4.3 Authorization Endpoint

The authorization endpoint is always contacted through a browser. This endpoint requires that the user has an existing browser session with the Identity Server. If no session exists at the time of the request, the authorization endpoint redirects the user to log in. This endpoint is used when the client uses the Authorization Code flow or Implicit flow.

Endpoint URL: https://<Identity Server URL: Port Number>/nidp/oauth/nam/authz

Request method: GET and POST

NOTE: The basic authorization header is not supported for this endpoint.

4.3.1 Request Parameters

To get an authorization code, the client application should invoke a GET or a POST request to Identity Server's authorization endpoint with the following request query string parameters:

| Parameter | Required | Value | Description |
|---|---|---|---|
| client_id | Yes | | Client application ID, obtained at the time of client application registration. |
| response_type | Yes | code, token, id_token, code token, or code token id_token | One of the supported values listed in the Value column. |
| redirect_uri | Optional | | If provided, the value must exactly match one of the URIs registered during application registration. If not provided, the browser is redirected to one of the registered redirect URIs. |
| scope | Yes | openid | Space-separated list of scopes the application requires (the separator is URL-encoded as %20 or +). Scopes are case-sensitive. The request must contain the scope openid to obtain an id_token; otherwise the scope parameter is optional. All supported scopes ("scopes_supported") are listed at the authorization server's OpenID Metadata endpoint. |
| resourceServer | Optional | | Name of the registered resource server. If this parameter is present, the authorization server encrypts the access token in the way configured for that resource server. For more information, see Creating Custom Resource Server. |
| state | Recommended | | An opaque value used by the client to maintain state between the request and the callback. The authorization server includes this value when redirecting the user-agent back to the client. Use this parameter to prevent cross-site request forgery. |
| prompt | Optional | none, login, or consent | With none, no user interface is shown. If the user is not already authenticated, an error such as login_required or interaction_required is returned to the client application. This is useful if the client wants to detect whether the user has an existing session with Identity Server and has given the necessary consents. For more information, see Defining Scopes for a Resource Server. |
| login_hint | Optional | | Takes the username from the client application and auto-populates the Access Manager login form. For example, with login_hint=abc@xyz.com the username field of the Access Manager login page is populated with abc@xyz.com. |
| max_age | Optional | 300 | Maximum authentication age at Identity Server in seconds. If the user has not logged in within this elapsed time, the user is re-prompted for authentication. |
| acr_values | Optional | /name/password/uri | If the request contains acr_values, Identity Server maps the value to the configured contracts and prompts the user with that contract if the user is not already authenticated with it. The contract is also sent in the ID Token after authentication. |
| device_id | Optional | | The device ID with which the token is to be associated. |
| response_mode | Optional | query, fragment, or form_post | Specifies how the response parameters are returned to the client application. For more information about this parameter and its values, see Response Modes in OAuth 2.0 Multiple Response Type Encoding Practices. |

NOTE: If the response_mode parameter is absent, the default response_mode is used, which depends on the response_type value as described in the Response Modes specification.

4.3.2 Response Values

Identity Server responds with an HTTP 302 redirect to the redirect_uri given in the authorization request. If the request does not contain the redirect_uri parameter, Identity Server redirects to one of the registered redirect URIs.

| Parameter | Description |
|---|---|
| code | An opaque token of variable length. The application should not assume the size of the code but should allocate sufficient space to read it. |
| state | Contains the state parameter sent in the authorization request. |

NOTE: If you are using cURL, add -H 'Expect:' to the header of the token request.
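The request and the 302 callback described in this section, as an added Python example that is not part of the Access Manager documentation: it builds the authorization URL with a random state value and then checks the callback's state before trusting the code. The host, client_id and redirect_uri are constructed placeholders.

```python
# Added example (not from the Access Manager documentation): build the
# authorization request described above and validate the 302 callback.
# Host, client_id and redirect_uri used with it are constructed placeholders.
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHZ_PATH = "/nidp/oauth/nam/authz"   # endpoint path from the documentation


def build_authz_url(idp_base, client_id, redirect_uri, scopes,
                    response_type="code", state=None, **extra):
    """Return (url, state). Scopes are space-separated; urlencode emits '+'."""
    state = state or secrets.token_urlsafe(32)   # opaque CSRF-binding value
    params = {"client_id": client_id, "response_type": response_type,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes),
              "state": state}
    # Optional parameters from the table: prompt, login_hint, max_age,
    # acr_values, resourceServer, device_id, response_mode.
    params.update({k: v for k, v in extra.items() if v is not None})
    return idp_base.rstrip("/") + AUTHZ_PATH + "?" + urlencode(params), state


def parse_callback(location, expected_state, response_mode="query"):
    """Validate the Location header of the 302 redirect and return the code.

    Raises ValueError if state is missing or mismatched, if the server
    returned an error, or if no code is present.
    """
    parts = urlsplit(location)
    raw = parts.fragment if response_mode == "fragment" else parts.query
    q = parse_qs(raw)
    # Compare state before trusting anything else in the callback.
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale callback")
    if "error" in q:
        raise ValueError("authorization error: " + q["error"][0])
    code = q.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code   # opaque and variable length: never assume its size
```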