{
"endpoint": "SsoHandler",
"preferredHttpPath": "l",
"alternateHttpPaths": [
"SsoHandler",
"HttpSso"
],
"summary": "Single sign-on related APIs.",
"description": "This endpoint provides APIs for configuring and using single sign-on (SSO) identity providers (IdPs).\n Currently Google and Apple are supported.\n Two modes of operation are supported:\n 1. The UI redirects the main page or a popup to the appropriate Start*Authentication API, which redirects to the provider\u0027s login page, which is instructed to redirect back to the API\u0027s callback, which interprets and verifies the response, creates the account or logs the user in, and the redirects back to the UI\u0027s configured target with the access token and refresh tokens in the query string. If there is an error in the process, a possibly-different target is called with the error code and message in the query string. The Server never actually renders any UI in this scenario, but it does take control of the browser.\n 2. The UI controls the process, turning control over to the provider and receiving a JWT back from the provider. The UI then POSTs the JWT to the Continue*Authentication API, which verifies the JWT, creates the account or logs the user in, and returns access and refresh tokens in the response.\n Information needed to contact the provider can be obtained by the UI using the Get*AuthenticationConfig APIs.\n System administrators can update that configuration, as well as the associated secrets using the Update*AuthenticationConfig APIs.",
"apis": [
{
"name": "IntermediateGoogleAuthentication",
"httpMethod": "GET",
"httpPathRegex": "^/sso/google/callback",
"subPathPattern": "/sso/google/callback",
"summary": "Receives the Google Ouath credentials from Google. This is usually an intermediate callback that doesn't need to be called by the frontend when using the standard setup.",
"parameters": [
{
"name": "code",
"required": false,
"type": "String",
"description": "The authorization code received from Google after successful OAuth authentication."
},
{
"name": "state",
"required": false,
"type": "String",
"description": "The state passed through the OAuth process. Defaults to all empty state."
},
{
"name": "setTosRead",
"required": false,
"type": "Boolean",
"description": "Whether or not to mark the terms of service as having been read/agreed to (which can also happen if it was previously set into ). Defaults to false."
}
],
"return": {
"type": "RedirectResponse",
"description": "A containing the response"
}
},
{
"name": "IntermediateGoogleAuthentication",
"httpMethod": "POST",
"httpPathRegex": "^/sso/google/callback",
"subPathPattern": "/sso/google/callback",
"summary": "Receives the Google Ouath credentials from Google. This is usually an intermediate callback that doesn't need to be called by the frontend when using the standard setup.",
"parameters": [
{
"name": "code",
"required": false,
"type": "String",
"description": "The authorization code received from Google after successful OAuth authentication."
},
{
"name": "state",
"required": false,
"type": "String",
"description": "The state passed through the OAuth process. Defaults to all empty state."
},
{
"name": "setTosRead",
"required": false,
"type": "Boolean",
"description": "Whether or not to mark the terms of service as having been read/agreed to (which can also happen if it was previously set into ). Defaults to false."
}
],
"return": {
"type": "RedirectResponse",
"description": "A containing the response"
}
},
{
"name": "IntermediateAppleAuthentication",
"httpMethod": "GET",
"httpPathRegex": "^/sso/apple/callback",
"subPathPattern": "/sso/apple/callback",
"summary": "Receives the Apple Ouath credentials from Apple. This is usually an intermediate callback that doesn't need to be called by the frontend when using the standard setup.",
"parameters": [
{
"name": "code",
"required": false,
"type": "String",
"description": "The authorization code received from Apple after successful OAuth authentication."
},
{
"name": "state",
"required": false,
"type": "String",
"description": "The state passed through the OAuth process. Defaults to all empty state."
},
{
"name": "setTosRead",
"required": false,
"type": "Boolean",
"description": "Whether or not to mark the terms of service as having been read/agreed to (which can also happen if it was previously set into ). Defaults to false."
