This API is for GOV.UK Publishing microservices (the things which make up www.gov.uk) to implement personalisation and user session management. This API is not for other government services.
- Nomenclature
- Using this API
- API endpoints
GET /api/oauth2/sign-in
POST /api/oauth2/callback
GET /api/oauth2/end-session
GET /api/user
GET /user/match-by-email
GET /api/attributes
PATCH /api/attributes
PUT /api/oidc-users/:subject_identifier
DELETE /api/oidc-users/:subject_identifier
GET /api/personalisation/check-email-subscription
POST /api/oidc_events/backchannel_logout
- API errors
The service which authenticates a user. Currently we use the Digital Identity authentication service.
An opaque token which identifies a user and provides access to their attributes.
You should use this API in combination with the govuk_personalisation gem, like so:
class YourRailsController < ApplicationController
# include the concern in your controller
include GovukPersonalisation::AccountConcern
def show
# call the API with gds-api-adapters, the @govuk_account_session is provided by the concern
result = GdsApi.account_api.get_attributes(
attributes: %w[some user attributes],
govuk_account_session: @govuk_account_session,
)
# set up the response header and update @govuk_account_session
set_account_session_header(result["govuk_account_session"])
# do something in your view with the result
@attributes = result["values"]
rescue GdsApi::HTTPUnauthorized
# the user's session is invalid
logout!
rescue GdsApi::HTTPForbidden
# the user needs to reauthenticate with MFA
end
end
The govuk_personalisation gem handles setting the GOVUK-Account-Session
and Vary
response headers for your app, ensuring that responses are not cached. In local development there is a cookie instead of a custom header, which the gem also handles for you.
Generates an OAuth sign in URL.
This URL should be served to the user with a 302 response to authenticate the user against the identity provider.
mfa
(optional)- either
true
(require MFA) orfalse
(do not require MFA, the default)
- either
redirect_path
(optional)- a path on GOV.UK to send the user to after authenticating
auth_uri
- an absolute URL, pointing to the identity provider, which the user should be redirected to so they can authenticate
state
- a random string, used for CSRF protection, which should be stored in a cookie and compared with the
state
returned by the identity provider after the user authenticated
- a random string, used for CSRF protection, which should be stored in a cookie and compared with the
- 200
Request (with gds-api-adapters):
GdsApi.account_api.get_sign_in_url(
redirect_path: "/guidance/keeping-a-pet-pig-or-micropig",
)
Response:
{
"auth_uri": "https://www.account.publishing.service.gov.uk/oauth/authorize?client_id=clientid&nonce=nonce&redirect_uri=https%3A%2F%2Fwww.gov.uk%2Fsign-in%2Fcallback&response_type=code&scope=openid&state=12345%3Aabcd",
"state": "12345:abcdef"
}
Validates an OAuth response from the identity provider.
This is only used by the SessionsController
in frontend, as the
identity provider redirects the user after signing in to
https://www.gov.uk/sign-in/callback
.
code
- the value of the
code
parameter returned from the identity provider
- the value of the
state
- the value of the
state
parameter returned from the identity provider
- the value of the
govuk_account_session
- a session identifier
redirect_path
(optional)- the
redirect_path
which was previously passed toGET /api/oauth2/sign-in
, if given
- the
- 401 if authentication is unsuccessful
- 200 otherwise
Request (with gds-api-adapters):
GdsApi.account_api.validate_auth_response(
code: "12345",
state: "67890",
)
Response:
{
"govuk_account_session": "YWNjZXNzLXRva2Vu.cmVmcmVzaC10b2tlbg==",
"redirect_path": "/guidance/keeping-a-pet-pig-or-micropig",
"cookie_consent": false,
}
Generates a sign out URL.
This URL should be served to the user with a 302 response to terminate their session with the identity provider and connected services. If the session identifier is given, it may be passed to the identity provider to validate the user's session.
This does not invalidate the user's session on www.gov.uk. You must
also use the logout!
method in govuk_personalisation to do that.
GOVUK-Account-Session
(optional)- the user's session identifier
end_session_uri
- an absolute URL, pointing to the identity provider, which the user should be redirected to to end their session
- 200
Request (with gds-api-adapters):
GdsApi.account_api.get_end_session_url(
govuk_account_session: "session-identifier",
)
Response:
{
"end_session_uri": "https://www.account.publishing.service.gov.uk/sign-out?continue=1"
}
Retrieves the information needed to render the /account/home
page.
GOVUK-Account-Session
- the user's session identifier
id
- the user identifier
mfa
true
if the user has authenticated with MFA,false
otherwise
email
- the user's current email address
email_verified
- whether the user has confirmed their email address or not
services
- object of known services, keys are service names and values are one of:
yes
: the user has used the service and can use it nowyes_but_must_reauthenticate
: the user has used the service but must reauthenticate with MFAno
: the user has not used the serviceunknown
: the user must reauthenticate with MFA to check whether they have used the service or not
- object of known services, keys are service names and values are one of:
- 401 if the session identifier is invalid
- 200 otherwise
Request (with gds-api-adapters):
GdsApi.account_api.get_user(
govuk_account_session: "session-identifier",
)
Response:
{
"id": "some-user-identifier",
"mfa": false,
"email": "email@example.com",
"email_verified": false,
"services": {}
}
Checks if a user with the given email address exists and if it is the logged-in user (if a session is given).
This is only used by email-alert-frontend, so it can check if an address corresponds to an account and either log the user in or show an appropriate message with a single API call.
