              "VOICE",
              "WECHAT",
              "WHATSAPP"
            ]
          },
          "passwordChallenge": {
            "$ref": "#/components/schemas/PasswordChallenge"
          },
          "passwordResetAllowed": {
            "type": "boolean",
            "description": "Flag to indicate if the user can initiate a password reset flow."
          },
          "pushMutualChallenge": {
            "type": "string",
            "description": "Push authentication mutual challenge for token or Face Biometric."
          },
          "registrationRequired": {
            "type": "boolean",
            "description": "Flag to indicate if the user has to register authenticators."
          },
          "supportsSignature": {
            "type": "boolean",
            "description": "Flag to indicate if the user has a token that supports signature."
          },
          "tempAccessCodeChallenge": {
            "$ref": "#/components/schemas/TempAccessCodeChallenge"
          },
          "time": {
            "type": "integer",
            "format": "int64"
          },
          "token": {
            "type": "string"
          },
          "tokenChallenge": {
            "$ref": "#/components/schemas/TokenChallenge"
          },
          "tokenDetails": {
            "type": "array",
            "description": "For a token or token push authenticator challenge, provides a list of serial numbers of the tokens that can be used to authenticate.",
            "items": {
              "type": "string",
              "description": "For a token or token push authenticator challenge, provides a list of serial numbers of the tokens that can be used to authenticate."
            }
          },
          "tokenPushMutualChallenge": {
            "type": "string",
            "description": "The token push authentication mutual challenge.",
            "deprecated": true
          },
          "userMachineSettings": {
            "$ref": "#/components/schemas/UserMachineSettings"
          },
          "verificationRequired": {
            "type": "boolean",
            "description": "Flag to indicate if the user has to verify."
          }
        },
        "description": "Response associated with user authentication query."
      },
      "UserAuthenticatorLockoutStatus": {
        "type": "object",
        "properties": {
          "lockoutDate": {
            "type": "string",
            "description": "The date the user was locked. Null means the user is not locked.",
            "format": "date-time",
            "example": "2019-02-19T13:15:27Z"
          },
          "lockoutExpiryDate": {
            "type": "string",
            "description": "If remainingAuthenticationAttempts is 0, then a lockoutExpiryDate of null means the lockout never expires. Otherwise, a value of null means the user isn't locked out.",
            "format": "date-time",
            "example": "2019-02-20T13:15:27Z"
          },
          "name": {
            "type": "string",
            "description": "The user's named password authentication that is locked out."
          },
          "remainingAuthenticationAttempts": {
            "type": "integer",
            "description": "The number of authentication attempts remaining before the user is locked out.",
            "format": "int32"
          },
          "type": {
            "type": "string",
            "description": "The type of the authenticator.",
            "example": "OTP",
            "enum": [
              "MACHINE",
              "PASSWORD",
              "EXTERNAL",
              "KBA",
              "TEMP_ACCESS_CODE",
              "OTP",
              "GRID",
              "TOKEN",
              "TOKENCR",
              "TOKENPUSH",
              "FIDO",
              "SMARTCREDENTIALPUSH",
              "PASSWORD_AND_SECONDFACTOR",
              "SMART_LOGIN",
              "IDP",
              "PASSKEY",
              "IDP_AND_SECONDFACTOR",
              "USER_CERTIFICATE",
              "FACE",
              "PASSTHROUGH",
              "MAGICLINK"
            ]
          }
        },
        "description": "Detailed lockout information for each authenticator for a particular user."
      },
      "UserCertificateChallenge": {
        "required": [
          "challenge"
        ],
        "type": "object",
        "properties": {
          "challenge": {
            "type": "string"
          }
        },
        "description": "For a user certificate authenticator challenge, provides the challenge."
