Domino OIDC provider HTTP endpoints
The endpoints supported by the Domino OIDC provider are listed and described in the following sections.
/auth/protocol/oidc/.well-known/openid-configuration
This endpoint is defined by OpenID.Core and OpenID.Discovery and responds to a GET request from an OIDC Relying Party with the location of the other endpoints as well as some related metadata.
/auth/protocol/oidc/keys
This endpoint responds to a GET request with the OIDC provider's public signing keys in the standard jwks_uri format. OIDC Relying Parties can use these keys to verify signatures on the signed JWT access tokens and ID tokens.
Starting in 14.0 GA, this same endpoint also returns the public keys used for private_key_jwt authentication by Domino's Web Login with OIDC feature.
If both Domino Web Login with OIDC and the Domino OIDC provider are enabled for a single Internet Site, then both sets of public keys will be returned.
/auth/protocol/oidc/auth
The authorization endpoint, as defined by OpenID.Core and the OAuth 2.0 RFCs, accepts only GET requests.
| Parameter Name | Required? | Description |
|---|---|---|
| response_type | Required | Must be "code" for the Authorization Code flow with PKCE |
| client_id | Required | Must match the client_id value for a registered client |
| redirect_uri | Required | Must correspond to a configured redirect_uri value for this registered client |
| scope | Required | Must be a subset of the configured scopes for this registered client |
| state | Recommended | This value will be returned in the response from this endpoint |
| code_challenge_method | Recommended | Unless the client is configured with optional PKCE, this must be "S256" |
| code_challenge | Recommended | PKCE code_challenge value |
| nonce | Optional | If present, this value will be in the nonce claim of the resulting id_token |
| resource | Optional | If present, must match a configured audience for this registered client |
- An id_token will be returned from the token endpoint only if the "openid" scope is present.
- If the resource parameter is not present, the first configured audience for this registered client will be used.
- Current security best practices strongly recommend against generating access tokens with multiple audiences. Accordingly, in 14.5 EAP Drop 1, the Domino OIDC provider will generate only single-audience access tokens.
/auth/protocol/oidc/token
The token endpoint, as defined by OpenID.Core and the OAuth 2.0 RFCs, accepts only POST requests. The "bearer token" JSON response will include an id_token if and only if the "openid" scope was both configured for the authenticated client and included in the requested scopes sent to the authorization endpoint.
The Authorization Code grant type takes an authorization code acquired from the authorization endpoint and returns a bearer token JSON response. Note that authorization codes are single-use only.
| Parameter Name | Required? | Description |
|---|---|---|
| grant_type | Required | Must be "authorization_code" |
| code | Required | The "code" value returned from the authorization endpoint |
| redirect_uri | Required | Must match the redirect_uri provided to the authorization endpoint |
| client_id | Optional | Optional for client_secret_basic auth; if present, it must match the Authorization: Basic header |
| code_verifier | Recommended | PKCE code_verifier value |
The Refresh Token grant type takes the most recent refresh token acquired from the token endpoint and returns a bearer token JSON response. Note that refresh tokens are single-use only, and that a new refresh token is issued by every successful request to the token endpoint.
| Parameter Name | Required? | Description |
|---|---|---|
| grant_type | Required | Must be "refresh_token" |
| refresh_token | Required | The refresh_token value received from a previous call to the token endpoint |
| client_id | Optional | Optional for client_secret_basic auth; if present, it must match the Authorization: Basic header |
Note that some OAuth Authorization Servers require an "offline_access" scope to return a refresh token. Domino 14.5 EAP Drop 1 will always return a refresh token. This behavior may change before GA based on feedback.
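The Authorization Code flow with PKCE described by the two tables above, as an added client-side example that is not part of this documentation or of Domino itself. The host name, client credentials and redirect URI are placeholders; the code builds the requests and checks the callback but performs no network I/O.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode

# Hypothetical Domino host; the path is the authorization endpoint above.
AUTH_EP = "https://domino.example.com/auth/protocol/oidc/auth"

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 chars, fresh per request
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def authorization_url(client_id, redirect_uri, scopes, state, challenge,
                      nonce=None, resource=None):
    """GET URL for the authorization endpoint with the parameters tabled above."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes),
              "state": state, "code_challenge_method": "S256",
              "code_challenge": challenge}
    if nonce:
        params["nonce"] = nonce        # echoed in the id_token "nonce" claim
    if resource:
        params["resource"] = resource  # selects one configured audience
    return AUTH_EP + "?" + urlencode(params)

def code_from_callback(query, expected_state):
    """Accept the redirect only if state matches; returns the single-use code."""
    q = parse_qs(query)
    if q.get("state") != [expected_state] or "code" not in q:
        raise ValueError("state mismatch or missing code")
    return q["code"][0]

def token_request(client_id, client_secret, grant, redirect_uri=None, verifier=None):
    """(headers, form body) for a POST to the token endpoint, client_secret_basic."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    if "code" in grant:  # Authorization Code grant
        body = {"grant_type": "authorization_code", "code": grant["code"],
                "redirect_uri": redirect_uri, "code_verifier": verifier}
    else:                # Refresh Token grant: tokens are single-use, store the new one
        body = {"grant_type": "refresh_token", "refresh_token": grant["refresh_token"]}
    return headers, urlencode(body)
```

The client must keep the code_verifier and state from the first step until the callback arrives, and must replace its stored refresh token with the one in every token response.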
/auth/protocol/oidc/revoke
The OAuth revocation endpoint, as defined by RFC 7009, accepts only POST requests. It can be used only to revoke refresh tokens: per current security best practices we recommend very short-lived access tokens, and the default access token lifetime is 300 seconds. The "token" parameter must contain the refresh token to be revoked. This endpoint requires client authentication, so public clients cannot access it.
/auth/protocol/oidc/introspect
The OAuth Introspection endpoint, as defined by RFC 7662, accepts only POST requests. It is designed for consumers that do not directly support OIDC or validating signed JWT access tokens, such as the nginx web proxy. When called correctly it returns only {"active":true} or {"active":false}; relying parties that need the contents of the access token should parse the signed JWT access token directly. This endpoint requires client authentication per RFC 7662, so public clients cannot access it. The access token to be validated must be passed in the "token" POST parameter. Clients configured as "Introspection Only" can access only this endpoint and cannot acquire tokens of their own; this setting is intended for authenticating proxies and similar applications.
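How an authenticating proxy registered as an "Introspection Only" client would call this endpoint and act on the {"active":true}/{"active":false} answer, as an added example that is not part of this documentation or of Domino. The host and credentials are placeholders; the response check fails closed, so anything other than an HTTP 200 carrying a JSON object with a boolean true "active" field denies access.

```python
import base64
import json
from urllib.parse import urlencode

# Hypothetical Domino host; the path is the introspection endpoint above.
INTROSPECT_EP = "https://domino.example.com/auth/protocol/oidc/introspect"

def introspection_request(client_id, client_secret, access_token):
    """(url, headers, form body) for the RFC 7662 POST. The proxy's own client
    credentials go in the Basic header; the token under test goes in "token"."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    return INTROSPECT_EP, headers, urlencode({"token": access_token})

def token_is_active(status, body):
    """Fail closed: only HTTP 200 with JSON {"active": true} grants access.
    Error statuses, malformed JSON and "true" as a string all count as inactive."""
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and data.get("active") is True
```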
/auth/protocol/oidc/logout
The OIDC logout endpoint as defined by OpenID.RPInitiated is present but not fully functional in 14.5 EAP Drop 1. Back-channel logout is also not supported as of 14.5 EAP Drop 1.
/auth/idvault/bearer
This endpoint can be used to exchange an access token for the ID file belonging to that user. The access token must be provided via the Authorization: Bearer <access_token> header. By default, the JSON-encoded response will include the user's Notes DN (user_dn) and the size of their ID file in bytes (idfile_size). If the "id_cache=true" query parameter is set, then the ID file will be added to the Verse ID file cache and the "idfile_cache" key will be added to the JSON response with a value of either "present" (already in the cache), "added", or "error". If the "id_download=true" query parameter is set, then the Base64-encoded ID file will be added to the JSON response under the "idfile_b64" key.
Configuration of bearer authentication to the Notes ID vault is covered in a separate topic.