Authorization code
For the authorization code flow, calling the token endpoint is the second step of the flow. HTTP POST is used for the token endpoint.
Example: http://127.0.0.1:8080/oidc/tenant1/token-endpoint
Request parameters
These parameters must be posted as a part of the URL-encoded form values.
Note: Mandatory request parameters can be configured on each OIDC provider. Mandatory values below are the default behaviour.
code
The value that was returned from the authorization endpoint.
client_id
Identifies the client and must match the value configured in FortifiedID Integrity.
client_secret
Authenticates the client and must match the value configured in FortifiedID Integrity.
grant_type
Supported value is authorization_code.
redirect_uri
Specifies the redirect location. It must match the value configured in FortifiedID Integrity.
code_verifier
Required if code_challenge was used in the authorization endpoint request.
The token endpoint accepts either:
client authentication with client_secret_basic or client_secret_post, or
PKCE with code_verifier.
If code_verifier is present, client_secret is not required. If neither client authentication nor PKCE is used, the request is rejected.
When PKCE or client_secret_post is used, client_id must still be included so the relying party can be resolved.
Client authentication methods
Parameter: token_endpoint_auth_methods_supported
in discovery_meta configuration section.
FortifiedID Integrity supports the following methods:
client_secret_basic
Provide client_id and client_secret in the Authorization header (HTTP Basic authentication).
client_secret_post
Provide client_id and client_secret as parameters in the POST request body.
none
For PKCE use. Provide code_verifier (together with client_id) as a parameter in the POST request body.
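As an added example (not FortifiedID's own code), the following Python builds the token request for each of the three methods above and, on the provider side, applies the acceptance rule from the previous section: client authentication or PKCE, never neither, with client_id always resolvable. The client id, secret, codes, verifier and redirect URI are constructed sample values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode

def s256_challenge(verifier: str) -> str:
    """PKCE S256: base64url(sha256(code_verifier)) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

# Constructed sample data standing in for the provider's client registry and issued codes.
REGISTERED = {"app1": {"secret": "s3cret-xyz", "redirect_uri": "https://rp.example/cb"}}
VERIFIER = "constructed-code-verifier-" + "x" * 20          # 43+ chars as RFC 7636 requires
ISSUED_CODES = {"code-plain": {"client_id": "app1", "code_challenge": None},
                "code-pkce": {"client_id": "app1", "code_challenge": s256_challenge(VERIFIER)}}

def build_token_request(code, client_id, redirect_uri, method, client_secret=None, code_verifier=None):
    """Client side: (headers, form body) for the POST to the token endpoint."""
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":      # id:secret in the Authorization header
        headers["Authorization"] = "Basic " + base64.b64encode(
            f"{client_id}:{client_secret}".encode()).decode()
    elif method == "client_secret_post":     # secret travels in the form body
        form["client_secret"] = client_secret
    elif method == "none":                   # PKCE: prove possession of the verifier instead
        form["code_verifier"] = code_verifier
    else:
        raise ValueError("unsupported token_endpoint_auth_method")
    return headers, urlencode(form)

def accept_token_request(body: str, auth_header: str = "") -> bool:
    """Provider side: client authentication OR PKCE; a request with neither is rejected."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    basic_id = basic_secret = None
    if auth_header.startswith("Basic "):
        basic_id, _, basic_secret = base64.b64decode(auth_header[6:]).decode().partition(":")
    client_id = form.get("client_id") or basic_id   # relying party must be resolvable
    rp, issued = REGISTERED.get(client_id), ISSUED_CODES.get(form.get("code"))
    if not rp or not issued or issued["client_id"] != client_id:
        return False                                # unknown client, or code not bound to it
    if form.get("grant_type") != "authorization_code" or form.get("redirect_uri") != rp["redirect_uri"]:
        return False
    if "code_verifier" in form:                     # PKCE path: client_secret not required
        return issued["code_challenge"] is not None and secrets.compare_digest(
            s256_challenge(form["code_verifier"]), issued["code_challenge"])
    secret = basic_secret if basic_secret is not None else form.get("client_secret")
    return secret is not None and secrets.compare_digest(secret, rp["secret"])
```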