tencent cloud

PKCE Authorization Code Mode

Last updated: 2023-12-22 11:42:07

    API Description

    Redirect the user (browser) to this API address to log in. Customer Identity Access Management (CIAM) redirects the user to the authentication page to log in. After login, CIAM redirects the user to the address specified by the redirect_uri parameter.
    If the user is already logged in, CIAM redirects the user to redirect_uri.
    Note:
    Following the security best practices of the OAuth protocol, this API uses the Proof Key for Code Exchange (PKCE) authorization code mode.
    The application system's Redirect URI used in the sample request is https://example.com/callback.

    Supported Applications

    Web applications, single-page applications (SPA), and mobile applications.

    Request Method

    GET

    Request Path

    /oauth2/authorize

    Sample Requests

    GET /oauth2/authorize?scope=openid&client_id=TENANT_CLIENT_ID&redirect_uri=https%3A%2F%2FTENANT.APP.DOMAIN%2Flogin%2Foauth2%2Fcode%2FTENANT_APP_ID&response_type=code&state=MOCK_STATE&code_challenge_method=S256&code_challenge=MOCK_CODE_CHALLENGE&auth_source_id=MOCK_USERNAME_PASSWORD_AUTH_SOURCE_ID HTTP/1.1
    Host: sample.portal.tencentciam.com

    Request Parameters

    | Parameter | Optional | Description |
    |---|---|---|
    | scope | false | Fixed value: openid. |
    | client_id | false | The client_id of the application. Go to the application management page and select the application, and then click Application Configuration to find the Client ID. |
    | redirect_uri | false | The redirected address after authorization. This should be the same as the address configured on the console. |
    | response_type | false | Fixed value: code. |
    | state | true | A string randomly generated by the application, which will be returned by the server to the application as an HTTP response parameter. To prevent cross-site request forgery (CSRF) attacks, we recommend that you use this parameter. |
    | code_challenge_method | false | Algorithm for calculating the PKCE code_challenge. Only S256 is supported. |
    | code_challenge | false | PKCE code_challenge. For more information about the calculation method, see RFC 7636. |
    | auth_source_id | true | The ID of the authentication source for login. If this parameter is not specified, the default login page is displayed. |

    Sample Success Responses

    The user is not logged in, and the default login page for authentication is displayed.
    HTTP/1.1 302 Found
    Location: https://sample.portal.tencentciam.com/portal/login?p_state=MOCK_LOGIN_PORTAL_STATE
    The user is logged in, and is redirected to the application callback address carrying the authorization code and the state parameter.
    HTTP/1.1 302 Found
    Location: https://example.com/callback?code=DVtNBg5XGqeu2IytLi6WOWwfh7pRc5jqI8vUb2K8k_2OryR2OsYN3260DwhlTDqEMtUSD1XN6gNuRDjYQ25nJX6H8MzfpIxJHIoi0tdtkXfRpV1ELhmw7behuwYraTlC&state=MOCK_STATE
    Note:
    After the code parameter is returned to the application callback address, call the API for getting the Token via PKCE mode to get the Access Token and ID Token for login.

    Sample Error Responses

    The client_id parameter is missing or incorrect.
    HTTP/1.1 400 Bad Request
    The redirect_uri parameter does not match the sign-up information.
    HTTP/1.1 400 Bad Request
    The response_type parameter is missing or incorrect.
    HTTP/1.1 400 Bad Request
    The code_challenge_method parameter is not supported.
    HTTP/1.1 302 Found
    Location: https://example.com/callback?error=invalid_request&error_description=OAuth%202.0%20Parameter:%20code_challenge_method&error_uri=https://datatracker.ietf.org/doc/html/rfc7636%23section-4.4.1&state=MOCK_STATE
    