Your suggested change has been received. Thank you.
Your suggested change has been received. Thank you.
Download OpenAPI specification:Download
Introduction to the Credential API
The Credential API is aimed at managing end users credentials, such as passwords, primary emails, etc. Credentials can be managed by the end user himself (Self Service) or via a 'Server-to-server' (Management / Admin) process.
Versions of the API
The current version of the credential API only manages the primary email addresses, primary phonenumbers and passwords. Subsequent versions will also support social accounts.
Explanations
What is a credential? In the context of identity management, the term credential can be informally defined as 'anything a user has that gives him access to his account'. A more subtle observation is that 'the term credential is used to denote both the thing uniquely possessed by the user and the corresponding information bound to the digital identity' (source: A Taxonomy of User Authentication Methods - Gartner). iWelcome Credential API aims at managing the credential information that is linked to the digital identity. Email addresses (a.k.a. primary emails) can be considered as credential for 2 reasons:
iWelcome calls an email address that is used for these purposes a primary email address. A (primary) phonenumber is a credential since it can be used to send a login-code for 2FA purposes.
The endpoint is protected and allows end users(CIAM or admin) to get the primary email. The regular users must have 'credential:primary-email:get' scope and admin users must have the 'credential:primary-email:admin:get' scope in order to view another user's primary email.
| user_id required | string^[a-zA-Z0-9]{8}-?[a-zA-Z0-9]{4}-?[a-zA-Z0-9]{... |
When this API is called, it triggers the following process:
Multiple calls to this endpoint can be done:
A user's profile can have multiple email addresses:
If the authenticated user has the scope 'credential:primary-email:post', it can create a new primary email request. An admin user can create a new primary email request only if the scope 'credential:primary-email:admin:post' is present.
| user_id required | string^[a-zA-Z0-9]{8}-?[a-zA-Z0-9]{4}-?[a-zA-Z0-9]{... |
| primary_email required | string <= 254 characters ^[a-zA-Z0-9!#$%&'*+-/=?^_`{|}~]+(?:\.[a-zA-Z0... |
| redirect_url | string^((((https?)://))(%[0-9A-Fa-f]{2}|[-()_.!~*';... After the user has successfully confirmed the new email address he will be redirected to this url. The url may indicate some iWelcome page or it may indicate a web page from a 3rd party. Url whitelisting is applied. |
| id_token | string (IDtoken) An ID-token is the primary extension that OpenID Connect makes to OAuth 2.0 to enable End-Users to be Authenticated. It is a security token that contains Claims about the Authentication of an End-User, such as auth_time and acr. Depending on configuration, the credential API may evaluate the values of the auth_time and acr claims. The auth_time claim may be used to check if the user was authenticated at a sufficiently recent moment. The acr claim may be used to check if the user was authenticated sufficiently strong, i.e. with 2FA. The required maximum age and acr value can be configured indepently for each type of credential; primary email, primary phone and password. If reauthentication is needed, a 403 error response is returned. |
API docs by Redocly{- "user_id": "string",
- "primary_email": "string",
- "redirect_url": "string",
- "id_token": "string"
}{- "id": "string",
- "user_id": "string",
- "requested_primary_email": "string",
- "request_datetime": "2019-08-24T14:15:22Z",
- "email_verification_expiration_datetime": "2019-08-24T14:15:22Z",
- "redirect_url": "string"
}When a user's email address needs to be verified, it sends a link to the user's email address. When that link is clicked on, the user needs to login (if not already) before this protected endpoint can be invoked to confirm the email address and make it primary. The provided access token must have the 'credential:primary-email:post' scope. The reason for protecting this endpoint is to make sure that the user that clicks on the confirmation link, is the legitimate user of the account. This may not be in the case in the following scenario's:
iWelcome considers this as a best practice in the context of 'security and privacy by design'. Customers who prefer a more user-friendly process without the need for logging in, can consider using the "/credential/v1/public/primary-email-confirmation" endpoint instead.
