Skip to content
Islamic Open Finance™

OAuth2 Rail

OAuth2 Rail

Section titled “OAuth2 Rail”

OAuth 2.0 and OpenID Connect implementation.

Overview

Section titled “Overview”

The OAuth2 Rail provides endpoints for OAuth 2.0 authorization flows and OpenID Connect identity services.

Base URL

Section titled “Base URL”
/api/v1/oauth2

Authorization Flows

Section titled “Authorization Flows”

Authorization Code Flow

Section titled “Authorization Code Flow”
  1. Authorize
GET /api/v1/oauth2/authorize

Query Parameters:

ParameterDescription
client_idApplication client ID
redirect_uriCallback URL
response_typecode
scopeRequested scopes
stateCSRF token
code_challengePKCE challenge
code_challenge_methodS256
  1. Token Exchange
POST /api/v1/oauth2/token

Request Body:

{
  "grant_type": "authorization_code",
  "code": "auth_code_here",
  "redirect_uri": "https://app.example.com/callback",
  "client_id": "client_123",
  "client_secret": "secret_xxx",
  "code_verifier": "pkce_verifier"
}

Response:

{
  "access_token": "eyJhbGciOiJSUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "dGhpcyBpcyBhIHJlZnJl...",
  "scope": "openid profile email",
  "id_token": "eyJhbGciOiJSUzI1NiIs..."
}

Client Credentials Flow

Section titled “Client Credentials Flow”
POST /api/v1/oauth2/token

Request Body:

{
  "grant_type": "client_credentials",
  "client_id": "client_123",
  "client_secret": "secret_xxx",
  "scope": "contracts:read contracts:write"
}

Refresh Token

Section titled “Refresh Token”
POST /api/v1/oauth2/token

Request Body:

{
  "grant_type": "refresh_token",
  "refresh_token": "dGhpcyBpcyBhIHJlZnJl...",
  "client_id": "client_123"
}

OpenID Connect

Section titled “OpenID Connect”

UserInfo

Section titled “UserInfo”
GET /api/v1/oauth2/userinfo

Get authenticated user information.

Response:

{
  "sub": "user_123",
  "name": "Ahmad Abdullah",
  "email": "ahmad@example.com",
  "email_verified": true,
  "tenant_id": "tenant_456",
  "roles": ["admin", "compliance_officer"]
}

Discovery

Section titled “Discovery”
GET /.well-known/openid-configuration

OpenID Connect discovery document.

JWKS

Section titled “JWKS”
GET /.well-known/jwks.json

JSON Web Key Set for token verification.

Client Management

Section titled “Client Management”

Register Client

Section titled “Register Client”
POST /api/v1/oauth2/clients

Register a new OAuth client.

Request Body:

{
  "name": "My Application",
  "type": "CONFIDENTIAL",
  "redirectUris": ["https://app.example.com/callback"],
  "allowedScopes": ["openid", "profile", "contracts:read"],
  "grantTypes": ["authorization_code", "refresh_token"]
}

List Clients

Section titled “List Clients”
GET /api/v1/oauth2/clients

List registered OAuth clients.

Update Client

Section titled “Update Client”
PATCH /api/v1/oauth2/clients/:clientId

Update client configuration.

Rotate Secret

Section titled “Rotate Secret”
POST /api/v1/oauth2/clients/:clientId/rotate-secret

Rotate client secret.

Revoke Token

Section titled “Revoke Token”
POST /api/v1/oauth2/revoke

Revoke an access or refresh token.

Scopes

Section titled “Scopes”
ScopeDescription
openidOpenID Connect
profileUser profile
emailEmail address
contracts:readRead contracts
contracts:writeWrite contracts
adminAdministrative access

Grant Types

Section titled “Grant Types”
Grant TypeUse Case
authorization_codeWeb applications
client_credentialsMachine-to-machine
refresh_tokenToken refresh

Events

Section titled “Events”
EventDescription
oauth2.token.issuedToken issued
oauth2.token.revokedToken revoked
oauth2.client.createdClient registered
oauth2.consent.grantedUser consent granted

See Also

Section titled “See Also”
Edit page