OAuth2.0 Authorization API

The OAuth 2.0 authorization model allows a Service provider's application to obtain access to a HTTP service or resource, either on behalf of the end-user who owns the resource or on behalf of the Service provider's application itself. To do this, the Service provider's application obtains an access token via the following operations:

  1. API authorization code request.
  2. API access token request.

Obtain Authorization code

This operation entails performing an authorization code grant type OAuth 2.0 request request. In contrast to the other Integration platform APIs (except SignAPI), the messages of this operation are not exchanged directly between the Service provider's application and Integration platform but rather indirectly via the end-user's browser using browser redirects.

This operation lets an Service provider's application obtain authorization from the end-user for accessing one of their resources or their identity data. The end-user's authorization is obtained via an authorization code credential. The authorization code is sent via the browser as a response from the operation. The Service provider's application exchanges the authorization code for the corresponding access token for accessing the resource.


To start the authorization code grant flow, the Service provider's application directs the end-user's browser to one of Authorization server /trustedx-authserver/oauth/ endpoints. As a result of this redirect, the browser sends an HTTP request like the following, which corresponds to the OAuth 2.0 authorization request message. The request must be sent by TLS and use the GET method.

GET /trustedx-authserver/oauth/{as}?response_type=code&
             sign_identity_id = ...&
             digests_summary = ...&
             digests_summary_algorithm = ...&



All the applications integrated with Integration platform authorization server via browser redirect (OAuth 2.0) must do so using a consistent base URL that has the same DNS domain name, the same port (by default, 8082) and the same Web application name (by default, trustedx-authserver). The browsers must always connect to Integration platform Authorization server using the same base address so the identity provider can maintain the sessions and apply SSO consistently.


asPathRequiredIdentifier of the Integration platform authorization server to which the authorization request is sent (Server ID field of one of the Authorization server entities).

Available "as" (will be specified when issuing client_id and client_secret after registration):

lvrtc-eipsign-as (default authorization server for authentification and access to signing services)

lvrtc-eips-as (for identification with age parameter only. Restricted access, contact LVRTC for more information.)
response_typeQueryRequiredMust take the code value, which indicates that an authorization code is requested.
client_idQueryRequiredService provider’s application identifier issued to Service provider by LVRTC
stateQueryRecommendedWe recommend using this parameter to safeguard against CSRF attacks. To do this, the Service provider’s application must include a random value in this parameter, store it in the HTTP session and verify it when the Authorization Response message is received. The random value associates the authorization request with the HTTP session, which safeguards against the Service provider’s application processing an Authorization Response message not returned in response to an Authorization Request message specified previously in the end-user's browser.
redirect_uriQueryRequiredRedirect URI to the Service provider's application. The Service provider's application waits to receive at this URI the Authorization response/Authentication response message with the authorization code. It must match one of the Redirect URIs registered for the Service provider's application, or a redirect URI of the system. If the Service provider's application was configured to allow any redirect URI (not recommended), this parameter is not checked.

This parameter can be omitted if only one specific redirect URI was registered for the Service provider's application. In this case, the registered redirect URI is used.
scopeQueryRecommendedList of values, separated by spaces, that represent the scope of the authorization that the Service provider’s application wants to obtain. It queries the scopes required for accessing the resources or services in question.

Defined scopes:

urn:lvrtc:fpeil:aa – For electronic identification

urn:lvrtc:fpeil:aa:age – For electronic identification with age parameter (Restricted access, contact LVRTC for more information.)

urn:safelayer:eidas:sign:identity:profile – to get signing identity

urn:safelayer:eidas:sign:identity:use:server – to request signature from the HSM.

urn:safelayer:eidas:oauth:token:introspect – For access LVRTC provided Integration platform SignAPI service (Service provider authentication (without end-user involvement)).
promptQueryRecommendedThe values login and none are supported:

- The login value disables SSO, a login page is displayed (redirect) always.

