API Endpoints

The relying party first needs to determine the Interac Hub API endpoints required to make and receive API requests/responses. These can be obtained by performing an HTTP GET request to the Hub's .well-known/openid-configuration endpoint.

GET /.well-known/openid-configuration HTTP/1.1
Host: hub_server.example.com

The Interac Developer Portal (Hub developer sandbox) has a single well-known endpoint:

<https://gateway-portal.hub-verify.innovation.interac.ca/.well-known/openid-configuration>

The Hub preprod and prod environments are restricted and their well-known endpoints will be provided during partner onboarding.

The following metadata obtained from the well-known endpoint is required for Hub API requests:

| REQUIREMENT | KEY | DESCRIPTION |
| --- | --- | --- |
| Required | authorization_endpoint | The URL to send the HTTP GET request to the Hub to initiate the auth request |
| Required | token_endpoint | The URL to send the HTTP POST request to the Hub to obtain an access token |
| Required | userinfo_endpoint | The URL to send the HTTP GET request to the Hub to obtain the user claims (PII data) |
| Optional | pushed_authorization_request_endpoint | The URL to send the HTTP POST request to the Hub to initiate a PAR request. This is required only if your client is configured for PAR requests and/or the subject matching feature is enabled. |
| Required | issuer | This will be the value of the iss field in the RP's signed request object during the auth flow. |

Parsing Endpoints: As these endpoints are subject to change, it is good practice to query this .well-known/openid-configuration endpoint periodically to ensure that the URLs being used are current.

Referenced Standard(s): OpenID 4. Obtaining OpenID Provider Configuration Information

Example Request / Response:

curl https://gateway-devportal2.pp.vids.dev/.well-known/openid-configuration
{
    "authorization_endpoint": "https://gateway-devportal2.pp.vids.dev/auth",
    "backchannel_logout_session_supported": true,
    "backchannel_logout_supported": true,
    "claims_supported": [
        "sub"
    ],
    "code_challenge_methods_supported": [
        "plain",
        "S256"
    ],
    "end_session_endpoint": "https://gateway-devportal2.pp.vids.dev/oauth2/sessions/logout",
    "frontchannel_logout_session_supported": true,
    "frontchannel_logout_supported": true,
    "grant_types_supported": [
        "authorization_code",
        "implicit",
        "client_credentials",
        "refresh_token"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "issuer": "https://gateway-devportal2.pp.vids.dev/",
    "jwks_uri": "https://gateway-devportal2.pp.vids.dev/.well-known/jwks.json",
    "request_object_signing_alg_values_supported": [
        "RS256",
        "none"
    ],
    "request_parameter_supported": true,
    "request_uri_parameter_supported": true,
    "require_request_uri_registration": true,
    "response_modes_supported": [
        "query",
        "fragment"
    ],
    "response_types_supported": [
        "code",
        "code id_token",
        "id_token",
        "token id_token",
        "token",
        "token id_token code"
    ],
    "revocation_endpoint": "https://gateway-devportal2.pp.vids.dev/oauth2/revoke",
    "scopes_supported": [
        "offline_access",
        "offline",
        "openid"
    ],
    "subject_types_supported": [
        "public",
        "pairwise"
    ],
    "token_endpoint": "https://gateway-devportal2.pp.vids.dev/oauth2/token",
    "token_endpoint_auth_methods_supported": [
        "client_secret_post",
        "client_secret_basic",
        "private_key_jwt",
        "none"
    ],
    "userinfo_endpoint": "https://gateway-devportal2.pp.vids.dev/userinfo",
    "userinfo_signing_alg_values_supported": [
        "none",
        "RS256"
    ],
    "pushed_authorization_request_endpoint": "https://gateway-devportal2.pp.vids.dev/auth/par"
}
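
One way to handle the periodic refresh described under "Parsing Endpoints", as an added example that is not Interac's code: it validates a parsed discovery document before the RP adopts it and reports which endpoints changed since the last refresh. The function names are hypothetical, the sample input is a constructed subset of the response above, and the same-host check is an assumption based on that response.

```python
from urllib.parse import urlsplit

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "userinfo_endpoint")
PAR_KEY = "pushed_authorization_request_endpoint"
WELL_KNOWN = "/.well-known/openid-configuration"


def load_hub_endpoints(metadata, discovery_url, par_enabled=False):
    """Validate a parsed discovery document and return the endpoints the RP uses."""
    keys = REQUIRED + ((PAR_KEY,) if par_enabled else ())
    missing = [k for k in keys if not metadata.get(k)]
    if missing:
        raise ValueError(f"discovery document is missing: {missing}")
    # OpenID Connect Discovery: the issuer is the value the well-known URL was built from.
    if metadata["issuer"].rstrip("/") + WELL_KNOWN != discovery_url:
        raise ValueError("issuer does not match the discovery URL")
    hub_host = urlsplit(discovery_url).hostname
    for key in keys:
        url = urlsplit(metadata[key])
        if url.scheme != "https":
            raise ValueError(f"{key} is not an https URL")
        # Assumption: the Hub serves every endpoint from the discovery host,
        # as in the page's sample response.
        if url.hostname != hub_host:
            raise ValueError(f"{key} points at unexpected host {url.hostname}")
    return {k: metadata[k] for k in keys}


def changed_endpoints(cached, fresh):
    """Return {key: (old, new)} for endpoints that differ between two refreshes."""
    return {k: (cached.get(k), v) for k, v in fresh.items() if cached.get(k) != v}


# Constructed input: a subset of the example response on this page.
BASE = "https://gateway-devportal2.pp.vids.dev"
SAMPLE = {
    "issuer": BASE + "/",
    "authorization_endpoint": BASE + "/auth",
    "token_endpoint": BASE + "/oauth2/token",
    "userinfo_endpoint": BASE + "/userinfo",
    PAR_KEY: BASE + "/auth/par",
}

if __name__ == "__main__":
    current = load_hub_endpoints(SAMPLE, BASE + WELL_KNOWN, par_enabled=True)
    for name, url in current.items():
        print(f"{name}: {url}")
```

A refresh job would keep the last validated result, call `load_hub_endpoints` on the new document, and log the output of `changed_endpoints` before switching over.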