# OAuth 2.0 / OpenID Connect

Authcore is complaint to [OAuth 2.0](http://oauth.net/documentation) and [OpenID Connect](http://openid.net/) standards. The OAuth 2.0 protocol provides API access control via scoped access tokens, and OpenID Connect provides user authentication and single sign-on (SSO) funcitonality.

## Endpoints

## Authorization

<mark style="color:green;">`POST`</mark> `https://auth.acme.com/oauth/authorize`

This is a starting point for browser-based OpenID Connect flows such as the implicit and authorization code flows. This request authenticates the user and returns tokens along with an authorization grant to the client application as a part of the callback response.

#### Query Parameters

| Name                    | Type   | Description                                                                                                                                                               |
| ----------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| state                   | string | A value to be returned in the token. The client application can use it to remember the state of its interaction with the end user at the time of the authentication call. |
| scope                   | string | Currently empty.                                                                                                                                                          |
| response\_type          | string | Any combination of `code`, `token`, and `id_token`.                                                                                                                       |
| redirect\_uri           | string | Callback location where the authorization code or tokens should be sent. It must match the preset value in client application configuration.                              |
| code\_challenge\_method | string | Method used to derive the code challenge for PKCE. Valid value: S256                                                                                                      |
| code\_challenge         | string | A challenge for PKCE. The challenge is verified in the access token request.                                                                                              |
| client\_id              | string | The ID in client application configuration.                                                                                                                               |

{% tabs %}
{% tab title="200 " %}

```
```

{% endtab %}
{% endtabs %}

## Token

<mark style="color:green;">`POST`</mark> `https://auth.acme.com/oauth/token`

This endpoint returns access tokens, ID tokens, and refresh tokens, depending on the request parameters. For password, client credentials, and refresh token flows, calling `/token` is the only step of the flow. For the authorization code flow, calling `/token` is the second step of the flow.

#### Request Body

| Name           | Type   | Description                                                                                                                                                       |
| -------------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| code           | string | Required if grant\_type is authorization\_code. The value is what was returned from the authorization endpoint.                                                   |
| code\_verifier | string | Required if grant\_type is authorization\_code and code\_challenge was specified in the original authorization request. This value is the code verifier for PKCE. |
| grant\_type    | string | Can be one of the following: authorization\_code, or refresh\_token.                                                                                              |
| redirect\_uri  | string | Required if grant\_type is authorization\_code. Specifies the callback location where the authorization was sent.                                                 |
| refresh\_token | string | Required if grant\_type is refresh\_token.                                                                                                                        |

{% tabs %}
{% tab title="200 " %}

```
{
    "access_token": "access_token",
    "token_type": "token_type",
    "expires_in": 987654321,
    "scope": "",
    "refresh_token": "",
    "id_token": "id_token"
}
```

{% endtab %}
{% endtabs %}

<mark style="color:blue;">`GET`</mark> `https://auth.acme.com/.well-known/openid-configuration`

Returns OpenID Connect metadata about your authorization server.

{% tabs %}
{% tab title="200 " %}

```
{
  "issuer": "https://auth.acme.com",
  "authorization_endpoint": "https://auth.acme.com/oauth/authorize",
  "token_endpoint": "https://auth.acme.com/oauth/token",
  "jwks_uri": "https://auth.acme.com/.well-known/jwks.json",
  "response_types_supported": [
    "code",
    "code id_token",
    "id_token",
    "token id_token"
  ]
}
```

{% endtab %}
{% endtabs %}

## JSON Web Key Set

<mark style="color:blue;">`GET`</mark> `https://auth.acme.com/.well-known/jwks.json`

Returns a JSON Web Key Set (JWKS) that contains the public keys that can be used to verify the signatures of tokens that you receive from your authorization server.

{% tabs %}
{% tab title="200 " %}

```
{
  "keys": [
    {
      "use": "sig",
      "kty": "EC",
      "kid": "hN351AH04N2BBba3N6PgNcVloRohu6KkDRDMcvr5k28",
      "crv": "P-256",
      "alg": "ES256",
      "x": "KY6MShC7UrSkekyczKKvZQXuxFKDRd0DEgV6r9XeDAY",
      "y": "aGDz074Md6DQU2rRSY0jif6kawW6r22Q4jzi6Se75Wk"
    }
  ]
}
```

{% endtab %}
{% endtabs %}