Authentication API Documentation

v1Showing ATRP specific information

To use the IAGL Avios API, partners need to register and obtain an API key for our staging environment. A different key will be provided when the partner application is deployed to live.

The IAGL Avios API offers loyalty services across 3 programmes:

British Airways Executive Club
Aer Lingus AerClub
Vueling Club

Member authentication is mandatory for most of the Avios endpoints and achieved through an Oauth2 Authorization Code flow:

When a member attempts authentication, the partner application will present a third-party login form according to their programme.
After the Authentication system validates the partner and lets the member enter their credentials.
The Authentication system validates the member and returns an auth_code to the partner application.
The partner sends a request to the Authentication system with the auth_code and the authorisation code grant_type.
The Authentication system generates and returns a token to the partner, which can be passed into subsequent requests to call other Avios endpoints.

Client credentials authentication is applicable to some Avios endpoints through an Oauth2 Client Credentials flow:

The partner sends a request to the Authentication system with its client identifier and secret and the client credentials grant_type.
The Authentication system generates and returns a token to the partner, which can be passed into subsequent requests to call other Avios endpoints.

The token issued depends on the programme.

Programme	Grant Authorisation	Token
British Airways Executive Club	client_id (Confidential)	Oauth2 Bearer token Or JWT
Aer Lingus AerClub	Basic Auth	JWT
Vueling Club	Basic Auth	JWT

This authentication applies to Aer Lingus AerClub and Vueling Club.

Usage of the Authentication API follows successful calls to both the Join Programme and Register Account endpoints. The Authentication API must be called prior to, Retrieve Membership, Update Membership, Retrieve Transaction, Debit Currency or Reverse Transaction (and to execute Debit Currency a pricing request must have been performed).

The following steps are performed by the Authentication service:

Authenticate partner/member.
Generate an access token.

Important Technical Notes

The endpoint returns the response attributes in uppercase and lowercase ASCII characters as appropriate.

Pre-conditions

In order to authenticate, the partner must have successfully registered with a supported loyalty programme.
The partner must have then obtained from Avios the following values: a business-context-identifier, a programme-identifier, a partner secret and a client identifier.
An account must exist within the Avios loyalty platform for the member.
The partner must have successfully obtained auth_code.

Post-conditions

Success outcome: An access token is returned in the API response message.

Error outcome: Service error is returned.

Partner Login Page Endpoint:

'POST https://partnerservices.avios.com/secure/code?response_type={response_type}&client_id={client_id}&scope={scope}&state={state}&brandName={brandName}&programme-identifier={programme-identifier}&business-context-identifier={business-context-identifier}'

Example:

https://partnerservices.avios.com/secure/code?response_type=code&client_id=TESTA00001&scope=READ&state=Sogo2&brandName=TESTA&programme-identifier=ATRP&business-context-identifier=BCI

Name	Data type	Description
`response_type` Required	String	Value must be set to 'code' always. This signifies that the partner is attempting to initiate the token process using OAuth's authorization_code grant type Format: String
`redirect_uri` Conditional	String	Representing the endpoint to which the authorization server sends the auth code as query parameter. The redirect uri should match with configured uri. Different redirect uris are configured for different partners. Format: Alphabetic plus colon (:), forward slash (/), dash (-), underscore or period (.).
`client_id` Required	String	Client Id specific to each partner. This will have been provided during the partner on-boarding process. Format: Alphanumeric
`scope` Optional	String
`state` Optional	String	To maintain state between the request and call-back to avoid the CSRF (Cross-Site Request Forgery) attacks. Format: Alphanumeric
`brandName` Optional	String	To display the partner logo in the login pages Format: Alphabetic only
`Programme-Identifier` Required	String	The identifier for the loyalty programme to which the member belongs. This will have been provided during the partner on-boarding process. Format: Alphabetic only. Max length: 20
`Business-Context-Identifier` Required	String	Context through which the information is coming. The value assigned to the partner. Once the value was passed it should be used when calling all other endpoints which required business- context-identifier. Currently not in use, business-context-identifier value will have been provided during the partner on-boarding process which should be used when calling other endpoints. Format: Alphabetic only. Max length: 50

