Mobile Connect Madagascar - Limited
Experience sign in without login and passwords with Mobile Connect authentication - Limited API
1.0

Authentication Madagascar (orange.mg) API

The Authentication Madagascar (orange.mg) API complies with Mobile Connect profile that is built upon profile OpenID Connect standard. OpenID Connect combines authentication and authorization (consent), and allows you to verify the identity of the end-user while authorizing them.
[BASE URL: /openidconnect/mg/v1, API VERSION: 1.0, HOST: https://api.orange.com]
    • get /authorize
      implementation notes

      In order to obtain OpenID Connect/OAuth tokens (i.e. id_token, access_token, refresh_token), you first need to request an "authorization code" as defined in OAuth 2.0 and OpenID Connect. At this stage, the Orange Authorization Server may need to authenticate the end-user and receive his permission before releasing the "Authorization Code". This call will redirect the end-user to a login form and then to your callback URL as you have defined it in Orange Partner.

      parameters
      parametervaluedescriptionparameter typedata type
      code (default)
      (required)
      		Must be set to 'code' for authorization request.querystring
      (required)
      		Your client identifier (from Orange Partner developer website).querystring
      (required)
      		The URL on your server where the end-user will be redirected after authentication. It must match the URL you provided when you registered for Orange Partner. Remember to URL-encode special characters such as :, /, %, ?, &...querystring
      openid (default)
      (required)
      		The scope your application needs. It tells our Orange Authorization server what kind of permissions to asks for when displaying the consent form to the end-user. The scope value 'openid' is mandatory.querystring
      (required)
      		Free parameter to set some data. This field will be sent back in the query-string when redirecting to your callback URL.querystring
      Used to associate a client session with the ID Token. It is passed unmodified from Authorisation Request to ID Token. The value should be unique per session to mitigate replay attacks.querystring
      Authentication Context class Reference. Space separated string (e.g. 2,3) that specifies the Authentication Context Reference to be used during authentication processing. The LOA required by the RP/Client for the use case can be used here. The values appear as order of preference. The acr satisfied during authentication is returned as acr claim valuequerystring
      An indication to our Orange IDP/Authorisation Server on what ID to use for login, e.g. email, MSISDN (phone_number), etc. It is recommended that the value matches the value used for discovery.querystring
      Specify the user interface display for the Authentication and Consent flow. Supported values are: page (default), popup, touch and wap.querystring
      Space delimited (Caution: url-encoded space (%20) is required), case-sensitive ASCII string values to specify to the Authorisation Server whether to prompt or not for reauthentication and consent. Supported value values are: - none: no UI will be displayed (Caution : if end-user is not logged in, or has not consented yet, an error will occur) - login: forces the authentication display even if already logged in - consent: forces the consent page display even if end-user consent was already collected - select_account: not supported.querystring
      Specify the maximum elapsed time in seconds since last authentication of the user. If the elapsed time is greater than this value, a reauthentication must be done.querystring
      Space separated list of user preferred languages and scripts for the UI as per RFC5646.querystring
      Non supported by our Orange Authorization server. Generally used in conjunction with prompt=none to pass the previously issued ID Token as a hint for the current or past authentication session. If the ID Token is still valid and the user is logged in then the server returns a positive response, otherwise should return a login_error response.querystring
      Non supported by our Orange Authorization server. Separated list of user preferred languages and scripts for the Claims being returned as per RFC5646.querystring
      Not supported by our Orange Authorization server. Data to be signed by the private key owned by the end-user (mandatory for LOA=4 use cases).querystring
      response messages
      List of common error codes
      HTTP status codereasonresponse model
      302 (success)If succeed, the Orange Authorization Server informs the client by adding the following parameters to the query component of the redirection URI (see Location header):
      - code (required): authorization code (with a lifetime of about 10 minutes),
      - state (required): identical as the state value added in the request,
      - scope (optional)): validated scope (if different than those requested by the application).
      "Location: <redirect_uri>?code=<auth_code>&state=<state>[&scope=<scope>]"
      302 (errors)In case of error, the Orange Authorization Server informs the client by adding the following parameters to the query component of the redirection URI (see Location header):
      - error (required): single ASCII error code
      - error_description (optional): Human-readable ASCII text providing additional information, used to assist the developer in understanding the error that occurred.
      - state (required): identical as the state value added in the request,