The confirmation has the following effects on the attribute value metadata (AVM) of the new email address:
the token and the authenticated user
| token required | string <= 100 characters ^[\p{L}\p{Zs}0-9\.,_'\-]+$ It is a random string which is part of the confirmation email. The confirmation email is sent when the API which triggers a primary email request is called. The result of calling that API would be an email sent to the user, containing a link on which the user must click in order to confirm the primary email, and that link contains the token. |
{- "token": "string"
}{- "user_id": "string",
- "primary_email": "string",
- "previous_primary_email": "string",
- "redirect_url": "string"
}Customers need to request iWelcome to expose this endpoint, which by default is not the case, since usage does not follow the principle of 'security by design'. The benefit of this endpoint above the protected version is that the end-user will get a better user-experience since he doesn't have to login when confirming the new e-mail address.
This endpoint is the same as the /credential/v1/primary-email-request endpoint, but without the need for the end-user to authenticate himself. As a consequence, a 401 response is not applicable.
the token and the authenticated user
| token required | string <= 100 characters ^[\p{L}\p{Zs}0-9\.,_'\-]+$ It is a random string which is part of the confirmation email. The confirmation email is sent when the API which triggers a primary email request is called. The result of calling that API would be an email sent to the user, containing a link on which the user must click in order to confirm the primary email, and that link contains the token. |
{- "token": "string"
}{- "user_id": "string",
- "primary_email": "string",
- "previous_primary_email": "string",
- "redirect_url": "string"
}The endpoint is protected and allows end users(CIAM or admin) to get the current primary phone number. The regular users must have 'credential:primary-phonenumber:get' scope and admin users must have the 'credential:primary-phonenumber:admin:get' scope in order to view another user's primary phone number.
| user_id required | string^[a-zA-Z0-9]{8}-?[a-zA-Z0-9]{4}-?[a-zA-Z0-9]{... |
When this API is called, it triggers the following process:
Multiple calls to this endpoint can be done:
A user's profile can have multiple phone numbers:
If the authenticated user has the scope 'credential:primary-phonenumber:post', it can create a new primary phone number request. An admin user can create a new primary phone number request only if the scope 'credential:primary-phonenumber:admin:post' is present.
| user_id | string^[a-zA-Z0-9]{8}-?[a-zA-Z0-9]{4}-?[a-zA-Z0-9]{... |
| primary_phone_number required | string <= 30 characters ^(tel:)?((?:\+|00)[1-9]|0)(|\-)(\d)?((\(\d{1,... |
| locale | string <= 5 characters ^[a-zA-Z_-]+$ |
| id_token | string (IDtoken) An ID-token is the primary extension that OpenID Connect makes to OAuth 2.0 to enable End-Users to be Authenticated. It is a security token that contains Claims about the Authentication of an End-User, such as auth_time and acr. Depending on configuration, the credential API may evaluate the values of the auth_time and acr claims. The auth_time claim may be used to check if the user was authenticated at a sufficiently recent moment. The acr claim may be used to check if the user was authenticated sufficiently strong, i.e. with 2FA. The required maximum age and acr value can be configured indepently for each type of credential; primary email, primary phone and password. If reauthentication is needed, a 403 error response is returned. |
| transmission_method | string <= 32 characters ^[\p{L}\p{Zs}0-9\.,_'\-]+$ The channel through which the OTP will be sent to the user in order to confirms its primary phone number. Examples: "sms", "voice", etc. |
{- "user_id": "string",
- "primary_phone_number": "string",
- "locale": "strin",
- "id_token": "string",
- "transmission_method": "string"
}{- "user_id": "string",
- "requested_primary_phone_number": "string",
- "requested_locale": "string",
- "request_datetime": "2019-08-24T14:15:22Z"
}When a user's phone number needs to be verified, it sends a SMS with the OTP token to the user's phone number. When that token is provided to this endpoint along with an access token containing the 'credential:primary-phonenumber:post' scope, the user's phone number will become primary.
