2. Authorization endpoint
Request
The authorization endpoint is the entry point to start an identification process. The customer's client application redirects the user’s browser to this entry point:
https://<servername>/connect/authorize
This URL can be retrieved from the Discovery Endpoint, using the key authorization_endpoint.
Request query parameters:
Parameter | Description | Use |
---|---|---|
response_type | This defines the processing flow to be used when forming the response. Because Connective Identity Hub uses the Authorization Code Flow, this value must be code. | Required |
client_id | Identifier for the client customer application, supplied by Connective. | Required |
acr_values | Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. This parameter will be used to decide on the actual Identity Provider that will be called. For this reason, the value must contain idp:<name_of_identity_provider>. | Required |
redirect_uri | URL to which the Connective Identity Hub will redirect the user’s browser, with the intent to deliver a code to the customer's client application when successful, or to inform it about errors. Must match the client’s configuration as seen in section Getting Started. Note: when using https://localhost as redirect_uri, response_mode=form_post must be used. | Required |
scope | The scope parameter allows the application to express the desired scope of the access request. It must contain the value openid. You may also specify additional scopes, separated by spaces, to request more information about the user. Please read the documentation of the specific Identity Provider to get the full list of supported scopes. | Required |
state | An opaque value used in the Authentication Request, which will be returned unchanged in the Authorization Code response. This parameter should be used to prevent cross-site request forgery (CSRF). | Recommended |
nonce | A string value used to associate a session with an Id Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the Id Token. Sufficient entropy must be present in the nonce values used to prevent attackers from guessing values. | Recommended |
claims | This parameter is used to request specific claims. The value is a JSON object listing the requested claims. Please read the documentation of the specific Identity Provider to get the full list of supported claims. | Optional |
ui_locales | Language code to indicate in which language to present the UI. Please read the documentation of the specific Identity Provider to get the full list of supported locales. | Optional |
code_challenge | A challenge derived from the code verifier that is sent in the authorization request, to be verified against later. A code verifier is a cryptographically random string that is used to correlate the authorization request to the token request. Use this parameter to initiate a PKCE (Proof Key for Code Exchange) flow. | Optional |
code_challenge_method | The method that was used to derive the code challenge. It must contain the value S256 if a code_challenge, and thus the PKCE (Proof Key for Code Exchange) flow, is used. The challenge is calculated as follows: code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) | Conditional |
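The following is an added example (not code from Connective or from this documentation) showing how a client builds the authorization request described in the table above: it generates a CSRF-resistant state, a high-entropy nonce and a PKCE code_verifier, derives code_challenge exactly as the S256 formula in the table states, and assembles the redirect URL. The server name, client_id, redirect_uri and Identity Provider name are placeholders, not values from this page.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder values (assumptions): the real hostname and client_id are supplied by
# Connective, and redirect_uri must match the client's registered configuration.
SERVER_NAME = "identityhub.example.com"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def make_code_verifier() -> str:
    """Cryptographically random PKCE code_verifier.

    token_urlsafe(48) yields 64 base64url characters, all of which are in the
    unreserved set [A-Za-z0-9-._~] that RFC 7636 requires (43-128 characters).
    """
    return secrets.token_urlsafe(48)


def make_code_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_state() -> str:
    """Opaque, unguessable value bound to the user's session; checked on the way back."""
    return secrets.token_urlsafe(32)


def make_nonce() -> str:
    """High-entropy nonce; it is echoed back inside the Id Token for replay protection."""
    return secrets.token_urlsafe(32)


def build_authorize_url(idp_name: str, state: str, nonce: str, code_challenge: str,
                        extra_scopes=(), server_name: str = SERVER_NAME,
                        client_id: str = CLIENT_ID, redirect_uri: str = REDIRECT_URI) -> str:
    """Assemble the redirect to https://<servername>/connect/authorize with the
    parameters listed in the request table (Authorization Code Flow with PKCE)."""
    params = {
        "response_type": "code",                 # Authorization Code Flow
        "client_id": client_id,
        "acr_values": f"idp:{idp_name}",         # selects the Identity Provider
        "redirect_uri": redirect_uri,
        "scope": " ".join(("openid",) + tuple(extra_scopes)),
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{server_name}/connect/authorize?" + urlencode(params)


if __name__ == "__main__":
    # The client must persist state, nonce and code_verifier server-side (bound to
    # the user's session) so they can be checked at the redirect and token steps.
    verifier = make_code_verifier()
    url = build_authorize_url(
        idp_name="example-idp",                  # placeholder Identity Provider name
        state=make_state(),
        nonce=make_nonce(),
        code_challenge=make_code_challenge(verifier),
        extra_scopes=("profile",),
    )
    print(url)
```

Note that urlencode applies form encoding, so the space-separated scope list becomes `openid+profile` and the colon in `idp:` becomes `%3A`; both decode back to the original values at the server. Keep the code_verifier secret on the server side: only its SHA-256 challenge travels in the browser redirect.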
Response
Success
If the user is successfully authenticated and authorizes access to the requested data, Connective Identity Hub will return an Authorization Code to your server component. This is achieved by returning an Authentication Response, which is an HTTP 302 redirect to the redirect_uri specified previously in the Authentication Request.
The response will contain following query parameters:
Parameter | Description | Use |
---|---|---|
code | The code parameter holds the Authorization Code, which is a string value. This value should be provided to the Token endpoint as described in the Token Endpoint section. | Required |
state | The state parameter will be returned if a value was provided in the Authentication Request. The returned value should match the one supplied in the Authentication Request. | Conditional |
Error
If the request fails due to a missing, invalid, or mismatching redirection URI, or if the client identifier is missing or invalid, the Identity Provider should inform the user of the error and must not automatically redirect the user to the invalid redirection URI.
If the user denies the Authentication Request, or if the request fails for reasons other than a missing or invalid redirection URI, the Connective Identity Hub will return an error response to your client application. As with a successful response, this is achieved by returning an HTTP 302 redirect to the redirect_uri specified in the Authentication Request.
The error response query parameters are the following:
Parameter | Description | Use |
---|---|---|
error | The error type | Required |
error_description | A description of the error, indicating the problem in more detail. | Optional |
state | The state parameter will be returned if a value was provided in the Authentication Request. | Conditional |
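As an added example (not Connective's code), the function below handles the redirect back to redirect_uri for both the success and error tables above. It verifies the returned state against the value stored for the session before trusting anything else in the response, then distinguishes a code from an error/error_description pair. The callback URLs in the test are constructed samples.

```python
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit


def _first(query: dict, key: str) -> Optional[str]:
    """Return the first value of a query parameter, or None if absent."""
    values = query.get(key)
    return values[0] if values else None


def handle_authentication_response(redirect_url: str, expected_state: str) -> dict:
    """Classify the Authentication Response delivered to redirect_uri.

    Returns one of:
      {"status": "success", "code": <authorization code>}
      {"status": "error", "error": <type>, "error_description": <text or "">}
      {"status": "rejected", "reason": <why the response must not be trusted>}
    expected_state is the value the client stored for this session when it built
    the Authentication Request.
    """
    query = parse_qs(urlsplit(redirect_url).query)

    # Check state first: a missing or mismatching value means the redirect was not
    # initiated by this session (CSRF) or belongs to a stale request. The comparison
    # is constant-time so timing does not leak how many characters matched.
    returned_state = _first(query, "state")
    if returned_state is None or not hmac.compare_digest(
        returned_state.encode("utf-8"), expected_state.encode("utf-8")
    ):
        return {"status": "rejected", "reason": "state missing or mismatching"}

    # Error response: error is required, error_description is optional.
    error = _first(query, "error")
    if error is not None:
        return {
            "status": "error",
            "error": error,
            "error_description": _first(query, "error_description") or "",
        }

    # Success response: code is required and is passed on to the Token endpoint.
    code = _first(query, "code")
    if not code:
        return {"status": "rejected", "reason": "neither code nor error present"}
    return {"status": "success", "code": code}


if __name__ == "__main__":
    # Constructed sample callback, not a real Identity Hub response.
    sample = "https://app.example.com/callback?code=c0de123&state=st4te"
    print(handle_authentication_response(sample, expected_state="st4te"))
```

The code is single-use and should be sent to the Token endpoint promptly; the nonce is not checked here but against the Id Token that the Token endpoint returns. When response_mode=form_post is in use (required for https://localhost), the same parameters arrive in the POST body instead of the query string, so apply the same checks to the form fields.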