The authorization endpoint is always contacted through a browser. This endpoint requires that the user has an existing browser session with the Identity Server. If no session exists at the time of the request, the authorization endpoint redirects the user to log in. This endpoint is used when the client uses the Authorization Code flow or Implicit flow.
Endpoint URL: https://<Identity Server URL: Port Number>/nidp/oauth/nam/authz
Request method: GET and POST
NOTE: The basic authorization header is not supported for this endpoint.
To get an authorization code, the client application should invoke a GET or a POST request to Identity Server's authorization endpoint with the following request query string parameters:
Parameter | Required | Value | Description
---|---|---|---
client_id | Yes | | Client application ID, which is obtained at the time of client application registration.
response_type | Yes | | The following values are supported:
redirect_uri | Optional | | If provided, the value must exactly match one of the redirect URIs registered during application registration. If not provided, the browser is redirected to one of the redirect URIs registered during application registration.
scope | Yes | openid | List of scopes the application requires. The scopes are case-sensitive. The request must contain the scope "openid" to get an id_token; otherwise the scope parameter is optional. You can get all "scopes_supported" from the authorization server's OpenID Metadata endpoint. Scope values are space-separated (encoded as %20 or +).
resourceServer | Optional | | Specify the registered resource server name. If this parameter is present, the authorization server uses the encryption method configured for that resource server to encrypt the access token. For more information, see Creating Custom Resource Server.
state | Recommended | | An opaque value used by the client to maintain state between the request and the callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter should be used to prevent cross-site request forgery.
prompt | Optional | none or login or consent | The values can be "none", "login", or "consent". With "none", no user interface is shown if the user is not already authenticated; instead an error such as "login_required" or "interaction_required" is sent back to the client application. This is useful if the client wants to detect whether the user has an existing session with Identity Server and has given the necessary consents. For more information, see Defining Scopes for a Resource Server.
login_hint | Optional | | This parameter takes the username from the client application and auto-populates the Access Manager login form. For example, if you specify login_hint=abc@xyz.com, then when the user is redirected to the Access Manager login page, the username field is populated with abc@xyz.com.
max_age | Optional | 300 | Maximum authentication age at Identity Server, in seconds. If the user has not logged in within this elapsed time, the user is re-prompted for authentication.
acr_values | Optional | /name/password/uri | If the client request contains the acr_values parameter, Identity Server maps the value to a configured contract and prompts the user with that contract if the user is not already authenticated with it. This contract is also sent in the ID Token after authentication.
device_id | Optional | | Specify the device ID with which the token should be associated.
response_mode | Optional | query/fragment/form_post | Specify response_mode to receive the response parameters in the form required by your client application. For more information about this parameter and its values, see Response Modes in OAuth 2.0 Multiple Response Type Encoding Practices. NOTE: If the response_mode parameter is absent, the default response_mode is used, which is determined by the response_type parameter value as specified in the Response Modes specification.
The Identity Server responds with an HTTP 302 redirect to the redirect_uri given in the authorization request. If the request does not contain the redirect_uri parameter, Identity Server redirects to one of the registered redirect URIs.
Parameter | Description
---|---
code | An opaque binary token of variable length. The application should not assume the size of the code but should allocate sufficient space for reading it.
state | Contains the state parameter sent in the authentication request above.
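As an added example (not part of this documentation or the Access Manager product), the following Python builds an authorization request for the /nidp/oauth/nam/authz endpoint with a random state value and then validates the redirect that comes back, rejecting a callback whose state does not match and surfacing prompt=none errors such as login_required. The host, client_id and redirect_uri are constructed placeholders.

```python
import secrets
import urllib.parse

# Constructed placeholders; substitute the real Identity Server host and registered client values.
AUTHZ_ENDPOINT = "https://idp.example.com:8443/nidp/oauth/nam/authz"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def build_authz_request(client_id, redirect_uri, scopes, prompt=None):
    """Return (authorization URL, state). The caller stores state server-side
    in the user's session so the callback can be checked against it."""
    state = secrets.token_urlsafe(32)  # unguessable, one-time CSRF binding
    params = {
        "client_id": client_id,
        "response_type": "code",        # Authorization Code flow
        "redirect_uri": redirect_uri,   # must match a registered URI exactly
        "scope": " ".join(scopes),      # space-separated; "openid" needed for an id_token
        "state": state,
    }
    if prompt:
        params["prompt"] = prompt
    # quote_via=quote encodes the scope separator as %20 (the server also accepts +)
    url = AUTHZ_ENDPOINT + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return url, state


def handle_callback(callback_url, expected_state):
    """Parse the 302 target the browser arrived at and return the authorization code.
    Raises ValueError on a state mismatch or missing code, RuntimeError on a server error."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale callback")
    if "error" in query:
        # e.g. login_required / interaction_required when prompt=none and no session exists
        raise RuntimeError("authorization error: " + query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code  # opaque and variable-length: never assume its size or format
```

The returned code is then exchanged at the token endpoint; only the state check and error handling shown here belong to the authorization step.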
NOTE: If you are using curl, add `-H 'Expect:'` to the headers of the token request.