UAE PASS
  • UAE PASS
  • Overview
  • Getting Onboarded with UAE PASS
    • Onboarding Process for UAE PASS Service Providers
      • Initiation Phase
      • Development Phase
      • Assessment Phase
      • Go live Phase
  • Quick Start Guide - UAE PASS Staging Environment
    • User Account Types
    • Create Staging UAE PASS Account
    • Upgrade Staging UAE PASS Account
    • Testing Credentials for POC
    • Conduct a POC with UAE PASS Authentication
  • Feature Guides
    • Authentication
      • Web Integration
        • Introduction
        • Pre-Requisites
        • Endpoints
        • 1. Authorization Code
        • 2. Access Token
        • 3. User Information
        • 4. Logout
        • Login Button
        • Authentication Postman Walkthrough
      • Mobile Integration
        • Introduction
        • Pre-Requisites
        • Requirements
        • Guide
          • SDK
          • API
        • SDK Integration
      • Token Validation API
        • Introduction
        • Pre-Requistes
        • Endpoints
        • Integration Steps
          • 1. Verify access token API using Basic Authentication
          • 2. Obtaining Authenticated User Information from the Access Token
        • Validation Decisions
      • User Linking
        • Automatic Linking
        • Manual Linking
        • Corporate Account
    • Digital Signature
      • Digital Signature (Single Document)
        • Signing Guide
          • Endpoints
          • Document Signing Steps
            • 1. Token
            • 2. Create Signer Process
            • 3. Sign Document
            • 4. Obtaining Document
            • 5. LTV Configuration
              • Integration Web Services
              • Postman Collection for LTV
            • 6. Deleting Document
          • Document Signature verification Process
          • Postman Collection for Digital Signature
            • Digital Signature Postman Walkthrough
        • Verification API Integration
          • Web Service Details
          • Postman Collection for Signature Verification API
      • Digital Signature (Multiple Document)
        • Signing Guide
          • Endpoints
          • Document Signing Steps
            • 1. Token
            • 2.Create Documents
            • 3. Create Signer Process
            • 4. Sign Document
            • 5. Obtaining Document
            • 6. LTV Configuration
              • Integration Web Services
              • Postman Collection for LTV
            • 7. Deleting Document
          • Document Signature verification Process
          • Postman Collection for Multiple Document Signing.
    • e-Seal
      • Introduction
      • DESC Process for Dubai Entities
        • Process overview
        • Detailed DESC process description
      • ICA Process for Non-Dubai Entities
        • Onboarding Process
        • Obtaining Credentials and Certificates
      • Integration Web Service
        • PAdES eSeal Signing
        • CAdES eSeal Signing
        • eSeal verification
        • eSeal error codes
      • Postman Collection
    • Hash Signing
      • Introduction
      • Hash Signing (Single Document)
        • Hash Signing (Java SDK Set Up)
          • Quick Setup
          • Hash Signing Process
            • 1. Start the Process
            • 2. Initiate Signing Process
            • 3. Sign PDF Document
          • Endpoints
          • Postman Collection
          • Utility Files
      • Bulk Hash Signing (Multiple Documents)
        • Quick Setup
        • Hash Signing Process
          • 1. Start Signing Process
          • 2. Initiate Signing Process
          • 3. Sign PDF Document
        • Endpoints
        • Postman Collection
  • Web Registration
    • Introduction
    • Steps to create account
    • Endpoints
      • 1. Access Code
      • 2. Access Token
      • 3. User Information
  • Facial Biometric Transactions Confirmation
    • Web Integration
      • Endpoints
      • Integration Steps
        • Obtain Authorization Code
        • Obtain Access Token
        • Obtain User Info
        • Log out User
    • Mobile Integration
      • Mobile Integration Guidelines
  • Guidelines
    • Use-Case Guidelines
      • Standard Authentication Scenarios for Service Provider Use Cases
      • Standard Digital Signature Scenarios for Service Provider Use Cases
      • Standard Implementation Guidelines
    • Design Guidelines
      • UAEPASS Button Guideline
      • Text Message Guidelines
  • Resources
    • Attributes List
    • Sample Apps
    • Staging Apps
    • Assets
  • FAQ
    • Common Integration Issues
  • Versioning
Powered by GitBook
On this page

Was this helpful?

  1. Feature Guides
  2. Authentication
  3. Token Validation API

Validation Decisions

Previous2. Obtaining Authenticated User Information from the Access TokenNextUser Linking

Last updated 9 months ago

Was this helpful?

As per , SP might have invoked the validation API and below are some guidelines on how to make decision on token validation response.

Based on the response from earlier section, “” and “Obtain User information API”, SP should check below in chronological order:

1.(Mandatory) As per response of “Verify Access Token” API, If the token is not active i.e. active=false, then the resource server or SP should deny access to the resource.

2.(Mandatory) If the SP wants to verify if the token presented is issued by a particular client, then it should verify the value of “client_id” or the values available under “client_claims” from the response of “Verify Access Token” API.

  • For example, if SP wants to validate that the token presented is issued by “SDG Digital Vault App” then it should check below values:

"client_id":"sdg_digivault",
"client_claims": 
{
    "distinguished_name":"CN=SDG DigitalVault",
    "sub":"sdg_digitalvault",
    "name":"SDG Digital Vault App",
    "domain":"urn:safelayer:eidas:domain:oauth:client",
    "acr":"urn:safelayer:tws:policies:authentication:level:low",
    "amr":"["urn:oasis:names:tc:SAML:1:0:am:password"]
}

3.(Optional but recommended) If SP needs to determine the "uuid" of the user who has been authenticated with the presented access token, then it should check the value of "sub" attribute returned in "Verify Access Token" API response.

  • For example, SP needs to get the "uuid" of the authenticated user as per below:

{
"sub": "800F475AC0E7A9ED01B2D5D2C25A59B3",
…
…………
………… 
"acr":
"urn:safelayer:tws:policies:authentication:level:high", 
"mobile": "9715555555555",
"amr": [ "urn:safelayer:tws:policies:authentication:adaptive:methods:mobileid", "urn:uae:authentication:method:verified"] 
}

4.(Optional but recommended) If SP needs to fetch the claims or attributes (e.g. Emirates ID etc.) of the user belonging to the access token, then SP should invoke “User information API” as mentioned in previous Section.

  • For example: SP needs to get the Emirates ID of the authenticated user, then they should call "User information API" and validate the attributes returned in the response.

5.(Optional) If SP needs to make sure that the presented access token is issued for a particular scope, in order to decide whether to provide access or not, then it should check the value of the “scope” parameter in the validation token response.

{
    "active": true, 
    "scope": 
    "urn:uae:digitalid:profile:general", "exp":
}
above section
Verify Access Token