Authorization Endpoint
The Authorization (/connect/authorize) endpoint is the entry point of the OpenID Connect flow where the client application redirects the user to authenticate.
When a client wants to request an ID token or access token, it sends the user’s browser to this endpoint with a set of parameters. The endpoint displays the provider’s login screen and authenticates the user.
Afterward, it redirects the browser back to the client’s redirect URI with either an authorization code, an ID token, or an access token, depending on the chosen flow.
Authorization Request
GET and POST requests are supported.
Sample request GET

```http
GET /dppassivests/connect/authorize
?client_id=test_client
&response_mode=form_post
&response_type=id_token%20token
&scope=openid%20profile
&nonce=1220EC27-415B-4A69-9766-245B46A83641
&state=8E2EA345-6234-4500-9913-C837F2E69206
&redirect_uri=https%3A%2F%2Fapp.company.com%2Foidc HTTP/1.1
Host: idp.contoso.com
```
Sample request POST

```http
POST /dppassivests/connect/authorize HTTP/1.1
Host: idp.contoso.com
Content-Type: application/x-www-form-urlencoded

client_id=test_client
&response_mode=fragment
&response_type=id_token
&scope=openid+profile
&nonce=1220EC27-415B-4A69-9766-245B46A83641
&state=8E2EA345-6234-4500-9913-C837F2E69206
&redirect_uri=https%3A%2F%2Fapp.company.com%2Foidc
```
Where:

| Parameter | Description | Status |
|---|---|---|
| client_id | Client identifier | Mandatory |
| response_mode | Defines the authorization processing flow. The supported values depend on the authentication flow configured for the client. | Mandatory |
| response_type | Defines how the authentication result is delivered. | Mandatory |
| redirect_uri | Redirection URI to which the response will be sent. Must match one of the registered values. | Mandatory |
| scope | List of the requested scopes (space-separated). Must include at least the openid scope. | Mandatory |
| nonce | A unique value, required when requesting ID tokens, that prevents replay attacks. It is returned to the client as a claim in the ID token. | Mandatory |
| [state] | A value provided by the client to maintain request integrity and prevent CSRF attacks. It is returned to the client with a successful authentication response. | Optional |
| [prompt] | Add prompt=login to force user authentication | Optional |
| [max_age] | Enforces re-authentication if the user logged in more than the specified number of seconds ago | Optional |
| [login_hint] | Provides the identity provider with a suggested username to streamline the login experience | Optional |
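The following Python script is an added example, not part of the product documentation, showing how a relying party builds the authorization request from the parameters in the table: it generates an unguessable state and nonce, refuses a redirect_uri that is not registered, requires the openid scope, and rejects response_mode/response_type combinations that the response section below says are not allowed. The endpoint URL, the registered redirect URI and the client settings are constructed values modelled on the samples, not values from a real tenant.

```python
import secrets
from urllib.parse import urlencode

# Constructed settings modelled on the sample requests; the host, path and the
# registered redirect URI are assumptions for this example, not real tenant data.
AUTHORIZE_ENDPOINT = "https://idp.contoso.com/dppassivests/connect/authorize"
REGISTERED_REDIRECT_URIS = {"https://app.company.com/oidc"}
RESPONSE_MODES = {"form_post", "fragment", "query"}


def new_random_value() -> str:
    """Unguessable value used for state (CSRF protection) and nonce (replay protection)."""
    return secrets.token_urlsafe(32)


def flow_for(response_type: str) -> str:
    """Classify a response_type the way the response section groups flows."""
    types = set(response_type.split())
    if types == {"code"}:
        return "authorization_code"
    if "code" in types:
        return "hybrid"
    return "implicit"


def build_authorize_request(client_id, redirect_uri, response_type, response_mode,
                            scope="openid profile", prompt=None, max_age=None,
                            login_hint=None):
    """Return (url, state, nonce). The caller must keep state and nonce server-side
    (for example in the user's session) so the response can be checked against them."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError("redirect_uri must match a registered value")
    if "openid" not in scope.split():
        raise ValueError("scope must include the openid scope")
    if response_mode not in RESPONSE_MODES:
        raise ValueError(f"unsupported response_mode {response_mode!r}")
    flow = flow_for(response_type)
    if response_mode == "query" and flow != "authorization_code":
        raise ValueError("query is only allowed for the authorization code flow")
    if response_mode == "fragment" and flow == "authorization_code":
        raise ValueError("fragment is only allowed for the implicit and hybrid flows")

    state, nonce = new_random_value(), new_random_value()
    params = {
        "client_id": client_id,
        "response_mode": response_mode,
        "response_type": response_type,
        "scope": scope,
        "nonce": nonce,
        "state": state,
        "redirect_uri": redirect_uri,
    }
    # Optional parameters from the table are sent only when the caller asks for them.
    if prompt:
        params["prompt"] = prompt
    if max_age is not None:
        params["max_age"] = str(int(max_age))
    if login_hint:
        params["login_hint"] = login_hint
    # urlencode percent-encodes the redirect URI and joins the scopes with '+',
    # matching the POST sample; a form body would use the same encoding.
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state, nonce


if __name__ == "__main__":
    url, state, nonce = build_authorize_request(
        "test_client", "https://app.company.com/oidc", "id_token token", "form_post")
    print(url)
```

Because state and nonce are generated per request and bound to the session, a response carrying a different state (a stale or forged redirect) or an ID token carrying a different nonce (a replayed token) can be rejected when the response arrives.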
Authorization Response
After successful authentication, the browser sends a request carrying the authentication response to the client's redirect URI.
Response type form_post
```http
POST /oidc HTTP/1.1
Host: app.company.com
Content-Type: application/x-www-form-urlencoded

id_token=[JWT]&state=8E2EA345-6234-4500-9913-C837F2E69206
```
Response type fragment (only for the implicit and hybrid flows)
```http
GET /oidc#id_token=[JWT]&state=8E2EA345-6234-4500-9913-C837F2E69206 HTTP/1.1
Host: app.company.com
```
Response type query (only for the authorization code flow)
```http
GET /oidc?code=5a71a3b565b47a18e4d876b00494b6b7&state=8E2EA345-6234-4500-9913-C837F2E69206 HTTP/1.1
Host: app.company.com
```
Where:

| Parameter | Response type | Description |
|---|---|---|
| scope | | List of requested scopes |
| id_token | | ID token in the JWT format |
| access_token | Hybrid | Access token |
| expires_in | Hybrid | Access token lifetime in seconds |
| token_type | Hybrid | Token type, always "Bearer" |
| code | Authorization code | A temporary authorization code to use with the grant request |
| state | All | The same value passed in the request |
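The following Python code is an added example, not part of the product documentation, showing the receiving side of the three responses above: it extracts the parameters from the form body, the URL fragment or the query string, rejects a response whose state does not match the value saved when the request was built, and, when an ID token is present, verifies its signature before checking that the nonce claim matches the saved nonce. The HS256 shared key is an assumption made so the example runs offline; a real client must verify with the provider's published keys and algorithm. The session dictionary, the key and the helper that mints a test token are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlsplit


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_authorization_response(response_mode, request_target=None, body=None):
    """Extract the response parameters from whichever delivery mode was used:
    the form body (form_post), the URL fragment (fragment) or the query string (query)."""
    if response_mode == "form_post":
        raw = body or ""
    elif response_mode == "fragment":
        raw = urlsplit(request_target).fragment
    elif response_mode == "query":
        raw = urlsplit(request_target).query
    else:
        raise ValueError(f"unsupported response_mode {response_mode!r}")
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def verify_id_token(id_token: str, key: bytes) -> dict:
    """Check an HS256 JWT signature and return its claims. HS256 with a shared key is
    an assumption for this example; use the provider's keys and algorithm in production.
    No claim is trusted until the signature has been checked."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in id_token header")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("id_token signature is invalid")
    return json.loads(_b64url_decode(payload_b64))


def validate_authorization_response(params, session, key, now=None):
    """session holds the state and nonce saved when the request was built plus the
    client_id. Returns what the client may use next: the code, tokens and claims."""
    now = time.time() if now is None else now
    if params.get("state") != session["state"]:
        raise ValueError("state mismatch: response does not belong to this session")
    result = {k: params[k] for k in ("code", "access_token", "token_type", "expires_in")
              if k in params}
    if "id_token" in params:
        claims = verify_id_token(params["id_token"], key)
        if claims.get("nonce") != session["nonce"]:
            raise ValueError("nonce mismatch: ID token was not issued for this request")
        if claims.get("aud") != session["client_id"]:
            raise ValueError("ID token audience is not this client")
        if claims.get("exp", 0) <= now:
            raise ValueError("ID token has expired")
        result["claims"] = claims
    # state and nonce are single-use: clear them so a replayed response fails the check.
    session["state"] = None
    session["nonce"] = None
    return result


def make_test_id_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 token for the demonstration; a real provider issues these."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```

The state check is what makes the optional state parameter worth sending: without it the client cannot tell whether an incoming redirect belongs to a login it started. The nonce check only has value after the signature is verified, because an unsigned or mis-signed token could carry any nonce.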