Flow Endpoint

The Flow endpoint returns the authentication types available for the first-factor authentication, together with the login_hint if one was present in the initial authorization/authentication request.

The endpoint is exposed at the following URL (and can be obtained from the server discovery endpoint):

https://[base-server-url]/{tenant}/authn/flow [POST]/[GET]
Method Details: POST, GET

Sample Requests and Responses

Sample request without login_hint parameter

GET https://[base-server-url]/{tenant}/authn/flow?request_uri=urn%3Ahid%3A9e656e74-2650-444b-811f-2d854285b037 HTTP/1.1
Sample response

HTTP/1.1 200 OK
{
    "accessCriteria": [{
        "authenticators": {
            "secondFactorsFiltering": false,
            "firstFactorsFiltering": false
        },
        "accessCriteriaId": "access_criteria.common_to_all"
    }],
    "firstFactors": [{
        "factorId": "factor.fido",
        "acr": "acr_fido",
        "code": "AT_FIDO",
        "userVerification": "required",
        "enrollmentRequired": false,
        "stepUp": "notRequired",
        "enrollActions": ["enroll_action.fido"],
        "type": "FIDO",
        "rpId": "rp-site.com",
        "accessCriteriaId": "access_criteria.common_to_all",
        "retry": 3
    }],
    "enrollActions": [{
        "deviceType": "DT_FIDO",
        "credentialType": "CT_FIDOU2F",
        "code": "AT_FIDO",
        "userVerification": "required",
        "attestationVerification": "direct",
        "enrollId": "enroll_action.fido",
        "type": "FIDO",
        "rpId": "rp-site.com",
        "accessCriteriaId": "access_criteria.common_to_all",
        "deviceBinding": "notRequired",
        "attestationVerificationCredential": "CT_FIDOU2F"
    }]
}
Sample request with login_hint parameter (for example, when the initial authorization request was response_type=code&scope=openid+profile&client_id=spl-api&redirect_uri=http://localhost&login_hint=myuser; the hint is forwarded as the username parameter)

GET https://[base-server-url]/{tenant}/authn/flow?request_uri=urn%3Ahid%3Ada69b126-d145-44d0-857b-34b0eddf4848&username=myuser HTTP/1.1
Sample response

HTTP/1.1 200 OK
{
    "loginHint": "myuser",
    "accessCriteria": [
    {
        "factorsExclusion": [],
        "roleIds": {
            "criteriaType": "logic_pattern"
        },
        "securityGroupIds": {
            "criteriaType": "logic_pattern"
        },
        "authenticators": {
            "secondFactorsFiltering": true,
            "acrFiltering": true,
            "firstFactorsFiltering": true
        },
        "groupIds": {
            "criteriaType": "logic_pattern"
        },
        "accessCriteriaId": "access_criteria.common_to_all"
    }],
    "firstFactors": [
    {
        "factorId": "factor.user_password",
        "acr": "1",
        "code": "AT_EMPPWD",
        "stepUp": "automatic",
        "type": "LOGIN",
        "actions": [
            "action.change_password",
            "action.forgot_password"
        ],
        "constraints": {
            "atLeastOneUp": false,
            "atLeastOneNum": false,
            "notBlackListed": true,
            "atLeastOneLow": false,
            "minDiffChars": 5,
            "notOldPassword": false,
            "minLength": 8,
            "notUserAttribute": true,
            "characterRange": "nothing",
            "maxLength": 100,
            "atLeastOneSpecial": false,
            "notSequence": true
        },
        "accessCriteriaId": "access_criteria.common_to_all",
        "retry": 3
    },
    {
        "factorId": "factor.otp_token",
        "acr": "2",
        "code": "AT_EMPOTP",
        "stepUp": "automatic",
        "type": "OTP",
        "accessCriteriaId": "access_criteria.common_to_all",
        "retry": 1
    }],
    "actions": [
    {
        "actionId": "action.change_password",
        "type": "CHANGE_PWD",
        "accessCriteriaId": "access_criteria.common_to_all",
        "retry": 3
    },
    {
        "validityPeriod": 900,
        "actionId": "action.forgot_password",
        "type": "FORGOT_PWD",
        "accessCriteriaId": "access_criteria.common_to_all",
        "retry": 3,
        "resetPasswordMethods": [
            "sms",
            "email"
        ]
    }]
}

Error Responses

Code   Label         Possible Errors
400    BAD REQUEST   invalid_request
                     invalid_grant

Error when the request_uri parameter is missing

HTTP/1.1 400 Bad Request
{
    "error_description": "Invalid request : missing request_uri",
    "error": "invalid_request"
}
Error when request_uri does not exist or has expired

HTTP/1.1 400 Bad Request
{
    "error_description": "Invalid grant : Cannot find challenge",
    "error": "invalid_grant"
}
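The client side of the exchanges above, as an added example that is not part of this documentation or the product's own code: building the GET URL (percent-encoding the request_uri urn and forwarding login_hint as username), mapping a 200 body to its first factors, treating an invalid_grant as a signal to restart the authorization request, and pre-checking a password against the constraints advertised with a LOGIN factor. The sample bodies are constructed from the responses shown above, trimmed; the base URL and tenant are placeholders, and the reading of notUserAttribute is an assumption.

```python
import json
from urllib.parse import urlencode

# Constructed sample bodies, trimmed from the responses documented on this page.
SAMPLE_OK = ('{"loginHint": "myuser", "firstFactors": [{"factorId": "factor.user_password", '
             '"type": "LOGIN", "acr": "1", "constraints": {"minLength": 8, "maxLength": 100, '
             '"atLeastOneUp": false, "atLeastOneNum": false, "atLeastOneLow": false, '
             '"atLeastOneSpecial": false, "notUserAttribute": true}}, '
             '{"factorId": "factor.otp_token", "type": "OTP", "acr": "2"}]}')
SAMPLE_EXPIRED = '{"error_description": "Invalid grant : Cannot find challenge", "error": "invalid_grant"}'

class FlowError(Exception):
    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error
        # invalid_grant: the challenge behind request_uri is gone (expired or unknown), so the
        # client must restart the authorization request; retrying this call cannot succeed.
        self.restart_required = error == "invalid_grant"

def build_flow_url(base_url, tenant, request_uri, login_hint=None):
    """GET URL for the flow endpoint: urlencode percent-encodes the urn (':' -> '%3A') and a
    login_hint carried by the authorization request is forwarded as 'username'."""
    params = {"request_uri": request_uri}
    if login_hint:
        params["username"] = login_hint
    return f"{base_url.rstrip('/')}/{tenant}/authn/flow?{urlencode(params)}"

def parse_flow_response(status, body):
    """Return (loginHint, {factorId: factor}) for a 200, raise FlowError for an error body."""
    data = json.loads(body)
    if status != 200:
        raise FlowError(data.get("error", "unexpected_status"), data.get("error_description", status))
    return data.get("loginHint"), {f["factorId"]: f for f in data["firstFactors"]}

def check_password_policy(password, constraints, login_hint=None):
    """Client-side pre-check against the constraints advertised with a LOGIN factor. Only the
    self-explanatory keys are interpreted (assumption: notUserAttribute forbids the login hint
    inside the password); keys such as notBlackListed stay server-side and authoritative."""
    problems = []
    if len(password) < constraints.get("minLength", 0):
        problems.append("minLength")
    if len(password) > constraints.get("maxLength", len(password)):
        problems.append("maxLength")
    char_classes = {"atLeastOneUp": str.isupper, "atLeastOneLow": str.islower,
                    "atLeastOneNum": str.isdigit, "atLeastOneSpecial": lambda c: not c.isalnum()}
    for key, has_class in char_classes.items():
        if constraints.get(key) and not any(has_class(c) for c in password):
            problems.append(key)
    if constraints.get("notUserAttribute") and login_hint and login_hint.lower() in password.lower():
        problems.append("notUserAttribute")
    return problems
```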