- Product Introduction
- Purchase Guide
- Operation Guide
- Development Guide
- API Documentation
- FAQs
- CIAM Policy
- Product Introduction
- Purchase Guide
- Operation Guide
- Development Guide
- API Documentation
- FAQs
- CIAM Policy
PKCE Authorization Code Mode
Last updated: 2023-12-22 11:42:07
API Description
The user (browser) can be redirected to this API address for login. Customer Identity Access Management (CIAM) will redirect the user to the authentication page for login authentication. After login, CIAM redirects the user to the address specified by the
redirect_uri parameter.If the user is already logged in, CIAM will redirect the user to
redirect_uri.Note:
According to the best security practices of the OAuth protocol, this API uses the Proof Key for Code Exchange (PKCE) authorization code mode.
The application system's Redirect URI used in the sample request is
https://example.com/callback.Supported Applications
Web applications, single-page applications (SPA), and mobile applications.
Request Method
GET
Request Path
/oauth2/authorize
Sample Requests
GET /oauth2/authorize?scope=openid&client_id=TENANT_CLIENT_ID&redirect_uri=https%3A%2F%2FTENANT.APP.DOMAIN%2Flogin%2Foauth2%2Fcode%2FTENANT_APP_ID&response_type=code&state=MOCK_STATE&code_challenge_method=S256&code_challenge=MOCK_CODE_CHALLENGE&auth_source_id=MOCK_USERNAME_PASSWORD_AUTH_SOURCE_ID HTTP/1.1Host: sample.portal.tencentciam.com
Request Parameters
Parameter | Optional | Description |
scope | false | Fixed value: openid. |
client_id | false | The client_id of the application. Go to the application management page and select the application, and then click Application Configuration to find the Client ID. |
redirect_uri | false | The redirected address after authorization. This should be the same as the address configured on the console. |
response_type | false | Fixed value: code. |
state | true | A string randomly generated by the application, which will be returned by the server to the application as an HTTP response parameter. To prevent cross-site request forgery (CSRF) attacks, we recommend that you use this parameter. |
code_challenge_method | false | Algorithm for calculating the PKCE code_challenge. Only S256 is supported. |
code_challenge | false | |
auth_source_id | true | The ID of the authentication source for login. If this parameter is not specified, the default login page is displayed. |
Sample Success Responses
The user is not logged in, and the default login page for authentication is displayed.
HTTP/1.1 302 FoundLocation: https://sample.portal.tencentciam.com/portal/login?p_state=MOCK_LOGIN_PORTAL_STATE
The user is logged in, and is redirected to the application callback address with the authorization code and
state parameter carried.HTTP/1.1 302 FoundLocation: https://example.com/callback?code=DVtNBg5XGqeu2IytLi6WOWwfh7pRc5jqI8vUb2K8k_2OryR2OsYN3260DwhlTDqEMtUSD1XN6gNuRDjYQ25nJX6H8MzfpIxJHIoi0tdtkXfRpV1ELhmw7behuwYraTlC&state=MOCK_STATE
Note:
After the
code parameter is returned in the application callback address, the API for getting the Token via PKCE mode should be called to get the Access Token and ID Token for login.Sample Error Responses
The
client_id parameter is missing or incorrect.HTTP/1.1 400 Bad Request
The
redirect_uri parameter does not match the sign-up information.HTTP/1.1 400 Bad Request
The
response_type parameter is missing or incorrect.HTTP/1.1 400 Bad Request
The
code_challenge_method parameter is not supported.HTTP/1.1 302 FoundLocation: https://example.com/callback?error=invalid_request&error_description=OAuth%202.0%20Parameter:%20code_challenge_method&error_uri=https://datatracker.ietf.org/doc/html/rfc7636%23section-4.4.1&state=MOCK_STATE
Yes
No
Was this page helpful?