OAuth 2.0 / OpenID Connect
Authcore is complaint to OAuth 2.0 and OpenID Connect standards. The OAuth 2.0 protocol provides API access control via scoped access tokens, and OpenID Connect provides user authentication and single sign-on (SSO) funcitonality.
Endpoints
Authorization
POST
https://auth.acme.com/oauth/authorize
This is a starting point for browser-based OpenID Connect flows such as the implicit and authorization code flows. This request authenticates the user and returns tokens along with an authorization grant to the client application as a part of the callback response.
Query Parameters
Name | Type | Description |
---|---|---|
state | string | A value to be returned in the token. The client application can use it to remember the state of its interaction with the end user at the time of the authentication call. |
scope | string | Currently empty. |
response_type | string | Any combination of |
redirect_uri | string | Callback location where the authorization code or tokens should be sent. It must match the preset value in client application configuration. |
code_challenge_method | string | Method used to derive the code challenge for PKCE. Valid value: S256 |
code_challenge | string | A challenge for PKCE. The challenge is verified in the access token request. |
client_id | string | The ID in client application configuration. |
Token
POST
https://auth.acme.com/oauth/token
This endpoint returns access tokens, ID tokens, and refresh tokens, depending on the request parameters. For password, client credentials, and refresh token flows, calling /token
is the only step of the flow. For the authorization code flow, calling /token
is the second step of the flow.
Request Body
Name | Type | Description |
---|---|---|
code | string | Required if grant_type is authorization_code. The value is what was returned from the authorization endpoint. |
code_verifier | string | Required if grant_type is authorization_code and code_challenge was specified in the original authorization request. This value is the code verifier for PKCE. |
grant_type | string | Can be one of the following: authorization_code, or refresh_token. |
redirect_uri | string | Required if grant_type is authorization_code. Specifies the callback location where the authorization was sent. |
refresh_token | string | Required if grant_type is refresh_token. |
GET
https://auth.acme.com/.well-known/openid-configuration
Returns OpenID Connect metadata about your authorization server.
JSON Web Key Set
GET
https://auth.acme.com/.well-known/jwks.json
Returns a JSON Web Key Set (JWKS) that contains the public keys that can be used to verify the signatures of tokens that you receive from your authorization server.
Last updated