GOVUK-Account-Session
(optional)- the user's session identifier, if not given
"match": true
is not a possible response
- the user's session identifier, if not given
email
- the email address to search for
match
true
if the session has the given email address, orfalse
if a different user has that email address
- 404 if there is no user with that email address
- 200 otherwise
Request (with gds-api-adapters):
GdsApi.account_api.match_user_by_email(
email: "email@example.com",
)
Response:
{
"match": false
}
Request with a session (with gds-api-adapters):
GdsApi.account_api.match_user_by_email(
email: "email@example.com",
govuk_account_session: "session-identifier",
)
Response:
{
"match": true
}
Retrieves attribute values for the current user.
GOVUK-Account-Session
- the user's session identifier
attributes[]
(one for each attribute)- a list of attribute names, specified once for each name
govuk_account_session
(optional)- a new session identifier
values
- a JSON object of attribute values, where keys are attribute names and values are attribute values
- 422 if any attributes are unknown (see error: unknown attribute names)
- 403 if the user must reauthenticate with MFA (see error: MFA required)
- 401 if the session identifier is invalid
- 200 otherwise
Request (with gds-api-adapters):
GdsApi.account_api.get_attributes(
attributes: %w[name1 name2],
govuk_account_session: "session-identifier",
)
Response:
{
"govuk_account_session": "YWNjZXNzLXRva2Vu.cmVmcmVzaC10b2tlbg==",
"values": {
"name1": "value1",
"name2": "value2"
}
}
Updates the attributes of the current user.
GOVUK-Account-Session
- the user's session identifier
attributes
- a JSON object where keys are attribute names and values are attribute values
govuk_account_session
(optional)- a new session identifier
- 422 if any attributes are unknown (see error: unknown attribute names)
- 403 if any attributes are unwritable (see error: unwritable attributes)
- 403 if the user must reauthenticate with MFA (see error: MFA required)
- 401 if the session identifier is invalid
- 200 otherwise
Request (with gds-api-adapters):
GdsApi.account_api.set_attributes(
attributes: { name1: "value1", name2: "value2" },
govuk_account_session: "session-identifier",
)
Response:
{
"govuk_account_session": "YWNjZXNzLXRva2Vu.cmVmcmVzaC10b2tlbg=="
}
Update an account and its email subscriptions by subject identifier.
This endpoint requires the update_protected_attributes
scope.
subject_identifier
- the subject identifier of the user to update
legacy_sub
(optional)- if this is a user created pre-migration, their original subject identifier (a string)
email
(optional)- the new email address (a string)
email_verified
(optional)- whether the new email address is verified (a boolean)
sub
- the subject identifier
email
email_verified
- 200
Request (with gds-api-adapters):
GdsApi.account_api.update_user_by_subject_identifier(
subject_identifier: "subject-identifier",
email: "user@example.com",
email_verified: true,
)
Response:
{
"sub": "subject-identifier",
"email": "user@example.com",
"email_verified": true,
}
Delete an account by subject identifier. This endpoint requires the
update_protected_attributes
scope.
subject_identifier
- the subject identifier of the user to delete
legacy_sub
(optional)- if this is a user created pre-migration, their original subject identifier (a string)
- 404 if the user cannot be found
- 204 otherwise
Request (with gds-api-adapters):
GdsApi.account_api.delete_user_by_subject_identifier(
subject_identifier: "subject-identifier",
)
Response is status code only.
Personalisation endpoint for checking if an email subscription is active.
See Progressive enhancement ADR for more details
subject_identifier
- the subject identifier from a user session
base_path
(optional)- the base path of the page (to match against the "url" of an email-alert-api subscriber list)
topic_slug
(optional)- the email-alert-api topic slug
Exactly one of base_path
and topic_slug
must be specified.
base_path
- the base_path parameter, if there is one (a string)
topic_slug
- the topic_slug parameter, if there is one (a string)
active
- whether the subscription is active (a boolean)
- 401 if the session identifier is invalid
- 422 if neither
base_path
nortopic_slug
are passed; or if both are - 200 otherwise
Note: This endpoint is not included in the GDS API Adaptors wrappers. As a personalisation endpoint, it allows us to progressively enhance pages from client side requests.
To test the endpoint with curl:
curl -H "GOVUK-Account-Session={{account_session_header}}" \
"{{GOV.UK environment}}/api/personalisation/check-email-subscription?base_path=/guidance/keeping-a-pet-pig-or-micropig"
{
"base_path": "/guidance/keeping-a-pet-pig-or-micropig",
"active": true,
"button_html": "<form>...</form>"
}
A public API endpoint that Implements OpenID Connect Back-Channel Logout 1.0 - draft 07.
logout_token
- A signed JWT
- 400 if the Logout Token JWT is invalid or signature cannot be verified
- 200 otherwise
This endpoint will only ever receive calls from the Oidc OP (Digital Identity), as an OIDC event. Because of that, there is not an GDS API Adaptor for this endpoint, as it will not be called from another Ruby application.
API errors are returned as an RFC 7807 "Problem Detail" object, in the following format:
{
"type": "URI which identifies the problem type and points to further information",
"title": "Short human-readable summary of the problem type",
"detail": "Human-readable explanation of this specific instance of the problem."
}
Each error type may define additional response fields.
You have tried to access something requires MFA, but the current user has not authenticated with MFA.
This is not an error, the user must be reauthenticated with MFA.
One or more of the attribute names you have specified are not known.
The attributes
response field lists these.
One or more of the attributes you have specified cannot be updated
through account-api. The attributes
response field lists these.
Do not just reauthenticate the user and try again.
- check the
errors
returned as an extra detail in the response for specific error messages