Configure the Client to Call Identity Authentication Authorize Endpoint for Authorization Code Flow with PKCE

The authorization code flow with PKCE is recommended for public clients that aren’t capable of keeping the client secrets.

You have an OpenID Connect application configured with the Public client type. For more information on how to configure the public client type, see Configure OpenID Connect Application for Authorization Code Flow.

This document explains how to call the authorize endpoint and which authorize request parameters Identity Authentication supports for the authorization code flow with PKCE.

Note:

Public clients are applications that aren’t capable of keeping the client secret, such as mobile applications, native applications and single page applications.

Request

URI: https://<Cloud Identity Services domain>/oauth2/authorize

Note:

The domain part has the following pattern:

<tenant ID>.accounts.ondemand.com or <tenant ID>.accounts.cloud.sap. If you have configured a custom domain, the domain has the following pattern: <your custom domain>.

Tenant ID is an automatically generated ID by the system. The first administrator created for the tenant receives an activation email with a URL in it. This URL contains the tenant ID. For more information about your tenants, see View Assigned Tenants and Admins.

**HTTP Method:** GET

Request Headers

| Header | Required | Values |
|---|---|---|
| Content-Type | Yes | application/x-www-form-urlencoded |
| Authorization | Yes | One of: Basic (username and password are the client ID and a secret that authenticate the client, the relying party; for more information, see Configure Secrets for API Authentication), X.509 certificate, or JWT (client_assertion) |

Note:

For Basic authentication, the client ID and secret must be encoded using the "application/x-www-form-urlencoded" encoding algorithm.

Request Parameters

| Parameter | Required | Data Type | Additional Information | Parameter Type |
|---|---|---|---|---|
| client_id | Yes | string | The user ID configured for basic authentication for the application. For more information, see Configure Secrets for API Authentication. | Path |
| code_challenge | Yes | string | Client-created code challenge (see the tip below). | Path |
| code_challenge_method | Yes | string | Code verifier transformation method: "S256" or "plain". | Path |
| redirect_uri | Yes | string | Must match a redirect URI configured for the application. For more information, see Configure OpenID Connect Application. | Path |
| response_type | Yes | string | The supported value is code. | Path |
| scope | Yes | string | Value must be a space-delimited list, for example: scope=openid email. The supported values are: openid, email, profile, groups, offline_access (see the note below). | Path |
| state | Yes | string | Free text. | Path |
| app_tid | No | string | Reserved. | Path |
| login_hint | No | string | The login_hint parameter helps the user when he or she is already known to the service provider (SP). It prevents the user from re-typing the user identifier on the logon or conditional screen. Supported values are the allowed logon identifiers for the users. The options are User ID, Login Name, and Email (for SAML 2.0). For more information, see Configure Allowed Logon Identifiers. | Path |
| logout_uri | No | string | | Path |
| max_age | No | integer | Maximum time in seconds since the user was last authenticated. When max_age has been reached, the user must re-authenticate. | Path |
| nonce | No | string | Free text. | Path |
| prompt | No | string | Lets the client determine whether the user is still present in the current session. Supported values are: login (force reauthentication of the user) and none (without user interaction, check whether there is an existing user session; if there is a session, continue as normal; if there is no session, or if the user must authenticate for other reasons, return the error code login_required). | Path |
| refresh_expiry | No | string | Reduces the expiration of a refresh token. It's useful if your application is called from mobile and web applications that have different session requirements. If you set the token lifetime to 0, you won't receive a refresh_token in the response. | Path |

Tip:

You can use online PKCE generator tools to generate the code_challenge values.

Note:

Tokens obtained with offline_access are created independently of the Identity Authentication Web session. This means that even if a user logs out from Identity Authentication, the refresh_token exists in the database until it expires and can be used to perform the refresh token flow even when the user has no Web session in Identity Authentication.

Request Example

The code_challenge and code_challenge_method parameters are required:

https://my-tenant.ondemand.com/oauth2/authorize?response_type=code&scope=openid&client_id=94ff0b4b0baa45a893c7cd24254b72b7&state=state&redirect_uri=https://example.com&code_challenge=MCVg2_O79Qpr6E7HDA0ik5R-ylwjT-_H3oUgdDQ9W50&code_challenge_method=S256

Response

Response Headers

| Header | Description |
|---|---|
| code | The code is generated by Identity Authentication and is returned in the URL as a parameter. It must be used when making a call to the token endpoint. |

Note:

The code can be used within two minutes after it is generated and returned in the URL. It can be used only once.

Response Status and Error Codes

| Code | Reason | Description |
|---|---|---|
| 302 Found | Successful operation. | Additionally provides a URL in the header field Location. Note: the URL contains the code necessary for the token endpoint. |
| 400 Bad Request | Missing or wrong parameter | |

Response Example

Location: https://www.example.com/?code=4454554df477w01s34540672dc462e6f0&state=state
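The following is an added example (not SAP's own code) that puts the request and response examples above together on the client side: it derives the S256 code_challenge from a code_verifier as described in RFC 7636, builds the authorize URL with the parameters listed in this document, and checks the redirect that carries the Location header, rejecting it unless the returned state matches the one the client sent. The domain, client ID and redirect URI are taken from the request example; the state value should be random in a real client.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def make_code_verifier(nbytes: int = 32) -> str:
    """Random code_verifier: 32 bytes -> 43 base64url chars (RFC 7636 allows 43..128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 transformation: base64url(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(domain: str, client_id: str, redirect_uri: str,
                        state: str, verifier: str, scope: str = "openid") -> str:
    """Compose the GET to /oauth2/authorize; only the challenge leaves the client."""
    params = {
        "response_type": "code",
        "scope": scope,
        "client_id": client_id,
        "state": state,                      # use secrets.token_urlsafe() in practice
        "redirect_uri": redirect_uri,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",     # never "plain" when S256 is available
    }
    return f"https://{domain}/oauth2/authorize?" + urlencode(params)


def parse_redirect(location: str, expected_state: str) -> str:
    """Extract the one-time code from the Location URL after checking state."""
    query = parse_qs(urlparse(location).query)
    if query.get("state", [None])[0] != expected_state:
        # Mismatched state means this response was not the one we initiated.
        raise ValueError("state mismatch; discarding authorization response")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code


if __name__ == "__main__":
    # Values from the request and response examples on this page (constructed sample).
    verifier = make_code_verifier()
    url = build_authorize_url("my-tenant.ondemand.com", "94ff0b4b0baa45a893c7cd24254b72b7",
                              "https://example.com", "state", verifier)
    print(url)
    print(parse_redirect("https://www.example.com/?code=4454554df477w01s34540672dc462e6f0"
                         "&state=state", "state"))
```

The code verifier must be kept on the client and sent only to the token endpoint; the authorize request carries just the challenge.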

Related Information

Configuring OpenID Connect

Proof Key for Code Exchange by OAuth Public Clients (IETF)