Authorization code grant - SSO

Authorization Request

Parameters

Name

Description

OAuth Parameters

response_type

"code"

Must be "code", as only the Authorization Code flow is currently supported by SSO Server

client_id

Value from client registration "client_id" value

redirect_uri

The address where the user agent is redirected after authorization

For loopback addresses, any port value is accepted

It is also possible to use private-use URI schemes

Client registration parameter "redirect_uris" controls allowed redirect_uri values for application

scope

"openid"

A space separated list of scope values

Should always include "openid"

May also specify any number of client_id values of other registered applications, when requesting an access token for other applications

Client registration parameter "scope" controls allowed scope values for application. If registration parameter is not defined then all scope values are allowed

state

An opaque value used by the client to maintain state between the request and callback

OpenID Connect Parameters

nonce

An opaque value used by the client to maintain state between the request and ID token

display

Used by client to choose user interface template

Template parameter "oidc.display" controls this feature

See General template properties - SSO

prompt

"none"

Indicates "is-passive" request, where SSO Server will not display any user interface pages

"login"

Indicates "force-authn" request, where SSO Server will re-authenticate user

max_age

"0"

Indicates "force-authn" request, where SSO Server will re-authenticate user

ui_locales

Used by client to choose user interface language, must match one of configured language codes

Template parameter "locales" controls this feature

See General template properties - SSO

login_hint

A hint about the login identifier the user might use to log in. SSO Server will set "Username" input field to this value.

Template parameter "useloginhint" controls this feature


See General template properties - SSO

acr_values

Used by client for authentication method discovery

Authentication method parameter "oidc.acr" controls this feature


Ubisecure extension parameters

locale

Single-value parameter, otherwise same function as "ui_locales" above

template

Used by client to choose user interface template

Signed and encrypted request

Client registration parameters "request_object_signing_alg", "request_object_encryption_alg" and "request_object_encryption_enc" control this feature

See Signed and encrypted request - SSO

Response

Authorization response is a redirect to redirect_uri with the following parameters

Name

Description

code

The authorization code generated by authorization server

state

Exact value from authorization request

The client exchanges the authorization code for an access token with an "authorization_code" Token Request

Token Request

Parameters

Name

Description

grant_type

"authorization_code"
code

The authorization code received from authorization server

redirect_uri

Must match the redirect_uri parameter in the authorization request
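
Added example (not part of the SSO Server documentation): a Python client that builds the authorization request, checks the authorization response, and prepares the token request parameters described above. The endpoint URL, client_id and redirect_uri values are placeholders, and the function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder values (assumptions): use your own server address and client registration.
AUTHORIZATION_ENDPOINT = "https://sso.example.com/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "http://localhost:8080/callback"


def build_authorization_request(prompt=None):
    """Return (url, session); session holds the values to check on return."""
    session = {
        "state": secrets.token_urlsafe(32),  # checked against the callback
        "nonce": secrets.token_urlsafe(32),  # kept to check against the ID token
        "redirect_uri": REDIRECT_URI,
    }
    params = {
        "response_type": "code",  # only value the page lists as supported
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": session["state"],
        "nonce": session["nonce"],
    }
    if prompt in ("none", "login"):  # is-passive / force-authn
        params["prompt"] = prompt
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params), session


def handle_callback(callback_url, session):
    """Validate the authorization response; return token request parameters."""
    query = parse_qs(urlsplit(callback_url).query)
    code = query.get("code", [])
    state = query.get("state", [])
    # Reject missing or duplicated parameters before comparing anything.
    if len(code) != 1 or len(state) != 1:
        raise ValueError("malformed authorization response")
    # state must be the exact value sent; compare as bytes in constant time.
    if not hmac.compare_digest(state[0].encode(), session["state"].encode()):
        raise ValueError("state mismatch")
    return {
        "grant_type": "authorization_code",
        "code": code[0],
        # Reuse the stored value so it matches the authorization request.
        "redirect_uri": session["redirect_uri"],
    }
```

The session dictionary must be stored server-side or in a protected cookie between the request and the callback, so that the state and nonce checks compare against values the client itself issued.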