The following documentation is applicable to Free, Developer, and Developer Pro plans. For documentation related to the enterprise plan, please click here.

OpenID Connect

Refer to this document to get your API Key and Secret.

Access Token by OpenID code

This API allows you to exchange your OpenID code for a LoginRadius access_token.

Endpoint

POST https://cloud-api.loginradius.com/sso/oidc/v2/{oidcappname}/token

Template Params

| Name | Default | Description |
|---|---|---|
| oidcappname | String | The name of the OIDC App you have configured in the LoginRadius Admin Console. [REQUIRED] |

Body Attributes

| Attribute | Description |
|---|---|
| grant_type | The grant type to use; provide ‘authorization_code’. [REQUIRED] |
| client_id | Your LoginRadius API Key. [REQUIRED] |
| client_secret | Your LoginRadius API Secret. [REQUIRED] |
| redirect_uri | Redirection URI to be used. |
| response_type | If used, needs to be ‘token’. |
| code | The authorization_code obtained during the Authorization process. [REQUIRED] |

API Error Codes

Find common API error codes and their description.

This is sample API code:

  • Ruby
require 'uri'
require 'net/http'
require 'openssl'
# Replace {oidcappname} and the <...> placeholders with your own values
url = URI('https://cloud-api.loginradius.com/sso/oidc/v2/{oidcappname}/token')
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate; this request carries the client secret
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
request = Net::HTTP::Post.new(url)
request.body = '{"grant_type":"<grant_type>","client_id":"<client_id>","client_secret":"<client_secret>","response_type":"<response_type>","code":"<code>"}'
request['Content-Type'] = 'application/json'
response = http.request(request)
puts response.read_body
  • Python
import requests

# Replace {oidcappname} and the <...> placeholders with your own values
url = "https://cloud-api.loginradius.com/sso/oidc/v2/{oidcappname}/token"

querystring = {}
payload = '{"grant_type": "<grant_type>", "client_id": "<client_id>", "client_secret": "<client_secret>", "response_type": "<response_type>", "code": "<code>"}'
headers = {
    'Content-Type': 'application/json',
}
response = requests.request("POST", url, data=payload, headers=headers, params=querystring)
print(response.text)
  • Shell
curl -X POST \
 'https://cloud-api.loginradius.com/sso/oidc/v2/{oidcappname}/token' \
 -H 'Cache-Control: no-cache' \
 -H 'Content-Type: application/json' \
 -d '{"grant_type": "<grant_type>", "client_id": "<client_id>", "client_secret": "<client_secret>", "response_type": "<response_type>", "code": "<code>"}'
  • Javascript
var settings = {
    "async": true,
    "crossDomain": true,
    "url": "https://cloud-api.loginradius.com/sso/oidc/v2/{oidcappname}/token",
    "method": "POST",
    "headers": {
        "Content-Type": "application/json"
    },
    // JSON body; replace the <...> placeholders with your own values
    "data": '{"grant_type": "<grant_type>", "client_id": "<client_id>", "client_secret": "<client_secret>", "response_type": "<response_type>", "code": "<code>"}'
};
$.ajax(settings).done(function (response) {
    console.log(response);
});

The following displays the sample response code:

{
  "access_token": "********-****-****-*****************",
  "token_type": "access_token",
  "expires_in": 394,
  "refresh_token": "********-****-****-*****************",
  "id_token": "eyJhbG**********4NiIsInR5cCI*****VCJ9.eyJpc3**********czy****udGVybmFsL"
}

Refresh Access Token

This API allows you to refresh an access_token. Access tokens are used to ensure a user has access to the appropriate resources, and they typically have a limited lifetime. This is done for various security reasons: for one, limiting the lifetime of the access token limits the amount of time an attacker can use a stolen token. In addition, the information contained in or referenced by the access token could become stale. When access tokens expire or become invalid but the application still needs to access a protected resource, the application faces the problem of getting a new access token without forcing the user to grant permission once again. To solve this problem, OAuth 2.0 introduced an artifact called a refresh token. A refresh token allows an application to obtain a new access token without prompting the user.

Endpoint

POST https://cloud-api.loginradius.com/sso/oidc/v2/{oidcappname}/token

Template Params

| Name | Default | Description |
|---|---|---|
| oidcappname | String | The name of the OIDC App you have configured in the LoginRadius Admin Console. [REQUIRED] |

Body Attributes

| Attribute | Description |
|---|---|
| grant_type | The grant type to use; provide ‘refresh_token’. [REQUIRED] |
| client_id | Your LoginRadius API Key. [REQUIRED] |
| client_secret | Your LoginRadius API Secret. [REQUIRED] |
| response_type | If used, needs to be ‘token’. |
| refresh_token | The refresh_token you received when you used the ‘Access Token by OpenID Connect code’ API call. [REQUIRED] |
| scope | The scope for the OpenID profile; use ‘openid profile’. [REQUIRED] |

API Error Codes

Find common API error codes and their description.

This is sample API code:

  • Ruby
require 'uri'
require 'net/http'
require 'openssl'
# Replace {oidcappname} and the <...> placeholders with your own values
url = URI('https://cloud-api.loginradius.com/sso/oidc/v2/{oidcappname}/token')
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate; this request carries the client secret and refresh token
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
request = Net::HTTP::Post.new(url)
request.body = '{"grant_type":"<grant_type>","client_id":"<client_id>","client_secret":"<client_secret>","response_type":"<response_type>","refresh_token":"<refresh_token>","scope":"<scope>"}'
request['Content-Type'] = 'application/json'
response = http.request(request)
puts response.read_body
  • Python
import requests

# Replace {oidcappname} and the <...> placeholders with your own values
url = "https://cloud-api.loginradius.com/sso/oidc/v2/{oidcappname}/token"

querystring = {}
payload = '{"grant_type": "<grant_type>", "client_id": "<client_id>", "client_secret": "<client_secret>", "response_type": "<response_type>", "refresh_token": "<refresh_token>", "scope": "<scope>"}'
headers = {
    'Content-Type': 'application/json',
}
response = requests.request("POST", url, data=payload, headers=headers, params=querystring)
print(response.text)
  • Shell
curl -X POST \
 'https://cloud-api.loginradius.com/sso/oidc/v2/{oidcappname}/token' \
 -H 'Cache-Control: no-cache' \
 -H 'Content-Type: application/json' \
 -d '{"grant_type": "<grant_type>", "client_id": "<client_id>", "client_secret": "<client_secret>", "response_type": "<response_type>", "refresh_token": "<refresh_token>", "scope": "<scope>"}'
  • Javascript
var settings = {
    "async": true,
    "crossDomain": true,
    "url": "https://cloud-api.loginradius.com/sso/oidc/v2/{oidcappname}/token",
    "method": "POST",
    "headers": {
        "Content-Type": "application/json"
    },
    // JSON body; replace the <...> placeholders with your own values
    "data": '{"grant_type": "<grant_type>", "client_id": "<client_id>", "client_secret": "<client_secret>", "response_type": "<response_type>", "refresh_token": "<refresh_token>", "scope": "<scope>"}'
};
$.ajax(settings).done(function (response) {
    console.log(response);
});

The following displays the sample response code:

{
  "access_token": "********-****-****-*****************",
  "token_type": "access_token",
  "expires_in": 394,
  "refresh_token": "********-****-****-*****************",
  "Id_token": "eyJhbG**********4NiIsInR5cCI*****VCJ9.eyJpc3**********czy****udGVybmFsL***********WIubG9n"
}

Revoke Refresh Token

This API allows you to expire a refresh_token.

Endpoint

POST https://cloud-api.loginradius.com/sso/oidc/v2/{oidcappname}/token/revoke

Template Params

| Name | Default | Description |
|---|---|---|
| oidcappname | String | The name of the OIDC App you have configured in the LoginRadius Admin Console. [REQUIRED] |

Body Attributes

| Attribute | Description |
|---|---|
| client_id | Your LoginRadius API Key. [REQUIRED] |
| client_secret | Your LoginRadius API Secret. [REQUIRED] |
| token | The refresh_token you received when you used the Access Token by OpenID code API call. [REQUIRED] |

API Error Codes

Find common API error codes and their description.

  • Ruby
require 'uri'
require 'net/http'
require 'openssl'
# Replace {oidcappname} and the <...> placeholders with your own values
url = URI('https://cloud-api.loginradius.com/sso/oidc/v2/{oidcappname}/token/revoke')
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate; this request carries the client secret and refresh token
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
request = Net::HTTP::Post.new(url)
request.body = '{"client_id":"<client_id>","client_secret":"<client_secret>","token":"<token>"}'
request['Content-Type'] = 'application/json'
response = http.request(request)
puts response.read_body
  • Python
import requests

# Replace {oidcappname} and the <...> placeholders with your own values
url = "https://cloud-api.loginradius.com/sso/oidc/v2/{oidcappname}/token/revoke"

querystring = {}
payload = '{"client_id": "<client_id>", "client_secret": "<client_secret>", "token": "<token>"}'
headers = {
    'Content-Type': 'application/json',
}
response = requests.request("POST", url, data=payload, headers=headers, params=querystring)
print(response.text)
  • Shell
curl -X POST \
 'https://cloud-api.loginradius.com/sso/oidc/v2/{oidcappname}/token/revoke' \
 -H 'Cache-Control: no-cache' \
 -H 'Content-Type: application/json' \
 -d '{"client_id": "<client_id>", "client_secret": "<client_secret>", "token": "<token>"}'
  • Javascript
var settings = {
    "async": true,
    "crossDomain": true,
    "url": "https://cloud-api.loginradius.com/sso/oidc/v2/{oidcappname}/token/revoke",
    "method": "POST",
    "headers": {
        "Content-Type": "application/json"
    },
    // JSON body; replace the <...> placeholders with your own values
    "data": '{"client_id": "<client_id>", "client_secret": "<client_secret>", "token": "<token>"}'
};
$.ajax(settings).done(function (response) {
    console.log(response);
});

The following displays the sample response code:

{}

UserInfo by Access Token

Use this endpoint to obtain the claims for a given user. A client makes a request to the UserInfo endpoint by using an access token as the credential. The access token must be one that was obtained through OpenID Connect authentication. The claims for the user who is represented by the access token are returned as a JSON object that contains a collection of name-value pairs for the claims. The UserInfo endpoint is an OAuth 2.0 protected resource, which means that the credential required to access the endpoint is the access token. Note: This endpoint may also be called via the POST HTTP method. If the access_token is passed as a Bearer token in the POST request, then the Content-Type header must be application/x-www-form-urlencoded.

Endpoint

GET https://cloud-api.loginradius.com/sso/oidc/v2/{sitename}/{oidcappname}/userinfo

Template Params

| Name | Default | Description |
|---|---|---|
| oidcappname | String | The name of the OIDC App you have configured in the LoginRadius Admin Console. [REQUIRED] |
| sitename | String | The name of your LoginRadius SiteName / Environment. [REQUIRED] |

Headers Parameters

| Attribute | Description |
|---|---|
| Authorization | Bearer <ACCESS_TOKEN> (customer’s access token) [REQUIRED] |

API Error Codes

Find common API error codes and their description.

This is sample API code

  • Ruby
require 'uri'
require 'net/http'
require 'openssl'
# Replace {sitename}, {oidcappname} and <ACCESS_TOKEN> with your own values
url = URI('https://cloud-api.loginradius.com/sso/oidc/v2/{sitename}/{oidcappname}/userinfo')
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate; this request carries the access token
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
request = Net::HTTP::Get.new(url)
request['Content-Type'] = 'application/json'
request['Authorization'] = 'Bearer <ACCESS_TOKEN>'
response = http.request(request)
puts response.read_body
  • Python
import requests

url = "https://cloud-api.loginradius.com/sso/oidc/v2/{sitename}/{oidcappname}/userinfo"

querystring = {}
payload = "{}"
headers = {
    'content-Type': 'application/json',
    'Authorization': 'Bearer <ACCESS_TOKEN>',
}
response = requests.request("GET", url, data=payload, headers=headers, params=querystring)
print(response.text)
  • Shell
curl -X GET \
 'https://cloud-api.loginradius.com/sso/oidc/v2/{sitename}/{oidcappname}/userinfo' \
 -H 'Cache-Control: no-cache' \
 -H 'Content-Type: application/json' \
 -H 'Authorization: Bearer <ACCESS_TOKEN>'
  • Javascript
var settings = {
    "async": true,
    "crossDomain": true,
    "url": "https://cloud-api.loginradius.com/sso/oidc/v2/{sitename}/{oidcappname}/userinfo",
    "method": "GET",
    "headers": {
        "Content-Type": "application/json",
        "Authorization": "Bearer <ACCESS_TOKEN>"
    }
};
$.ajax(settings).done(function (response) {
    console.log(response);
});

The following displays the sample response code:

"eyJhbGciOiJSUzI1NiIsImtpZCI6IjIwMSIsInR5cCI6IkpXVCJ9.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.SvMXwBqsVUt1P5qHXIfTh90UW6__Gte6sBqHaRGG52xQYSQQvvL66yzBY9Hwfui_I6s4-9W10cQJiaY1voV48rE1S9Fo_IMw_khwPxzPbWIg6EXrSReFd-jg4l-1NJ1YxnervOOkxrG5vvReU9uL3cAYcB7YpeO_ybQnUMj-TZyWFbI7L3sagrv239iXJc2zGuMxw4Kp1H8pjiu7L7-cx8ZsfVkgk6ZCO2Z8Ze46NBlXwGvsTPHh0qdoafi5ISB8DKnCiyU-CTZPYr91_1gJMG-1x98UDjiKy6vV4290W0HQXlrN2Y4Rxhnwlmyzs-5t38wgohvEyxvCy6Zvmxws-Q" 

JSON Web Key Set

At the most basic level, the JSON Web Key Set (JWKS) is a set of keys containing the public keys that should be used to verify any JSON Web Token (JWT) issued by the authorization server.

Endpoint

GET https://cloud-api.loginradius.com/sso/oidc/v2/{sitename}/{oidcappname}/jwks

Template Params

| Name | Default | Description |
|---|---|---|
| oidcappname | String | The name of the OIDC App you have configured in the LoginRadius Admin Console. [REQUIRED] |
| sitename | String | The name of your LoginRadius SiteName / Environment. [REQUIRED] |

Headers Parameters

| Attribute | Description |
|---|---|
| Authorization | Bearer <ACCESS_TOKEN> (customer’s access token) [REQUIRED] |

API Error Codes

Find common API error codes and their description.

This is sample API code

  • Ruby
require 'uri'
require 'net/http'
require 'openssl'
# Replace {sitename} and {oidcappname} with your own values
url = URI('https://cloud-api.loginradius.com/sso/oidc/v2/{sitename}/{oidcappname}/jwks')
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate; these keys are what your token checks rely on
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
request = Net::HTTP::Get.new(url)
request['Content-Type'] = 'application/json'
response = http.request(request)
puts response.read_body
  • Python
import requests

url = "https://cloud-api.loginradius.com/sso/oidc/v2/{sitename}/{oidcappname}/jwks"

querystring = {}
payload = "{}"
headers = {
    'content-Type': 'application/json',
    
}
response = requests.request("GET", url, data=payload, headers=headers, params=querystring)
print(response.text)
  • Shell
curl -X GET \
 'https://cloud-api.loginradius.com/sso/oidc/v2/{sitename}/{oidcappname}/jwks' \
 -H 'Cache-Control: no-cache' \
 -H 'Content-Type: application/json'
  • Javascript
var settings = {
    "async": true,
    "crossDomain": true,
    "url": "https://cloud-api.loginradius.com/sso/oidc/v2/{sitename}/{oidcappname}/jwks",
    "method": "GET",
    "headers": {
    "content-Type" : "application/json",
    
},
}
$.ajax(settings).done(function (response) {
    console.log(response);
});

The following displays the sample response body code:

{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "alg": "RS256",
      "kid": "206",
      "n": "nvJHvAs6aEq9w6Cb793lk9-METOxd9mEDY4a5YKj74lg5EuNy0j1FP...",
      "e": "AQAB"
    }
  ]
}

OIDC Discovery Endpoint

The OpenID Connect Discovery endpoint provides a client with configuration details about the OpenID Connect metadata of the LoginRadius App.

Endpoint

GET https://cloud-api.loginradius.com/sso/oidc/v2/{sitename}/{oidcappname}/.well-known/openid-configuration

Template Params

| Name | Default | Description |
|---|---|---|
| oidcappname | String | The name of the OIDC App you have configured in the LoginRadius Admin Console. [REQUIRED] |
| sitename | String | The name of your LoginRadius SiteName / Environment. [REQUIRED] |

API Error Codes

Find common API error codes and their description.

This is sample API code

  • Ruby
require 'uri'
require 'net/http'
require 'openssl'
# Replace {sitename} and {oidcappname} with your own values
url = URI('https://cloud-api.loginradius.com/sso/oidc/v2/{sitename}/{oidcappname}/.well-known/openid-configuration')
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
# Verify the server certificate; the client trusts the endpoints this document lists
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
request = Net::HTTP::Get.new(url)
request['Content-Type'] = 'application/json'
response = http.request(request)
puts response.read_body
  • Python
import requests

url = "https://cloud-api.loginradius.com/sso/oidc/v2/{sitename}/{oidcappname}/.well-known/openid-configuration"

querystring = {}
payload = "{}"
headers = {
    'content-Type': 'application/json',
    
}
response = requests.request("GET", url, data=payload, headers=headers, params=querystring)
print(response.text)
  • Shell
curl -X GET \
 'https://cloud-api.loginradius.com/sso/oidc/v2/{sitename}/{oidcappname}/.well-known/openid-configuration' \
 -H 'Cache-Control: no-cache' \
 -H 'Content-Type: application/json'
  • Javascript
var settings = {
    "async": true,
    "crossDomain": true,
    "url": "https://cloud-api.loginradius.com/sso/oidc/v2/{sitename}/{oidcappname}/.well-known/openid-configuration",
    "method": "GET",
    "headers": {
    "content-Type" : "application/json",
    
},
}
$.ajax(settings).done(function (response) {
    console.log(response);
});

The following displays the sample response body code:

{
  "issuer": "https://cloud-api.loginradius.com/sso/oidc/v2/{site-name}/{oidcappname}",
  "authorization_endpoint": "https://cloud-api.loginradius.com/sso/oidc/authorize",
  "token_endpoint": "https://cloud-api.loginradius.com/sso/oidc/token",
  "revocation_endpoint": "https://cloud-api.loginradius.com/sso/oidc/revoke",
  "userinfo_endpoint": "https://cloud-api.loginradius.com/sso/oidc/userinfo",
  "jwks_uri": "https://cloud-api.loginradius.com/sso/oidc/app-name/app-name/jwks",
  "scopes_supported": [
    "openid"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "code token",
    "code id_token",
    "token id_token",
    "code token id_token"
  ],
  "response_modes_supported": [
    "query",
    "form_post"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "claims_supported": [
    "Email",
    "FirstName",
    "LastName",
    "UserName",
    "Country",
    "Favicon"
  ]
}
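
A client that configures itself from this document should check it before trusting the endpoints it lists. The following is an added example (not LoginRadius code): `check_discovery` is a name chosen here, `SAMPLE` is constructed from the response above with `examplesite` and `exampleapp` as placeholder names, and the same-host rule is a local policy assumption rather than an OpenID Connect requirement.

```python
from urllib.parse import urlsplit

ENDPOINTS = ("authorization_endpoint", "token_endpoint", "revocation_endpoint",
             "userinfo_endpoint", "jwks_uri")
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri")

def check_discovery(doc, expected_issuer, allowed_algs=("RS256",)):
    """Return a list of findings; an empty list means the metadata passed."""
    findings = [f"{key} is missing" for key in REQUIRED if not doc.get(key)]
    issuer = doc.get("issuer") or ""
    # The issuer must equal the value the client was configured with.
    if issuer != expected_issuer:
        findings.append("issuer does not match the configured issuer")
    iss = urlsplit(issuer)
    if iss.scheme != "https" or iss.query or iss.fragment:
        findings.append("issuer must be an https URL without query or fragment")
    for key in ENDPOINTS:
        value = doc.get(key)
        if not value:
            continue
        url = urlsplit(value)
        if url.scheme != "https":
            findings.append(f"{key} is not https")
        # Local policy (assumption): every endpoint lives on the issuer's host.
        if url.hostname != iss.hostname:
            findings.append(f"{key} is on a different host than the issuer")
    # Reject metadata that advertises signing algorithms the client will not accept.
    algs = doc.get("id_token_signing_alg_values_supported") or []
    if not algs or any(alg not in allowed_algs for alg in algs):
        findings.append("id_token signing algorithms outside the allow-list")
    return findings

# Constructed sample based on the response shown above (placeholder site/app names).
BASE = "https://cloud-api.loginradius.com/sso/oidc"
SAMPLE = {
    "issuer": BASE + "/v2/examplesite/exampleapp",
    "authorization_endpoint": BASE + "/authorize",
    "token_endpoint": BASE + "/token",
    "jwks_uri": BASE + "/v2/examplesite/exampleapp/jwks",
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    print(check_discovery(SAMPLE, SAMPLE["issuer"]))
```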