}
],
"return": {
"type": "RedirectResponse",
"description": "A containing the response"
}
},
{
"name": "IntermediateAppleAuthentication",
"httpMethod": "POST",
"httpPathRegex": "^/sso/apple/callback",
"subPathPattern": "/sso/apple/callback",
"summary": "Receives the Apple Ouath credentials from Apple. This is usually an intermediate callback that doesn't need to be called by the frontend when using the standard setup.",
"parameters": [
{
"name": "code",
"required": false,
"type": "String",
"description": "The authorization code received from Apple after successful OAuth authentication."
},
{
"name": "state",
"required": false,
"type": "String",
"description": "The state passed through the OAuth process. Defaults to all empty state."
},
{
"name": "setTosRead",
"required": false,
"type": "Boolean",
"description": "Whether or not to mark the terms of service as having been read/agreed to (which can also happen if it was previously set into ). Defaults to false."
}
],
"return": {
"type": "RedirectResponse",
"description": "A containing the response"
}
},
{
"name": "ContinueGoogleAuthentication",
"httpMethod": "POST",
"httpPathRegex": "^/sso/google/jwt",
"subPathPattern": "/sso/google/jwt",
"summary": "Processes a JWT token received from Google, using that to complete the Google login process.",
"parameters": [
{
"name": "jwtToken",
"required": true,
"type": "String",
"description": "A JWT token received from Google, but not through the normal web UI flow (ie. possibly from the OS in an app)."
},
{
"name": "allowAccountCreation",
"required": false,
"type": "Boolean",
"description": "Whether or not to allow account creation if the Google user doesn't already have an account. Defaults to true."
},
{
"name": "audience",
"required": false,
"type": "String?",
"description": "The audience the calling application, as configured in the Google developer console. Defaults to the configured Client ID."
},
{
"name": "setTosRead",
"required": false,
"type": "Boolean",
"description": "Whether or not to mark the terms of service as having been read/agreed to. Defaults to false."
}
],
"return": {
"type": "ContinueGoogleAuthenticationResponse",
"description": "A containing the response"
}
},
{
"name": "UpdateGoogleAuthenticationConfig",
"httpMethod": "PUT",
"httpPathRegex": "^/config/google",
"subPathPattern": "/config/google",
"summary": "Updates the Google OAuth configuration.",
"parameters": [
{
"name": "config",
"required": true,
"type": "GoogleAuthConfig",
"description": "The to store."
},
{
"name": "configName",
"required": false,
"type": "String?",
"description": "The optional name of the SSO configuration to use for accessing the Google OAuth configuration and secrets. Defaults to the standard Google OAuth configuration."
}
],
"return": {
"type": "UpdateGoogleAuthenticationConfigResponse",
"description": "A containing the response"
}
},
{
"name": "GetGoogleAuthenticationConfig",
"httpMethod": "GET",
"httpPathRegex": "^/config/google",
"subPathPattern": "/config/google",
"summary": "Gets the Google OAuth configuration needed by the client.\n When is false, the client should not display Google authentication.",
"parameters": [
{
"name": "configName",
"required": false,
"type": "String?",
"description": "The optional name of the SSO configuration to use for accessing the Google OAuth configuration and secrets. Defaults to the standard Google OAuth configuration."
}
],
"return": {
"type": "GetGoogleAuthenticationConfigResponse",
"description": "A containing the response"
}
},
{
"name": "ContinueAppleAuthentication",
"httpMethod": "POST",
"httpPathRegex": "^/sso/apple/jwt",
"subPathPattern": "/sso/apple/jwt",
"summary": "Processes a JWT token received from Apple, using that to complete the Apple login process.",
"parameters": [
{
"name": "jwtToken",
"required": true,
"type": "String",
"description": "A JWT token received from Apple, but not through the normal web UI flow (ie. possibly from the OS in an app)."
},
{
"name": "allowAccountCreation",
"required": false,
"type": "Boolean",
"description": "Whether or not to allow account creation if the Apple user doesn't already have an account. Defaults to true."