- The none value specifies that there can be no interaction with the end-user (neither for authenticating them nor for requesting their authorization).
acr_valuesQueryOptionalDefines conditions for authenticating the end-user (minimum levels or specific flows) who must authorize the access.

Defined authentication methods:
urn:eparaksts:authentication:flow:mobileid - eParaksts mobile flow;
urn:eparaksts:authentication:flow:sc_plugin – Smart card flow;

If the parameter is not specified, its displays the available logon methods (end-user can choose).
ui_localesQueryOptionalSpecifies a list of languages ordered by preference. The end-user interface, available languages and settings:

lv – Latvian language;
en – English language;
ru – Russian language;

If the parameter is not specified, a end-user's browser language is used, if that language does not exist, then English language is used instead.
sign_identity_idQueryOptional⚠️ This parameter must only be used to obtain the authorization from the end-user for generating a digital signature with a server signing identity enabled via password stored on the HSM. ⚠️

Signing Identity is received from authenticated end-user data request using urn:safelayer:eidas:sign:identity:profile scope (serverid label).
digests_summaryQueryOptional⚠️ This parameter must only be used to obtain the authorization from the end-user for generating a digital signature with a server signing identity enabled via password stored on the HSM. ⚠️

Its value must be the base64 encoded cryptographic hash of the concatenation of the cryptographic hashes of the data to be digitally signed.

Value must be encoded as URL safe.

⚠️ ⚠️ ⚠️ Very important! Hash value shall be recalculated with digests_summary_algorithm from signable data value, e.g. BASE64(SHA256()) ⚠️ ⚠️ ⚠️
digests_summary_algorithmQueryOptional⚠️ This parameter must only be used to obtain the authorization from the end-user for generating a digital signature with a server signing identity enabled via password stored on the HSM. ⚠️

Hash algorithm used to calculate digests_summary value (sha256)



Don’t confuse the HTTP session that the application has with the browser with the security context or _session _the application creates or updates when the OAuth 2.0 flow finishes. The HTTP session exists previously, from the moment the browser accesses the Web application, and even though the end-user has not already authenticated. The security context is data on the authenticated end-user that the application usually stores in the HTTP session to remember that it is this end-user that is logged in to the application via the browser, and/or the OAuth access token. Just as the application does, TrustedX also keeps an HTTP session with the browser and a security context for the authenticated end-user.

Example: Authorization Request

This example shows an OAuth 2.0 authorization request message from the "Portal". The Service provider’s application requests an authorization with the "urn:lvrtc:fpeil:aa" scope to authorization server "lvrtc-eips-as" with condition the login page is displayed in the Latvian language.

GET /trustedx-authserver/oauth/lvrtc-eips-as?response_type=code&
                                   prompt=login& ui_locales=lv HTTP/1.1
Host: eidas.eparaksts.lv

Example: Signature Authorization Request

Additional parameters to end-user authentication must be used to obtain the authorization from the end-user for generating a digital signature with a server signing identity enabled via password stored on the HSM (On signing procedure Server signing checks whatever signable data to be signed conform to data provided for signing).

If end-user is already authenticated with active SSO, end-user will have to enter signing (HSM) password only.

GET /trustedx-authserver/oauth/{as}?response_type=code&


Once the end-user has been authenticated (or SSO applied), and the end-user has granted authorization, the Service provider’s application receives an HTTP GET request of the following type from the end-user's browser. This HTTP request is an OAuth 2.0 authorization response or an OpenID Connect authentication response. The Service provider’s application receives this request at the redirect URL specified in the authorization or authentication request message (the redirect_uri parameter of the request) or in the registered redirect URL.

GET {redirection_uri_path}?code={code}&state={state} HTTP/1.1
Host: {redirection_uri_host}

Where {redirection_uri_host}{redirection_uri_path} is the redirect URI to the Service provider’s application.

Obtain a access token


This operation obtains an OAuth 2.0 access token. This operation can be invoked as part of an OAuth 2.0 authorization code grant flow or via an OAuth 2.0 Service provider's credentials grant flow.