Authentication Grant Type: Authorization_code

Authorization_code Grant Type Endpoint:

https://partnerservices.avios.com/secure/key?grant_type={grant_type}&code={code}&client_id={client_id}

Example:

https://partnerservices.avios.com/secure/key?grant_type=authorization_code&code=oIjPSa&client_id=TESTA00001

Name	Data type	Description
`grant_type` Required	String	This grant type allows partner to use their credentials to retrieve an access token directly, which allows access to resource under partner’s control. Must be set to ‘authorization_code’. Format: Enumeration
`code` Required	String	This is the authorization code previously retrieved from OAuth authorization server in auth code for partner login page scenario. Authorization code can only be used once to authenticate a member. Format: Alpha numeric
`client_id` Optional	String	Client Id specific to each partner. This will have been provided during the partner on-boarding process. Format: Alphanumeric
`scope` Optional	String	Providing scope is only necessary when resetting the password or retrieving the username of a member. The values of the scope can be set to “reset_password” or “retrieve_username”. Format: Enumeration

Authentication Headers for grant Type: Authorization_code

Name	Data type	Description
`business-context-identifier` Required	String	Channel through which the information is coming. The value assigned to the partner. Format: Alphabetic only. Min length: 1, Max length: 50
`programme-identifier` Required	String	The identifier for the loyalty programme to which the member belongs. Format: Alphabetic only
`authorization` Required	String	This is base64 encoded combination of client Identifier and Partner Secret. This information is shared as part of partner on-boarding. Format: Base 64 encoded
`accept` Optional	String	The Accept request-header field is used to specify certain media types which are acceptable for the response. Only supported value is “application/json” Format: application/json
`x-forwarded-for` Optional	String	The IP address of the end customer. Format: Valid IP address

Request Elements

There is no separate request payload. The details required for token are available in request headers and query parameters.

Response Elements

The following is an example of a response generated by the Authentication API. Token response for grant type ‘authorization_code‘:

{
  "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjM0NzU2MTcxNTYsInVzZXJfbmFtZSI6InVzZXJuYW1lX0plZXQiLCJzY29wZSI6WyJ3cml0ZSJdLCJqdGkiOiI5NzNkMDEyYi04NDVhLTQzMjEtYjJmNC0yNTdlMDFkZTcxZDQiLCJjbGllbnRfaWQiOiJ0ZXN0ciIsIlRva2VuX0luZm9ybWF0aW9uIjp7ImRhdGVUaW1lSXNzdWVkIjoiMjAxNi0xMC0wNCIsImF1dGhlbnRpY2F0aW9uTGV2ZWwiOiJBVVRIRU5USUNBVEVEIiwibWVtYmVyc2hpcE51bWJlciI6IjMwODE0NzEwMTA5OTM2MzEiLCJyZXF1ZXN0QXBwbGljYXRpb24iOiJBUEkiLCJyZXF1ZXN0ZWRQYXJ0bmVySWQiOiJ0ZXN0ciIsInByb2dyYW1tZUlkZW50aWZpZXIiOiJBVFJQIn19.rciZVcZGdRmPA66FGIDZzAeeHfSuxJ0n1Nac",
  "token_type": "bearer",
  "refresh_token": "eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NzU3ODUzNjcsInVzZXJfbmFtZSI6InVzZXJuYW1lX0plZXQiLCJzY29wZSI6WyJ3cml0ZSJdLCJqdGkiOiJi ZDdjM2I1OC04N2IxLTRmYzctYTJhOC0zZTU3OTQ4MjQ3NWMiLCJjbGllbnRfaWQiOiJ0ZXN0ciIsImF0aSI6Ijk3M2QwMTJiLTg0NWEtNDMyMS1iMmY0LTI1N2UwMWRlNzFkNCJ9.KZnyldWK7yhE-vZaoYfD_r31qIdFK55C_eTE2bAArnA",
  "expires_in": 2000031788,...

The elements that make up the response message are detailed in the following table. The endpoint returns the response attributes in uppercase or lowercase ASCII characters as appropriate.

