The Authorization Endpoint performs Authentication of the End-User. This is done by sending the User Agent to the Authorization Server's Authorization Endpoint for Authentication and Authorization, using request parameters defined by OAuth 2.0 and additional parameters and parameter values defined by OpenID Connect.
An Authentication Request is an OAuth 2.0 Authorization Request that requests that the End-User be authenticated by the Authorization Server.
Authorization Servers MUST support the use of the HTTP GET and POST methods defined in RFC 2616 at the Authorization Endpoint. Clients MAY use the HTTP GET or POST methods to send the Authorization Request to the Authorization Server. If using the HTTP GET method, the request parameters are serialized using URI Query String Serialization. If using the HTTP POST method, the request parameters are serialized using Form Serialization.
Request and response
The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. Since this is a redirection-based flow, the client must be capable of interacting with the resource owner's user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server.
     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)
Note: The lines illustrating steps (A), (B), and (C) are broken into two parts as they pass through the user-agent.
Example
The following is a non-normative example HTTP 302 redirect response by the Client, which triggers the User Agent to make an Authentication Request to the Authorization Endpoint (with line wraps within values for display purposes only):
HTTP/1.1 302 Found
Location: https://server.example.com/authorize?
  response_type=code
  &scope=openid%20profile%20email
  &client_id=s6BhdRkqt3
  &state=af0ifjsldkj
  &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
An Authentication Response is an OAuth 2.0 Authorization Response message returned from the OP's Authorization Endpoint in response to the Authorization Request message sent by the RP.
The following is a non-normative example successful response using this flow (with line wraps within values for display purposes only):
HTTP/1.1 302 Found
Location: https://client.example.org/cb?
  code=SplxlOBeZQQYbYS6WxSbIA
  &state=af0ifjsldkj
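The request and response above, worked through on the Client (RP) side as an added Python example; this is not code from the page or from Key Bridge. The Client builds the Authentication Request in both serializations the Authorization Endpoint must accept (query string for GET, form body for POST) and then validates the redirect it receives, refusing anything whose state does not match the one it issued. The endpoint, client_id, redirect_uri, state and code are the page's non-normative example values; the function names and the validation checks are this example's own assumptions.

```python
"""Client (RP) side of the Authentication Request / Response shown above.
Added example, not code from the page or from Key Bridge. The endpoint,
client_id, redirect_uri, state and code are the page's non-normative
example values; the function names and checks are this example's own."""
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZATION_ENDPOINT = "https://server.example.com/authorize"


def new_state():
    """Unguessable per-request value the Client stores in the user's session and
    compares on the callback, so a response can be tied to a request it made."""
    return secrets.token_urlsafe(32)


def authentication_request_params(client_id, redirect_uri, state, scopes=("openid",)):
    """OAuth 2.0 Authorization Request parameters; the openid scope is what makes
    it an OpenID Connect Authentication Request."""
    if "openid" not in scopes:
        raise ValueError("an Authentication Request must include the openid scope")
    return {
        "response_type": "code",
        "scope": " ".join(scopes),
        "client_id": client_id,
        "state": state,
        "redirect_uri": redirect_uri,
    }


def get_redirect_location(params):
    """HTTP GET: URI Query String Serialization, i.e. the Location header of the
    Client's 302. quote (not quote_plus) gives the %20-encoded scope seen above."""
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def post_form_body(params):
    """HTTP POST: Form Serialization, the application/x-www-form-urlencoded body."""
    return urlencode(params).encode("ascii")


def parse_authentication_response(callback_url, expected_state, registered_redirect_uri):
    """Validate the redirect the User Agent delivers to the Client's callback and
    return the authorization code. Raises ValueError on anything that must not
    be acted on: wrong callback URI, duplicated parameters, missing or mismatched
    state, an error response, or no code."""
    parts = urlsplit(callback_url)
    if parts._replace(query="", fragment="").geturl() != registered_redirect_uri:
        raise ValueError("response delivered to an unexpected redirect_uri")
    q = parse_qs(parts.query, keep_blank_values=True, strict_parsing=True)
    if any(len(values) != 1 for values in q.values()):
        raise ValueError("duplicated response parameter")
    # Constant-time comparison; a missing state compares as "" and fails.
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response not tied to a request we made")
    if "error" in q:
        raise ValueError("authorization server error: " + q["error"][0])
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in response")
    return code
```

The state check is the Client's only defence against an attacker delivering a code obtained in the attacker's own session to the victim's callback; it has to be compared against the value stored for this user, not merely checked for presence.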
API resources
GET implementation of the POST Authorization Request method.
Headers and URI pattern
Name | Type | Location | Description
Cookie | string | HEADER | A cookie set by the Key Bridge OpenID service. References an existing authenticated session. Name = JSESSIONOPENID
OpenID End-User authentication REST endpoint. It establishes (or renews) an OAuth session on the Key Bridge OpenID service linking the End-User and the Client, and authenticates the End-User to the Client using the End-User's AuthN token together with the Client's previously issued OAuth credentials. The client_id and redirect_uri are passed as query parameters; the End-User's OpenID session, if one exists, is read from a browser cookie.
Headers and URI pattern
Name | Type | Location | Description
Cookie | string | HEADER | A cookie set by the Key Bridge OpenID service when an End-User presents a valid user name and password. The cookie references an authenticated session binding an End-User and a Client on the OpenID service. Name = JSESSIONOPENID

Response
Content type | Description
text/plain | On success, an HTTP redirect carrying an authorization code. On error, an HTTP redirect to the OpenID sign-in page.
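What the endpoint described above has to establish before it may issue a code, shown as an added Python illustration; this is not Key Bridge's implementation. The JSESSIONOPENID cookie, the client_id and redirect_uri query parameters, and the redirect-to-sign-in-on-error behaviour are taken from the description. The client registry, session store, SIGN_IN_URL, code lifetime and the redeem_code function are constructed assumptions; redeem_code goes one step beyond the page, to the token endpoint, to show why the code must be single-use and bound to the client_id and redirect_uri it was issued for.

```python
"""Authorization-endpoint logic for the GET request described above.
Added example, not Key Bridge's code: the cookie name, the query parameters
and 'redirect to the sign-in page on error' are from the description;
the registry, session store, URL and lifetime below are assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlsplit

SIGN_IN_URL = "https://openid.example.org/signin"   # assumed sign-in page
CODE_LIFETIME_S = 60                                  # assumed code lifetime
DEMO_SESSION_COOKIE = "3f9a2c1d7e"                    # constructed cookie value

# Assumed client registry: redirect URIs are registered in full and compared
# for exact string equality, so a caller cannot append a path or change a host.
REGISTERED_CLIENTS = {"s6BhdRkqt3": {"https://client.example.org/cb"}}
# Assumed session store: JSESSIONOPENID value -> authenticated End-User.
SESSIONS = {DEMO_SESSION_COOKIE: "alice"}


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    subject: str
    expires_at: float
    used: bool = False


ISSUED_CODES = {}  # code -> IssuedCode


def _session_subject(cookie_header):
    """Resolve the End-User from the JSESSIONOPENID cookie; None if not signed in."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get("JSESSIONOPENID")
    return SESSIONS.get(morsel.value) if morsel else None


def authorize(query_string, cookie_header):
    """Handle GET <endpoint>?client_id=X&redirect_uri=Y[&state=Z].
    Returns (status, Location). Every failure goes to the sign-in page and
    never to the supplied redirect_uri, which is untrusted until it has been
    matched against the client's registration."""
    q = parse_qs(query_string, keep_blank_values=True)
    if any(len(values) != 1 for values in q.values()):
        return 302, SIGN_IN_URL                    # duplicated parameter
    client_id = q.get("client_id", [""])[0]
    redirect_uri = q.get("redirect_uri", [""])[0]
    state = q.get("state", [None])[0]
    registered = REGISTERED_CLIENTS.get(client_id)
    if registered is None or redirect_uri not in registered:
        return 302, SIGN_IN_URL                    # unknown client or redirect_uri
    subject = _session_subject(cookie_header)
    if subject is None:
        return 302, SIGN_IN_URL                    # End-User must sign in first
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = IssuedCode(client_id, redirect_uri, subject,
                                    time.time() + CODE_LIFETIME_S)
    params = {"code": code}
    if state is not None:
        params["state"] = state                    # echoed unchanged for the RP's CSRF check
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return 302, redirect_uri + sep + urlencode(params)


def redeem_code(code, client_id, redirect_uri):
    """Token-endpoint check (beyond the page): one use, short lifetime, and the
    same client_id and redirect_uri the code was issued for. Returns the
    End-User subject, or None if the code must be rejected."""
    rec = ISSUED_CODES.get(code)
    if rec is None or rec.used or time.time() > rec.expires_at:
        return None
    if rec.client_id != client_id or not hmac.compare_digest(rec.redirect_uri, redirect_uri):
        return None
    rec.used = True
    return rec.subject
```

Sending every error to the service's own sign-in page, as the description says this endpoint does, has a useful side effect: an unregistered or mismatched redirect_uri is never used as a redirect target, so the endpoint cannot be turned into an open redirector or leak a code to an attacker-chosen host.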