General Public Authentication Page

The BSN.cloud Self API version 2022/06 now lets persons who are authenticated by external identity providers (Microsoft Entra ID), and who use OAuth2 access and refresh tokens without a network context, sign in to a network.

The Keycloak intermediate identity and access manager has replaced the custom BSN.cloud authentication server (oa.bsn.cloud) for person registration, authentication, and password reset workflows. User access and refresh tokens will disappear along with all network-specific OAuth2 scope tokens and claims currently used by BSN.cloud API client applications.

BrightSign has introduced the concept of a “User Session”, and the BSN.cloud Self API has been updated as a result of these changes:

  • (User Session) A sid (session Id) claim will be added to all person access and refresh tokens issued by Keycloak. The sid is extracted from the person access token and so will be implicit for client applications.

  • (User Session) The same person can maintain multiple active sessions but can have only one refresh token related to each session.

  • (User Session) The caller authentication workflow in the BSN.cloud API has been modified, and the person claims identity is now resolved based on person access tokens issued by Keycloak.

  • (User Session) The request authorization workflow in the BSN.cloud API has been modified: the OAuth2 scope-based authorization has been replaced by an identical custom check based on the authorization scope, which is calculated in the same way.

  • (BSN.cloud Self API) The updated client applications can now retrieve the person membership information using the existing GET ~/2022/06/REST/Self/Networks/ and GET ~/2022/06/REST/Self/Users/ methods.
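
The following added example (not BrightSign code) shows how a client application could track the User Session rules above: it reads the sid claim from the token payload and keeps exactly one refresh token per session. The names `jwt_claims`, `SessionTokenStore` and `make_sample_token` are hypothetical, the tokens are constructed samples, and the example assumes the refresh token is a JWT with a client-readable payload.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT WITHOUT verifying the signature.

    Suitable only for client-side bookkeeping; the API server validates the
    token. Never base an access decision on this output.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


class SessionTokenStore:
    """Hypothetical client-side store: one refresh token per sid."""

    def __init__(self):
        self._by_sid = {}

    def save(self, access_token: str, refresh_token: str) -> str:
        access_sid = jwt_claims(access_token).get("sid")
        refresh_sid = jwt_claims(refresh_token).get("sid")
        if not access_sid:
            raise ValueError("access token carries no sid claim")
        if access_sid != refresh_sid:
            raise ValueError("access and refresh token belong to different sessions")
        # A newer refresh token replaces the older one for the same session.
        self._by_sid[access_sid] = refresh_token
        return access_sid

    def refresh_token_for(self, sid: str) -> str:
        return self._by_sid[sid]

    def sessions(self) -> list:
        return sorted(self._by_sid)


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token for the demo (not a real token)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}.sig"
```

Rejecting a token pair whose sid values differ keeps a refresh token from one session from being filed under another session of the same person.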