Authorize (hybrid)
POST {{authPath}}/{{envID}}/as/authorize
The authorization endpoint can be used to initiate a hybrid flow authorization request, in which an authorization code is returned from the authorization endpoint, some tokens are returned from the authorization endpoint, and others are returned from the token endpoint. In a hybrid flow, the authorization endpoint's `response_type` property specifies the `code` type and also specifies `id_token`, or `token`, or both. An authorization code (specified by the `code` response type) is always returned in a hybrid flow. An ID token is returned when the `response_type` property is `code id_token` or `code id_token token`. An access token is returned when the `response_type` property is `code token` or `code id_token token`.
Note that for the POST request, parameters and their values are form-serialized by adding the parameter names and values to the entity body of the HTTP request and specifying the `Content-Type: application/x-www-form-urlencoded` request header.
For a Proof Key for Code Exchange (PKCE) authorization request, the `/{{envID}}/as/authorize` request must include the `code_challenge` parameter. The `code_challenge_method` parameter is required if the application's `pkceEnforcement` property is set to `S256_REQUIRED`. Otherwise, it is optional.
Note: The optional `request` property specifies a JWT that enables OIDC/OAuth2 request parameters to be passed as a single, self-contained parameter. For details on how to construct the JWT, see Create a request property JWT. For information on `pi.template`, see Notifications Templates. For information on `pi.clientContext`, see Device Authentication.
The sample shows the `POST /{{envID}}/as/authorize` operation for a hybrid flow. For more information about hybrid flows, see Authentication using the Hybrid Flow.
Prerequisites
See OpenID Connect/OAuth 2 for important overview information.
- Create an application to get an `appID`. See Application Operations. Run Read All Applications to find an existing application.
- Run Read All Templates to find a `templateName`.
- Run Read All Contents to find a `variantName`.
Property | Type | Required? |
---|---|---|
acr_values | String | Optional |
client_id | String | Required |
login_hint | String | Optional |
mobilePayload | String | Optional |
max_age | String | Optional |
nonce | String | Optional |
prompt | String | Optional |
redirect_uri | String | Required |
request | String | Optional |
response_mode | String | Optional |
response_type | String | Required |
scope | String | Optional |
state | String | Optional |
See the OpenID Connect/OAuth2 data model for full property descriptions.
Parameter | Description |
---|---|
client_id | The application's UUID. |
code_challenge_method | Specifies the computation logic used to generate the code_challenge string. The token endpoint uses this method to verify the code_verifier for PKCE authorization requests. Options are: plain and S256. |
nonce | A string that is used to associate a client session with a token to mitigate replay attacks. The value is passed through unmodified from the authentication request to the token. This is an optional property for authorization requests that return a code. |
redirect_uri | A string that specifies the URL of the application's return entry point. This is a required property. |
response_type | The code or token type returned by an authorization request. Options are token, id_token, and code. |
scope | Permissions that determine the resources that the application can access. This parameter is not required, but it is needed to specify accessible resources. |
Request Params
Key | Datatype | Required | Description |
---|---|---|---|
client_id | string | Required | The application's UUID. |
code_challenge_method | string | Optional (required if pkceEnforcement is S256_REQUIRED) | Specifies the computation logic used to generate the code_challenge string. |
nonce | string | Optional | A string that is used to associate a client session with a token to mitigate replay attacks. |
redirect_uri | string | Required | A string that specifies the URL of the application's return entry point. |
response_type | string | Required | The code or token type returned by an authorization request. |
scope | string | Optional | Permissions that determine the resources that the application can access. |
Request Body
Name | Value | Datatype |
---|---|---|
response_type | code id_token | string |
client_id | {{appID}} | string |
redirect_uri | {{redirect_uri}} | string |
scope | openid profile email | string |
state | {{state}} | string |
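As an added client-side example (not code from this API reference or its vendor), the following builds the form-serialized hybrid-flow request body shown above, adds the PKCE `code_challenge`/`code_challenge_method` and `nonce` parameters described earlier, and performs the state and nonce checks a client should make on the callback. The `{{authPath}}`, `{{envID}}`, `{{appID}}` and `{{redirect_uri}}` variables are replaced with constructed placeholders.

```python
import base64
import hashlib
import os
import secrets
from urllib.parse import urlencode

# Constructed placeholder values standing in for the page's {{authPath}},
# {{envID}}, {{appID}} and {{redirect_uri}} variables.
AUTH_PATH = "https://auth.example.invalid"
ENV_ID = "ENV-ID-PLACEHOLDER"
APP_ID = "APP-ID-PLACEHOLDER"
REDIRECT_URI = "https://app.example.invalid/callback"

def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) for method S256."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

def new_pkce_pair() -> tuple[str, str]:
    """Fresh high-entropy code_verifier and its S256 code_challenge."""
    code_verifier = b64url(os.urandom(32))  # 43 unreserved characters
    return code_verifier, s256_challenge(code_verifier)

def build_hybrid_authorize(state: str, nonce: str, code_challenge: str):
    """URL, form-serialized body and header for POST {{authPath}}/{{envID}}/as/authorize."""
    params = {
        "response_type": "code id_token",  # code always; id_token from the authorize endpoint
        "client_id": APP_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    url = f"{AUTH_PATH}/{ENV_ID}/as/authorize"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, urlencode(params), headers

def callback_is_valid(expected_state: str, returned_state: str,
                      expected_nonce: str, id_token_claims: dict) -> bool:
    """Client-side check before redeeming the code: state binds the response to
    this session, nonce binds the returned ID token to this authorization request."""
    return (secrets.compare_digest(expected_state, returned_state)
            and id_token_claims.get("nonce") == expected_nonce)
```

The `id_token_claims` argument is assumed to be the already signature-verified payload of the returned ID token; the `code_verifier` from `new_pkce_pair` is what the client later sends to the token endpoint.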