OneWelcome APIs Overview
Domain/ API: Client Registration
Used to register OAuth and OIDC client applications.
| Operation Description | Logical Endpoint Name [1] | Method | Endpoint Path |
|---|---|---|---|
| Create an OAuth/OIDC client | registration_endpoint | POST | /auth/oauth2.0/v1/connect/register |
| Obtain details for an OAuth/OIDC client | registration_endpoint | GET | /auth/oauth2.0/v1/connect/register |
| Unregister an OAuth/OIDC client | registration_endpoint | DELETE | /auth/oauth2.0/v1/connect/register/{client_id} |
| Proprietary administration endpoint to unregister an OAuth/OIDC client | clients_endpoint | DELETE | /auth/oauth2.0/v1/connect/clients/{client_id} |
Domain/ API: Consent
Manages consents given by users for documents and processing purposes.
| Operation Description | Logical Endpoint Name [1] | Method | Endpoint Path |
|---|---|---|---|
| Retrieve documents | documents_endpoints | GET | /consent/v1/documents |
| View document consent per user | document_consents_endpoint | GET | /consent/v1/document-consents |
| Give document consent per user | document_consents_endpoint | POST | /consent/v1/document-consents |
| Revoke document consent per user | document_consents_endpoint | DELETE | /consent/v1/document-consents |
| Retrieve processing purposes | processing_purposes_endpoint | GET | /consent/v1/processing-purposes |
| View attribute consent per user | attribute_consents_endpoint | GET | /consent/v1/attribute-consents |
| Give attribute consent per user | attribute_consents_endpoint | POST | /consent/v1/attribute-consents |
| Revoke attribute consent per user | attribute_consents_endpoint | DELETE | /consent/v1/attribute-consents |
Domain/ API: Session Management
Controls session servers for an account (except for session creation, which is done via the authentication API, SSO).
| Operation Description | Logical Endpoint Name [1] | Method | Endpoint Path |
|---|---|---|---|
| Terminate session (logout) | terminate_session endpoint | GET | /login/terminate_session |
Domain/ API: OAuth/OIDC
Allows applications to delegate authentication and authorisation to OneWelcome and get SSO (as per the OAuth/OIDC specs).
| Operation Description | Logical Endpoint Name [1] | Method | Endpoint Path |
|---|---|---|---|
| Obtain OAuth authorization/OIDC authentication | authorize_endpoint | GET | /auth/oauth2.0/v1/authorize |
| Obtain OAuth access token | token_endpoint | POST | /auth/oauth2.0/v1/token |
| Device authorization request | device_authorization endpoint | POST | /auth/oauth2.0/v1/device/code |
| Device authorization decision endpoint | device_authorization decision_endpoint | POST | /auth/oauth2.0/v1/device/user |
| Endpoint to determine the active state and meta-information of an OAuth token | introspection_endpoint | POST | /auth/oauth2.0/v1/introspect |
| Endpoint to obtain claims about the authenticated end-user | userinfo_endpoint | GET | /auth/oauth2.0/v1/userinfo |
| Deprecated endpoint to obtain information about an OAuth token and the authenticated End-User | token_info_endpoint | GET | /auth/oauth2.0/v1/token-info |
Domain/ API: Event
Used to access events generated by OneWelcome.
| Operation Description | Logical Endpoint Name [1] | Method | Endpoint Path |
|---|---|---|---|
| Obtain events | events_endpoint | GET | /event-api/v2/events |
| Submit events | events_endpoint | POST | /event-api/v2/events |
Domain/ API: Notification
Notifies external systems of changes in users' consents.
| Operation Description | Logical Endpoint Name [1] | Method | Endpoint Path |
|---|---|---|---|
| Subscribe to notifications for a single resource type | notification_subscription endpoint | POST | /notification/v1/subscriptions |
| Get the details of a subscription | notification_subscription endpoint | GET | /notification/v1/subscriptions/{id} |
| Unsubscribe from notifications | notification_subscription endpoint | DELETE | /notification/v1/subscriptions/{id} |
| Retrieve a set of notifications of a subscription with a subscription_id | notification_endpoint | GET | /notification/v1/subscriptions/{id}/notifications |
Domain/ API: Credential
Manages a user's credentials (e.g. password, email, phone number).
