Integration Guide
Refer to the following chapters for integration:
Granting temporary access to public server for SCP
OAuth 2.0 Clients
OAuth 2.0 Integration
OAuth 2.0 Integration Endpoints, Sample Requests, and Sample Responses
PingFederate: SAML Vs OpenToken
PingFederate and CloudHSM Integration
PingFederate OAuth Vs OpenAM OAuth
PingFederate TimeOut Values
SocialIDM User Instructions
User Profile Integration
Disable Access
1. To disable scp access for the ncr1 user, remove the above line, or change it to:
a. user=ncr1:011:00000:
Connection Information
Name          IP Address
              54.84.22.12
Intranet IP   10.0.0.171
Clients Configured
Following are the clients configured in PingFederate:
Client Id
Component
Pl0QC2Y1fAxX57V5K2uFcarVjDbflN
SocialIDM
pingfederate
PingFederate
axway_rs
AxWay
urn:pingidentity.com:oauth2:grant_type:validate_bearer
lS9qHlAEZwY4pSC4fIucAkzdemcaF8
authorization_code
6BE789472A038F0292AE1BD022434A
urn:pingidentity.com:oauth2:grant_type:validate_bearer
MobileAppV1
authorization_code
W6K5MVJSpEIsiIxmdO7KrtZKZXtgch
Glossary
Resource server (API server): The server that hosts the protected resources, capable of accepting and responding to protected resource requests by using access tokens.
Client/Application: An application that makes protected resource requests on behalf of the end user. The term "client" does not imply any particular implementation characteristics, for example, whether the application executes on a server, a desktop, or other devices.
Authorization server: The server that issues access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
Authorization Code/Authorization Token: The authorization code is obtained by using an authorization server as an intermediary between the client and the end user. It is used to authenticate the client and grant the transmission of the access token. This is the token that the authorization server issues to clients and that can be swapped for an access token. It has a very short lifetime, since the swap must be performed immediately after users provide their authorization.
Access Token: A token required to access the resources protected by OAuth 2.0. The access token has an expiry time and is active for 12 minutes.
Refresh Token: A token that the authorization server issues to clients and that can be swapped for a brand new access token without repeating the authorization process. The refresh token has an expiry time and is active for 30 days.
References
Reference Documentation
OAuth 2.0 Specification: Refer to http://tools.ietf.org/html/rfc6749 for the final version of the specification.
Location (REST client browser extensions):
https://chrome.google.com/webstore/detail/advanced-rest-client/hgmloofddffdnphfgcellkdfbfbjeloo?hl=en-US
https://addons.mozilla.org/en-US/firefox/addon/restclient/
Standards in Solution
OAuth 2.0
OAuth 2.0 is the authorization standard used in this proposed solution. As per the RFC, the OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. In simple terms, OAuth provides an API-based security solution that does not require customers to pass their user name and password on to the resource server.
Integration
Refer to Figure 1, which depicts the integration process.
Registration
All applications that access the Chick-fil-A APIs must be registered. Registration is currently an offline process. The result of this registration process is a client ID and a client secret shared between Chick-fil-A and the integrating application. The set of values issued depends on the type of application that you are building. For example, a JavaScript application does not require a secret, but a web server application does.
Environment-Specific End-Point URLs
Environment   End-point URL
Dev           https://login.dev.crndev.chick-fil-a.com
Stage         https://login.qa.crndev.chick-fil-a.com
Prod          https://login.chick-fil-a.com
Note: Use a dynamic configuration file to access these URLs. The service URLs may change as part of the service upgrade.
End-point            Path                        Description
Authorization code   /as/authorization.oauth2    Used by the OAuth AS to interact directly with the resource owners, authenticate them, and obtain authorization.
Access token         /as/token.oauth2            Used by the client to obtain an access token and possibly a refresh token by presenting its authorization grant/refresh token. This endpoint accepts only the HTTP POST method.
Token Validation     /as/token.oauth2
Token Info           /oauth2/tokeninfo
OAuth Grants
There are four different types of OAuth 2.0 grants (RFC 6749):
1. Authorization code
2. Implicit
3. Resource owner password credentials
4. Client credentials
The OAuth grant used in this solution is the authorization code grant. The scenarios explained below are based on the authorization code grant.
//TODO
//TODO
Name           Value
Header Name    Authorization
Header Value   Example
The authorization code is sent through an HTTP 302 redirect to the redirect URL specified at the beginning: https://<<REDIRECT_URL>>?code=<<oauth_authorization_code>>
The code oauth_authorization_code is reused at the next step to trade it for the access token and refresh token.
The success response also provides the client_id, which refers to the client used to obtain the access token.
In case of error:
HTTP status code: 400
Response body:
Process                           SAML                   OpenToken
Step Up Authentication
Passive Login support             Yes                    No
Security                          Symmetric Encryption
OAuth 2.0 Authentication
Level based support               Yes                    No
Is it countable as a connection   Yes                    No
Programmatic Login
Serial #      Label
156664020     qa-crnidm-mgmt
3. Copy the content of the CloudHSM client's JSP lib directory to $JAVA_HOME/jre/lib/ext if the files libLunaAPI.so and LunaProvider.jar do not already exist there.
4. Make sure that all users have execute permission on the file libLunaAPI.so. If required, run the following command to grant the permission to all users:
chmod o+x $JAVA_HOME/jre/lib/ext/libLunaAPI.so
5. Add the following line to the Java security providers by editing the file $JAVA_HOME/jre/lib/security/java.security:
security.provider.10=com.safenetinc.luna.provider.LunaProvider
6. Go to the directory PF_HOME/server/default/data/ and delete any JKS files present:
cd /apps/pingfederate/pingfederate_latest/pingfederate/server/default/data/
rm -f *.jks
10. Once all the above steps are completed, restart the PingFederate server. Repeat the same for all the nodes present in the cluster. Make sure that all the nodes belong to the same CloudHSM partition.
/oauth2/authorize?realm=/external
Example: (HTTP POST)
https://dev.accounts.chick-fil-a.com/amserver/oauth2/authorize?realm=/external&client_id=MobileAppV1&response_type=code&scope=/sess
<<REDIRECT_URL>>
Access token from authorization code: /oauth2/access_token?realm=/external
Example: (HTTP POST)
https://dev.accounts.chick-fil-a.com/amserver/oauth2/access_token?realm=/external&code=<<authorization_code>>&grant_type=authorizatio
bileAppV1&redirect_uri=<<REDIRECT_URL>>
JSON payload returned from the AS for the authorization code grant type:
{
"expires_in": 719,
"token_type": "Bearer",
"refresh_token": "12af4ae9-7e07-4df3-97d3-779e8c2c8f47",
"access_token": "a26d8690-24e7-4f96-baf2-0921fd997374"
}
Access token from refresh token: /oauth2/access_token?realm=/external
Example: (HTTP POST)
https://dev.accounts.chick-fil-a.com/amserver/oauth2/access_token?realm=/external&grant_type=refresh_token&refresh_token=<<REFRESH
JSON payload returned from the AS when getting an access token in exchange for a refresh token:
{
"scope": "/confirmtxns /giftcard/me /sessionid/me /user/profile",
"expires_in": 719,
"token_type": "Bearer",
"access_token": "b8984cab-b8bd-4622-b15d-f0708b73de3b"
}
Token validation: /oauth2/tokeninfo
Example: HTTP GET
https://dev.accounts.chick-fil-a.com/amserver/oauth2/tokeninfo?access_token=<<Access-Token>>
JSON payload for token validation:
{
"scope": [ "/confirmtxns", "/sessionid/me", "/giftcard/me", "/user/profile" ],
"token_type": "Bearer",
"expires_in": 693,
"uid": "CFAID-BEWT6DAVE8",
"mail": "test.user1@demo.com",
"cn": "Test User1",
"realm": "/external",
"access_token": "08857e6c-69ac-4e5d-957d-e1eb04f78d23"
}
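Client-side handling of the authorization code flow described in the PingFederate section above (parsing the 302 redirect, building the token request, and a scope/expiry check on a tokeninfo payload of the shape shown in the token validation example), as an added Python example that is not part of the integration guide. It assumes the Dev login host and the /as/authorization.oauth2 and /as/token.oauth2 paths from the end-point tables; the redirect URL and token values are constructed placeholders, and the `state` parameter is an RFC 6749 addition that the page's own request does not show.

```python
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Dev end-point and paths from the page's environment and end-point tables.
AS_BASE = "https://login.dev.crndev.chick-fil-a.com"
AUTHORIZE_PATH = "/as/authorization.oauth2"
TOKEN_PATH = "/as/token.oauth2"


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """URL the user agent is sent to for the authorization code grant.
    `state` is not in the page's example; it is the RFC 6749 value that ties the
    redirect back to the browser session that started the flow."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{AS_BASE}{AUTHORIZE_PATH}?{urlencode(params)}"


def parse_callback(redirect_url, expected_state):
    """Pull the code out of the HTTP 302 target (https://<<REDIRECT_URL>>?code=...).
    A redirect whose state does not match the one we issued is rejected before
    the code is ever exchanged."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this session")
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code


def token_request_body(code, client_id, redirect_uri):
    """(URL, form body) for the POST to /as/token.oauth2 that trades the code for tokens."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
    })
    return f"{AS_BASE}{TOKEN_PATH}", body


def normalise_scope(scope):
    """The token endpoint returns scope as a space-separated string and tokeninfo
    as a JSON list (both shapes appear on the page); return a set either way."""
    if isinstance(scope, str):
        return set(scope.split())
    return set(scope or [])


def token_authorises(tokeninfo_json, required_scope, now, received_at):
    """Decide from a tokeninfo response whether the bearer token may be used for
    `required_scope` at time `now`. expires_in is relative, so the caller records
    `received_at`, the time the tokeninfo response arrived."""
    info = json.loads(tokeninfo_json)
    if info.get("token_type", "").lower() != "bearer":
        return False
    if now - received_at >= int(info.get("expires_in", 0)):
        return False
    return required_scope in normalise_scope(info.get("scope"))


# Constructed sample in the shape of the page's tokeninfo payload (values made up).
SAMPLE_TOKENINFO = json.dumps({
    "scope": ["/confirmtxns", "/sessionid/me", "/giftcard/me", "/user/profile"],
    "token_type": "Bearer",
    "expires_in": 693,
    "uid": "CFAID-EXAMPLE",
    "realm": "/external",
    "access_token": "placeholder-access-token",
})

if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("MobileAppV1", "https://app.example/cb", ["/user/profile"], state))
    code = parse_callback(f"https://app.example/cb?code=abc123&state={state}", state)
    print(token_request_body(code, "MobileAppV1", "https://app.example/cb"))
    t0 = time.time()
    print(token_authorises(SAMPLE_TOKENINFO, "/user/profile", t0 + 10, t0))
```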
Name                 Value
Local Login          60 minutes
Remember Me cookie   30 days
                     60 seconds
Access token         12 minutes
Refresh token        30 days
End Points
Environment   URL
Dev           https://my.dev.crndev.chick-fil-a.com
QA            https://my.qa.crndev.chick-fil-a.com
Production    TBD
Target URL
Name                      Dev
Registration              https://my.dev.crndev.chick-fil-a.com/socialidm-web/registration
Profile Management        https://my.dev.crndev.chick-fil-a.com/socialidm-web/profile
Change Password           https://my.dev.crndev.chick-fil-a.com/socialidm-web/profile
Forgot Password           https://my.dev.crndev.chick-fil-a.com/socialidm-web/pwdreset?goto=https://my.dev.crndev.chick-fil-a.com/socialidm-web/profile/me
Deactivate User Account   https://my.dev.crndev.chick-fil-a.com/socialidm-web/profile/deactivate
Note: These user instructions are not standard and will change as features are added to SocialIDM.
The following modules are implemented in SocialIDM:
1. Registration
2. Profile Management
3. Change Password
4. Deactivate User Account
1. Registration
Go to https://my.dev.crndev.chick-fil-a.com/socialidm-web/registration to register and create a user profile. Once the user is registered, you are automatically redirected to the Profile Management page, which shows two tabs, View Profile and Change Password, as shown below.
Click View Profile to view your profile, and click Change Password to change your profile password.
Once you click either tab, you are redirected to the authentication page. Enter your credentials to log on. After a successful logon, you are taken back to the requested SocialIDM page. Now you can update your profile and change your password.
2. Profile Management
On the profile management page, you can view and update your profile, if required.
Go to https://my.dev.crndev.chick-fil-a.com/socialidm-web/profile to access your profile; you are first redirected to the logon page. Enter your credentials to view and update your profile.
3. Change Password
Go to https://my.dev.crndev.chick-fil-a.com/socialidm-web/profile to change your password. You are again redirected to the logon page after accessing the profile management link. Logon takes you back to the Profile Management page, where the Change Password page appears.
Enter the current password, new password, and confirm password in the respective fields. Any mismatch between the New Password and Confirm Password fields prevents the password change.
4. Reset Password
A user can reset the password in two ways:
By using an OTP
By answering the challenge questions
Note: Only registered and active users with a valid email can reset the password.
Go to https://my.dev.crndev.chick-fil-a.com/socialidm-web/pwdreset?goto=https://my.dev.crndev.chick-fil-a.com/socialidm-web/profile/me; the Reset Password page opens as shown below.
1. Enter your registered email address in the Email text box, and click Search.
2. On successful verification of the email address, you are redirected to the Choose Reset Password Mode page. Click By One Time Passcode if you want to reset your password using the OTP, or click By Answering Questions if you want to reset your password by answering the challenge questions.
3. If you click By One Time Passcode, an OTP is sent to your mail address and the following page appears. Enter the one time passcode, the account password, and confirm the password. Click Change Password. You are redirected to the logon page with the message "Password Updated".
Figure: OTP
4. If you click By Answering Questions, the following page appears. Enter the challenge question and answer, the account password, and confirm the password. Click Change Password. You are redirected to the logon page with the message "Password Updated".
You can log on with the reset password on the logon page.
End Points
Environment   URL
Dev           https://profile.api.dev.crndev.chick-fil-a.com
QA            https://profile.api.qa.crndev.chick-fil-a.com
Production    TBD
Usage        Resource                                     Method
Add a user   /users/2.0                                   POST
             /users/2.0/search                            POST
             /users/2.0/{user_id}                         GET
             /users/2.0/{user_id}                         PATCH
             /users/2.0/me                                GET
             /users/2.0/me                                PATCH
             /users/2.0/deactivate/me                     POST
             /users/2.0/deactivate/{user_id}              POST
             /users/<<version>>/sociallink/me             PATCH
             /users/<<version>>/sociallink/{user_id}      PATCH
             /users/<<version>>/socialunlink/me           PATCH
             /users/<<version>>/socialunlink/{user_id}    PATCH
Credential Management
In the phase 1 release, there are two types of credentials stored for a user. The first is the user's password and the other is the password reset challenge questions and answers.
Usage                Resource                                   Method
Change Credentials   /credentials/1.0/{user_id}                 POST
                     /credentials/1.0/me                        POST
                     /credentials/1.0/{user_id}                 GET
                     /credentials/1.0/challengeqa/{user_id}     PATCH
                     /credentials/1.0/challengeqa/{user_id}     POST
                     /credentials/1.0/challengeqa/{user_id}     DELETE
                     /credentials/1.0/otp/{user_id}             GET
Request Payload
Refer to JSON Schema for the payload.
Error Codes
The following error codes and messages are used in the integration process.
General Exception
This section describes the status codes that are shared among all the services.
Status Code   HTTP Code   Error Message                              Comments
000           200         Successful                                 Call is successful.
401           401         Unauthorized
400           400         Unrecognized Request
900           500         Datastore communication error
901           500         Datastore authentication error
902           500         Datastore authorization error              The server is unable to perform the requested operation, because the service account credential does not have sufficient privilege against the datastore.
903           500         System Error
904           500         Authorization Server communication error
905           500
Add User
Status Code   HTTP Code   Error Message            Comments
110           500
111           500
114           500         Malformed Birthdate
115           500         Duplicate Addresses
116           500         Duplicate phoneNumbers
119           500
150           500
190           500         Insufficient privilege   The user does not have sufficient privilege to perform the operation.
199           200
Status Code   HTTP Code   Error Message            Comments
200           500         Invalid CFA-UID
290           500         Insufficient privilege   The user does not have the required privileges to perform the operation.
299           200
Status Code   HTTP Code   Error Message            Comments
600           500         Invalid CFA-UID
610           500
611           500
614           500         Malformed Birthdate
619           500
650           500
690           500         Insufficient privilege   The user does not have the required privileges to perform the operation.
699           200
Status Code   HTTP Code   Error Message            Comments
300           200
302           500         Missing Operand1         Operand1 is missing.
303           500         Invalid Operand1         Invalid Operand1.
304           500         Missing Operand2         Operand2 is missing.
305           500         Invalid Operand1         Invalid Operand1.
306           500         Invalid Operator         Invalid Operator.
390           500         Insufficient privilege   The user does not have the required privileges to perform the operation.
399           200
Status Code   HTTP Code   Error Message            Comments
800           500         Invalid CFA-UID
890           500         Insufficient privilege   The user does not have the required privileges to perform the operation.
Status Code   HTTP Code   Error Message            Comments
900           500         Invalid CFA-UID
901           500         Invalid Identifier
990           500         Insufficient privilege   The user does not have the required privileges to perform the operation.
Change Credentials
Status Code   HTTP Code   Error Message                      Comments
3000          500         Invalid CFA-UID
3001          500                                            The current password in the payload does not match the password in the datastore.
3002          500
3003          500         Invalid challenge QA credentials
3004          500
3005          500
3090          500         Insufficient privilege             The user does not have the required privileges to update the credential.
Status Code   HTTP Code   Error Message            Comments
5000          500         Invalid CFA-UID
5001          200         No credentials set
5090          500         Insufficient privilege   The user does not have the required privileges to perform the operation.
Status Code   HTTP Code   Error Message            Comments
6000          500         Invalid CFA-UID
6090          500         Insufficient privilege   The user does not have the required privileges to perform the operation.
Status Code   HTTP Code   Error Message            Comments
7000          500         Invalid CFA-UID
7001          500                                  The provided answers do not match the answers stored in the datastore.
7090          500         Insufficient privilege   The user does not have the required privileges to perform the operation.
Status Code   HTTP Code   Error Message            Comments
8000          500         Invalid CFA-UID
8001          500
8090          500         Insufficient privilege   The user does not have the required privileges to perform the operation.
Status Code   HTTP Code   Error Message            Comments
9000          500         Invalid CFA-UID
9090          500         Insufficient privilege   The user does not have the required privileges to perform the operation.
API Version=v3
User Management
Usage        Resource                                     Method   Scope
Add a user   /users/<<version>>                           POST     /users
             /users/<<version>>/search                    POST     /users
             /users/<<version>>/{user_id}                 GET      /users
             /users/<<version>>/{user_id}                 PATCH    /users
             /users/<<version>>/{user_id}/groups          GET      /users
             /users/<<version>>/me                        GET      /users/me, /users
             /users/<<version>>/me/groups                 GET      /users/me, /users
             /users/<<version>>/me                        PATCH    /users/me, /users
             /users/<<version>>/deactivate/{user_id}      POST     /users
             /users/<<version>>/deactivate/me             POST     /users/me, /users
             /users/<<version>>/sociallink/me             PATCH    /users/me, /users
             /users/<<version>>/sociallink/{user_id}      PATCH    /users
             /users/<<version>>/socialunlink/me           PATCH    /users/me, /users
             /users/<<version>>/socialunlink/{user_id}    PATCH    /users
Group Management
Usage         Resource                                          Method
Add a group   /groups/<<version>>                               POST
              /groups/<<version>>                               GET
              /groups/<<version>>/{group_id}                    GET
              /groups/<<version>>/{group_id}                    PATCH
              /groups/<<version>>/{group_id}/users              GET
              /groups/<<version>>/{group_id}/users/{user_id}    PUT
              /groups/<<version>>/{group_id}/users/{user_id}    DELETE
              /groups/<<version>>/{group_id}/users/{user_id}    HEAD
Credential Management
In the phase 1 release, there are two types of credentials stored for a user: the user's password and the password reset challenge questions and answers.
Usage                Resource                                      Method   Scope
Change Credentials   /credentials/<<version>>/{user_id}            POST     /credentials
                     /credentials/<<version>>/me                   POST     /credentials/me
                     /credentials/<<version>>/{user_id}            GET      /credentials
                     /credentials/<<version>>/challengeqa          PATCH    /credentials
                     /credentials/<<version>>/challengeqa          POST     /credentials
                     /credentials/<<version>>/challengeqa          DELETE   /credentials
                     /credentials/<<version>>/otp/{user_id}        GET      /credentials
                     /credentials/<<version>>/challengeqa/{lang}   GET      /credentials
Usage        Resource             Method
Add a user   /users/<<version>>   POST
Response
{
"statusCode": "000",
"statusMessage": "success",
"uid": "CFAID-Z3FTVS5CS7FL6309"
}
Resource                       Method
/users/<<version>>/{user_id}   GET
/users/<<version>>/me          GET
Response (identical for both resources)
{
"statusCode": "000",
"statusMessage": "success",
"userProfile":
{
"uid": "CFAID-Z3FTVS5CS7FL6309",
"socialConnections":
[
{
"idp": "google",
"identifier": "sample.user"
},
{
"idp": "facebook",
"identifier": "sample.user"
}
],
"name":
{
"familyName": "Sample",
"givenName": "User",
"displayName": "Sample User"
},
"phoneNumbers":
[
{
"value": "+1 98989898989",
"type": "Mobile"
},
{
"value": "+1 6767676767",
"type": "Home"
}
],
"emails":
[
{
"primary": true,
"value": "sample.user@gmail.com"
},
{
"primary": false,
"value": "sample.user@yahoo.com"
}
],
"systemAttributes": [],
"extendedAttributes":
[
{"termsOfUse": "true"},
{"ageRange": "25-30"}
],
"addresses": []
}
}
Usage           Resource                       Method
Update a user   /users/<<version>>/{user_id}   PATCH
                /users/<<version>>/me          PATCH
Response (identical for both resources)
{
"statusCode": "000",
"statusMessage": "success"
}
Search Users
This section defines the APIs available for searching users.
Usage          Resource                    Method
Search users   /users/<<version>>/search   POST
Logical operators: AND, OR, NOT
Supported operators (operator syntax): EQ, GE, LE, APPROX
Request
POST:/users/2.0/search
{
"logicalOperator":"AND",
"operands":[
{
"operator":"EQ",
"operand1":"givenName",
"operand2":"TK"
},
{
"operator":"EQ",
"operand1":"displayName",
"operand2":"TK*"
}
]
}
Response
{
"statusCode":
[
"000",
"success"
],
"searchResultSize": 12,
"searchResult":
[
{
"uid": "CFAID-TKTesting1",
"socialConnections": [],
"name":
{
"familyName": "CHIN",
"givenName": "TK",
"displayName": "TK Chin"
},
"phoneNumbers": [],
"emails": [],
"systemAttributes": [],
"extendedAttributes": [],
"addresses": []
},
{
"uid": "CFAID-TKTesting2",
......
},
{
"uid": "CFAID-TKTesting3",
......
},
......
]
}
Request
POST:/users/2.0/search
{
"logicalOperator":"OR",
"operands":[
{
"operator":"EQ",
"operand1":"givenName",
"operand2":"TK"
},
{
"operator":"EQ",
"operand1":"email",
"operand2":"than-khar.chin@quberasolutions.com"
}
]
}
Response
{
"statusCode":
[
"000",
"success"
],
"searchResultSize": 2,
"searchResult":
[
{
"uid": "CFAID-TKTesting1",
"socialConnections": [],
"name":
{
"familyName": "CHIN",
"givenName": "TK",
"displayName": "TK Chin"
},
"phoneNumbers": [],
"emails": [],
"systemAttributes": [],
"extendedAttributes": [],
"addresses": []
},
{
"uid": "CFAID-TKTesting2",
......
},
{
"uid": "CFAID-TKTesting3",
......
},
......
]
}
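Server-side validation of the search request body described in this section, mapping failures to the status codes of the search error table, as an added Python example that is not the API's own code. The searchable-attribute allowlist is an assumption built from the page's examples, and the LDAP filter rendering assumes an LDAP-shaped datastore (the Authentication Store attributes later on the page are LDAP-style); how the real API translates a query is not documented here.

```python
LOGICAL_OPERATORS = {"AND", "OR", "NOT"}       # logical operators listed on the page
OPERATORS = {"EQ", "GE", "LE", "APPROX"}       # supported operators listed on the page
# Assumed allowlist: the attributes used in the page's search examples plus uid.
# Anything else is rejected before it reaches the datastore.
SEARCHABLE_ATTRIBUTES = {"uid", "givenName", "familyName", "displayName", "email"}

# Status codes and messages from the page's search error table (each is HTTP 500).
OK = ("000", "success")
MISSING_OPERAND1 = ("302", "Missing Operand1")
INVALID_OPERAND1 = ("303", "Invalid Operand1")
MISSING_OPERAND2 = ("304", "Missing Operand2")
INVALID_OPERATOR = ("306", "Invalid Operator")


def validate_search(body):
    """Return (statusCode, statusMessage) for a parsed search request body."""
    if body.get("logicalOperator") not in LOGICAL_OPERATORS:
        return INVALID_OPERATOR
    operands = body.get("operands")
    if not isinstance(operands, list) or not operands:
        return MISSING_OPERAND1  # assumed: the page gives no code for an empty list
    for op in operands:
        if not isinstance(op, dict) or op.get("operator") not in OPERATORS:
            return INVALID_OPERATOR
        attr = op.get("operand1")
        if not attr:
            return MISSING_OPERAND1
        if attr not in SEARCHABLE_ATTRIBUTES:
            return INVALID_OPERAND1
        value = op.get("operand2")
        if value is None or value == "":
            return MISSING_OPERAND2
    return OK


def escape_ldap_value(value, allow_trailing_wildcard=False):
    """RFC 4515 escaping so that operand2 cannot change the filter structure.
    A single trailing '*' survives only when the caller allows prefix matching
    (the page's "TK*" example); every other special character is hex-escaped."""
    wildcard = allow_trailing_wildcard and value.endswith("*")
    if wildcard:
        value = value[:-1]
    escaped = "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )
    return escaped + ("*" if wildcard else "")


def to_ldap_filter(body):
    """Translate a validated search body into an LDAP filter string.
    NOT is rendered as the negation of the AND of its operands (an assumption;
    the page does not define NOT over several operands)."""
    status = validate_search(body)
    if status != OK:
        raise ValueError(f"{status[0]} {status[1]}")
    symbol = {"EQ": "=", "GE": ">=", "LE": "<=", "APPROX": "~="}
    parts = []
    for op in body["operands"]:
        value = escape_ldap_value(str(op["operand2"]),
                                  allow_trailing_wildcard=(op["operator"] == "EQ"))
        parts.append(f"({op['operand1']}{symbol[op['operator']]}{value})")
    joined = "".join(parts)
    if body["logicalOperator"] == "AND":
        return f"(&{joined})"
    if body["logicalOperator"] == "OR":
        return f"(|{joined})"
    return f"(!(&{joined}))"


# Constructed request body: the page's AND example.
PAGE_EXAMPLE = {
    "logicalOperator": "AND",
    "operands": [
        {"operator": "EQ", "operand1": "givenName", "operand2": "TK"},
        {"operator": "EQ", "operand1": "displayName", "operand2": "TK*"},
    ],
}

if __name__ == "__main__":
    print(validate_search(PAGE_EXAMPLE))
    print(to_ldap_filter(PAGE_EXAMPLE))
```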
Deactivate an account
This section defines the APIs available for deactivating a user.
Resource                                   Method
/users/<<version>>/deactivate/{user_id}    POST
/users/<<version>>/deactivate/me           POST
Response (identical for both resources)
{
"statusCode": "000",
"statusMessage": "success"
}
Link/Unlink Account
Usage                Resource                             Method
Change Credentials   /credentials/<<version>>/{user_id}   POST
Request
POST:/credentials/1.0/{user_id}
{
"type": "Password",
"fields": [{
"fieldName":"password",
"fieldValue":"SecretPassword"
}]
}
Response
{
"statusCode":"000",
"statusMessage":"success"
}
Usage                Resource                             Method
Change credentials   /credentials/<<version>>/{user_id}   POST
                     /credentials/<<version>>/me          POST
Request (identical for both resources)
{
"type": "Password",
"fields": [{
"fieldName":"currentPassword",
"fieldValue":"OldSecretPassword"
},
{
"fieldName":"newPassword",
"fieldValue":"SecretPassword"
}]
}
Response
{
"statusCode":"000",
"statusMessage":"success"
}
Resource
Method
/credentials/<<version>>/{user_id}
GET
Request
GET:/credentials/1.0/{user_id}
Response
[{
"type": "Password",
"fields": [{
"fieldName":"newPassword",
"fieldValue":"xxxxxxxxxx"
}]
}]
Request
GET:/credentials/1.0/{user_id}
Response
[{
"type": "Password",
"fields": [{
"fieldName":"currentPassword",
"fieldValue":"xxxxxxxxxx"
}]
},
{
"type": "Challenge Q&A",
"fields": [{
"fieldName":"01",
"fieldValue":"xxxxxxxxxx"
},
{
"fieldName":"03",
"fieldValue":"xxxxxxxxxx"
}]
}]
Request
GET:/credentials/1.0/{user_id}
Response
[{
"type": "Challenge Q&A",
"fields": [{
"fieldName":"01",
"fieldValue":"xxxxxxxxxx"
},
{
"fieldName":"03",
"fieldValue":"xxxxxxxxxx"
}]
}]
Usage                Resource                                         Method
Change Credentials   /credentials/<<version>>/{user_id}               POST
                     /credentials/<<version>>/me                      POST
                     /credentials/<<version>>/challengeqa/{user_id}   PATCH
                     /credentials/<<version>>/challengeqa/{user_id}   POST
                     /credentials/<<version>>/challengeqa/{user_id}   DELETE
                     /credentials/<<version>>/challengeqa/{lang}      GET
Request
{
"type": "Challenge Q&A",
"fields": [{
"fieldName":"01",
"fieldValue":"My Answer to 01"
},
{
"fieldName":"02",
"fieldValue":"My Answer to 02"
},
{
"fieldName":"newPassword",
"fieldValue":"SecretPassword"
}]
}
Response
{
"statusCode":"000",
"statusMessage":"success"
}
Request
{
"type": "Challenge Q&A",
"fields": [{
"fieldName":"01",
"fieldValue":"My Answer to 01"
},
{
"fieldName":"02",
"fieldValue":"My Answer to 02"
}]
}
Response
{
"statusCode":"000",
"statusMessage":"success"
}
Request
DELETE:/credentials/<<version>>/challengeqa/{user_id}
{
"type": "Challenge Q&A",
"fields": [{
"fieldName":"01"
},
{
"fieldName":"02"
}]
}
Response
{
"statusCode":"000",
"statusMessage":"success"
}
Response
{
"statusCode": "000",
"statusMessage": "success",
"credentials": {
"type": "Challenge Q&A",
"fields": [{
"fieldName":"01",
"fieldValue":"What is your mother's maiden name?"
},
{
"fieldName":"02",
"fieldValue":"Where is your city of birth?"
},
{
"fieldName":"03",
"fieldValue":"What's your favorite food?"
}]
}
}
Usage   Resource                                 Method
        /credentials/<<version>>/otp/{user_id}   GET
{
"type": "OTP",
"fields": [{
"fieldName":"OTP_CODE",
"fieldValue":"123456"
},
{
"fieldName":"newPassword",
"fieldValue":"SecretPassword"
}]
}
Response
{
"statusCode":"000",
"statusMessage":"success"
}
Response
{
"statusCode": "000",
"statusMessage": "success",
"credentials": {
"type": "OTP",
"fields": [{
"fieldName": "OTP_CODE",
"fieldValue": "793458"
}]
}
}
POST:/credentials/1.0/otp/{user_id}
{
"type": "OTP",
"fields": [{
"fieldName":"OTP_Code",
"fieldValue":"123456"
}]
}
Response
{
"statusCode":"000",
"statusMessage":"success"
}
JSON Schema
The following schemas are used for the request and response payloads.
User Profile: UserProfile.json
Credential: Credentials.json
Search Query: SearchQuery.json
Note that these schemas are for single-object payloads only. When a multi-valued object is needed, an array of the above schemas is used.
Go to Sample JSON Payload to look at the sample JSON payloads.
Authentication Store       UserProfile
uid                        uid
name
  givenName                givenName
  cn                       displayName
  sn                       familyName
emails
  primaryEmail             emails.primary = true
  emails                   emails
phoneNumbers
  telephoneNumber          Work
  mobile                   Mobile
  homePhone                Home
addresses
  addresses                addresses.type = Home
socialConnections
  externalUID              idp, identifier
systemAttributes
  regComplete              regComplete
  emailVerified            emailVerified
  nonVerifiedEmail         nonVerifiedEmail
extendedAttributes
  source                   source
  aListCardNumber          aListCardNumber
  aListHomeStore           aListHomeStore
addresses
  billingAddress           addresses.type=Billing
  shippingAddress          addresses.type=Shipping
extendedAttributes
  preferredStoreLocation   preferredStoreLocation
  preferredFood            preferredFood
  preferredBeverage        preferredBeverage
  favoriteRestaurant       favoriteRestaurant
  mobileAppPush            mobileAppPush
  userPreferences          userPreferences
  termsOfUse               termsOfUse
  profileURL               profileURL
  photoURL                 photoURL
  maritalStatus            maritalStatus
  incomeRange              incomeRange
  ageRange                 ageRange
  cfaAgeRangeEffectiveDate cfaAgeRangeEffectiveDate
  birthDate                dateOfBirth
  emailOptIn               emailOptIn
  smsOptIn                 smsOptIn