The confirmation has the following effects on the attribute value metadata (AVM) of the new phone number:
the token and the authenticated user
| verification_code required | string <= 100 characters ^[\p{L}\p{Zs}0-9\.,_'\-]+$ |
| phone_number required | string <= 30 characters ^(tel:)?((?:\+|00)[1-9]|0)(|\-)(\d)?((\(\d{1,... |
{- "verification_code": "string",
- "phone_number": "string"
}{- "user_id": "string",
- "primary_phone_number": "string",
- "previous_primary_phone_number": "string"
}When this API is called, it triggers the following process:
Multiple calls to this endpoint can be done:
A user's profile can have multiple phone numbers:
If the authenticated user has the scope 'credential:primary-phonenumber:post', it can create a new primary phone number request. The authenticated user id will be used for performing the operation. An admin user can create a new primary phone number request only if the scope 'credential:primary-phonenumber:admin:post' is present. If this scope is present, then the request must contain the user id, otherwise the request will fail with 400 Bad Request, indicating that the user_id is not valid.
| user_id | string^[a-zA-Z0-9]{8}-?[a-zA-Z0-9]{4}-?[a-zA-Z0-9]{... |
| primary_phone_number required | string <= 30 characters ^(tel:)?((?:\+|00)[1-9]|0)(|\-)(\d)?((\(\d{1,... |
| locale | string <= 5 characters ^[a-zA-Z_-]+$ |
| id_token | string (IDtoken) An ID-token is the primary extension that OpenID Connect makes to OAuth 2.0 to enable End-Users to be Authenticated. It is a security token that contains Claims about the Authentication of an End-User, such as auth_time and acr. Depending on configuration, the credential API may evaluate the values of the auth_time and acr claims. The auth_time claim may be used to check if the user was authenticated at a sufficiently recent moment. The acr claim may be used to check if the user was authenticated sufficiently strong, i.e. with 2FA. The required maximum age and acr value can be configured indepently for each type of credential; primary email, primary phone and password. If reauthentication is needed, a 403 error response is returned. |
| transmission_method | string <= 32 characters ^[\p{L}\p{Zs}0-9\.,_'\-]+$ The channel through which the OTP will be sent to the user in order to confirms its primary phone number. Examples: "sms", "voice", etc. |
{- "user_id": "string",
- "primary_phone_number": "string",
- "locale": "strin",
- "id_token": "string",
- "transmission_method": "string"
}{- "user_id": "string",
- "requested_primary_phone_number": "string",
- "requested_locale": "string",
- "request_datetime": "2019-08-24T14:15:22Z"
}When a user's phone number needs to be verified, it sends a SMS with the OTP token to the user's phone number. When the authenticated user is verifying it's own phone number, the scope 'credential:primary-phonenumber::post' is required. If an admin is performing this operation on behalf of the user, the scope 'credential:primary-phonenumber:admin:post' is needed. If this scope is present, then the request must contain the user id, otherwise the request will fail with 400 Bad Request, indicating that the user_id is not valid. Assuming the access token has the correct scope assigned, the user's phone number will become primary.
The confirmation has the following effects on the attribute value metadata (AVM) of the new phone number:
the token and the authenticated user
| verification_code required | string <= 100 characters ^[\p{L}\p{Zs}0-9\.,_'\-]+$ |
| phone_number required | string <= 30 characters ^(tel:)?((?:\+|00)[1-9]|0)(|\-)(\d)?((\(\d{1,... |
| user_id | string^[a-zA-Z0-9]{8}-?[a-zA-Z0-9]{4}-?[a-zA-Z0-9]{... |
{- "verification_code": "string",
- "phone_number": "string",
- "user_id": "string"
}{- "user_id": "string",
- "primary_phone_number": "string",
- "previous_primary_phone_number": "string"
}An endpoint to retrieve profile data from any social provider. The access_token needs to have the scope: 'credential:identity-link:profile:post'.