},
{
"name": "audience",
"required": false,
"type": "String?",
"description": "The audience the calling application, as configured in the Apple developer console. Defaults to the configured Service ID."
},
{
"name": "setTosRead",
"required": false,
"type": "Boolean",
"description": "Whether or not to mark the terms of service as having been read/agreed to. Defaults to false."
}
],
"return": {
"type": "ContinueAppleAuthenticationResponse",
"description": "A containing the response"
}
},
{
"name": "UpdateAppleAuthenticationConfig",
"httpMethod": "PUT",
"httpPathRegex": "^/config/apple",
"subPathPattern": "/config/apple",
"summary": "Updates the Apple OAuth configuration.",
"parameters": [
{
"name": "config",
"required": true,
"type": "AppleAuthConfig",
"description": "The to store."
},
{
"name": "configName",
"required": false,
"type": "String?",
"description": "The optional name of the SSO configuration to use for accessing the Apple OAuth configuration and secrets. Defaults to the standard Apple OAuth configuration."
}
],
"return": {
"type": "UpdateAppleAuthenticationConfigResponse",
"description": "A containing the response"
}
},
{
"name": "GetAppleAuthenticationConfig",
"httpMethod": "GET",
"httpPathRegex": "^/config/apple",
"subPathPattern": "/config/apple",
"summary": "Gets the Apple OAuth configuration needed by the client.\n When is false, the client should not display Apple authentication.",
"parameters": [
{
"name": "configName",
"required": false,
"type": "String?",
"description": "The optional name of the SSO configuration to use for accessing the Apple OAuth configuration and secrets. Defaults to the standard Apple OAuth configuration."
}
],
"return": {
"type": "GetAppleAuthenticationConfigResponse",
"description": "A containing the response"
}
},
{
"name": "StartGoogleAuthentication",
"httpMethod": "GET",
"httpPathRegex": "^/sso/google",
"subPathPattern": "/sso/google",
"summary": "Kicks off a Google OAuth login by redirecting to the Google OAuth login page. \n When the login is complete, the browser will be redirected back to the corresponding to ,\n with the parameters \"access\", \"refresh\", \"type\", and \"expires\" appended to the query string.\n If there is an error during the authentication process, the browser will be redirected back to the corresponding to the \"Error:\" prefixed if it exists, or the non-prefixed (success) endpoint if it does not exist.\n Error conditions (to either endpoint) will have the parameters \"error\" and \"message\" appended to the query string.",
"parameters": [
{
"name": "configName",
"required": false,
"type": "String?",
"description": "The optional name of the SSO configuration to use for accessing the Google OAuth configuration and secrets. Defaults to the standard Google OAuth configuration."
},
{
"name": "responseUriId",
"required": false,
"type": "String",
"description": "The endpoint ID of the respsonse (callback) URL as specified in the Google SSO configuration. Defaults to empty string."
},
{
"name": "setTosRead",
"required": false,
"type": "Boolean",
"description": "Whether or not to mark the terms of service as having been read/agreed to. Defaults to false."
}
],
"return": {
"type": "RedirectResponse",
"description": "A containing the response"
}
},
{
"name": "StartAppleAuthentication",
"httpMethod": "GET",
"httpPathRegex": "^/sso/apple",
"subPathPattern": "/sso/apple",
"summary": "Kicks off a Apple OAuth login by redirecting to the Apple OAuth login page. \n When the login is complete, the browser will be redirected back to the corresponding to ,\n with the parameters \"access\", \"refresh\", \"type\", and \"expires\" appended to the query string.\n If there is an error during the authentication process, the browser will be redirected back to the corresponding to the \"Error:\" prefixed if it exists, or the non-prefixed (success) endpoint if it does not exist.\n Error conditions (to either endpoint) will have the parameters \"error\" and \"message\" appended to the query string.",
"parameters": [
{
"name": "configName",
"required": false,
"type": "String?",
"description": "The optional name of the SSO configuration to use for accessing the Apple OAuth configuration and secrets. Defaults to the standard Apple OAuth configuration."
