This endpoint is used with browser redirection only. Trying to access it via GET HTTP call will fail. It discovers the user’s Identity Provider (IdP) and sends the user to the IdP login page.This is the starting point of the OAuth 2.0 flow to authenticate end users from your application. This authorization endpoint must be used by clients to authenticate users and obtain an authorization code. To use this endpoint, your application must be registered as an OAuth 2.0 client with CSP and have the ‘authorization_code’ grant type enabled.
|Role||User Accounts||Service Accounts (Client Credentials Applications)|
The validity in seconds for the access token. If a value lower than the client’s accessTokenValiditySeconds is provided, the provided accessTokenValiditySeconds value will be used. Else if an invalid value, a value higher than the client’s accessTokenValiditySeconds, or no value is provided, then the client’s accessTokenValiditySeconds will be used. For example if the client’s default accessTokenValiditySeconds is 5 minutes ie 300 seconds, to get a token with only one minute validity provide accessTokenValiditySeconds as 60
This is the identifier of the OAuth 2.0 client that was registered with CSP
The challenge generated from ‘code_verifier’. Used to secure authorization code grants via Proof Key for Code Exchange (PKCE) from a native client. Required if performing a PKCE request. For more information, refer the PKCE RFC at https://tools.ietf.org/html/rfc7636
The method used to encode the ‘code_verifier’ for the ‘code_challenge’ parameter. Only the ‘S256’ value is supported currently. Required if performing a PKCE request. For more information, refer the PKCE RFC at https://tools.ietf.org/html/rfc7636
The human readable label for the refresh token. It is an optional parameter that allows the caller to specify a label for a refresh token, to avoid displaying the refresh token value to the end user.
Specifies to the Authorization Server about the login identifier the End-User might use to log in. When supplied, the discovery will be skipped, as if the value was entered by the user.
1. If the user is already logged in with a different account than the provided login_hint it’s value will be ignored.
2. The login_hint must be in a valid email format, otherwise, it will be ignored.
The maximum number of groups allowed in the ID token. If the value provided is lower than the client’s registered ‘maxGroupsInIdToken’, the provided value will be used, else if an invalid value, a value higher than the client’s ‘maxGroupsInIdToken’, or no value is provided, then the client’s ‘maxGroupsInIdToken’ will be used. This is only relevant if the client has registered groups related scopes such as ‘group_names’, ‘group_ids’, ‘grpn://…’ or ‘grpid://…’.
A random value generated by the client and supplied in the authentication request that enables replay protection when present. The client should enforce protection against replay attacks by ensuring it is presented only once. The provided value will be returned in the id_token.
The link to the organization the user is trying to access. If not provided, the user’s default organization link will be used
Specifies whether the Authorization Server prompts the End-User for re-authentication.
Specifies the callback endpoint in your application that will receive the authorization code. When sending the redirect_uri as a URL parameter it has to be URL encoded.
The validity in seconds for the refresh token. If a value lower than the client’s refreshTokenValiditySeconds is provided, the provided refreshTokenValiditySeconds value will be used. Else if an invalid value, a value higher than the client’s refreshTokenValiditySeconds, or no value is provided, then the client’s refreshTokenValiditySeconds will be used. For example if the client’s default refreshTokenValiditySeconds is 30 minutes ie 1800 seconds, to get a token with one hour validity provide refreshTokenValiditySeconds as 3600
The list of scopes separated by a space and is URL encoded. Scope parameter can be used to request different scopes. The requested scope must not include any scope not originally granted. If omitted, the returned scopes will be the ones originally granted.
A random string that your application generates and that will be sent back as a parameter during the URI redirection.
The requested resource could not be found
The user has sent too many requests
An unexpected error has occurred while processing the request
x-required-roles: "" x-slo-tier: TIER2