Authentication by OpenID Connect¶
Accounts allows to integrate your service using OpenID Connect Authorization Code Flow.
In official documentation you can find great explanation how this flow works.
Important
Difference between this section and OAuth2 Authorization code flow is that in OpenID Connect flow you will also receive ID Token after exchanging code for access_token, which can be used to identify user.
The authorization code flow is used to obtain access tokens and is optimized for confidential clients. Since this is a redirection-based flow, the client must be capable of interacting with the resource owner’s user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server.
OpenID Connect interfaces¶
GET https://konto.onet.pl/openid/oauth2/authorize?client_id=YOUR_CLIENT_ID - the request for user’s authentication in Onet Konto
POST https://konto.onet.pl/openid/oauth2/token - the request for exchanging a temporary code for client access token
GET https://konto.onet.pl/openid/oauth2/resources/userinfo?client_id=YOUR_CLIENT_ID - the request for getting user’s basic information
GET https://konto.onet.pl/openid/oauth2/external/profile?client_id=YOUR_CLIENT_ID - the request for getting user’s extended information
POST https://konto.onet.pl/openid/oauth2/revoke - the request for removing client access token
User’s authentication¶
The fist step of user’s authentication in the client service is checking his logging in status in Ring Accounts. This step is important, because here you can decide if you want to receive open_id token in the response. Parameter scope is responsible for that.
client_id - client identifier defined for the service during purchasing process
redirect_uri - the URI address to which the client will be redirected after successful logging in
response_type - value must be set to code
state - used to remember client information through all the OAuth redirects
scope - value must be set to openid if you want to receive open_id token
nonce - security parameter, used to associate client session with open_id token, if specified it will be returned back in open_id token
GET /oauth2/authorize?client_id=xample.front.onetapi.pl&
redirect_uri=https//test.example.pl/callback&
state=hello&response_type=code&scope=email&nonce=veryhardtoguess
HTTP/1.1
Host: https://konto.onet.pl/openid
Exchanging temporary code for access token¶
The second step of user authentication is exchanging temporary code from Ring Accounts for access token.
$ curl --location --request POST 'https://konto.onet.pl/openid/oauth2/token' \
--header 'Authorization: Basic cmluZy1leGFtcGxlLmZyb250Lm9uZXRhcGkucGw6ZzlhbHNzZGUwZmx0cDA1ZHM3ZW0' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'code=11fcb623bd60dc516693e44c9da9efc6ffb2debc0add36ec6d510d9f7522b506cs' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'redirect_uri=https//test.example.pl/callback'
Parameters:
code- value you received from authorization endpoint
Headers:
Content-Type- should be set to application/x-www-form-urlencoded and parameters should be send in this formatAuthorization- authorization header should be provided in Basic auth scheme
For building this Authorization header you will have to use client_id and client_secret received when registering client.
import base64
client_id = 'example.front.onetapi.pl'
client_secret = 'g9alssde0fltp05ds7em'
token = base64.b64encode((client_id + ':' + client_secret).encode()).decode()
headers['Authorization'] = 'Basic ' + token
Getting information about user¶
After successful authentication you will receive access_token and ID token. Information in ID token will contain user email and user sub, which is unique user identifier.
If you do not use flow with ID token (scope=openid in authorize request), you can exchange access_token for basic user info, you will receive same information about user that is contained in ID token.
$ curl --location --request GET 'https://konto.onet.pl/openid/resources/userinfo?client_id=example.front.onetapi.pl' \
--header 'Authorization: Bearer 047b0a8339c7fb9f623d3e2e8ae69c2z3eh5r4df1501pa34cba8439f7d0c2c1fcs' \
Parameters:
client_id- value you received after registering your service
Headers:
Authorization- Authorization header should be provided in Bearer token scheme.
Note
For Authorization header value use access_token received from token endpoint.
{
"sub": "de456acd-d858-4a7e-a868-f16f6ad655db",
"email": "user@example.com"
}
<table border=”1” class=”docutils”> <thead> <tr> <th></th> </tr> </thead> <tbody> <tr> <td></td> </tr> </tbody> </table>
If you need more user information you need to query following endpoint:
client_id - client identifier defined for the service during purchasing process
$ curl --location --request GET 'https://konto.onet.pl/openid/external/profile?client_id=example.front.onetapi.pl' \
--header 'Authorization: Bearer 047b0a8339c7fb9f623d3e2e8ae69c2z3eh5r4df1501pa34cba8439f7d0c2c1fcs' \
Parameters:
client_id- value you received after registering your service
Headers:
Authorization- authorization header should be provided in Bearer token scheme.
Note
For header value use access_token received from token endpoint.
{
"sub": "de456acd-d858-4a7e-a868-f16f6ad655db",
"email": "user@example.com",
"name": "Bob",
"surname": "Kowalsky",
"date_of_birth": "1990-07-06",
"gender": "male"
}
Removing access token¶
If you don’t need access token anymore you can delete it.
$ curl --location --request GET 'https://konto.onet.pl/openid/oauth2/revoke?client_id=example.front.onetapi.pl' \
--header 'Authorization: Bearer 047b0a8339c7fb9f623d3e2e8ae69c2z3eh5r4df1501pa34cba8439f7d0c2c1fcs' \
Parameters:
client_id- value you received after registering your service
Headers:
Authorization- authorization header should be provided in Bearer token scheme. For header value use access_token received from token endpoint.