},
{
"name": "responseUriId",
"required": false,
"type": "String",
"description": "The endpoint ID of the respsonse (callback) URL as specified in the Apple SSO configuration. Defaults to empty string."
},
{
"name": "setTosRead",
"required": false,
"type": "Boolean",
"description": "Whether or not to mark the terms of service as having been read/agreed to. Defaults to false."
}
],
"return": {
"type": "RedirectResponse",
"description": "A containing the response"
}
}
],
"types": [
{
"name": "RedirectResponse",
"summary": "A special response type to use for an API that causes the framework code to respond with an HTTP redirect. \n This type and the properties within it are never actually returned to callers.\n The caller will recieve a standard HTTP redirect response with a 30? redirect code and a \"Location\" header containing the location this API has redirected you to.\n May also be thrown internally for conditional redirection.",
"type": "proxy",
"representedBy": "HttpRedirect"
},
{
"name": "HttpRedirect",
"summary": "An HTTP response containing a redirect HTTP status response code and a \"Location\" header with a new location for the resource.",
"type": "composite",
"members": [
{
"name": "location",
"type": "Uri",
"summary": "The new location."
}
]
},
{
"name": "ContinueGoogleAuthenticationResponse",
"summary": "A record containing the response from .",
"type": "composite",
"members": [
{
"name": "successfulAuthentication",
"type": "AuthenticationComplete?",
"summary": "A object with information related to a successful authentication."
},
{
"name": "moreAuthenticationRequired",
"type": "MoreAuthenticationRequired?",
"summary": "A object with information indicating that more steps are needed to complete authentication."
}
]
},
{
"name": "MoreAuthenticationRequired",
"summary": "A record whose presence indicates that the user will need to do something else to continue with authentication.\n Each type contains a ContinueWith*** typed token that should be round-tripped through to a ContinueWith*** API along with the additional information that is specific to the type of extra information needed (new password, MFA code, etc.).",
"type": "composite",
"members": [
{
"name": "newPasswordRequired",
"type": "CollectNewPassword?",
"summary": "A containing information needed to set a new password."
},
{
"name": "continueWithMfa",
"type": "ContinueWithMfa?",
"summary": "A containing information needed to finish authenticating with multi-factor authentication."
},
{
"name": "continueWithSigningChallenge",
"type": "ContinueWithSigningChallenge?",
"summary": "A containing information needed to finish authenticating using certificate signing."
}
]
},
{
"name": "ContinueWithSigningChallenge",
"summary": "A record containing data needed to complete login with multi-factor authentication, using either email or an authenticator app.",
"type": "composite",
"members": [
{
"name": "nonce",
"type": "String",
"summary": "A random one-time use string that the caller must sign with the certificate and return in an authentication continuation API call."
}
]
},
{
"name": "ContinueWithMfa",
"summary": "A record containing data needed to complete login with multi-factor authentication, using either email or an authenticator app.",
"type": "composite",
"members": [
{
"name": "token",
"type": "SignedSecurityToken",
"summary": "A that contains the signed MFA security token."
}
]
},
{
"name": "SignedSecurityToken",
"summary": "A struct that holds a PicMe collection sharing authorization code.",
"type": "proxy",
"representedBy": "String"
},
{
"name": "CollectNewPassword",
"summary": "A record containing data needed to set a new password.",
"type": "composite",
"members": [
{
"name": "token",
"type": "NewPasswordChallengeToken",
"summary": "A that can be used to set a new password."
}
]
},
{
"name": "NewPasswordChallengeToken",
"summary": "A struct that holds a password challenge token.",
"type": "proxy",
"representedBy": "String"
},
{
"name": "AuthenticationComplete",
"summary": "A record containing the response to a request to authenticate or refresh authentication.",
"type": "composite",
"members": [
{
"name": "authenticated",
"type": "UserAuthenticated",
"summary": "A object containing authentication information."
