POST /api/{serviceId}/nativesso
Typescript (SDK)
import { Authlete } from "@authlete/typescript-sdk";

// Service Access Token or Organization Token; the SDK sends it as "Authorization: Bearer <token>".
const authlete = new Authlete({
  bearer: process.env["AUTHLETE_BEARER"] ?? "",
});

async function run() {
  const result = await authlete.nativeSso.process({
    serviceId: "715948317",
    nativeSsoRequest: {
      // Sample values carried over from the preceding /auth/token response.
      accessToken: "_kh1aygxZ5NKLYKCJRM8M_AYvDg2wCWoprQDjfO87ZWq",
      refreshToken: "kHUGSt_d3LSgiCQzH7wa5TpwIHWgjAZGw14zZV7hRqw",
      // Additional ID token claims, passed as a JSON object serialized to a string.
      claims: "{\"given_name\":\"John\",\"family_name\":\"Brown\",\"email\":\"test@example.com\"}",
      // Reuse the device secret from /auth/token when present; otherwise generate a new one.
      deviceSecret: "my-ds",
    },
  });

  console.log(result);
}

run();
{
  "resultCode": "A501001",
  "resultMessage": "[A501001] A Native SSO-compliant ID token and a token response were generated successfully.",
  "action": "OK",
  "responseContent": "{\"access_token\":\"_kh1aygxZ5NKLYKCJRM8M_AYvDg2wCWoprQDjfO87ZWq\",\"token_type\":\"Bearer\",\"expires_in\":86400,\"scope\":\"openid device_sso\",\"refresh_token\":\"kHUGSt_d3LSgiCQzH7wa5TpwIHWgjAZGw14zZV7hRqw\",\"id_token\":\"eyJraWQiOiItc1RSWDc5YnEyOEhyYkxBV0w2N3k4T1VJdXdrTms2ZFFkbzItSExZMkxvIiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczovL2F1dGhsZXRlLmNvbSIsInN1YiI6ImpvaG4iLCJhdWQiOlsibmF0aXZlX2FwcF8xIl0sImV4cCI6MTc1NjcxNzY3MywiaWF0IjoxNzU2NzE3MzczLCJkc19oYXNoIjoic0luWlNhY1luRkR1Y1dwckRqZmtYeENRZl9mWGhsVDY1ZDduS0VYNzc2OCIsInNpZCI6Im15LXNpZCIsImdpdmVuX25hbWUiOiJKb2huIiwiZmFtaWx5X25hbWUiOiJCcm93biIsImVtYWlsIjoidGVzdEBleGFtcGxlLmNvbSJ9.RASuwd4KYPe8b3vNNwIYJgoXzUadDFFHO1wYWD70Z3EsZd8qcxxkPmJKs3dRitvYTX8DDqf5zvAm1jlIeEuvRQ\",\"device_secret\":\"my-ds\"}",
  "idToken": "eyJraWQiOiItc1RSWDc5YnEyOEhyYkxBV0w2N3k4T1VJdXdrTms2ZFFkbzItSExZMkxvIiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczovL2F1dGhsZXRlLmNvbSIsInN1YiI6ImpvaG4iLCJhdWQiOlsibmF0aXZlX2FwcF8xIl0sImV4cCI6MTc1NjcxNzY3MywiaWF0IjoxNzU2NzE3MzczLCJkc19oYXNoIjoic0luWlNhY1luRkR1Y1dwckRqZmtYeENRZl9mWGhsVDY1ZDduS0VYNzc2OCIsInNpZCI6Im15LXNpZCIsImdpdmVuX25hbWUiOiJKb2huIiwiZmFtaWx5X25hbWUiOiJCcm93biIsImVtYWlsIjoidGVzdEBleGFtcGxlLmNvbSJ9.RASuwd4KYPe8b3vNNwIYJgoXzUadDFFHO1wYWD70Z3EsZd8qcxxkPmJKs3dRitvYTX8DDqf5zvAm1jlIeEuvRQ"
}

OK

When the action is OK, it indicates that the /nativesso API processing has successfully completed. In this case, the token endpoint implementation should return a successful response (200 OK) to the client. The value of the responseContent property in the /nativesso API response can be used directly as the message body of the token response. Therefore, the success response can be constructed as follows:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

(Embed the value of responseContent here.)

INTERNAL_SERVER_ERROR

When the action is INTERNAL_SERVER_ERROR, it indicates that something has gone wrong on the Authlete side. For example, an issue such as a database error might have occurred when retrieving the access token specified by the accessToken parameter from the database. In such cases, the token endpoint implementation should return an error response to the client. The simplest implementation would be to return a 500 Internal Server Error.
HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Cache-Control: no-store

(Embed the value of responseContent here.)
However, in a production environment it is better to return a generic error body that does not describe the internal failure, rather than forwarding the responseContent as-is; the details of the failure belong in server-side logs, not in the response to the client.

CALLER_ERROR

When the action is CALLER_ERROR, it indicates that the issue lies with the caller of the API (i.e., the implementation of the OpenID Provider). For example, this could be due to a missing required parameter such as accessToken. If CALLER_ERROR is returned, please review the implementation of your OpenID Provider.
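The three actions above map onto a small dispatch in the token endpoint. The following TypeScript is an added example written for this page, not code from Authlete or its SDK: it models the /nativesso response with the field names documented here, turns the action into an HTTP status/headers/body, and decodes the payload of the issued ID token for bookkeeping. The HttpResponse shape, the log callback, the "server_error" body used when the cause is hidden, and the decision to answer CALLER_ERROR with a generic 500 are all assumptions (the page only says to review the OP implementation). The sample response is the one shown on this page; the ID token decoder does not verify the signature, because the token arrived from Authlete over our own authenticated API call, not from a client.

```typescript
// Shape of the /nativesso API response as documented on this page (only the fields used here).
interface NativeSsoResponse {
  resultCode: string;
  resultMessage: string;
  action: "OK" | "INTERNAL_SERVER_ERROR" | "CALLER_ERROR";
  responseContent?: string;
  idToken?: string;
}

// Minimal framework-agnostic HTTP response model (assumed; adapt to Express, Fastify, etc.).
interface HttpResponse {
  status: number;
  headers: Record<string, string>;
  body: string;
}

// Headers every token endpoint response carries: JSON body, never cached (RFC 6749 section 5.1).
const TOKEN_HEADERS: Record<string, string> = {
  "Content-Type": "application/json",
  "Cache-Control": "no-store",
};

// Generic body returned when the real cause is deliberately kept out of the client response.
// "server_error" is an assumed placeholder; use whatever error code your deployment standardises on.
const OPAQUE_ERROR_BODY = JSON.stringify({ error: "server_error" });

// Map the /nativesso "action" to the HTTP response the token endpoint returns.
// exposeErrorDetail=true reproduces the "simplest implementation" on this page (responseContent
// embedded in the 500); the default hides it, which is what the page recommends for production.
function toTokenResponse(
  res: NativeSsoResponse,
  log: (msg: string) => void = () => {},
  exposeErrorDetail = false,
): HttpResponse {
  switch (res.action) {
    case "OK":
      // responseContent is already the complete JSON token response; pass it through verbatim.
      return { status: 200, headers: TOKEN_HEADERS, body: res.responseContent ?? "" };
    case "INTERNAL_SERVER_ERROR":
      log(`nativesso failed on the Authlete side: ${res.resultCode} ${res.resultMessage}`);
      return {
        status: 500,
        headers: TOKEN_HEADERS,
        body: exposeErrorDetail && res.responseContent ? res.responseContent : OPAQUE_ERROR_BODY,
      };
    case "CALLER_ERROR":
      // Our OpenID Provider sent a bad request (e.g. no accessToken). That is a bug for us to fix,
      // not something the client can act on, so the client only sees a generic error (assumed handling).
      log(`nativesso CALLER_ERROR, review the OP implementation: ${res.resultCode} ${res.resultMessage}`);
      return { status: 500, headers: TOKEN_HEADERS, body: OPAQUE_ERROR_BODY };
    default:
      // Fail closed on any action this code does not know about.
      log(`nativesso returned an unexpected action: ${String(res.action)}`);
      return { status: 500, headers: TOKEN_HEADERS, body: OPAQUE_ERROR_BODY };
  }
}

// Decode the payload of the issued ID token for logging/bookkeeping (e.g. recording the "sid").
// No signature verification here: the token came from Authlete over our authenticated API call.
// Anything that accepts a JWT from a client must verify it instead of calling this.
function decodeIdTokenPayload(jwt: string): Record<string, unknown> {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// The successful response shown on this page, reconstructed as sample input.
const SAMPLE_ID_TOKEN =
  "eyJraWQiOiItc1RSWDc5YnEyOEhyYkxBV0w2N3k4T1VJdXdrTms2ZFFkbzItSExZMkxvIiwiYWxnIjoiRVMyNTYifQ." +
  "eyJpc3MiOiJodHRwczovL2F1dGhsZXRlLmNvbSIsInN1YiI6ImpvaG4iLCJhdWQiOlsibmF0aXZlX2FwcF8xIl0sImV4cCI6MTc1NjcxNzY3MywiaWF0IjoxNzU2NzE3MzczLCJkc19oYXNoIjoic0luWlNhY1luRkR1Y1dwckRqZmtYeENRZl9mWGhsVDY1ZDduS0VYNzc2OCIsInNpZCI6Im15LXNpZCIsImdpdmVuX25hbWUiOiJKb2huIiwiZmFtaWx5X25hbWUiOiJCcm93biIsImVtYWlsIjoidGVzdEBleGFtcGxlLmNvbSJ9." +
  "RASuwd4KYPe8b3vNNwIYJgoXzUadDFFHO1wYWD70Z3EsZd8qcxxkPmJKs3dRitvYTX8DDqf5zvAm1jlIeEuvRQ";

const SAMPLE_OK: NativeSsoResponse = {
  resultCode: "A501001",
  resultMessage: "[A501001] A Native SSO-compliant ID token and a token response were generated successfully.",
  action: "OK",
  responseContent: JSON.stringify({
    access_token: "_kh1aygxZ5NKLYKCJRM8M_AYvDg2wCWoprQDjfO87ZWq",
    token_type: "Bearer",
    expires_in: 86400,
    scope: "openid device_sso",
    refresh_token: "kHUGSt_d3LSgiCQzH7wa5TpwIHWgjAZGw14zZV7hRqw",
    id_token: SAMPLE_ID_TOKEN,
    device_secret: "my-ds",
  }),
  idToken: SAMPLE_ID_TOKEN,
};
```

Running toTokenResponse(SAMPLE_OK) yields the 200 response with the page's token JSON as body; decodeIdTokenPayload(SAMPLE_ID_TOKEN) shows the Native SSO-specific claims the page's example carries, ds_hash and sid, next to the usual iss/sub/aud/exp/iat.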

Authorizations

Authorization
string
header
required

Authenticate every request with a Service Access Token or Organization Token. Set the token value in the Authorization: Bearer <token> header.

Service Access Token: Scoped to a single service. Use when automating service-level configuration or runtime flows.

Organization Token: Scoped to the organization; inherits permissions across services. Use for org-wide automation or when managing multiple services programmatically.

Both token types are issued by the Authlete console or provisioning APIs.

Path Parameters

serviceId
string
required

A service ID.

Body

application/json
accessToken
string
required

The value of this parameter should be: (a) the value of the jwtAccessToken parameter in a response from the /auth/token API when the value is available, or (b) the value of the accessToken parameter in the response from the /auth/token API when the jwtAccessToken parameter is not available.

deviceSecret
string
required

The device secret. The value of this parameter should be the value of the deviceSecret parameter in the response from the /auth/token API, if the parameter is present. Otherwise, the authorization server should generate a new device secret and specify it as the value of this parameter.

refreshToken
string

The value of this parameter should be the value of the refreshToken parameter in a response from the /auth/token API.

sub
string

The value that should be used as the value of the sub claim of the ID token. This parameter is optional. When omitted, the value of the subject associated with the access token is used.

claims
string

Additional claims that should be embedded in the payload part of the ID token. The format is a JSON object. This parameter is optional.

idtHeaderParams
string

Additional parameters that should be embedded in the JWS header of the ID token. The format is a JSON object. This parameter is optional.

idTokenAudType
string

The type of the aud claim of the ID token being issued. Valid values of this parameter are as follows:

deviceSecretHash
string

The device secret hash. The specified device secret hash is included as the value of the ds_hash claim in the ID token generated by the /nativesso API. If the deviceSecretHash request parameter is omitted, the value of the deviceSecret request parameter is used to compute the hash.
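The rules for accessToken, refreshToken, deviceSecret and claims above can be captured in one request builder. The TypeScript below is an added example written for this page, not Authlete's own code: it takes the relevant fields of an /auth/token response (named as this page names them), prefers jwtAccessToken over accessToken, reuses the device secret Authlete already issued and otherwise mints a new one, and serialises extra ID token claims to the JSON-object string the claims parameter expects. The AuthTokenResult interface, the 32-byte base64url format of a freshly minted device secret, and the injectable mint function are assumptions; the page only says the authorization server should generate a new secret when /auth/token did not return one.

```typescript
import { randomBytes } from "node:crypto";

// Fields of the /auth/token API response that feed /nativesso (names as used on this page).
interface AuthTokenResult {
  accessToken?: string;
  jwtAccessToken?: string;
  refreshToken?: string;
  deviceSecret?: string;
}

// Request body for /nativesso, using the parameter names documented above.
interface NativeSsoRequest {
  accessToken: string;
  refreshToken?: string;
  deviceSecret: string;
  sub?: string;
  claims?: string;
}

// Mint a device secret when /auth/token did not return one: 32 random bytes, base64url, no padding.
// The format is our choice (assumption); what matters is that it is unguessable, since the secret
// is what later binds token exchanges to this device.
function newDeviceSecret(): string {
  return randomBytes(32).toString("base64url");
}

// Build the /nativesso request from a /auth/token result:
//  - the JWT access token wins over the opaque one when both are present,
//  - the device secret is reused when Authlete already issued one,
//  - extra ID token claims become the JSON-object string the "claims" parameter expects.
function buildNativeSsoRequest(
  token: AuthTokenResult,
  extraClaims?: Record<string, unknown>,
  mint: () => string = newDeviceSecret,
): NativeSsoRequest {
  const accessToken = token.jwtAccessToken ?? token.accessToken;
  if (!accessToken) {
    throw new Error("/auth/token response contains neither jwtAccessToken nor accessToken");
  }
  const req: NativeSsoRequest = {
    accessToken,
    deviceSecret: token.deviceSecret ?? mint(),
  };
  if (token.refreshToken) req.refreshToken = token.refreshToken;
  if (extraClaims && Object.keys(extraClaims).length > 0) {
    req.claims = JSON.stringify(extraClaims);
  }
  return req;
}
```

The returned object is what goes into nativeSsoRequest in the SDK call at the top of this page. Throwing when no access token is available is intentional: sending the request without accessToken would come back as CALLER_ERROR, and failing earlier keeps the bug in our own code path.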

Response

Native SSO processing completed successfully

resultCode
string

The code which represents the result of the API call.

resultMessage
string

A short message which explains the result of the API call.

action
enum<string>

The next action that the implementation of the token endpoint should take.

Available options:
OK,
INTERNAL_SERVER_ERROR,
CALLER_ERROR
responseContent
string

The response content that can be used as the message body of the token response that should be returned from the token endpoint.

idToken
string

The issued ID token.