1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
## IPC-API
Alternatively an application can directly communicate with the oidc-agent through UNIX domain sockets. The socket
address can be obtained from the environment variable which is set by the agent (`OIDC_SOCK`). The request has to be
sent json encoded. We use a UNIX domain socket of type `SOCK_STREAM`.
All Clients should ignore additional fields returned in a response from oidc-agent, if the client does not understand
these fields. Vice versa oidc-agent ignores fields that it does not understand.
The following fields and values have to be present for the different calls:
### Access Token:
#### Request
| field | value | Requirement Level |
|------------------|----------------------------------------|-------------------|
| request | access_token | REQUIRED |
| account | <account_shortname> | REQUIRED if 'issuer' not used |
| issuer | <issuer_url> | REQUIRED if 'account' not used |
| min_valid_period | <min_valid_period> [s] | RECOMMENDED |
| application_hint | <application_name> | RECOMMENDED |
| scope | <space delimited list of scopes> | OPTIONAL |
| audience | <audience for the token> | OPTIONAL |
Note that one of the fields `account` and `issuer` has to be present. Use `account` to request an access token for a
specific account configuration and `issuer` when you do not know which account configuration should be used but you do
know the issuer for which you want to obtain an access token. Do not provide both of these options in the same request.
##### Examples
The application `example_application` requests an access token for the account configuration `iam`. The token should be
valid for at least 60 seconds and have the scopes `openid profile phone` and the audiences `foo` and `bar`.
```
{"request":"access_token", "account":"iam", "min_valid_period":60,
"application_hint":"example_application", "scope":"openid profile phone",
"audience": "foo bar"}
```
The application `example_application` requests an access token for the provider `https://example.com/`. There are no
guarantees that the token will be valid longer than 0 seconds and it will have all scopes that are available for the
used account configuration.
```
{"request":"access_token", "issuer":"https://example.com/", "application_hint":"example_application"}
```
#### Response
| field | value |
|--------------|----------------|
| status | success |
| access_token | <access_token> |
| issuer | <issuer_url> |
| expires_at | <expiration time> |
example:
```
{"status":"success", "access_token":"token1234", "issuer":"https:example.com/",
"expires_at":1541517118}
```
#### Error Response
| field | value |
|--------|---------------------|
| status | failure |
| error | <error_description> |
| info | <help_message> |
The help message in the `info` key is optionally and therefore might be omitted.
example:
```
{"status":"failure", "error":"Account not loaded"}
```
### List of Accounts:
#### Request
| field | value | Requirement Level |
|------------------|----------------------------------------|-------------------|
| request | loaded_accounts | REQUIRED |
##### Examples
```
{"request":"loaded_accounts"}
```
#### Response
| field | value |
|--------------|----------------|
| status | success |
| info | <list of loaded accounts> |
example:
```
{"status":"success", "info":["kit", "google", "iam"]}
```
#### Error Response
| field | value |
|--------|---------------------|
| status | failure |
| error | <error_description> |
example:
```
{"status":"failure", "error":"Internal error"}
```
|