},
{
"name": "authenticatedUser",
"type": "UserData",
"summary": " for the authenticated user."
}
]
},
{
"name": "UserData",
"summary": "A record containing a selective copy of information about a user.",
"type": "composite",
"members": [
{
"name": "userId",
"type": "UserId",
"summary": "The user's , which uniquely identifies this user account."
},
{
"name": "userGlobalId",
"type": "RecordGlobalId",
"summary": "A that can be used to generically identify the user record."
},
{
"name": "email",
"type": "String",
"summary": "A possibly-empty email address for the user."
},
{
"name": "name",
"type": "String",
"summary": "A possibly-empty name (firstname/lastname) for the user."
},
{
"name": "phoneNumber",
"type": "String",
"summary": "A possibly-empty phone number for the user."
},
{
"name": "emailVerified",
"type": "Boolean",
"summary": "Whether or not the email address has been verified."
},
{
"name": "phoneNumberVerified",
"type": "Boolean",
"summary": "Whether or not the phone number has been verified."
},
{
"name": "termsOfServiceRead",
"type": "Boolean",
"summary": "Whether or not the terms of service have been read and agreed to."
},
{
"name": "isRegistered",
"type": "Boolean",
"summary": "Whether or not the user is \"registered\"."
},
{
"name": "externalIds",
"type": "ExternalEntityIdentifier[]?",
"summary": "An optional array of identifying this user account in external systems."
}
]
},
{
"name": "ExternalEntityIdentifier",
"summary": "A record that contains an external system identifier and an identifier for a specific item in that system.",
"type": "composite",
"members": [
{
"name": "externalSystemId",
"type": "String",
"summary": "A string that uniquely identifies an external system, often a reverse domain name like 'com.facebook' or 'com.venmo'."
},
{
"name": "externalItemId",
"type": "String",
"summary": "A string that uniquely identifies an item in that external system."
}
]
},
{
"name": "RecordGlobalId",
"summary": "A structured replacement for that contains the same data, a type-qualified and parent-qualified global identifier for a database record.\n Records may be children of other records, and this identifier contains the path to the parent in addition to the path to the child record.\n An example of a record that is a child of another record is an upload within a collection.",
"type": "proxy",
"representedBy": "String"
},
{
"name": "UserId",
"summary": "A struct that holds a user identifier.",
"type": "proxy",
"representedBy": "String"
},
{
"name": "UserAuthenticated",
"summary": "A record containing authentication information.",
"type": "composite",
"members": [
{
"name": "accessToken",
"type": "SignedSecurityToken",
"summary": "The temporary access token."
},
{
"name": "tokenType",
"type": "String",
"summary": "The token type. Currently always \"Bearer\"."
},
{
"name": "refreshToken",
"type": "SignedSecurityToken",
"summary": "The more long-term refresh token. For guest accounts, there is no account password, so this is a permanent token stored in the app, or in the browser data."
},
{
"name": "expiresInSeconds",
"type": "Int32",
"summary": "The number of seconds that will last before needing to be refreshed."
},
{
"name": "serverTime",
"type": "DateTime",
"summary": "The server time in case there is a discrepancy with the client."
}
]
},
{
"name": "GoogleAuthConfig",
"summary": "A record containing Google-specific authentication configuration.",
"type": "composite",
"members": [
{
"name": "googleLoginEndpoint",
"type": "String?",
"summary": "The Google login endpoint URL."
},
{
"name": "googleTokenExchangeEndpoint",
"type": "String?",
"summary": "The URL to exchange a Google authentication code for a JWT."
},
{
"name": "googleJwtValidationEndpoint",
"type": "String?",
"summary": "The URL used to validate the Google JWT."
},
{
"name": "googleClientId",
"type": "String",
"summary": "The Google Client ID."
},
{
"name": "googleClientSecret",
"type": "String",
"summary": "The Google Client Secret."
},
{
"name": "googleProjectId",
"type": "String?",
"summary": "The Google Project ID."
