OIDC Relying Party Endpoints

This topic describes the OIDC Relying Party endpoints.

Authorization

Request Parameters

Parameter | Presence | Description
scope | Required | Must be openid.
response_type | Required | Implicit Flow (IF): must be id_token or id_token token. Authorization Code Flow (ACF): must be code. Hybrid Flow (HF): must be code id_token, code token, or code id_token token.
client_id | Required | Identifies the client to the server. The Relying Parties table must have a client entry identified by (tenant_id, client_id).
redirect_uri | Required | URL to which the response is sent. Must match the redirect_uri of the client entry in the database.
state | Recommended | Opaque value used to maintain state between the request and the response (callback).
response_mode | Optional | Mechanism used to return the response (callback). If present, must be fragment, query, or form_post.
nonce | IF: Required; ACF: Optional | String value used to associate a client session with an ID Token and to mitigate replay attacks.
display | Optional | Not currently supported; ignored.
prompt | Optional | login and consent (if configured) are supported. none and select_account are not currently supported; their presence produces an error.
max_age | Optional | Not supported; ignored.
ui_locales | Optional | Not supported; ignored.
login_hint | Optional | Identifies the authenticating user (subject).
acr_values | Optional | A single entry may specify an authentication policy. Similar to the SAML format: urn:rsa:names:tc:oidc:ac:classes:spec:<policy_name>.
claims | Optional | List of claims to be provided in the response id_token. Each claim must have a definition (a mapping to an IS property in the ia_oidc_relying_party_claims table); claims without a mapping are ignored.
code_challenge | ACF/HF: Optional | A challenge derived from the code_verifier; it is verified at the token endpoint.
code_challenge_method | ACF/HF: Optional | The method used to derive code_challenge. Only S256 is supported.


Response Parameters

Parameter | Presence | Description
access_token | Optional | Provided for IF only, and only if response_type contains token.
token_type | Optional | Provided for IF only, and only if response_type contains token.
expires_in | Optional | Provided for IF only, and only if response_type contains token.
code | ACF: Required | Provided for ACF only.
id_token | IF: Required | Provided for IF only.
state | Optional | Supported; provided conditionally (when sent in the request).


id_token (IDToken)

Parameter | Presence | Description
iss | Required | issuer_uri.
sub | Required | Authentication subject.
aud | Required | Client issuer_uri.
exp | Required | Token expiration time.
iat | Required | Token issuance time.
auth_time | Required | Authentication time.
nonce | Optional | Supported; provided conditionally (when sent in the request).
acr | Optional | A single entry identifies the policy if one was requested in acr_values of the request; otherwise, the assurance level of the user authentication.
amr | Optional | Not supported; not provided.
azp | Optional | Not supported; not provided.
<claims> | Optional | Claims requested in the request, plus the essential claims specified in the ia_oidc_relying_party_claims table for the client.

Token

Request Parameters

Parameter | Presence | Description
grant_type | Required | Must be authorization_code.
code | Required | The code obtained from the response at the authorization endpoint.
redirect_uri | Required | The location to which the authorization response was sent. Must match the redirect_uri submitted at the authorization endpoint.
code_verifier | Optional | Opaque value used to derive the code_challenge submitted at the authorization endpoint.

Response Parameters

Parameter | Presence | Description
access_token | Required | Provided.
token_type | Required | Provided: bearer.
expires_in | Required | Provided. The access token is valid for 300 seconds.
code | Not applicable |
id_token | Required | Provided.
state | Not applicable |

Endpoint

Well-known URI registry: https://<tenant>/oidc-fe/.well-known/openid-configuration

Example, for tenant demo.auth.example.com: https://demo.auth.example.com/oidc-fe/.well-known/openid-configuration
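The Authorization Code Flow with PKCE described in the tables above, as an added Python example that is not part of this page or the product: it builds the authorization request, performs the S256 check the token endpoint applies to code_verifier, ties the callback to the request through state, and validates the id_token claims (iss, aud, exp, nonce). The authorize path is an assumption (the real one comes from the openid-configuration document), and signature verification of the id_token is outside this snippet.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint (not on the page): in practice take authorization_endpoint
# from https://<tenant>/oidc-fe/.well-known/openid-configuration.
AUTHZ_ENDPOINT = "https://demo.auth.example.com/oidc-fe/authorize"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = verifier or b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())

def verify_code_challenge(code_verifier, code_challenge):
    """Token-endpoint side check: S256(code_verifier) must equal the challenge."""
    expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
    return secrets.compare_digest(expected, code_challenge)

def build_authorization_url(client_id, redirect_uri, state, nonce, challenge, policy=None):
    """Authorization Code Flow request with PKCE, per the request table above."""
    params = {"scope": "openid", "response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state, "nonce": nonce,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    if policy:  # single policy entry in the page's urn:rsa:... format
        params["acr_values"] = "urn:rsa:names:tc:oidc:ac:classes:spec:" + policy
    return AUTHZ_ENDPOINT + "?" + urlencode(params)

def code_from_callback(callback_url, expected_state):
    """Extract the code, refusing a callback whose state is not ours."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to our request")
    return qs["code"][0]

def validate_id_token_claims(claims, issuer, expected_aud, nonce, now):
    """Check iss/aud/exp/nonce of an already signature-verified id_token payload."""
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    if claims.get("aud") != expected_aud:
        raise ValueError("aud mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: possible replay")
    return True
```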