End-user access token

When the authorization code grant flow is used, the obtained access token represents the authorization granted by a end-user to the Service provider's application making the call for accessing certain resources or services on this end-user's behalf (identity data, signature identities, etc.). To obtain the token, the Service provider's application must present the authorization code obtained with the Obtain authorization operation.


This type access token is used to receive end-user's:

  • Electronic identification;
  • signing identities;
  • eParaksts Mobile related signing and authentication certificates;
  • PKSC#1 signature

Introspect access token

When the Service provider's credentials grant flow is used, the obtained access token demonstrates the administrative authorization of the Service provider's application making the call for accessing certain resources or services (i.e., without direct intervention of the resource's owner), or for accessing resources of the Service provider's application. Token is issued when the authorization server that processes the request is not associated to an identity provider. A token of this type can be used for accessing resources not associated to end-users or to end-user resources of any domain.


This type of access token is used to get access to Signature creation and validation service API's


To obtain the token, the Service provider's application must send a request like the following to authorization server using TLS. This request is sent directly from the Service provider’s application to authorization server and does not go via the browser.

POST /trustedx-authserver/oauth/{as}/token


aspathmandatoryIdentifier of the authorization server from which the token is requested

available "as":

Content-Type Header

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

In HTTP POST request is necessary to incorporated the following main attribute: Authorization – API access token.

Authorization: Basic <API-Key>


The content of the request varies according to the type of OAuth 2.0 flow in which the token is requested:

Content in the Case of the Authorization Code Grant Flow (used for electronic identification/signing requests)

grant_typemandatoryMust have the authorization_code value.
codemandatoryThe authorization code received in the previous authorization response.
redirect_urimandatoryURI where the authorization response was received with the authorization code. Must match the redirect_uri parameter of the API authorization code request (see API authorization code request), and must be omitted if it is also omitted in the authorization request.

Content in the Case of the Client Credentials Grant Flow - Introspect access token (used for access SignAPI service)

grant_typemandatoryMust have the client_credentials value
scopemandatoryMust have the urn:safelayer:eidas:oauth:token:introspect value

Example (end-users access token)

POST /trustedx-authserver/oauth/lvrtc-eipsign-as/token HTTP/1.1
Host: eidas-demo.eparaksts.lv
Authorization: Basic cG9ydCVDNCU4MWxzOmRybyVDNSVBMSVDNCVBQmJh
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Example (Introspect access token)

The following example shows a situation in which the Service provider’s application with the identifier "Portal" and the password "drošība" authority shall transmit the request to the server with the identifier "lvrtc-eips-as":

POST /trustedx-authserver/oauth/lvrtc-eipsign-as/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic cG9ydCVDNCU4MWxzOmRybyVDNSVBMSVDNCVBQmJh
Host: eidas-demo.eparaksts.lv


In response, Integration platform authorization server issues a bearer-type OAuth 2.0 access token and returns it in a JSON structure.

"access_token" : {string},
"token_type" : "Bearer",
"expires_in" : {number}


access_tokenAccess token generated by Authorization server. The token has the characteristics specified in the configuration of the authorization server that processed the request and consists of a random string of the number of bytes specified in the Access token number of random bytes (by default, 32), encoded in hexadecimal.
token_typeType of access token. Always has the "bearer" value. (Bearer type OAuth 2.0 access token).
expires_inLifetime (in seconds) of the access token. The Service provider’s application must perform the access the token authorizes before the token expires. This value can be configured in the Token timeout option of the authorization server (by default, 120 seconds). Once this timeout has expired, the token becomes invalid, and the Service provider’s application must obtain another one if it wants to continue invoking the protected services.


Access token with end-user authentication:

HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
"access_token" : "a2b4...6daf",
"token_type" : "Bearer",
"expires_in" : 120

Introspect access token:

HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
 "scope": "urn:safelayer:eidas:oauth:token:introspect",
 "access_token": "dfffb0d7f90bed142464750cacad5e4b9e23f58ecb1d77e3bdf706ba208ad16a",
 "token_type": "Bearer",
 "expires_in": 600