      List of possible error codes:
      - invalid_request: a required parameter is missing in the request, or a parameter value is unknown.
      - unsupported_response_type: the authorization server does not support obtaining an authorization code using this method.
      - unauthorized_client: the authenticated client is not authorized to use this authorization grant type.
      - access_denied: the end-user cancelled the consent form.
      - invalid_scope: the given scope does not match known one.
      - login_required: the user is not authenticated, you have to send the request again without prompt=none so the UI sequence is processed.
      - consent_required: the user has never accepted the TOS, you have to send the request again without prompt=none so the UI sequence is processed.
      - server_error: an internal server error occurred and the request can not be fulfilled.
      - temporarily_unavailable: the request could not be currently handled.
      "Location: <redirect_uri>?error=<code>&error_description=<description>&state=<state>"
    • post /authorize
      implementation notes

      In order to obtain OpenID Connect/OAuth tokens (i.e. id_token, access_token, refresh_token), you first need to request an "authorization code" as defined in OAuth 2.0 and OpenID Connect. At this stage, the Orange Authorization Server may need to authenticate the end-user and receive his permission before releasing the "Authorization Code". This call will redirect the end-user to a login form and then to your callback URL as you have defined it in Orange Partner.

      parameters
      parametervaluedescriptionparameter typedata type
      code (default)
      (required)
      		Must be set to 'code' for authorization request.formDatastring
      (required)
      		Your client identifier (from Orange Partner developer website).formDatastring
      (required)
      		The URL on your server where the end-user will be redirected after authentication. It must match the URL you provided when you registered for Orange Partner. Remember to URL-encode special characters such as :, /, %, ?, &...formDatastring
      openid (default)
      (required)
      		The scope your application needs. It tells our Orange Authorization server what kind of permissions to asks for when displaying the consent form to the end-user. The scope value 'openid' is mandatory.formDatastring
      (required)
      		Free parameter to set some data. This field will be sent back in the query-string when redirecting to your callback URL.formDatastring
      Used to associate a client session with the ID Token. It is passed unmodified from Authorisation Request to ID Token. The value should be unique per session to mitigate replay attacks.formDatastring
      Authentication Context class Reference. Space separated string (e.g. 2,3) that specifies the Authentication Context Reference to be used during authentication processing. The LOA required by the RP/Client for the use case can be used here. The values appear as order of preference. The acr satisfied during authentication is returned as acr claim valueformDatastring
      An indication to our Orange IDP/Authorisation Server on what ID to use for login, e.g. email, MSISDN (phone_number), etc. It is recommended that the value matches the value used for discovery.formDatastring
      Specify the user interface display for the Authentication and Consent flow. Supported values are: page (default), popup, touch and wap.formDatastring
      Space delimited (Caution: url-encoded space (%20) is required), case-sensitive ASCII string values to specify to the Authorisation Server whether to prompt or not for reauthentication and consent. Supported value values are: - none: no UI will be displayed (Caution : if end-user is not logged in, or has not consented yet, an error will occur) - login: forces the authentication display even if already logged in - consent: forces the consent page display even if end-user consent was already collected - select_account: not supported.formDatastring
      Specify the maximum elapsed time in seconds since last authentication of the user. If the elapsed time is greater than this value, a reauthentication must be done.formDatastring
      Space separated list of user preferred languages and scripts for the UI as per RFC5646.formDatastring
      Non supported by our Orange Authorization server. Generally used in conjunction with prompt=none to pass the previously issued ID Token as a hint for the current or past authentication session. If the ID Token is still valid and the user is logged in then the server returns a positive response, otherwise should return a login_error response.formDatastring
      Non supported by our Orange Authorization server. Separated list of user preferred languages and scripts for the Claims being returned as per RFC5646.formDatastring
      Non supported by our Orange Authorization server. Data to be signed by the private key owned by the end-user (mandatory for LOA=4 use cases).formDatastring
      response messages
      List of common error codes
      HTTP status codereasonresponse model
      302 (success)If succeed, the Orange Authorization Server informs the client by adding the following parameters to the query component of the redirection URI (see Location header):
      - code (required): authorization code (with a lifetime of about 10 minutes),
      - state (required): identical as the state value added in the request,
      - scope (optional)): validated scope (if different than those requested by the application).
      "Location: <redirect_uri>?code=<auth_code>&state=<state>[&scope=<scope>]"
      302 (errors)In case of error, the Orange Authorization Server informs the client by adding the following parameters to the query component of the redirection URI (see Location header):
      - error (required): single ASCII error code
      - error_description (optional): Human-readable ASCII text providing additional information, used to assist the developer in understanding the error that occurred.
      - state (required): identical as the state value added in the request,

