OpenID Connect Authorization Endpoint
This OpenID Connect endpoint is used to request an access token using the implicit grant, or an authorization code using the authorization code grant.
GET /{tenant}/oauth2/v1/auth/
The OpenID Connect endpoint supports all operations and request parameters of the OAuth 2.0 Authorization Endpoint.
For more information on OpenID Connect, see the OpenID Connect specifications.
Requesting an access token using the Implicit Grant
Request
Only OpenID Connect specific parameters are listed. For the OAuth 2.0 parameters see the OAuth 2.0 Authorization Endpoint.
Name | Values | Description | Required |
---|---|---|---|
response_mode | form_post | In this mode, Authorization Response parameters are encoded as HTML form values that are auto-submitted in the User Agent, and thus are transmitted via the HTTP POST method to the Client. See https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html. | No |
nonce | String | String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. | No |
prompt | Supported values: none (the Authorization Server MUST NOT display any authentication or consent user interface pages); login (the Authorization Server SHOULD prompt the End-User for reauthentication). | Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. | No |
max_age | Maximum number of seconds | Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by The Identity Hub. If the elapsed time is greater than this value, The Identity Hub attempts to actively re-authenticate the End-User. | No |
GET /{tenant}/oauth2/v1/auth/?
response_type=token
&client_id=[YOUR_CLIENT_ID]
&redirect_uri=https://[YOUR_APP_REDIRECT_URI]/
&scope=[SCOPES]
&state=[STATE]
Response
If the user successfully authenticates and grants access if needed, The Identity Hub returns an access token to your application. The response parameters are returned to your application in the URI fragment. Since a URI fragment is not sent to the server, client-side script must parse the fragment and extract the value of the access_token parameter.
Only OpenID Connect specific response parameters are listed. For the OAuth 2.0 parameters see the OAuth 2.0 Authorization Endpoint.
Name | Values | Description |
---|---|---|
id_token | The OpenID Connect ID Token | Only returned when the openid scope was specified in the authorization request. The ID token is in the format |
https://[YOUR_APP_REDIRECT_URI]/#
access_token=X5678IYHI690UJJJ000
&token_type=bearer
&expires_in=960
&scope=[SCOPES]
&state=[STATE]
&id_token=[IDTOKEN]
Handling errors
If the specified parameters of the request are invalid, The Identity Hub will respond with an error. When the specified client_id or redirect_uri parameter in the access token request is invalid, the user agent is not redirected to the specified redirect_uri. Instead, a message is displayed by The Identity Hub to the user.
Only OpenID Connect specific response parameters are listed. For the OAuth 2.0 parameters see the OAuth 2.0 Authorization Endpoint.
Name | Values | Description |
---|---|---|
error | request_not_supported | The Identity Hub does not support use of the request parameter defined. |
error | account_selection_required | This error MAY be returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface to prompt for a session to use. |
error | login_required | This error is returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface for End-User authentication. |
https://[YOUR_APP_REDIRECT_URI]/#error=request_not_supported
Requesting an authorization code using the Authorization Code Grant
Request
Only OpenID Connect specific parameters are listed. For the OAuth 2.0 parameters see the OAuth 2.0 Authorization Endpoint.
Name | Values | Description | Required |
---|---|---|---|
response_mode | form_post | In this mode, Authorization Response parameters are encoded as HTML form values that are auto-submitted in the User Agent, and thus are transmitted via the HTTP POST method to the Client. See https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html. | No |
nonce | String | String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. | No |
prompt | Supported values: none (the Authorization Server MUST NOT display any authentication or consent user interface pages); login (the Authorization Server SHOULD prompt the End-User for reauthentication). | Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. | No |
max_age | Maximum number of seconds | Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by The Identity Hub. If the elapsed time is greater than this value, The Identity Hub attempts to actively re-authenticate the End-User. | No |
GET /{tenant}/oauth2/v1/auth/?
response_type=code
&client_id=[YOUR_CLIENT_ID]
&redirect_uri=https://[YOUR_APP_REDIRECT_URI]/
&scope=[SCOPES]
&state=[STATE]
&code_challenge=[CODE_CHALLENGE]
&code_challenge_method=[CODE_CHALLENGE_METHOD]
Response
If the user successfully authenticates and grants access if needed, The Identity Hub returns an authorization code to your application. The response parameters are returned to your application in the query string of the redirect URI, so they can be read by the web server.
Only OpenID Connect specific parameters are listed. For the OAuth 2.0 parameters see the OAuth 2.0 Authorization Endpoint.
https://[YOUR_APP_REDIRECT_URI]/?code=X5678IYHI690UJJJ000&state=[STATE]
Handling errors
If the specified parameters of the request are invalid, The Identity Hub will respond with an error. When the specified client_id or redirect_uri parameter in the access token request is invalid, the user agent is not redirected to the specified redirect_uri. Instead, a message is displayed by The Identity Hub to the user.
Only OpenID Connect specific response parameters are listed. For the OAuth 2.0 parameters see the OAuth 2.0 Authorization Endpoint.
Name | Values | Description |
---|---|---|
error | request_not_supported | The Identity Hub does not support use of the request parameter defined. |
error | account_selection_required | This error MAY be returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface to prompt for a session to use. |
error | login_required | This error is returned when the prompt parameter value in the Authentication Request is none, but the Authentication Request cannot be completed without displaying a user interface for End-User authentication. |
https://[YOUR_APP_REDIRECT_URI]/?error=access_denied