PKCE Authorization Code Mode
Last updated: 2023-12-22 11:42:07

API Description

The user (browser) can be redirected to this API address to log in. Customer Identity Access Management (CIAM) redirects the user to the authentication page to authenticate. After login, CIAM redirects the user to the address specified by the redirect_uri parameter.
If the user is already logged in, CIAM will redirect the user to redirect_uri.
Note:
According to the best security practices of the OAuth protocol, this API uses the Proof Key for Code Exchange (PKCE) authorization code mode.
The application system's Redirect URI used in the sample request is https://example.com/callback.

Supported Applications

Web applications, single-page applications (SPA), and mobile applications.

Request Method

GET

Request Path

/oauth2/authorize

Sample Requests

GET /oauth2/authorize?scope=openid&client_id=TENANT_CLIENT_ID&redirect_uri=https%3A%2F%2FTENANT.APP.DOMAIN%2Flogin%2Foauth2%2Fcode%2FTENANT_APP_ID&response_type=code&state=MOCK_STATE&code_challenge_method=S256&code_challenge=MOCK_CODE_CHALLENGE&auth_source_id=MOCK_USERNAME_PASSWORD_AUTH_SOURCE_ID HTTP/1.1
Host: sample.portal.tencentciam.com

Request Parameters

| Parameter | Optional | Description |
|---|---|---|
| scope | false | Fixed value: openid. |
| client_id | false | The client_id of the application. Go to the application management page and select the application, and then click Application Configuration to find the Client ID. |
| redirect_uri | false | The redirected address after authorization. This should be the same as the address configured on the console. |
| response_type | false | Fixed value: code. |
| state | true | A string randomly generated by the application, which will be returned by the server to the application as an HTTP response parameter. To prevent cross-site request forgery (CSRF) attacks, we recommend that you use this parameter. |
| code_challenge_method | false | Algorithm for calculating the PKCE code_challenge. Only S256 is supported. |
| code_challenge | false | PKCE code_challenge. For more information about the calculation method, see RFC 7636. |
| auth_source_id | true | The ID of the authentication source for login. If this parameter is not specified, the default login page is displayed. |

Sample Success Responses

The user is not logged in, and the default login page for authentication is displayed.
HTTP/1.1 302 Found
Location: https://sample.portal.tencentciam.com/portal/login?p_state=MOCK_LOGIN_PORTAL_STATE
The user is logged in, and is redirected to the application callback address with the authorization code and state parameter carried.
HTTP/1.1 302 Found
Location: https://example.com/callback?code=DVtNBg5XGqeu2IytLi6WOWwfh7pRc5jqI8vUb2K8k_2OryR2OsYN3260DwhlTDqEMtUSD1XN6gNuRDjYQ25nJX6H8MzfpIxJHIoi0tdtkXfRpV1ELhmw7behuwYraTlC&state=MOCK_STATE
Note:
After the code parameter is returned in the application callback address, the API for getting the Token via PKCE mode should be called to get the Access Token and ID Token for login.

Sample Error Responses

The client_id parameter is missing or incorrect.
HTTP/1.1 400 Bad Request
The redirect_uri parameter does not match the address registered for the application on the console.
HTTP/1.1 400 Bad Request
The response_type parameter is missing or incorrect.
HTTP/1.1 400 Bad Request
The code_challenge_method parameter is not supported.
HTTP/1.1 302 Found
Location: https://example.com/callback?error=invalid_request&error_description=OAuth%202.0%20Parameter:%20code_challenge_method&error_uri=https://datatracker.ietf.org/doc/html/rfc7636%23section-4.4.1&state=MOCK_STATE