      },
      "UserCertificateResponse": {
        "type": "object",
        "properties": {
          "code": {
            "type": "string"
          },
          "verifier": {
            "type": "string"
          }
        },
        "description": "For user certificate login"
      },
      "UserChallengeParameters": {
        "required": [
          "applicationId"
        ],
        "type": "object",
        "properties": {
          "applicationId": {
            "type": "string",
            "description": "Unique identifier of the Identity as a Service Authentication API application",
            "example": "6781549d-433c-44ea-a42f-4705c26f3245"
          },
          "authRequestKey": {
            "type": "string",
            "description": "Unique identifier of the client authentication request in the OIDC application's JWT IDaaS grant type use case."
          },
          "authToken": {
            "type": "string",
            "description": "Authentication token (Required if the call to userQuery returned an authenticated token)."
          },
          "clientIp": {
            "type": "string",
            "description": "Provided client IP address."
          },
          "ignoreIPAddressForRBA": {
            "type": "boolean",
            "description": "Defines whether the IP address is ignored for RBA. The default is false, meaning the IP address is used for RBA.",
            "example": false
          },
          "locale": {
            "type": "string",
            "description": "The locale of this user. If not set, the default account locale will be used.",
            "example": "en"
          },
          "machineAuthenticator": {
            "$ref": "#/components/schemas/MachineAuthenticator"
          },
          "offlineTVS": {
            "type": "boolean",
            "description": "A flag indicating if the offline QR code token verification is used.",
            "example": true
          },
          "origin": {
            "type": "string",
            "description": "The origin of the client. This field is deprecated, use rpId instead.",
            "example": "https://mycompany.example.com:443",
            "deprecated": true
          },
          "otpDeliveryAttribute": {
            "type": "string",
            "description": "OTP delivery attribute name.",
            "example": "Alternative Email"
          },
          "otpDeliveryType": {
            "type": "string",
            "description": "Defines how a user receives their one-time passcode: email (EMAIL), text message (SMS), voice message (VOICE), WeChat (WECHAT), or WhatsApp (WHATSAPP).",
            "example": "EMAIL",
            "enum": [
              "EMAIL",
              "SMS",
              "VOICE",
              "WECHAT",
              "WHATSAPP"
            ]
          },
          "passthroughAuthenticatorParms": {
            "$ref": "#/components/schemas/PassthroughAuthenticatorParms"
          },
          "priority": {
            "type": "integer",
            "description": "The priority for push transactions where queuing is enabled. Default is 0 and allowed values are 0-9.",
            "format": "int32"
          },
          "pushMessageIdentifier": {
            "type": "string",
            "description": "Defines an identifier to retrieve customized SDK push message configuration.",
            "example": "generic"
          },
          "pushMutualChallengeEnabled": {
            "type": "boolean",
            "description": "A flag indicating if push mutual authentication is supported for tokens or Face Biometric.",
            "example": true
          },
          "requestAcrs": {
            "type": "string",
            "description": "The request acrs."
          },
          "requestDetail": {
            "$ref": "#/components/schemas/RequestDetail"
          },
          "rpId": {
            "type": "string",
            "description": "Specifies the domain name (relying party ID) of your application and the passkey is registered with. Provide the domain only (e.g., example.com), without protocol (https://). Required if using a custom domain different from your IDaaS tenant’s hostname.",
            "example": "mycompany.example.com"
          },
          "secondFactorAuthenticator": {
            "type": "string",
            "description": "Authenticator type selected for second factor (if enabled).",
            "example": "OTP",
            "enum": [
              "MACHINE",
              "PASSWORD",
              "EXTERNAL",
              "KBA",
              "TEMP_ACCESS_CODE",
              "OTP",
              "GRID",
              "TOKEN",
              "TOKENCR",
              "TOKENPUSH",
              "FIDO",
              "SMARTCREDENTIALPUSH",
              "PASSWORD_AND_SECONDFACTOR",
              "SMART_LOGIN",
              "IDP",
              "PASSKEY",
              "IDP_AND_SECONDFACTOR",
              "USER_CERTIFICATE",
              "FACE",
              "PASSTHROUGH",
              "MAGICLINK"
            ]
          },
          "summary": {
            "type": "string",
            "description": "The push authentication challenge that appears in the user's mobile application.",
            "example": "You have requested to authenticate for a SAML Service Provider."
