
Client validation

azuma mimoto provides a client validation API, which is especially relevant for organisations that operate multiple DiGAs.

Preparation

Create a Validation Application

The client validation API can only be accessed with a valid client_credentials token. To obtain one, create a new "Validation Application" in your Relying Party. A single Validation Application is sufficient: it can validate clients in all of your Relying Parties.

Request Validation Token

Tokens are requested from the token endpoint with the client credentials of the Validation Application and the scope ept:extension:validation:

curl --location '*mimoto-url*/connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=*your client id*' \
--data-urlencode 'client_secret=*your client secret*' \
--data-urlencode 'scope=ept:extension:validation'

Example Result:

{
"access_token": "....",
"token_type": "Bearer",
"expires_in": 599
}

expires_in is given in seconds, so the token is valid for roughly ten minutes. Request a fresh token for each validation run rather than storing one.

Validation API

URL: *mimoto-url*/api/v1/applications/validate

Method: POST

For *mimoto-url*, use the "Main Url" listed under Infrastructural Environments Approach.

Request Parameters (JSON body)

{
"validationType": "Default | Extended | Simulation",
"clientId": "your client ID",
"relayingPartyId": "your relying party ID"
}

Note the field name "relayingPartyId": this is the spelling the API expects, so use it exactly as shown.

The validation type must match the mode of the Relying Party the client belongs to:

  • Simulation: validates a client that is added to a Simulation Relying Party
  • Default and Extended: validate a client that is added to a Live Relying Party

The modes include the following checks:

  • Simulation:
    • Is the Application known?
    • Is the Relying Party correct?
    • Is the Application enabled?
    • Is the Relying Party in Simulation mode?
  • Default:
    • Is the Application known?
    • Is the Relying Party correct?
    • Is the Application enabled?
    • Is the Relying Party in Live mode?
  • Extended: all checks of Default, plus
    • Are the scopes of the Application available in the Federation Master registration of the Relying Party?
    • Are the redirect URLs of the Application available in the Federation Master registration of the Relying Party?

If an authentication or authorization error occurs, the API returns 401 (the token is missing, expired or invalid) or 403 (the token is valid but is not allowed to access the given Application or Relying Party). Only a 200 response carries a validation result.

Response Format

{
"result": "Success|Failure",
"errors": [
{
"error": "see the Swagger documentation for the possible error types",
"message": "string"
}
]
}

Example

Request:

curl --location '*mimoto-url*/api/v1/applications/validate' \
--header 'Authorization: Bearer *token*' \
--header 'Content-Type: application/json' \
--data '{
"validationType": "Extended",
"clientId": "ce1e9a18-de22-4467-b779-97893ba074d2",
"relayingPartyId": "5d48edcd-8111-4162-a1a8-d09fd8de348c"
}'

Response:

{
"result": "Failure",
"errors": [
{
"error": "ApplicationRedirectUrisMissing",
"message": "Redirect URIs of the Application with the given client_id are not present in Federation Master registration."
}
]
}
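The following Python client is an added example and not part of the mimoto documentation or product. It performs the full flow described on this page: it requests a client_credentials token with the ept:extension:validation scope, posts the validation request, and turns the reply into a pass/fail decision, keeping 401 (token rejected) and 403 (token not allowed for this Application / Relying Party) apart from a real validation failure. The base URL, credentials and IDs in the usage comments are placeholders; the sample failure response is constructed from the example above.

```python
# Added example (not mimoto's own code): a small Python client for the
# validation flow on this page. It requests a client_credentials token with
# the ept:extension:validation scope, calls /api/v1/applications/validate
# and turns the reply into a pass/fail decision. The base URL, credentials
# and IDs in the usage section are placeholders (assumptions).
import json
import urllib.error
import urllib.parse
import urllib.request

VALIDATION_SCOPE = "ept:extension:validation"
VALIDATION_TYPES = ("Default", "Extended", "Simulation")


def token_request(base_url, client_id, client_secret):
    """Build the POST to /connect/token (form-encoded, as in the curl above)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": VALIDATION_SCOPE,
    }).encode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/connect/token",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def validation_request(base_url, token, validation_type, app_client_id, relying_party_id):
    """Build the POST to /api/v1/applications/validate with a Bearer token."""
    if validation_type not in VALIDATION_TYPES:
        raise ValueError(f"validationType must be one of {VALIDATION_TYPES}, got {validation_type!r}")
    body = json.dumps({
        "validationType": validation_type,
        "clientId": app_client_id,
        # The API field is spelled "relayingPartyId"; keep that exact spelling.
        "relayingPartyId": relying_party_id,
    }).encode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/applications/validate",
        data=body,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


def interpret_validation(status, payload):
    """Map HTTP status and JSON body to (passed, list of messages).

    401: the token itself was rejected. 403: the token is valid but may not
    access that Application / Relying Party. Only a 200 carries a result."""
    if status == 401:
        return False, ["401: token rejected, request a new client_credentials token"]
    if status == 403:
        return False, ["403: token not allowed to access this Application / Relying Party"]
    if status != 200:
        return False, [f"unexpected HTTP status {status}"]
    if payload.get("result") == "Success":
        return True, []
    errors = payload.get("errors") or []
    return False, [f"{e.get('error')}: {e.get('message')}" for e in errors]


def run_validation(base_url, client_id, client_secret, validation_type,
                   app_client_id, relying_party_id):
    """Full flow against a live mimoto instance: fetch a token, then validate."""
    with urllib.request.urlopen(token_request(base_url, client_id, client_secret)) as resp:
        token = json.load(resp)["access_token"]  # short-lived, fetch per run
    req = validation_request(base_url, token, validation_type, app_client_id, relying_party_id)
    try:
        with urllib.request.urlopen(req) as resp:
            return interpret_validation(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:  # 401 / 403 arrive here
        try:
            payload = json.load(err)
        except ValueError:
            payload = {}
        return interpret_validation(err.code, payload)


# Constructed sample: the failure response shown in the example on this page.
SAMPLE_FAILURE = {
    "result": "Failure",
    "errors": [{
        "error": "ApplicationRedirectUrisMissing",
        "message": "Redirect URIs of the Application with the given client_id "
                   "are not present in Federation Master registration.",
    }],
}

if __name__ == "__main__":
    passed, messages = interpret_validation(200, SAMPLE_FAILURE)
    print("passed" if passed else "failed", messages)
    # Against a real instance (placeholder values, assumed):
    # run_validation("https://mimoto.example", "<validation client id>",
    #                "<validation client secret>", "Extended",
    #                "<application client id>", "<relying party id>")
```

Run it offline and it reports the constructed Extended-mode failure; pointed at a real instance via run_validation, a 401 or 403 is reported as an access problem with the Validation Application rather than as a failed check on the client under test.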