Invoking the Authorization Endpoint for OpenID Connect
In OpenID Connect the authorization endpoint handles authentication and authorization of a user.
Before you begin
About this task
The authorization endpoint accepts an authentication request that includes parameters that are defined by both the OAuth 2.0 and OpenID Connect 1.0 specifications.
In the Authorization Code Flow, the authorization endpoint is used for authentication and authorization and returns an authorization grant to the client. This authorization grant can then be passed in a request by the client to the token endpoint in exchange for an ID token, access token, and refresh token. In the Implicit Flow, the authorization endpoint still performs authentication and authorization but also directly returns an ID token and access token to the client in its response; no interaction is performed with the token endpoint.
A Liberty server with OpenID Connect enabled has access to the OpenID Connect authorization endpoint at the following URL:
https://server.example.com:443/oidc/endpoint/<provider_name>/authorize
If you must use a proxy to access the OpenID Connect Provider (OP), the value that you enter for any OP-related URL property must contain the proxy host and port, not the external OP host and port.
In most cases, you can replace the OP host and port with the proxy host and port. The URL that you enter must be visible to both the RP and client (browser or application). For further guidance on how to determine the correct URL to use, contact your proxy administrator.
In this example, the client expects the SSL port to be set to 443.
Procedure
Results
The OpenID Connect Provider attempts to authenticate and authorize the user once it receives a request from the client.
In the Authorization Code Flow, if authentication and authorization succeed, the OpenID Connect Provider issues an authorization code and includes it as a parameter in an OAuth 2.0 Authorization Response to the client. If the initial request included state, the authorization response will also include the exact state value that was included in the initial request. Using the application/x-www-form-urlencoded format, the code and state parameters are added as query parameters to the redirect_uri value that was specified in the authorization request.
In the Implicit Flow, if authentication and authorization succeed, the following parameters are returned from the authorization endpoint.
- access_token: Access token. This is returned unless the response_type value in the initial request is id_token.
- token_type: OAuth 2.0 Token Type. For OpenID Connect, this value is Bearer.
- id_token: ID token.
- state: Required if included in the authorization request.
- expires_in: (Optional) Expiration time of the access token in seconds since the response was generated.
These parameters are added to the fragment component of the redirect_uri value that is specified in the authorization request, not as query parameters such as in the Authorization Code Flow.
Example
An example request for the Authorization Code Flow is shown here:
GET /authorize?
response_type=code
&scope=openid profile email
&client_id=client01
&state=af0ifjsldkj
&redirect_uri=https://server.example.com:8020/oidcclient/redirect/client01 HTTP/1.1
An example request for the Implicit Flow is shown here:
GET /authorize?
response_type=id_token token
&scope=openid profile
&client_id=client01
&state=af0ifjsldkj
&redirect_uri=https://server.example.com:8020/oidcclient/redirect/client01
&nonce=n-0S6_WzA2Mj HTTP/1.1
An example response from the authorization endpoint in the Authorization Code Flow is shown here:
HTTP/1.1 302 Found
Location: https://server.example.com:8020/oidcclient/redirect/client01?
code=SplxlOBeZQQYbYS6WxSbIA
&state=af0ifjsldkj
An example response from the authorization endpoint in the Implicit Flow is shown here:
HTTP/1.1 302 Found
Location: https://server.example.com:8020/oidcclient/redirect/client01#
access_token=SlAV32hkKG
&token_type=Bearer
&id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso
&expires_in=3600
&state=af0ifjsldkj
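As an added example that is not part of the Liberty documentation, the following Python helper shows the relying-party side of both flows above: it builds the authorization request with a fresh state (and nonce for the Implicit Flow), then validates the redirect back, reading code and state from the query for the Authorization Code Flow and access_token, id_token and state from the fragment for the Implicit Flow. The provider name OP, the function names and the session dictionary are assumptions made for the example.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Liberty OP authorization endpoint; the provider name "OP" is an assumed placeholder.
AUTHORIZE_URL = "https://server.example.com:443/oidc/endpoint/OP/authorize"
REDIRECT_URI = "https://server.example.com:8020/oidcclient/redirect/client01"


def build_auth_request(flow, client_id="client01", scope="openid profile"):
    """Return (url, session): the request URL plus the state/nonce the RP must
    keep in the user's session and check when the OP redirects back."""
    session = {"state": secrets.token_urlsafe(16)}
    params = {
        "response_type": "code" if flow == "code" else "id_token token",
        "scope": scope,
        "client_id": client_id,
        "state": session["state"],
        "redirect_uri": REDIRECT_URI,
    }
    if flow == "implicit":
        # The Implicit Flow requires a nonce, which the OP echoes in the ID token.
        session["nonce"] = secrets.token_urlsafe(16)
        params["nonce"] = session["nonce"]
    return AUTHORIZE_URL + "?" + urlencode(params), session


def parse_auth_response(location, session):
    """Validate the OP's 302 Location value and return its parameters.

    Code Flow responses carry code and state in the query; Implicit Flow
    responses carry their parameters in the fragment. A missing or mismatched
    state is rejected so the RP never accepts a response it did not request."""
    parts = urlsplit(location)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("redirect target does not match the registered redirect_uri")
    raw = parts.fragment if parts.fragment else parts.query
    params = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    state = params.get("state", "")
    # Constant-time comparison of the returned state with the stored one.
    if not secrets.compare_digest(state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: response does not belong to this session")
    if "code" not in params and "access_token" not in params:
        raise ValueError("response carries neither code nor access_token")
    return params
```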