| Operation Description | Logical Endpoint Name [1] | Method | Endpoint Path |
|---|---|---|---|
| Request to make an email address the user's primary email | primary_email request_endpoint | POST | /credential/v1/primary-email-request |
| Endpoint to confirm a user's email address | primary_email confirmation_endpoint | POST | /credential/v1/primary-email-confirmation |
| Unprotected endpoint to confirm a user's email address without authenticating the end user | public_primary email_confirmation_endpoint | POST | /credential/v1/public/primary-email-confirmation |
| Request to make a phone number primary | primary_phone number_request_endpoint | POST | /credential/v1/primary-phone-number-request |
| Change & confirm a user's phone number | primary_phone number_confirmation_endpoint | POST | /credential/v1/primary-phone-number-confirmation |
| Obtain information about the user's password | metadata_endpoint | GET | /credential/v1/users/{user_id}/password/metadata |
| Change password for provided userID | password_endpoint | PUT | /credential/v1/users/{user_id}/password |
Domain/ API: SAML
Allows applications to delegate authentication to OneWelcome and get SSO.
| Operation Description | Logical Endpoint Name [1] | Method | Endpoint Path |
|---|---|---|---|
| Web SSO redirect | sso_httpredirect endpoint | GET | /auth/saml2.0/v1/SSORedirect/metaAlias/<Brand> |
| Web SSO post | sso_httppost endpoint | POST | /auth/saml2.0/v1/SSOPOST/metaAlias/<Brand> |
| Web IDP SLO redirect | slo_httpredirect endpoint | GET | /auth/saml2.0/v1/IDPSloRedirect/metaAlias/<Brand> |
| Web IDP SLO post | slo_httppost endpoint | POST | /auth/saml2.0/v1/IDPSloPOST/metaAlias/<Brand> |
Domain/ API: SCIM
Provisions users to OneWelcome from a source user repository (users can be created as active or inactive).
| Operation Description | Logical Endpoint Name [1] | Method | Endpoint Path |
|---|---|---|---|
| Create a user | SCIM_users endpoint | POST | /scim/Users /scim/v1/Users |
| Full update of a user | SCIM_users endpoint | PUT | /scim/Users/{userId} /scim/v1/Users/{userId} |
| Partial update of a user | SCIM_users endpoint | PATCH | /scim/Users/{userId} /scim/v1/Users/{userId} |
| Retrieve a known user | SCIM_users endpoint | GET | /scim/Users/{userId} /scim/v1/Users/{userId} |
| Query users | SCIM_users endpoint | GET | /scim/Users /scim/v1/Users |
| Delete a user | SCIM_users endpoint | DELETE | /scim/Users/{userId} /scim/v1/Users/{userId} |
| Create a user in employee segment | SCIM_employees endpoint | POST | /employees/scim/v1/Users |
| Full update of a user in employee segment | SCIM_employees endpoint | PUT | /employees/scim/v1/Users/{userId} |
| Partial update of a user in employee segment | SCIM_employees endpoint | PATCH | /employees/scim/v1/Users/{userId} |
| Retrieve a known user in employee segment | SCIM_employees endpoint | GET | /employees/scim/v1/Users/{userId} |
| Query users in employee segment | SCIM_employees endpoint | GET | /employees/scim/v1/Users |
| Delete a user in employee segment | SCIM_employees endpoint | DELETE | /employees/scim/v1/Users/{userId} |
Domain/ API: Reverse Look-Up
Used to look up user(s) at an external look-up service (the URL for this endpoint is configurable in OneWelcome).
| Operation Description | Logical Endpoint Name [1] | Method | Endpoint Path |
|---|---|---|---|
| OneWelcome request to user look-up service | user_look up_endpoint | POST | endpoint not hosted by OneWelcome |
[1] Logical endpoint name as defined for endpoint discovery.
Convention: "xxx_endpoint" indicates that it is a web API.