Step 10: Send an authorization request
GET {{authPath}}/{{destinationEnvID}}/as/authorize?response_type=code&client_id={{oidcAppDestinationID}}&redirect_uri=https://example.com&scope=openid profile&nonce=123
Use the PingOne authorization endpoint {{apiPath}}/{{destinationEnvID}}/as/authorize to interact with the resource owner and obtain an authorization grant. The request body must include the following parameters:
client_id
The destination application's UUID, which was returned in step 8.
response_type
The code or token type returned by an authorization request. For this activity, the value is code.
redirect_uri
The URL that specifies the return entry point of the application. For this activity, the value is https://example.com.
scope
A string that specifies permissions that determine the resources that the application can access. For this activity, the custom scope is openid profile.
The response returns a 302 message with a flowID embedded in the Location header, which specifies that a call should be made to another resource to continue the authentication flow. The Location header looks like this:
Location: https://apps.pingone.com/5caa81af-ec05-41ff-a709-c7378007a99c/signon/?flowId=72df1cd2-3b99-4225-a1fa-6dc9ec0f78fc
Then execute the authentication flow:
Open a private browser window, and enter the
Locationheader URL.Click the button that matches your OIDC IdP connection.
Authenticate as a user in the source environment. Depending on your configuration, you may need to perform account linking or user verification.
You should be able to sign on as a source environment user, indicating that authentication from the source environment to the OIDC IdP in the destination environment is working. After authenticating, you are taken to the redirect_uri of the application in your destination environment.
For more information, see Authorize (authorization_code).
Note: If this call fails to return a 302 HTTP Status, for a possible solution see Configuring and managing Qodex.
Request Params
| Key | Datatype | Required | Description |
|---|---|---|---|
response_type | string | Required | |
client_id | string | Required | |
redirect_uri | string | Required | |
scope | string | Required - must have Grant for requested scopes | |
nonce | number | Required | |
state | string | Recommended | |
prompt | string | Optional ( none | |
max_age | number | Optional - uses seconds | |
acr_values | string | Optional - use Sign-on Policy names (space-delimited) |