
Get Discovery

Description

This endpoint works with browser redirection only; trying to access it with a direct HTTP GET call will fail. It discovers the user’s Identity Provider (IdP) and sends the user to the IdP login page.
This is the starting point of the OAuth 2.0 flow to authenticate end users from your application. This authorization endpoint must be used by clients to authenticate users and obtain an authorization code. To use this endpoint, your application must be registered as an OAuth 2.0 client with CSP and have the ‘authorization_code’ grant type enabled.

Access Policy

Role | User Accounts | Service Accounts (Client Credentials Applications)
Anonymous | ✔️ | ✔️

Request

URL

GET https://{api_host}/csp/gateway/discovery

Query Parameters

integer
accessTokenValiditySeconds Optional

The validity, in seconds, of the access token. If the provided value is lower than the client’s accessTokenValiditySeconds, the provided value is used. If the value is invalid, higher than the client’s accessTokenValiditySeconds, or not provided, the client’s accessTokenValiditySeconds is used. For example, if the client’s default accessTokenValiditySeconds is 5 minutes (i.e. 300 seconds), provide accessTokenValiditySeconds as 60 to get a token with only one minute of validity.

Parameter Serialization Style: form Explode:true

string
client_id Required

This is the identifier of the OAuth 2.0 client that was registered with the Cloud Services Platform (CSP).

Parameter Serialization Style: form Explode:true

string
code_challenge Optional

The challenge generated from ‘code_verifier’. Used to secure authorization code grants via Proof Key for Code Exchange (PKCE) from a native client. Required if performing a PKCE request. For more information, refer to the PKCE RFC at https://tools.ietf.org/html/rfc7636.

Parameter Serialization Style: form Explode:true

string
code_challenge_method Optional

The method used to encode the ‘code_verifier’ for the ‘code_challenge’ parameter. Only the ‘S256’ value is currently supported. Required if performing a PKCE request. For more information, refer to the PKCE RFC at https://tools.ietf.org/html/rfc7636.

Parameter Serialization Style: form Explode:true

string
label Optional

The human readable label for the refresh token. It is an optional parameter that allows the caller to specify a label for a refresh token, to avoid displaying the refresh token value to the end user.

Parameter Serialization Style: form Explode:true

string
login_hint Optional

Tells the Authorization server which login identifier the end user might use to log in. When supplied, discovery is skipped, as if the value had been entered by the user.
Important:
1. If the user is already logged in with a different account than the provided login_hint, its value will be ignored.
2. The login_hint must be in a valid email format, otherwise, it will be ignored.

Parameter Serialization Style: form Explode:true

integer
maxGroupsInIdToken Optional

The maximum number of groups allowed in the ID token. If the provided value is lower than the client’s registered “maxGroupsInIdToken”, the provided value is used. If the value is invalid, higher than the client’s “maxGroupsInIdToken”, or not provided, the client’s “maxGroupsInIdToken” is used. This is only relevant if the client has registered group-related scopes such as “group_names”, “group_ids”, “grpn://…” or “grpid://…”.

Parameter Serialization Style: form Explode:true

string
nonce Optional

A random value generated by the client and supplied in the authentication request that enables replay protection when present. The client should enforce protection against replay attacks by ensuring it is presented only once. The provided value will be returned in the id_token.

Parameter Serialization Style: form Explode:true

string
orgLink Optional

The link to the organization being accessed. If not provided, the user’s default organization link will be used. Must be in the format /csp/am/api/orgs/{orgId}, where {orgId} is the organization ID.

Parameter Serialization Style: form Explode:true
orgLink example: /csp/am/api/orgs/{orgId}

string
prompt Optional

Specifies whether the Authorization server prompts the end user for re-authentication.

Parameter Serialization Style: form Explode:true
prompt example: login

string
redirect_uri Required

Specifies the callback endpoint in your application that will receive the authorization code. When sending the redirect_uri as a URL parameter it has to be URL encoded.

Parameter Serialization Style: form Explode:true

integer
refreshTokenValiditySeconds Optional

The validity, in seconds, of the refresh token. If the provided value is lower than the client’s refreshTokenValiditySeconds, the provided value is used. If the value is invalid, higher than the client’s refreshTokenValiditySeconds, or not provided, the client’s refreshTokenValiditySeconds is used. For example, if the client’s default refreshTokenValiditySeconds is 30 minutes (i.e. 1800 seconds), provide refreshTokenValiditySeconds as 3600 to get a token with one hour of validity.

Parameter Serialization Style: form Explode:true

string
scope Optional

The list of requested scopes, separated by spaces and URL encoded. The scope parameter can be used to request different scopes. The requested scope must not include any scope not originally granted. If omitted, the returned scopes will be the ones originally granted.

Parameter Serialization Style: form Explode:true

string
state Required

A random string that your application generates and that will be sent back as a parameter during the URI redirection.

Parameter Serialization Style: form Explode:true
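
The PKCE, state, nonce and redirect_uri parameters above combined into one browser redirect, together with the state check on the callback. This is an added example, not CSP's own sample code: the host, client ID and redirect URI are constructed placeholders, and the callback parameter name `code` follows RFC 6749 rather than this page.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder values, not real CSP hosts or clients.
API_HOST = "csp.example.invalid"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.invalid/oauth/callback?src=csp"


def s256_challenge(code_verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)), padding stripped."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_discovery_url(api_host, client_id, redirect_uri):
    """Return (url, session): the redirect target and values to store server-side."""
    session = {
        "state": secrets.token_urlsafe(32),
        "nonce": secrets.token_urlsafe(32),  # compare with the id_token's nonce later
        "code_verifier": secrets.token_urlsafe(64),  # 86 chars; RFC 7636 allows 43-128
    }
    query = urlencode({  # urlencode percent-encodes redirect_uri as the page requires
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": s256_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    })
    return f"https://{api_host}/csp/gateway/discovery?{query}", session


def read_callback(callback_url, session):
    """Return the authorization code only when the returned state matches."""
    params = parse_qs(urlsplit(callback_url).query)
    returned = params.get("state", [""])[0]
    expected = session.pop("state", "")  # single use: a replayed callback fails
    if not expected or not hmac.compare_digest(returned.encode(), expected.encode()):
        raise ValueError("state mismatch: discard this callback")
    code = params.get("code", [""])[0]  # "code" is the RFC 6749 name, assumed here
    if not code:
        raise ValueError("callback carries no authorization code")
    return code
```

The code_verifier stays in the session and is never placed in the redirect URL; only its S256 challenge is sent.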

Authentication

This operation uses the following authentication methods.

Response

200 OK

OK

Errors

404

The requested resource could not be found


429

The user has sent too many requests


500

An unexpected error has occurred while processing the request

Code Samples

cURL Command

curl "https://{api_host}/csp/gateway/discovery?client_id=string&redirect_uri=string&state=string"
Vendor Extensions

This operation contains the following vendor extensions defined in the spec:
x-required-roles: ""
x-slo-tier: TIER2