      List of possible error codes:
      - invalid_request: a required parameter is missing in the request, or a parameter value is unknown.
      - unsupported_response_type: the authorization server does not support obtaining an authorization code using this method.
      - unauthorized_client: the authenticated client is not authorized to use this authorization grant type.
      - access_denied: the end-user cancelled the consent form.
      - invalid_scope: the given scope does not match known one.
      - login_required: the user is not authenticated, you have to send the request again without prompt=none so the UI sequence is processed.
      - consent_required: the user has never accepted the TOS, you have to send the request again without prompt=none so the UI sequence is processed.
      - server_error: an internal server error occurred and the request can not be fulfilled.
      - temporarily_unavailable: the request could not be currently handled.
      "Location: <redirect_uri>?error=<code>&error_description=<description>&state=<state>"
    • get /res/status Status
      implementation notes

      Returns the status

      response class (status 200)
      {
  "name": "myproxy_v1",
  "status": "ok",
  "version": "1.0.9",
  "components": [
    {
      "status": "ok",
      "version": "v1.1",
      "name": "redis"
    }
  ]
}
      response messages
      List of common error codes
      HTTP status codereasonresponse model
      503http status
      {
  "name": "myproxy_v1",
  "status": "ok",
  "version": "1.0.9",
  "components": [
    {
      "status": "ok",
      "version": "v1.1",
      "name": "redis"
    }
  ]
}
      defaultError
      [
  {
    "code": 23,
    "message": "Missing body field",
    "description": "The field 'productionDate' is missing from posted body"
  }
]
    • post /token (with refresh token)
      implementation notes

      You can also use a previously obtained "refresh token" to request a new "access token" (without necessarily having the end-user "online").

      response class (status 200)
      {
  "token_type": "Bearer",
  "access_token": "string",
  "expires_in": 0
}
      parameters
      parametervaluedescriptionparameter typedata type
      (required)
      		The Authorization with valid app's credentialsheaderstring
      refresh_token (default)
      (required)
      		The value must be "refresh_token".formDatastring
      (required)
      		The refresh token received from the authorization serverformDatastring
      Requested scope (it must not include any scope not originally granted, and if omitted is treated as equal to the scope originally granted when the refresh token was issued).formDatastring
      response messages
      List of common error codes
      HTTP status codereasonresponse model
      400Bad Request. List of error codes:
      - invalid_request: a required parameter is missing in the request, or a parameter value is unknown.
      - invalid_grant: the provided authorization grant (e.g., authorization code) or refresh token is invalid, expired, revoked, etc.
      - unauthorized_client: the authenticated client is not authorized to use this authorization grant type.
      - unsupported_grant_type: the authorization grant type is not supported by our authorization server.
      - invalid_scope: the requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner.
      {
  "error": "string",
  "error_description": "string"
}
      401Unauthorized. List of error codes:
      - invalid_client: client authentication failed (e.g., unknown client_id).
      {
  "error": "string",
  "error_description": "string"
}
      defaultCommon error list
      [
  {
    "code": 23,
    "message": "Missing body field",
    "description": "The field 'productionDate' is missing from posted body"
  }
]

    • tokens : get access token, [id_token], [refresh_token]

    • post /token (with authorization code)
      implementation notes

      You can now exchange the obtained "authorization code" for tokens. You must make this call in order to obtain a token that you will use either directly with each subsequent calls to other API.