profile request
| link_id required | string |
| redirect_url | string Represents the redirect url which was used in the request for initiating the identity link request. If this url is different than the one used in the init identity link request, the request will fail. |
| authorization_code required | string^[\p{L}\/p\\{Zs}0-9\.,_'\-%=&]+$ Authorization code as received from the OAuth Identity Provider |
{- "link_id": "string",
- "redirect_url": "string",
- "authorization_code": "string"
}An endpoint to initiate the account linking process before redirecting the user to the (social) identity provider for login. The access_token needs to have one of the following scopes: 'credential:identity-link:post' is needed when the authenticated user is initiating its own identity link and scope 'credential:identity-link:admin:post' is needed when the initiated link is made by an application. This endpoint returns parameter values that must be sent to the OAuth specified /authorize endpoint at the external identity provider):
Social provider name
| identity_provider required | string (OAuthIdentityProviderName) |
| id_token | string (IDtoken) An ID-token is the primary extension that OpenID Connect makes to OAuth 2.0 to enable End-Users to be Authenticated. It is a security token that contains Claims about the Authentication of an End-User, such as auth_time and acr. Depending on configuration, the credential API may evaluate the values of the auth_time and acr claims. The auth_time claim may be used to check if the user was authenticated at a sufficiently recent moment. The acr claim may be used to check if the user was authenticated sufficiently strong, i.e. with 2FA. The required maximum age and acr value can be configured indepently for each type of credential; primary email, primary phone and password. If reauthentication is needed, a 403 error response is returned. |
{- "identity_provider": "string",
- "id_token": "string"
}| user_id | string If this query parameter is provided, the access_token must have scope 'credential:identity-link:admin:get' as authorisation to query other users' identity-links. If the scope 'credential:identity-link:get' is present, the endpoint will return the identity-links for the authenticated user. |
Method used to activate the identity link. Invoking this method changes the status of the identity-link from 'inactive' or 'pending' to 'active'. The access_token needs to have one of the following scopes: 'credential:identity-link:patch' is needed when the authenticated user is activating its own IDP and scope 'credential:identity-link:admin:patch' is needed when the link is activated by an application. In this situation, the user id of the identity link with 'linkId' is set to the one from the payload.
| linkId required | string identifier for the linked account |
the activate identity link request
| user_id | string non-empty ^[\S]+$ |
| idp_user_id | string non-empty ^[\S]+$ |
| id_token | string (IDtoken) An ID-token is the primary extension that OpenID Connect makes to OAuth 2.0 to enable End-Users to be Authenticated. It is a security token that contains Claims about the Authentication of an End-User, such as auth_time and acr. Depending on configuration, the credential API may evaluate the values of the auth_time and acr claims. The auth_time claim may be used to check if the user was authenticated at a sufficiently recent moment. The acr claim may be used to check if the user was authenticated sufficiently strong, i.e. with 2FA. The required maximum age and acr value can be configured indepently for each type of credential; primary email, primary phone and password. If reauthentication is needed, a 403 error response is returned. |
{- "user_id": "string",
- "idp_user_id": "string",
- "id_token": "string"
}Endpoint used to link a (social) identity to the authenticated user. The 'state' parameter that the OAuth identity provider provided in the call-back must be used. The access_token needs to have one of the following scopes: 'credential:identity-link:put' is needed when the authenticated user is linking its own IDP and scope 'credential:identity-link:admin:put' is needed when the link is made by an application. In this situation, the user id of the identity link with 'authorizationCode' is set to the one from the payload.
| id required | string identifier for the linked account |
the Authorization codet
| authorization_code required | string^[\p{L}\/p\\{Zs}0-9\.,_'\-%=&]+$ Authorization code as received from the OAuth Identity Provider |
| id_token | string (IDtoken) An ID-token is the primary extension that OpenID Connect makes to OAuth 2.0 to enable End-Users to be Authenticated. It is a security token that contains Claims about the Authentication of an End-User, such as auth_time and acr. Depending on configuration, the credential API may evaluate the values of the auth_time and acr claims. The auth_time claim may be used to check if the user was authenticated at a sufficiently recent moment. The acr claim may be used to check if the user was authenticated sufficiently strong, i.e. with 2FA. The required maximum age and acr value can be configured indepently for each type of credential; primary email, primary phone and password. If reauthentication is needed, a 403 error response is returned. |
| user_id | string |
{- "authorization_code": "string",
- "id_token": "string",
- "user_id": "string"
}Endpoint used to unlink a (social) account from the authenticated user. The access_token needs to have one of the following scopes 'credential:identity-link:delete' is needed when the authenticated user is deleting its own identity link and to delete a link of somebody else the access_token needs to have scope 'credential:identity-link:admin:delete' as authorisation.
