8.8.3. Additional interface for use by external resources


The OpenID provider implemented by 1C:Enterprise can be accessed using the standard OpenID 2.0 protocol, with the following specifics:

  • In requests for interactive and non-interactive authentication (openid.mode equal to checkid_setup and checkid_immediate, respectively), the openid.claimed_id and openid.identity parameters must be set to https://specs.openid.net/auth/2.0/identifier_select. This value means that the user identifier is determined by the provider rather than supplied by the relying party.
  • A non-interactive authentication request with any other openid.claimed_id or openid.identity value is answered with a request for interactive authentication. During that interactive authentication the provider determines the openid.claimed_id and openid.identity values itself.

The OpenID provider implements a form for entering a username and password for interactive authentication.

The application also provides a number of commands that simplify the use of the OpenID provider by third-party systems; they are described below. The following abbreviations are used in the command descriptions:

  • ProviderIB. The infobase of the OpenID provider.
  • RPIB. The infobase of the OpenID relying party.

Request parameters are transmitted in UTF-8 encoding. Because the username and password travel as URL parameters, the provider must be published over HTTPS only, and keep in mind that query strings are usually written to web server and reverse proxy access logs.

Request for OpenID Provider XRDS Document

Description:

Gets an XRDS document describing the properties of an OpenID provider.

Syntax:

https://example.com/ProviderIB/e1cib/oid2op

Return value:

XRDS document describing the properties of an OpenID provider.

Request for XRDS Document of OpenID Relying Party

Description:

Gets an XRDS document describing the properties of an OpenID relying party.

Syntax:

https://example.com/RPIB/e1cib/oid2rp

Return value:

XRDS document describing the properties of an OpenID relying party.

Authentication request

Description:

Authenticates a user on the OpenID provider by username and password, optionally with a second authentication factor.

Syntax:

https://example.com/ProviderIB/e1cib/oid2op?cmd=auth

Parameters:

openid.auth.user required

Username as specified in the OpenID provider database.

openid.auth.pwd required

User password.

openid.auth.2FCode optional

Second authentication factor code.

openid.auth.short optional

If the parameter is set to true, the authentication is valid only within the web browser session, and no longer than the lifetime value in the default.vrd file that describes the publication of the OpenID provider infobase.

openid.auth.check optional

If set to true, the response to this request includes a one-time ID that must be verified with the cmd=check request. Meaningful only if the openid.return_to parameter is specified.

openid.return_to optional

Contains the target URL that is opened after the request has been processed.

Return value:

If the openid.return_to parameter is not specified, an empty document with one of the following HTTP status codes is returned:

  • 200. Authentication is successful.
  • 400. Authentication is not completed.
  • 402. Authentication by username and password succeeded, but a second factor is required. The response carries a header named 2FAType with one of the following values:
    • secretCode. A secret code must be entered to complete authentication.
    • external. The second factor is executed on the provider side. By the time this response is received, the OpenID provider has already sent the request to execute the second factor to the second-factor provider.

The OpenID provider checks the username and password but does not create a user session when it detects that a second factor is required. The session is created on the next request, which checks the username, the password and the second factor again.

After receiving a 402 response, do the following:

  • For authentication with a code (secretCode), repeat the request with the secret code added in the openid.auth.2FCode parameter.
  • For authentication on the provider side (external), add nothing to the repeated request. The server sends the authentication check request and verifies the second factor itself.

If the openid.return_to parameter is specified, the user is redirected to the address given in the parameter. If authentication is successful, the following parameters are added to the URL:

  • openid.auth.user with the username as its value.
  • openid.auth.uid with a one-time ID as its value, used to validate this response. This parameter is added only if openid.auth.check was set to true in the authentication request.

If authentication fails, the user is redirected to the specified URL without any added parameters.

The redirect by itself proves nothing to the relying party: any browser can be pointed at the return_to URL with an arbitrary openid.auth.user value. Always request openid.auth.check=true and confirm the openid.auth.user and openid.auth.uid pair with the cmd=check request described below before treating the user as authenticated.
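The following client shows the cmd=auth flow described above, including both 402 branches (secretCode and external) and the follow-up 2FACheck request. It is an added example and not code from 1C or from the page. The transport callable, the FakeProvider used to run it offline, the sequencing assumed for the external branch (poll 2FACheck, then repeat cmd=auth so the session is created) and all usernames, passwords and codes are assumptions or constructed sample data; only the URLs, parameter names, status codes and 2FAType header values come from the page. The real transport sends parameters in the query string exactly as the syntax above shows; the page does not document a POST form.

```python
"""Client side of the cmd=auth flow, including the 402 second-factor branch.

Added example, not code from 1C. The transport callable, FakeProvider and the
usernames, passwords and codes below are assumptions/constructed sample data;
only the URLs, parameter names, status codes and 2FAType header values come
from the page.
"""
import urllib.error
import urllib.request
from urllib.parse import urlencode


def http_transport(url, params, timeout=10):
    """Real transport (not exercised offline). Parameters go in the query
    string exactly as the page's syntax shows, so only use it over HTTPS and
    expect them to appear in access logs. Returns (status, headers, body)."""
    sep = "&" if "?" in url else "?"
    req = urllib.request.Request(url + sep + urlencode(params))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), ""


def authenticate(transport, base, user, pwd, code=None):
    """Authenticate against ProviderIB at `base`. Returns "ok", "failed", or
    "needs_code" (402 with 2FAType=secretCode and no code supplied)."""
    auth_url = f"{base}/e1cib/oid2op?cmd=auth"
    params = {"openid.auth.user": user, "openid.auth.pwd": pwd}
    status, headers, _ = transport(auth_url, params)
    if status == 200:
        return "ok"
    if status != 402:
        return "failed"
    # 402: password accepted, second factor required (header names are case-insensitive)
    fa_type = {k.lower(): v for k, v in headers.items()}.get("2fatype")
    if fa_type == "secretCode":
        if code is None:
            return "needs_code"
        params["openid.auth.2FCode"] = code        # repeat the request with the code
        status, _, _ = transport(auth_url, params)
        return "ok" if status == 200 else "failed"
    if fa_type == "external":
        # The provider already pushed the challenge to the second-factor provider.
        # Ask whether it completed, then repeat cmd=auth so the session is created
        # (assumed sequencing: the page says the session is created on the next
        # access, which re-checks username, password and second factor).
        status, _, _ = transport(f"{base}/e1cib/oid2op/2FACheck", {"user": user})
        if status != 200:
            return "failed"
        status, _, _ = transport(auth_url, params)
        return "ok" if status == 200 else "failed"
    return "failed"


class FakeProvider:
    """Constructed in-memory provider reproducing the documented status codes.
    second_factor maps user -> ("secretCode", "<code>") or ("external", completed)."""

    def __init__(self, passwords, second_factor):
        self.passwords = passwords
        self.second_factor = second_factor
        self.pending = set()   # users past the password step, awaiting the second factor

    def __call__(self, url, params):
        if url.endswith("/2FACheck"):
            user = params.get("user")
            kind, done = self.second_factor.get(user, (None, False))
            ok = user in self.pending and kind == "external" and done is True
            return (200 if ok else 400), {}, ""
        if not url.endswith("?cmd=auth"):
            return 400, {}, ""
        user, pwd = params.get("openid.auth.user"), params.get("openid.auth.pwd")
        if user not in self.passwords or self.passwords[user] != pwd:
            return 400, {}, ""
        if user not in self.second_factor:
            return 200, {}, ""
        kind, expected = self.second_factor[user]
        if kind == "secretCode" and params.get("openid.auth.2FCode") == expected:
            return 200, {}, ""
        if kind == "external" and user in self.pending and expected is True:
            return 200, {}, ""
        self.pending.add(user)
        return 402, {"2FAType": kind}, ""


if __name__ == "__main__":
    BASE = "https://example.com/ProviderIB"
    provider = FakeProvider({"bob": "pw2"}, {"bob": ("secretCode", "123456")})
    print(authenticate(provider, BASE, "bob", "pw2"))            # needs_code
    print(authenticate(provider, BASE, "bob", "pw2", "123456"))  # ok
```

To run against a real publication, pass http_transport instead of FakeProvider; the client never stores the 402 state itself, it simply repeats the request with the extra parameter, which is what the text above prescribes.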

OpenID provider request for authentication check

Description:

Checks whether the second authentication factor for the specified user has been completed. It is used after a cmd=auth request that returned status 402 with 2FAType equal to external.

Syntax:

https://example.com/ProviderIB/e1cib/oid2op/2FACheck?user=xxx

Parameters:

user required

The username (xxx) whose authentication should be checked.

Return value:

An empty document with an HTTP status code is returned:

  • 200. Authentication is successful, the user is authenticated using the second factor.
  • 400. Authentication is not completed for one of the following reasons:
    • The user parameter is not specified.
    • There was no regular authentication request before this request.
    • Authentication failure.
    • Authentication timed out.

OpenID provider request to verify the active authentication

Description:

Checks whether the user already has an active authentication on the OpenID provider, without asking for credentials again, and reports the result to the relying party by redirecting to openid.return_to.

Syntax:

https://example.com/ProviderIB/e1cib/oid2op?cmd=lookup

Parameters:

openid.return_to required

Contains the target URL that is opened after processing the request.

openid.auth.check optional

If set to true, the redirect includes a one-time ID (openid.auth.uid) that the relying party must verify with the cmd=check request.

Return value:

Redirecting to the URL specified in the openid.return_to parameter. If authentication is successful, the following parameters are added to the URL:

  • openid.auth.user with username as a value.
  • openid.auth.uid with a one-time ID as a value to validate this response. This parameter is specified if the openid.auth.check parameter is specified in the authentication request.

In case of unsuccessful authentication, go to the specified URL without adding any parameters.

Check an OpenID provider response

Description:

Checks an OpenID Provider response for cmd=auth and cmd=lookup requests if the openid.auth.check parameter is set to true in the request.

Syntax:

https://example.com/ProviderIB/e1cib/oid2op?cmd=check

Parameters:

openid.auth.user required

The username obtained from the request parameter of the same name.

openid.auth.uid required

The value of the one-time OpenID provider response ID obtained from the request parameter of the same name.

Return value:

A document of text/plain type with the following contents is returned:

  • is_valid:true. The response was indeed generated by the OpenID provider used. In this case, the HTTP status code is 200.
  • is_valid:false. The OpenID provider used did not generate the response being checked. In this case, the HTTP status code is 400.

Because openid.auth.uid is a one-time ID, a given response can be confirmed only once; perform the check as soon as the redirect arrives, before the relying party creates its own session.
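The relying-party side of the redirect described for cmd=auth and cmd=lookup, together with the cmd=check verification, as an added example that is not code from 1C or from the page: it parses the URL the browser landed on, refuses to trust openid.auth.user on its own, and accepts the user only when cmd=check answers is_valid:true. The transport callable, the FakeCheckEndpoint that stands in for the provider offline, build_return_to and the sample users and URLs are assumptions or constructed data; the parameter names, the check URL and the is_valid response body come from the page.

```python
"""Relying-party side: verify a provider redirect before trusting it.

Added example, not 1C code. It handles the redirects produced by cmd=auth and
cmd=lookup when openid.auth.check=true, and the cmd=check verification. The
transport callable, FakeCheckEndpoint and the sample users/URLs are
assumptions/constructed data; the parameter names, the check URL and the
is_valid body come from the page.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def parse_provider_redirect(redirect_url):
    """Extract openid.auth.user and openid.auth.uid from the return_to URL the
    browser landed on. Either is None when absent (a failed authentication
    redirects without parameters)."""
    query = parse_qs(urlsplit(redirect_url).query)
    return (query.get("openid.auth.user", [None])[0],
            query.get("openid.auth.uid", [None])[0])


def verify_redirect(transport, provider_base, redirect_url):
    """Return the verified username or None. openid.auth.user is trusted only
    after cmd=check confirms the one-time ID: anyone can type a return_to URL
    with openid.auth.user=Administrator into a browser."""
    user, uid = parse_provider_redirect(redirect_url)
    if not user or not uid:
        return None
    status, _, body = transport(f"{provider_base}/e1cib/oid2op?cmd=check",
                                {"openid.auth.user": user, "openid.auth.uid": uid})
    if status == 200 and body.strip() == "is_valid:true":
        return user
    return None


def build_return_to(return_to, user, uid):
    """What the provider appends to openid.return_to on success; used here
    only to construct sample redirects."""
    sep = "&" if "?" in return_to else "?"
    return return_to + sep + urlencode({"openid.auth.user": user,
                                        "openid.auth.uid": uid})


class FakeCheckEndpoint:
    """Constructed stand-in for cmd=check. It remembers the one-time IDs it
    issued and consumes each on first use, matching the page's one-time ID."""

    def __init__(self):
        self.issued = {}

    def issue(self, user):
        uid = secrets.token_hex(16)
        self.issued[uid] = user
        return uid

    def __call__(self, url, params):
        if not url.endswith("?cmd=check"):
            return 400, {}, ""
        user, uid = params.get("openid.auth.user"), params.get("openid.auth.uid")
        if uid in self.issued and self.issued.pop(uid) == user:
            return 200, {}, "is_valid:true"
        return 400, {}, "is_valid:false"


if __name__ == "__main__":
    endpoint = FakeCheckEndpoint()
    landing = "https://example.com/RPIB/landing"
    url = build_return_to(landing, "alice", endpoint.issue("alice"))
    print(verify_redirect(endpoint, "https://example.com/ProviderIB", url))  # alice
    print(verify_redirect(endpoint, "https://example.com/ProviderIB", url))  # None
```

The check is a server-to-server request from the relying party to the provider, so the transport should be the same kind of HTTPS client used for cmd=auth; a forged redirect that carries no openid.auth.uid, a uid issued for a different user, or a uid that has already been confirmed all end up as None.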

Request to cancel authentication for a relying party

Description:

Cancels authentication when the caller does not know the OpenID provider URL. The command finishes the current session, cancels authentication on the OpenID provider, and restarts the web client; the web client then sends the authentication cancellation request to the OpenID provider.

Syntax:

https://example.com/RPIB/e1cib/oid2op?cmd=logout

Request to cancel authentication for an OpenID provider

Description:

Cancels authentication on the specified OpenID provider.

Syntax:

https://example.com/ProviderIB/e1cib/oid2op?cmd=logout

Parameters:

openid.return_to optional

Contains the target URL that is opened after processing the request.

Return value:

If the openid.return_to parameter is specified, the user is redirected to the specified URL, otherwise an empty response is returned with the HTTP status code equal to 200.
