CSP Authentication Operations Index
All available CSP Authentication Operations
This end-point exchanges organization-scoped API tokens only; these tokens are obtained from the CSP web console. The token can be passed in the following ways:
1. Including the api_token parameter using the application/x-www-form-urlencoded format in the HTTP request body.
2. DEPRECATED: Passing the token under the refresh_token parameter name; use api_token instead.
3. DEPRECATED: Passing the refresh_token via a query parameter.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Anonymous | ✔️ | ✔️ |
Get details of an unexpired organization-scoped API token that was previously obtained via the CSP web console.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Anonymous | ✔️ | ✔️ |
The call is protected by HTTP Basic authentication with client_id and client_secret. Note: when using Public OAuth clients, Authorization is required using the format 'Basic Base64_Encode(client_id:)' with empty client_secret. This endpoint follows the token introspection specifications defined in https://tools.ietf.org/html/rfc7662. Only introspection of refresh tokens is supported. Include the parameter using application/x-www-form-urlencoded format in the HTTP request body.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Anonymous | ✔️ | ✔️ |
Defines the public keys used to verify the authenticity of the JWT token.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Anonymous | ✔️ | ✔️ |
This end-point returns the identity provider logout URL as a redirect URL. To log out, an explicit redirect to this URL is needed.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Anonymous | ✔️ | ✔️ |
Only refresh tokens are supported at this time.
- Include the parameters using application/x-www-form-urlencoded format in the HTTP request body.
- Include Basic Base64_Encode(client_id:client_secret) value in the HTTP authorization header. Note: when using Public OAuth clients, Authorization is required using the format 'Basic Base64_Encode(client_id:)' with empty client_secret.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Anonymous | ✔️ | ✔️ |
This end-point exchanges one of the following grants for an access token: authorization_code, refresh_token, client_credentials, client_delegate, context_switch or client_exchange.
- Include the parameters using application/x-www-form-urlencoded format in the HTTP request body.
- Include Basic Base64_Encode(client_id:client_secret) value in the HTTP authorization header. Note: when using Public OAuth clients, Authorization is required using the format 'Basic Base64_Encode(client_id:)' with empty client_secret.

Organization ID parameter notes: when the organization ID is missing from the request, the default organization will be used.
- Upon password grant type, the user's default organization will be set if available.
- Upon client_credentials grant type, the organization that owns the client will be set if available.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Anonymous | ✔️ | ✔️ |
Returns a list of public keys in JWKS format. Use these keys in your application to validate the access token. The KID field in the access token is the ID of the public key. The PEM format is deprecated because it returns only the currently active public key.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Anonymous | ✔️ | ✔️ |
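The validation described above, as an added example that is not CSP's own code: select the JWKS entry whose kid matches the token header, then verify the signature using only the Python standard library. RS256 is an assumption (the page does not name the signing algorithm), and the key and token are constructed demo data built from two public Mersenne primes, so they offer no security.

```python
import base64, hashlib, json

# DigestInfo prefix for SHA-256 in PKCS#1 v1.5 signatures (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa(signing_input, k):
    """Expected encoded message: 00 01 FF.. 00 || DigestInfo || SHA-256 digest."""
    tail = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (k - 3 - len(tail)) + b"\x00" + tail

def verify_rs256(token, jwks):
    """Return the claims if the token verifies against the JWKS key named by kid."""
    h64, p64, s64 = token.split(".")
    header = json.loads(b64u_dec(h64))
    if header.get("alg") != "RS256":   # pin the algorithm; rejects "none" and surprises
        raise ValueError("unexpected alg")
    key = next((j for j in jwks["keys"]
                if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")), None)
    if key is None:                    # reject; a caller may refresh its cached JWKS first
        raise ValueError("unknown kid")
    n = int.from_bytes(b64u_dec(key["n"]), "big")
    e = int.from_bytes(b64u_dec(key["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = b64u_dec(s64)
    if len(sig) != k:
        raise ValueError("bad signature length")
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if recovered != emsa(f"{h64}.{p64}".encode(), k):
        raise ValueError("bad signature")
    return json.loads(b64u_dec(p64))

def demo_key_and_token(kid, claims):
    """Constructed demo data: throwaway key from two public Mersenne primes (no security)."""
    p, q, e = 2**521 - 1, 2**607 - 1, 65537
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    k = (n.bit_length() + 7) // 8
    head = b64u_enc(json.dumps({"alg": "RS256", "kid": kid}).encode())
    body = b64u_enc(json.dumps(claims).encode())
    sig = pow(int.from_bytes(emsa(f"{head}.{body}".encode(), k), "big"), d, n)
    jwk = {"kty": "RSA", "kid": kid, "n": b64u_enc(n.to_bytes(k, "big")), "e": "AQAB"}
    return {"keys": [jwk]}, f"{head}.{body}.{b64u_enc(sig.to_bytes(k, 'big'))}"
```

A verified signature only establishes who issued the token; claims such as expiry and audience still need their own checks, and production services would normally rely on a maintained JWT library for all of this.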
This end-point returns the identity provider logout URL as a redirect URL. To log out, an explicit redirect to this URL is needed.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Anonymous | ✔️ | ✔️ |
This endpoint is used with browser redirection only. Trying to access it via an HTTP GET call will fail. It discovers the user's Identity Provider (IdP) and sends the user to the IdP login page.
This is the starting point of the OAuth 2.0 flow to authenticate end users from your application. This authorization endpoint must be used by clients to authenticate users and obtain an authorization code. To use this endpoint, your application must be registered as an OAuth 2.0 client with CSP and have the 'authorization_code' grant type enabled.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Anonymous | ✔️ | ✔️ |
Get discovery endpoint metadata as described in https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata. OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
Access Policy
| Role | User Accounts | Service Accounts (Client Credentials Applications) |
|---|---|---|
| Anonymous | ✔️ | ✔️ |