When a user connects through the OAuth protocol from the service S1, he is redirected to his identity provider IDP1 (e.g. Google), enters his credentials, and S1 gets an access token like:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
"access_token":"MTQ0NjJkZmQ5OTM2NDE1ZTZjNGZmZjI3",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"IwOGYzYTlmM2YxOTQ5MGE3YmNmMDFkNTVk",
"scope":"create",
"state":"12345678"
}
The service S1 gets a Thing'in Access Token by sending the Authorization Server (AS) id (e.g. google) together with this access token. Thing'in can validate the given token by contacting the AS. For a Google OAuth2 token, the validation request is:
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=1/fFBGRNJru1FQd44AzqT3Zg
Response:
{
"audience":"8819981768.apps.googleusercontent.com",
"user_id":"g123456789",
"scope":"https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
"expires_in":436
}
Once validated, Thing'in answers with a Thing'in JWT (TiTok). The decoded JWT shall contain a payload such as:
{
"jti": "9876543210",
"sub" : "235964564",
"externalid" : "g123456789",
"iat": epochtime,
"kid": key5879,
"exp": epochtime,
"scope" : ["role1", "role2"],
"domains": ["/orange", "/labs"]
}
To use the Thing'in API, S1 shall present this TiTok.
To summarize:
Referring to the Thing'in API, the endpoint concerned is GET auth/,
with an Authorization header set as bearerAuth; its value should be the IDP access token. The parameter idp
should be passed with the right reference; Thing'in uses this value to connect to the IDP and validate the access token.
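The whole exchange, as an added Python sketch of the Thing'in side (this is example code, not Thing'in's own implementation): S1 calls GET auth/ with an Authorization: Bearer header carrying the IDP access token and idp=google; Thing'in queries the IDP tokeninfo endpoint, checks the answer and mints the TiTok with the payload layout above. The tokeninfo HTTPS call is replaced by a constructed lookup table so the sketch runs offline; the expected audience, the HS256 signing key named by kid, the error shape for a rejected token and the mapping from IDP identity to subject, roles and domains are all assumptions. Two checks the text does not spell out but that a validator needs are included: the audience returned by tokeninfo must be Thing'in's own client id (a genuine token for the same user issued to any other application must not log that user into Thing'in), and expires_in must still be positive.

```python
"""Constructed sketch of the Thing'in side of the exchange described above.
Assumed, not from the page: a per-IDP tokeninfo URL and expected 'audience',
and an HS256-signed TiTok keyed by 'kid'. Other names are hypothetical."""
import base64
import hashlib
import hmac
import json
import time
import uuid

# Per-IDP config: tokeninfo URL quoted on the page; expected client id taken
# from the page's sample answer (assumed to be Thing'in's own client id).
IDP_CONFIG = {"google": {
    "tokeninfo_url": "https://www.googleapis.com/oauth2/v1/tokeninfo",
    "expected_audience": "8819981768.apps.googleusercontent.com"}}

# Constructed tokeninfo answers replacing the HTTPS call so the example runs
# offline; a real server does GET tokeninfo_url?access_token=<token>.
FAKE_TOKENINFO = {
    "1/fFBGRNJru1FQd44AzqT3Zg": {  # the sample answer shown on the page
        "audience": "8819981768.apps.googleusercontent.com",
        "user_id": "g123456789", "expires_in": 436,
        "scope": "https://www.googleapis.com/auth/userinfo.profile "
                 "https://www.googleapis.com/auth/userinfo.email"},
    "expired-token": {"audience": "8819981768.apps.googleusercontent.com",
                      "user_id": "g123456789", "expires_in": 0},
    # Genuine token of the same user, but issued to another app's client id.
    "other-app-token": {"audience": "9999999999.apps.googleusercontent.com",
                        "user_id": "g123456789", "expires_in": 3000},
}
SIGNING_KEYS = {"key5879": b"constructed-secret-for-this-example"}  # kid on page


def fake_fetch_tokeninfo(url, access_token):
    """Stand-in for the HTTPS request to the IDP; the error shape is assumed."""
    return FAKE_TOKENINFO.get(access_token, {"error": "invalid_token"})


def validate_idp_token(idp, access_token, fetch=fake_fetch_tokeninfo):
    """Return the IDP user id, or raise ValueError if the token is unusable."""
    cfg = IDP_CONFIG.get(idp)
    if cfg is None:
        raise ValueError("unknown idp")
    info = fetch(cfg["tokeninfo_url"], access_token)
    if "error" in info or "user_id" not in info:
        raise ValueError("token rejected by idp")
    # Reject tokens issued to some other OAuth client, even for the same user.
    if info.get("audience") != cfg["expected_audience"]:
        raise ValueError("token audience mismatch")
    if int(info.get("expires_in", 0)) <= 0:  # tokeninfo reports seconds left
        raise ValueError("token expired")
    return info["user_id"]


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_titok(external_id, subject, roles, domains, kid="key5879",
                ttl=3600, now=None):
    """Mint a TiTok whose payload follows the layout shown on the page."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {"jti": uuid.uuid4().hex, "sub": subject, "externalid": external_id,
               "iat": now, "kid": kid, "exp": now + ttl,
               "scope": list(roles), "domains": list(domains)}
    def enc(obj): return _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    sig = hmac.new(SIGNING_KEYS[kid], signing_input.encode(), hashlib.sha256)
    return signing_input + "." + _b64url(sig.digest())


def verify_titok(token, now=None):
    """Return the payload if kid, alg, signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        key = SIGNING_KEYS.get(header.get("kid"))
        if header.get("alg") != "HS256" or key is None:  # token never picks alg/key
            return None
        expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    return payload if payload.get("exp", 0) > now else None


def handle_get_auth(idp, authorization_header, now=None):
    """Sketch of the 'GET auth/' endpoint: returns (http_status, json_body)."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    access_token = authorization_header[len("Bearer "):].strip()
    try:
        external_id = validate_idp_token(idp, access_token)
    except ValueError as exc:
        return 401, {"error": str(exc)}
    # IDP identity -> Thing'in subject, roles, domains is deployment policy;
    # the values below are the ones from the page's sample payload.
    titok = issue_titok(external_id, "235964564", ["role1", "role2"],
                        ["/orange", "/labs"], now=now)
    return 200, {"titok": titok}
```

Calling handle_get_auth("google", "Bearer 1/fFBGRNJru1FQd44AzqT3Zg") returns a 200 with a TiTok whose payload verify_titok reads back; the "expired-token" and "other-app-token" entries show the two rejections, and a TiTok whose claims were changed after signing fails the signature check. In verify_titok the algorithm and key come from server-side configuration keyed by kid, never from the token itself.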