          },
          "tokenPushMutualChallengeEnabled": {
            "type": "boolean",
            "description": "A flag indicating if the token push mutual authentication is supported.",
            "example": true,
            "deprecated": true
          },
          "transactionDetails": {
            "type": "array",
            "description": "Defines transaction details to be included in the challenge.",
            "items": {
              "$ref": "#/components/schemas/TransactionDetail"
            }
          },
          "userId": {
            "type": "string",
            "description": "User ID (containing the user ID or a user alias) of the Identity as a Service user completing the authentication challenge. The user ID is required for non-passwordless authenticators.",
            "example": "admin"
          }
        },
        "description": "Request parameters for obtaining a challenge."
      },
      "UserClientValue": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string",
            "description": "The name of the user value to be added or updated. When the corresponding self-admin action completes, the response body contains the names of the user values the user currently has, or those remaining after a deletion."
          },
          "value": {
            "type": "string",
            "description": "The value of the user value to be added or updated. When the corresponding self-admin action completes, the response body contains the values of the user values the user currently has, or those remaining after a deletion."
          }
        },
        "description": "A user client value (name/value pair)."
      },
      "UserMachineAuthenticator": {
        "required": [
          "id",
          "label",
          "registrationTime"
        ],
        "type": "object",
        "properties": {
          "expiryTime": {
            "type": "string",
            "description": "When this machine secret expires in UTC time",
            "format": "date-time",
            "example": "2019-02-19T13:15:27Z"
          },
          "id": {
            "type": "string",
            "description": "Identifies the device/machine"
          },
          "label": {
            "type": "string",
            "description": "Identifies the device/machine from the end-user point of view"
          },
          "lastUsedTime": {
            "type": "string",
            "description": "When this machine secret was last used",
            "format": "date-time",
            "example": "2019-02-19T13:15:27Z"
          },
          "registrationTime": {
            "type": "string",
            "description": "When this machine secret was created in UTC time",
            "format": "date-time",
            "example": "2019-02-19T13:15:27Z"
          }
        },
        "description": "A machine authenticator registered for the user."
      },
      "UserMachineSettings": {
        "type": "object",
        "properties": {
          "attributeExclusions": {
            "type": "array",
            "description": "List of device fingerprinting attributes that should not be collected when a device fingerprint is captured.",
            "items": {
              "type": "string",
              "description": "List of device fingerprinting attributes that should not be collected when a device fingerprint is captured."
            }
          },
          "deviceFingerprintRequired": {
            "type": "boolean",
            "description": "Indicates whether a device fingerprint should be captured during machine registration or authentication"
          },
          "machineAuthenticatorEnabled": {
            "type": "boolean",
            "description": "Indicates whether the machine authenticator is enabled."
          },
          "userMachineAuthenticators": {
            "type": "array",
            "description": "List of machine authenticators that the user currently has, used to prevent duplicated labels.",
            "items": {
              "$ref": "#/components/schemas/UserMachineAuthenticator"
            }
          }
        },
        "description": "Machine authenticator settings and registered machine authenticators for the user."
      },
      "UserQuestion": {
        "type": "object",
        "properties": {
          "answer": {
            "type": "string",
            "description": "The question's answer."
          },
          "id": {
            "type": "string",
            "description": "The UUID of the KBA question/answer."
          },
          "question": {
            "type": "string",
            "description": "The question."
          }
        },
        "description": "A KBA question/answer stored for a user."
      }
    },
    "securitySchemes": {
      "AdminAPIAuthentication": {
        "type": "apiKey",
        "name": "Authorization",
        "in": "header"
      }
    }
  }
}