Name	Data Type	Description
`token` Present	Complex type	Token represents credentials used to access protected resources.
`token.access_token` Present	String	An access token is a string representing an authorisation issued to the client. This token must be provided to secured API calls like update security profile, retrieve member etc. Format: JWT Token
`token.token_type` Present	String	Type of the token generated for the partner Format: Enumeration
`token.refresh_token` Conditional	String	A refresh token is a string representing an authorisation issued to the client for obtaining a new access token. Because refresh tokens are typically long-lasting credentials used to request additional access tokens, the refresh token is bound to the client to which it was issued. Format: JWT Token
`token.expires_in` Present	Number	The time interval after which the token will expire. The unit in seconds Format: Numeric
`token.scope` Present	String	Providing scope is only necessary when resetting the password or retrieving the username of a member. The values of the scope can be set to “reset_password” or “retrieve_username”. Format: Enumeration
`token.jti` Present	Number	This represents jwt token identifier Format: Numeric
`token.Token Information` Present	Complex type	Additional information provided along with the token.
`token.token_Information.dateTimeIssued` Present	Date	The date when the token was issued to the partner. Format: yyyy-mm-dd
`token.token_Information.authenticationLevel` Present	String	This describes the authentication status. Will always be ‘AUTHENTICATED’ Format: Enumeration
`token.token_Information.requestApplication` Present	String	The application which requested the token. Business-Context- Identifier header is set as requestApplication. Format: Alphabets only
`token.token_Information.membershipNumber` Conditional	String	Membership number is the member identifier who’s credentials are authorised for obtaining the access token. This is only applicable for password grant type. Format: Min length = 16. Max Length = 24. Numeric only
`token.token_Information.requestedPartnerId` Present	String	This represents partner identifier who requested the token Format: Min length: 8. Max length: 20. Alphanumeric
`token.token_Information.programmeIdentifier` Present	String	Identifier specifying the loyalty programme the member belongs to. Value will be the same which were provided in the request header. Format: Alphabets only

Exception Message Elements

Error message 1:

{
  "error": "unsupported_grant_type",
  "error_description": "Unsupported grant type: passwordw"
}

Error message 2:

{
  "error": "server_error",
  "error_description": "Request UnAuthorized"
}

This service returns standard OAuth 2.0 error messages. The exception message responses may be formatted in either upper or lower case.

Name	Data type	Description
`error` Required	String	Error code. Example: server_error Format: Alphabetic plus underscore
`description` Conditional	String	Description of the error. Example: Request UnAuthorized Format: Alphanumeric with special characters colon (:), space ( ).
`scope` Conditional	String	Describes possible scopes of grant type client credentials. Will be present when the requested scope is invalid, unknown, or malformed. Example: read Format: Alphanumeric

Error Codes

All the errors from the Authentication service are returned in the standard OAuth 2.0 format shown above. This reports errors as a combination of parent error code and child error code.

The error codes for Authentication are shown in the following table:

Http Status Code	Description
`400` Invalid_request	The request is missing a required parameter, includes an invalid parameter value
`401` unauthorized	The client is not authorised to request an access token using this method
`401` access_denied	The resource owner or authorisation server denied the request
`400` invalid_scope	The requested scope is invalid, unknown, or malformed
`500` server_error	The authorisation server encountered an unexpected condition which prevented it from fulfilling the request
`500` temporarily_unavailable	The authorisation server is currently unable to handle the request due to a temporary overloading or maintenance of the server
`400` unsupported_grant_type	Provided grant_type is invalid
`400` Invalid_grant	Provided Auth code is already used or incorrect
`401` Invalid_client	Provided client id doesn’t match to the authentication information specified in headers.

User Friendly Error Codes

The following table describes the list of user friendly error message when the member tries to login using login page.

Error Scenario	Error Message
Multiple attempts for a username	Your details have not been recognised, please try again or update them at avios.com.
Invalid username.password	Your details have not been recognised, please try again or update them at avios.com.
System Unavailable.Invalid security test	We seem to be experiencing some difficulties. Please try again later.
Username field is blank	Please enter your username.
Password field is blank	Please enter your password.
Password and Username fields are blank	Please enter your username. Please enter your password.
Invalid format of Username.Password	Your details have not been recognised, please try again or update them at avios.com.
Invalid format of IP Address	We seem to be experiencing some difficulties. Please try again later.