configure-the-client-to-call-identity-authentication-authorize-endpoint-for-authorization-a721157.md

File metadata and controls

704 lines (327 loc) · 7.47 KB

Configure the Client to Call Identity Authentication Authorize Endpoint for Authorization Code Flow with PKCE

The authorization code flow with PKCE is recommended for public clients, which cannot keep a client secret.

You have an OpenID Connect application configured with the Public client type. For more information on how to configure the public client type, see Configure OpenID Connect Application for Authorization Code Flow.

This document explains how to call the authorize endpoint and which authorize request parameters Identity Authentication supports for the authorization code flow with PKCE.

Note:

Public clients are applications that cannot keep a client secret, such as mobile applications, native applications, and single-page applications.

Request

URI: https://<tenant ID>.accounts.ondemand.com/oauth2/authorize

**HTTP Method:** GET

Request Headers

| Header | Required | Values |
|---|---|---|
| Content-Type | Yes | application/x-www-form-urlencoded |
| Authentication | Yes | Basic Authentication (client ID and secret, used to authenticate the client, that is, the relying party; see Configure Secrets for API Authentication); X.509 certificate; JWT (client_assertion) |

Note:

For Basic Authentication, the client ID and secret must be encoded using the "application/x-www-form-urlencoded" encoding algorithm.

The request example below carries neither header: a public client, as defined above, has no secret to present and identifies itself to the authorize endpoint only through the client_id query parameter.

Request Parameters

All parameters are passed in the query string of the GET request.

| Parameter | Required | Data Type | Additional Information |
|---|---|---|---|
| redirect_uri | Yes | string | Must match a redirect URI registered for the application. See Configure OpenID Connect Application. |
| response_type | Yes | string | The supported value is code. |
| scope | Yes | string | Space-delimited list, for example scope=openid email. The supported values are listed below. |
| client_id | Yes | string | The client ID configured for the application. For more information, see Configure Secrets for API Authentication. |
| state | Yes | string | Free text. Use an unguessable value generated per request, keep it on the client, and compare it with the state returned in the redirect. |
| nonce | No | string | Free text. |
| login_hint | No | string | Pre-fills the user identifier on the logon or conditional screen when the user is already known to the service provider (SP), so the user does not have to retype it. Supported values are the allowed logon identifiers: User ID, Login Name, and E-Mail. For more information, see Configure Allowed Logon Identifiers. |
| code_challenge | Yes | string | Value derived by the client from its code_verifier, using the transformation named in code_challenge_method. See the tip below. |
| code_challenge_method | Yes | string | Transformation applied to the code verifier: S256 or plain. Prefer S256; with plain the code_verifier itself is sent in the URL, so anyone who observes the request can also complete the token exchange. |
| refresh_expiry | No | string | Reduces the lifetime of the refresh token. Useful if your application is called from mobile and web clients that have different session requirements. If you set the token lifetime to 0, no refresh_token is returned. |

The supported scope values are:

  • openid

  • email

  • profile

  • offline_access

    Note:

    The refresh token is created independently of the Identity Authentication web session. Even if the user logs out of Identity Authentication, the refresh_token remains in the database until it expires and can be used in the refresh token flow without the user having a web session in Identity Authentication.

Tip:

You can use online PKCE generator tools to produce code_challenge values when trying the request by hand. In an application, generate the code_verifier locally with a cryptographically secure random generator, once per authorization request, and never send the verifier to a third party.

Request Example

Request Example (code_challenge and code_challenge_method are required)

https://my-tenant.accounts.ondemand.com/oauth2/authorize?response_type=code&scope=openid&client_id=94ff0b4b0baa45a893c7cd24254b72b7&state=state&redirect_uri=https://example.com&code_challenge=MCVg2_O79Qpr6E7HDA0ik5R-ylwjT-_H3oUgdDQ9W50&code_challenge_method=S256

Response

Response Parameters

The code and the state are returned as query parameters of the redirect URL in the Location header.

| Parameter | Description |
|---|---|
| code | Generated by Identity Authentication and returned in the redirect URL. It must be presented in the call to the token endpoint, together with the code_verifier that belongs to the code_challenge sent in the request. |
| state | The value sent in the request, returned unchanged. |

Note:

The code can be used within two minutes after it is generated and returned in the URL, and it can be used only once. Before exchanging it, the client must verify that the returned state equals the value it sent; a mismatch means the response does not belong to a request this client started.

Response Status and Error Codes

| Code | Reason | Description |
|---|---|---|
| 302 Found | Successful operation. | Provides a redirect URL in the Location header field. The URL contains the code needed for the token endpoint. |
| 400 Bad Request | Missing or wrong parameter. | |

Response Example

Location:
 https://www.example.com/?code=4454554df477w01s34540672dc462e6f0&state=state
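The following is an added example, not code from the SAP documentation, showing the client side of the request and response described above: it generates a code_verifier and its S256 code_challenge as specified in RFC 7636 (the linked PKCE RFC), builds the authorize URL with the parameters from the table, and then checks the Location URL of the 302 for the expected state before extracting the code. Assumptions: the tenant host uses the placeholder "my-tenant" in the URI template on this page; client_id and redirect_uri are taken from the request example; the verifier length and alphabet come from RFC 7636, not from this page.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Host follows the URI template on this page; "my-tenant" is a placeholder tenant ID.
AUTHORIZE_URL = "https://my-tenant.accounts.ondemand.com/oauth2/authorize"

# Unreserved characters permitted in a code_verifier (RFC 7636 section 4.1).
VERIFIER_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(length: int = 64) -> str:
    """Fresh, CSPRNG-generated code_verifier; generate one per authorization request."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43 to 128 characters long")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def code_challenge(verifier: str, method: str = "S256") -> str:
    """Transform the verifier into the code_challenge sent to the authorize endpoint."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":
        # Accepted by the endpoint, but it places the verifier itself into the URL.
        return verifier
    raise ValueError(f"unsupported code_challenge_method: {method}")


def build_authorize_url(client_id, redirect_uri, scopes, verifier, state,
                        nonce=None, login_hint=None, refresh_expiry=None):
    """Assemble the GET URL with the query parameters documented for the endpoint."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # space-delimited, e.g. "openid email"
        "state": state,
        "code_challenge": code_challenge(verifier, "S256"),
        "code_challenge_method": "S256",
    }
    optional = {"nonce": nonce, "login_hint": login_hint, "refresh_expiry": refresh_expiry}
    params.update({k: v for k, v in optional.items() if v is not None})
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_redirect(location: str, expected_state: str) -> str:
    """Validate the Location URL of the 302 and return the code, or raise."""
    query = parse_qs(urlsplit(location).query, keep_blank_values=True)
    # Constant-time comparison of the echoed state with the value this client sent.
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this request")
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("redirect did not carry exactly one code")
    return codes[0]


def start_flow(client_id, redirect_uri):
    """Per-request secrets plus the URL to send the user to; verifier and state stay on the client."""
    verifier = new_code_verifier()
    state = b64url(secrets.token_bytes(16))
    nonce = b64url(secrets.token_bytes(16))
    url = build_authorize_url(client_id, redirect_uri, ["openid", "email"],
                              verifier, state, nonce=nonce)
    return {"code_verifier": verifier, "state": state, "nonce": nonce, "authorize_url": url}


if __name__ == "__main__":
    # client_id and redirect_uri are the values from the request example on this page.
    flow = start_flow("94ff0b4b0baa45a893c7cd24254b72b7", "https://example.com")
    print(flow["authorize_url"])
    # Constructed Location header, modelled on the response example above.
    location = ("https://example.com/?code=4454554df477w01s34540672dc462e6f0"
                "&state=" + flow["state"])
    print("code:", parse_redirect(location, flow["state"]))
```

The code_verifier and state returned by start_flow must be stored on the client (for a browser application, in session storage bound to that tab) until the redirect arrives; the verifier is then sent to the token endpoint with the code, and the code must be exchanged within the two-minute window described above.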

Related Information

OpenID Connect

Proof Key for Code Exchange by OAuth Public Clients (IETF)