Second Factor Only
Bas Zoetekouw edited this page Sep 1, 2021
If a user must present a second factor, the eduTeams proxy redirects the user to the following SBS endpoint:

`https://sbs.sram.surf.nl/api/mfa/sfo?access_token=<base64 encoded signed JWT>`
The query parameter `access_token` is a signed JWT with the following claims:

```json
{
  "sub": "<user_identifier>@sram.eduteams.org",
  "auth_time": 1624262681,
  "nonce": "e0127b79-d793-46cc-87ac-816c12ac56f4",
  "iss": "https://proxy.acc.sram.eduteams.org",
  "iat": 1624262681,
  "exp": 1624262981,
  "aud": ["<SRAM client_id>"]
}
```
The `access_token` is signed with a private key of the proxy; the matching public keys are published as a JWK Set at https://proxy.acc.sram.eduteams.org/OIDC/jwks. Note that currently only RS256 signatures are supported, so SBS has to reject a token whose header names any other algorithm (including `none`), pick the verification key from that JWK Set by `kid`, and, besides checking the signature, check that `iss` is the proxy, that `aud` contains the SRAM client_id and that the current time lies between `iat` and `exp`.

After validating the `access_token`, the SBS server redirects to the SBS UI, where the user registers or verifies the second factor. After successful verification the user is redirected to a configured endpoint in the eduTeams domain:

`https://proxy.acc.sram.eduteams.org/OIDC/sfo?id_token=<base64 encoded signed JWT>`
The query parameter `id_token` is a signed JWT with the following claims:

```json
{
  "sub": "<user_identifier>@sram.eduteams.org",
  "auth_time": 1624262681,
  "acr": ["https://refeds.org/profile/mfa"],
  "nonce": "e0127b79-d793-46cc-87ac-816c12ac56f4",
  "iss": "<SRAM client_id>",
  "iat": 1624262681,
  "exp": 1624262981,
  "aud": ["https://proxy.acc.sram.eduteams.org"]
}
```
The `id_token` is signed with a private key of SBS; the matching public keys are published at https://sbs.sram.surf.nl/api/mfa/jwks. The proxy verifies it the same way (RS256 only, key by `kid`, `iss`, `aud`, validity window) and in addition matches the `nonce` against the one it put in the `access_token`, so that the response can only answer that request, and requires `acr` to contain `https://refeds.org/profile/mfa` before treating the user as having completed a second factor.
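Both legs of the exchange above, written out as an added example in Python (the language SBS itself is written in). This is not SBS or eduTeams code: both parties run in one process with freshly generated RSA keys, the two JWK Sets are built in memory instead of being fetched from the `/jwks` URLs, `sram-client-id` stands in for the real `<SRAM client_id>`, and the user identifier is constructed. It needs the `cryptography` package.

```python
"""Added example, not SBS/eduTeams code: the second-factor-only exchange end to end.

Keys, JWK Sets, client_id and user are all constructed locally (assumptions);
the claim layout and endpoints follow the wiki page. Needs `cryptography`.
"""
import base64
import json
import time
import uuid
from urllib.parse import parse_qs, quote, urlparse
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

PROXY_ISS = "https://proxy.acc.sram.eduteams.org"
SBS_SFO_ENDPOINT = "https://sbs.sram.surf.nl/api/mfa/sfo"
SRAM_CLIENT_ID = "sram-client-id"  # assumed placeholder for <SRAM client_id>
MFA_ACR = "https://refeds.org/profile/mfa"
TOKEN_LIFETIME = 300  # the page's example tokens have exp - iat = 300 s


def new_key() -> rsa.RSAPrivateKey:
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwks(kid: str, key: rsa.RSAPrivateKey) -> dict:
    """Publish the public half of `key` as a one-entry JWK Set (what /jwks would serve)."""
    nums = key.public_key().public_numbers()
    uint = lambda n: b64url(n.to_bytes((n.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": uint(nums.n), "e": uint(nums.e)}]}


def sign_jwt(claims: dict, key: rsa.RSAPrivateKey, kid: str) -> str:
    """Compact JWS with RS256 (PKCS#1 v1.5 over SHA-256), the only alg the page allows."""
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + compact(claims)
    signature = key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(signature)


def verify_jwt(token: str, jwks: dict, issuer: str, audience: str, now: int) -> dict:
    """Check alg, signature (via the JWK Set), iss, aud and validity window.
    Raises ValueError or cryptography.exceptions.InvalidSignature on any failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256":  # refuse none/HS256 etc. before touching any key
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    jwk = next((k for k in jwks["keys"]
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("no RSA key with matching kid in JWK Set")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    rsa.RSAPublicNumbers(e, n).public_key().verify(
        b64url_decode(sig_b64), f"{header_b64}.{payload_b64}".encode(),
        padding.PKCS1v15(), hashes.SHA256())
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    if audience not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("token not addressed to us")
    if not claims["iat"] <= now < claims["exp"]:
        raise ValueError("token outside its validity window")
    return claims


def sfo_roundtrip(user: str, proxy_key, sbs_key, now: int) -> dict:
    """Proxy -> SBS (access_token), then SBS -> proxy (id_token); returns the verified id_token claims."""
    proxy_jwks, sbs_jwks = make_jwks("proxy-1", proxy_key), make_jwks("sbs-1", sbs_key)

    # Proxy: mint the access_token and redirect the user to SBS.
    nonce = str(uuid.uuid4())
    access_token = sign_jwt({"sub": user, "auth_time": now, "nonce": nonce, "iss": PROXY_ISS,
                             "iat": now, "exp": now + TOKEN_LIFETIME, "aud": [SRAM_CLIENT_ID]},
                            proxy_key, "proxy-1")
    redirect_to_sbs = f"{SBS_SFO_ENDPOINT}?access_token={quote(access_token, safe='')}"

    # SBS: validate the token; the user then registers/verifies the second factor in the UI.
    incoming = parse_qs(urlparse(redirect_to_sbs).query)["access_token"][0]
    req = verify_jwt(incoming, proxy_jwks, issuer=PROXY_ISS, audience=SRAM_CLIENT_ID, now=now)
    id_token = sign_jwt({"sub": req["sub"], "auth_time": now, "acr": [MFA_ACR], "nonce": req["nonce"],
                         "iss": SRAM_CLIENT_ID, "iat": now, "exp": now + TOKEN_LIFETIME,
                         "aud": [PROXY_ISS]}, sbs_key, "sbs-1")
    redirect_to_proxy = f"{PROXY_ISS}/OIDC/sfo?id_token={quote(id_token, safe='')}"

    # Proxy: validate the id_token, bind it to the request it sent, and require the MFA acr.
    returned = parse_qs(urlparse(redirect_to_proxy).query)["id_token"][0]
    result = verify_jwt(returned, sbs_jwks, issuer=SRAM_CLIENT_ID, audience=PROXY_ISS, now=now)
    if result["nonce"] != nonce:
        raise ValueError("id_token does not answer our request (nonce mismatch)")
    if MFA_ACR not in result.get("acr", []):
        raise ValueError("second factor not asserted")
    return result


if __name__ == "__main__":
    print(sfo_roundtrip("abc123@sram.eduteams.org", new_key(), new_key(), int(time.time())))
```

The verifier rejects a token whose header says anything but RS256 before it looks up a key, which closes the usual `alg: none` and key-confusion tricks; issuer and audience are swapped between the two legs exactly as the claim sets on this page show, and the proxy only accepts an `id_token` that echoes its own `nonce`.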