The authorization endpoint is always contacted through a browser. It requires that the user has an existing browser session with the Identity Server; if no session exists at the time of the request, the authorization endpoint redirects the user to the login page. This endpoint is used when the client uses the Authorization Code flow or the Implicit flow.
Endpoint URL: https://<Identity Server URL: Port Number>/nidp/oauth/nam/authz
Request method: GET and POST
NOTE: The basic authorization header is not supported for this endpoint.
To get an authorization code, the client application should invoke a GET or a POST request to Identity Server's authorization endpoint with the following request query string parameters:
Parameter | Required | Value | Description
---|---|---|---
client_id | Yes | | Client application ID, obtained at the time of client application registration.
response_type | Yes | code / code id_token / code token / code id_token token | Set it to "code" to indicate the Authorization Code flow. The OpenID Connect Hybrid flow is also supported; the supported response_type values are code, code id_token, code token and code id_token token.
redirect_uri | Optional | | If provided, the value must exactly match one of the URIs registered during application registration. If not provided, the browser is redirected to one of the redirect URIs registered during application registration.
scope | Yes | openid | List of scopes the application requires. It must contain "openid". All "scopes_supported" can be retrieved from the authorization server's OpenID Metadata Endpoint. Scope values are space separated (encoded as %20 or +).
resourceServer | Optional | | Specify the registered resource server name. If this parameter is present, the authorization server uses the encryption method configured for that resource server to encrypt the access token. For more information, see Section 3.2, Creating Custom Resource Server.
state | Recommended | | An opaque value used by the client to maintain state between the request and the callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter should be used to prevent cross-site request forgery.
prompt | Optional | none / login / consent | The values can be "none", "login", or "consent". With "none", no user interface is shown if the user is not already authenticated; instead an error such as "login_required", "interaction_required" or another error is sent back to the client application. This is useful if the client wants to detect whether the user has an existing session with Identity Server and the necessary consents.
max_age | Optional | 300 | Maximum authentication age at Identity Server in seconds. If the user has not logged in within this elapsed time, the user is re-prompted for authentication.
acr_values | Optional | /name/password/uri | If the client request contains the acr_values parameter, Identity Server maps the value to the contracts configured in Identity Server and prompts the user with the contract if the user is not already authenticated with it. The contract is not sent in the ID token in this release.
device_id | Optional | | Specify the device ID with which the token is to be associated.
response_mode | Optional | query / fragment / form_post | Specify "response_mode" to receive the response parameters in the form your client application requires. For more information about this parameter and its values, refer to Response Modes in OAuth 2.0 Multiple Response Type Encoding Practices. NOTE: If the response_mode parameter is absent, the default response_mode is used, which depends on the response_type value as described in the Response Modes specification.
The Identity Server responds with an HTTP 302 redirect to the redirect_uri given in the authorization request. If the request does not contain the redirect_uri parameter, Identity Server redirects to one of the registered redirect URIs.
Parameter | Description
---|---
code | An opaque binary token of variable length. The application should not assume the size of the code but allocate sufficient space for reading it.
state | Contains the state parameter sent in the authentication request above.
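The following is an added client-side example, not code from the product documentation, that builds an authorization request for the endpoint described above and validates the 302 callback. The Identity Server host and port are placeholders; it also assumes that, as in standard OAuth 2.0, an error such as login_required is returned to the client in an `error` parameter.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder; the real Identity Server host and port come from your deployment.
AUTHZ_ENDPOINT = "https://idp.example.com:8443/nidp/oauth/nam/authz"


def build_authz_request(client_id, redirect_uri, scopes=("openid",),
                        response_type="code", prompt=None, max_age=None):
    """Return (url, state). The client stores state (e.g. in the user's web
    session) and compares it on the callback; that is the CSRF protection."""
    if "openid" not in scopes:
        raise ValueError("scope must contain 'openid'")
    state = secrets.token_urlsafe(32)          # unguessable, URL-safe
    params = {
        "client_id": client_id,
        "response_type": response_type,
        "redirect_uri": redirect_uri,          # must match a registered URI
        "scope": " ".join(scopes),             # urlencode emits the space as '+'
        "state": state,
    }
    if prompt is not None:                     # "none" / "login" / "consent"
        params["prompt"] = prompt
    if max_age is not None:
        params["max_age"] = str(max_age)
    return AUTHZ_ENDPOINT + "?" + urlencode(params), state


def parse_callback(location, expected_state, response_mode="query"):
    """Validate the redirect the Identity Server sent the browser to.
    Returns {"code": ...} or {"error": ...}; raises on a state mismatch.
    Assumption: errors arrive as the standard OAuth 2.0 'error' parameter."""
    parsed = urlparse(location)
    raw = parsed.fragment if response_mode == "fragment" else parsed.query
    fields = parse_qs(raw)
    state = fields.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state.encode(),
                                                   expected_state.encode()):
        raise ValueError("state mismatch: reject the callback")
    if "error" in fields:                      # e.g. login_required with prompt=none
        return {"error": fields["error"][0]}
    code = fields.get("code", [None])[0]
    if not code:                               # opaque, variable-length value
        raise ValueError("callback carries neither code nor error")
    return {"code": code}
```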