},
{
"name": "endpoints",
"type": "SsoAuthCallbackEndpoint[]",
"summary": "The array of s to use for callback endpoints."
}
]
},
{
"name": "SsoAuthCallbackEndpoint",
"summary": "A record containing an auth callback endpoint and the corresonding redirect URL.",
"type": "composite",
"members": [
{
"name": "endpointId",
"type": "String",
"summary": "A string that uniquely identifies this endpoint. The empty string endpoint is the default. Endpoints should come in pairs with an \"Error:\" prefix for the corresponding error endpoint (\"Error:\" by itself is the default error endpoint)."
},
{
"name": "endpointUri",
"type": "String",
"summary": "The URI to redirect to when this endpoint's name is specified at the start of the SSO login process. The URI may contain {access}, {refresh}, {code}, {message}, {type}, {expires}, and/or {requestErrorId} either in the path or query string to indicate where it is desired."
}
]
},
{
"name": "UpdateGoogleAuthenticationConfigResponse",
"summary": "A record containing the response to a request to set the Google authentication configuration."
},
{
"name": "GetGoogleAuthenticationConfigResponse",
"summary": "A record containing the response to a request to get the Google authentication configuration.",
"type": "composite",
"members": [
{
"name": "available",
"type": "Boolean",
"summary": "Whether Google SSO is configured and enabled for this request."
},
{
"name": "googleClientId",
"type": "String?",
"summary": "The Google Client ID the client should use for Google OuAth SSO, or null when is false."
},
{
"name": "endpoints",
"type": "SsoAuthCallbackEndpoint[]?",
"summary": "The named s that should be redirected to on completion, or null when is false."
}
]
},
{
"name": "ContinueAppleAuthenticationResponse",
"summary": "A record containing the response from .",
"type": "composite",
"members": [
{
"name": "successfulAuthentication",
"type": "AuthenticationComplete?",
"summary": "A object with information related to a successful authentication."
},
{
"name": "moreAuthenticationRequired",
"type": "MoreAuthenticationRequired?",
"summary": "A object with information indicating that more steps are needed to complete authentication."
}
]
},
{
"name": "AppleAuthConfig",
"summary": "A record containing Apple-specific authentication configuration.",
"type": "composite",
"members": [
{
"name": "appleLoginEndpoint",
"type": "String?",
"summary": "The Apple login endpoint."
},
{
"name": "appleTokenExchangeEndpoint",
"type": "String?",
"summary": "The Apple code exchange endpoint."
},
{
"name": "appleJwtValidationEndpoint",
"type": "String?",
"summary": "The Apple JWT validation endpoint."
},
{
"name": "appleServiceId",
"type": "String",
"summary": "The Apple service ID."
},
{
"name": "appleTeamId",
"type": "String",
"summary": "The Apple team ID."
},
{
"name": "appleKeyId",
"type": "String",
"summary": "The Apple key ID."
},
{
"name": "appleKey",
"type": "String",
"summary": "The Apple key."
},
{
"name": "endpoints",
"type": "SsoAuthCallbackEndpoint[]",
"summary": "The list of s to use for Apple SSO."
}
]
},
{
"name": "UpdateAppleAuthenticationConfigResponse",
"summary": "A record containing the response to a request to set the Apple authentication configuration."
},
{
"name": "GetAppleAuthenticationConfigResponse",
"summary": "A record containing the response to a request to get the Apple authentication configuration.",
"type": "composite",
"members": [
{
"name": "available",
"type": "Boolean",
"summary": "Whether Apple web SSO is configured, enabled, and supported for this request."
},
{
"name": "appleServiceId",
"type": "String?",
"summary": "The Apple Service ID the client should use for Apple OAth SSO, or null when is false."
},
{
"name": "endpoints",
"type": "SsoAuthCallbackEndpoint[]?",
"summary": "The named s that should be redirected to on completion, or null when is false."
}
]
}
]
}