| id required | string identifier for the linked account |
| id_token | string (IDtoken) An ID-token is the primary extension that OpenID Connect makes to OAuth 2.0 to enable End-Users to be Authenticated. It is a security token that contains Claims about the Authentication of an End-User, such as auth_time and acr. Depending on configuration, the credential API may evaluate the values of the auth_time and acr claims. The auth_time claim may be used to check if the user was authenticated at a sufficiently recent moment. The acr claim may be used to check if the user was authenticated sufficiently strong, i.e. with 2FA. The required maximum age and acr value can be configured indepently for each type of credential; primary email, primary phone and password. If reauthentication is needed, a 403 error response is returned. |
{- "id_token": "string"
}This is a protected endpoint and allows end users(CIAM or admin) to set their passwords. Admin users must have the 'credential:password:manager' scope in order to set another user's password.
| Authorization required | string The authorization header must contain 'Bearer |
| userId | string^[a-zA-Z0-9]{8}-?[a-zA-Z0-9]{4}-?[a-zA-Z0-9]{... A string representing the id of the user to set the password for. |
| password | string A string representing the password to assign for the user specified. |
{- "userId": "string",
- "password": "string"
}{- "maxPasswordAge": "P183D",
- "warningInterval": "P14D",
- "minimumLength": 8,
- "minimumLowercaseCharacters": 1,
- "minimumUppercaseCharacters": 1,
- "minimumDecimals": 1,
- "minimumSpecialCharacters": 1,
- "minimumNumberOfCategoriesToBeUsed": 4,
- "forbiddenLeadingChars": "abc",
- "forbiddenTrailingChars": "xyz",
- "accountLockout": {
- "enabled": true,
- "maximumBlockTime": "PT24H",
- "blockingTimePeriod": "PT2M",
- "maxFailedLoginAttempts": 5,
- "multiplyingFactor": 2,
- "supportedModules": "UsernameAndPassword,TwoFASms,TwoFAOptions"
}, - "passwordHistory": {
- "enabled": true,
- "size": 0,
- "period": {
- "size": 0,
- "length": "string"
}, - "algorithm": "string"
}, - "forcePasswordChange": {
- "triggers": [
- {
- "operation": "string",
- "expression": "string"
}
]
}
}Obtain information about the user's password.
| user_id required | string^[a-zA-Z0-9]{8}-?[a-zA-Z0-9]{4}-?[a-zA-Z0-9]{... |
{- "set_date": "2019-08-24T14:15:22Z",
- "password_provided": true,
- "is_expired": true,
- "validity_duration": {
- "days": 0,
- "hours": 0,
- "minutes": 0,
- "seconds": 0
}, - "expiration_date": "2019-08-24T14:15:22Z"
}The Set Password API is a protected endpoint and allows end-users(CIAM) to change their password. For security reasons, the authenticated user needs to provide either one of: * current password * ID-token
| user_id required | string^[a-zA-Z0-9]{8}-?[a-zA-Z0-9]{4}-?[a-zA-Z0-9]{... |
| Authorization required | string The end-user's access_token must be provided as a Bearer token, for example "Bearer 2YotnFZFEjr1zCsicMWpAA". |
| password required | string A string representing the password to assign for the user specified. |
| current_password | string A string representing the user's current password. This is mandatory |
| id_token | string (IDtoken) An ID-token is the primary extension that OpenID Connect makes to OAuth 2.0 to enable End-Users to be Authenticated. It is a security token that contains Claims about the Authentication of an End-User, such as auth_time and acr. Depending on configuration, the credential API may evaluate the values of the auth_time and acr claims. The auth_time claim may be used to check if the user was authenticated at a sufficiently recent moment. The acr claim may be used to check if the user was authenticated sufficiently strong, i.e. with 2FA. The required maximum age and acr value can be configured indepently for each type of credential; primary email, primary phone and password. If reauthentication is needed, a 403 error response is returned. |
{- "password": "string",
- "current_password": "string",
- "id_token": "string"
}{- "set_date": "2019-08-24T14:15:22Z",
- "password_provided": true,
- "is_expired": true,
- "validity_duration": {
- "days": 0,
- "hours": 0,
- "minutes": 0,
- "seconds": 0
}, - "expiration_date": "2019-08-24T14:15:22Z"
}