Authorization code grant
Authorization Request
Parameters
Name | Description |
---|---|
OAuth Parameters | |
response_type | "code". Must be "code", as only the Authorization Code flow is currently supported by SSO Server |
client_id | The "client_id" value from client registration |
redirect_uri | The address where the user agent is redirected after authorization. For loopback addresses, any port value is accepted. It is also possible to use private-use URI schemes. Client registration parameter "redirect_uris" controls the allowed redirect_uri values for the application |
scope | "openid". A space-separated list of scope values. Should always include "openid". May also specify any number of client_id values of other registered applications, when requesting an access token for other applications. Client registration parameter "scope" controls the allowed scope values for the application. If the registration parameter is not defined, then all scope values are allowed |
state | An opaque value used by the client to maintain state between the request and callback |
OpenID Connect Parameters | |
nonce | An opaque value used by the client to maintain state between the request and id token |
display | Used by the client to choose the user interface template. Template parameter "oidc.display" controls this feature |
prompt | "none": indicates an "is-passive" request, where SSO Server will not display any user interface pages. "login": indicates a "force-authn" request, where SSO Server will re-authenticate the user |
max_age | "0": indicates a "force-authn" request, where SSO Server will re-authenticate the user |
ui_locales | Used by the client to choose the user interface language; must match one of the configured language codes. Template parameter "locales" controls this feature |
login_hint | A hint about the login identifier the user might use to log in. SSO Server will set the "Username" input field to this value. Template parameter "useloginhint" controls this feature |
acr_values | Used by the client for authentication method discovery. Authentication method parameter "oidc.acr" controls this feature |
Ubisecure extension parameters | |
locale | Single-value parameter, otherwise same function as "ui_locales" above |
template | Used by client to choose user interface template |
Signed and encrypted request
Client registration parameters "request_object_signing_alg", "request_object_encryption_alg" and "request_object_encryption_enc" control this feature
See Signed and encrypted request
Response
The authorization response is a redirect to redirect_uri with the following parameters:
Name | Description |
---|---|
code | The authorization code generated by authorization server |
state | Exact value from authorization request |
The client exchanges the authorization code for an access token with an "authorization_code" Token Request.
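The following client-side sketch is an added example, not code from SSO Server or its documentation. It builds the authorization request, checks that the returned state is the exact value sent, and prepares the token request parameters described in the next section. The endpoint URL, client_id and redirect_uri are assumed placeholder values.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed placeholder values, not taken from the page or a real deployment.
AUTHORIZATION_ENDPOINT = "https://sso.example.com/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "http://localhost:8080/callback"


def build_authorization_request():
    """Return (url, state, nonce). The client keeps state and nonce in the
    user's session: state is checked on the callback, nonce against the id token."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",   # only value supported by SSO Server
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",         # should always include "openid"
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params), state, nonce


def handle_authorization_response(callback_url, expected_state):
    """Validate the redirect and return the Token Request parameters."""
    query = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    # Each parameter must appear exactly once; repeated values are rejected.
    if len(query.get("code", [])) != 1 or len(query.get("state", [])) != 1:
        raise ValueError("missing or repeated code/state parameter")
    # state must be the exact value from the authorization request.
    if not hmac.compare_digest(query["state"][0].encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,  # must match the authorization request
    }
```
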
Token Request
Parameters
Name | Description |
---|---|
grant_type | "authorization_code" |
code | The authorization code received from authorization server |
redirect_uri | Must match the redirect_uri parameter in the authorization request |