      response class (status 200)
      {
  "token_type": "Bearer",
  "access_token": "string",
  "expires_in": 0,
  "scope": "string",
  "refresh_token": "string",
  "id_token": "string"
}
      parameters
      parametervaluedescriptionparameter typedata type
      (required)
      		The Authorization with valid app's credentialsheaderstring
      authorization_code (default)
      (required)
      		Fixed value. To be set with 'authorization_code' value.formDatastring
      (required)
      		It must contain the code you received in the callback query-string when you called the /authorize.formDatastring
      (required)
      		It must be set to the callback URL you provided at registration. Note that it is mandatory for security reasons.formDatastring
      response messages
      List of common error codes
      HTTP status codereasonresponse model
      400Bad Request. List of error codes:
      - invalid_request: a required parameter is missing in the request, or a parameter value is unknown.
      - invalid_grant: the provided authorization grant (e.g., authorization code) or refresh token is invalid, expired, revoked, etc.
      - unauthorized_client: the authenticated client is not authorized to use this authorization grant type.
      - unsupported_grant_type: the authorization grant type is not supported by our authorization server.
      - invalid_scope: the requested scope is invalid, unknown, malformed, or exceeds the scope granted by the resource owner.
      {
  "error": "string",
  "error_description": "string"
}
      401Unauthorized. List of error codes:
      - invalid_client: client authentication failed (e.g., unknown client_id).
      {
  "error": "string",
  "error_description": "string"
}
      defaultCommon error list
      [
  {
    "code": 23,
    "message": "Missing body field",
    "description": "The field 'productionDate' is missing from posted body"
  }
]
    • HTTP status codereasonresponse model
      400List of supported error codes:
      - 20: Invalid URL parameter value
      - 21: Missing body
      - 22: Invalid body
      - 23: Missing body field
      - 24: Invalid body field
      - 25: Missing header
      - 26: Invalid header value
      - 27: Missing query-string parameter
      - 28: Invalid query-string parameter value
      {
  "code": 28,
  "message": "Invalid query-string parameter value",
  "description": "One or more query-string parameters contain invalid values."
}
      401List of supported error codes:
      - 40: Missing credentials
      - 41: Invalid credentials
      - 42: Expired credentials
      {
  "code": 42,
  "message": "Expired credentials",
  "description": "The requested service needs credentials, and the ones provided were out-of-date."
}
      403List of supported error codes:
      - 50: Access denied
      - 51: Forbidden requester
      - 52: Forbidden user
      - 53: Too many requests
      {
  "code": 53,
  "message": "Too many requests",
  "description": "The application has made too many calls and has exceeded the rate limit for this service."
}
      404List of supported error codes:
      - 60: Resource not found
      {
  "code": 60,
  "message": "Resource not found",
  "description": "The requested URI or the requested resource does not exist."
}
      405List of supported error codes:
      - 61: Method not allowed
      {
  "code": 61,
  "message": "Method not allowed",
  "description": "The URI does not support the requested method. The available methods should be set in the response header 'Allow'"
}
      406List of supported error codes:
      - 62: Not acceptable
      {
  "code": 62,
  "message": "Not acceptable",
  "description": "The Accept incoming header does not match any available content-type."
}
      408List of supported error codes:
      - 63: Request time-out
      {
  "code": 63,
  "message": "Request time-out",
  "description": "The server timed out waiting for the incoming request."
}
      411List of supported error codes:
      - 64: Length required
      {
  "code": 64,
  "message": "Length required",
  "description": "The request did not specify a Content-Length header, which is required by the requested resource."
}
      412List of supported error codes:
      - 65: Precondition failed
      {
  "code": 65,
  "message": "Precondition failed",
  "description": "One of the precondition request headers (aka. 'If-None-Match', 'If-Match', 'If-Modified-Since', and 'If-Unmodified-Since') failed to match."
}
      413List of supported error codes:
      - 66: Request entity too large
      {
  "code": 66,
  "message": "Request entity too large",
  "description": "The body of a request (PATCH, POST and PUT methods) is larger than the server is willing or able to process."
}
      414List of supported error codes:
      - 67: Request-URI too long
      {
  "code": 67,
  "message": "Request-URI too long",
  "description": "The URI provided was too long for the server to process."
}
      415List of supported error codes:
      - 68: Unsupported Media Type
      {
  "code": 68,
  "message": "Unsupported Media Type",
  "description": "The format of the posted body is not supported by the endpoint."
}
      500List of supported error codes:
      - 1: Internal error
      {
  "code": 1,
  "message": "internal error",
  "description": "Generic failure message, used if no more precise code can be provided."
}
      503List of supported error codes:
      - 5: The service is temporarily unavailable
      - 6: Orange API is over capacity, retry later !
      {
  "code": 6,
  "message": "Orange API is over capacity, retry later !",
  "description": "The service faces too much requests and can not handle the call."
}