Web Authenticator API
Introduction
The Web Authenticator API is the interface between authenticator implementations (server) and their views (user agent/browser) and is based on HTTP and JSON.
HTTP requirements
All API request MUST use HTTP method PUT
.
User agent MUST support/allow cookies.
Message format
WAAPI uses a standardised format for API messages. It's an enveloped JSON format with common headers and custom data.
Name | Description |
---|---|
| |
| Error reason. Only supplied for non successful (failed) messages/responses. |
| Message type. Used for routing, authenticators registers handlers for each message type they support. |
| Reply address |
| Custom message data object. May contain arbitrary data of JSON format. |
| Response message object. If a message is supplied it should be translated and displayed to the end user. If both message and location is supplied, message is first displayed and when confirmed redirection is performed. Commonly used in messages of type |
| Message text or a translation key. |
| Redirect location. If a location is supplied, the view MUST redirect to this location. Always supplied in responses of type |
Protocol
Each authenticator defines it own protocol when is comes to which messages to support and what messages should contain. This is documented on respective authenticator.
Message status
The status of a message represent the result of the operation returning the message.
If the operation succeeded without errors, "success": true
is returned.
If the operation failed, "success": false
is returned.
Each authenticators define what is considered to be a failure and not. If an error is a part of the normal operation (for example invalid user input) it is perfectly valid to return a failure message (i.e. a message with "type": "failure"
) with status "success": true
containing an error message. In this case the message object in data should be used, not the reason header which is only allowed in combination with "success": false
.
Common messages
Cancel
Use this message to cancel the operation(s) of the current authenticator. If successful, authenticator replies with a redirect location to where the view MUST redirect.
Complete
This response message means that the authentication process for the current authenticator is completed and can be . This message always contain a redirect location to where the view MUST redirect.
Requests of type "complete"
are not allowed.
Failure
When a failure occurs a failure response is returned. This message SHOULD contain a message which MUST be displayed to the user. Message MAY contain a location for redirect, which the user agent MUST follow. If both message and location is supplied, message MUST first be displayed and when confirmed, redirect is performed.
Requests of type "failure"
are not allowed.