Authorization code
Last updated
Last updated
For the authorization code flow, calling the token endpoint is the second step of the flow. HTTP POST is used for the token endpoint.
These parameters must be posted as a part of the URL-encoded form values.
Note: Mandatory request parameters can be configured on each OIDC provider. Mandatory values below are the default behaviour.
| Parameter | Description | Mandatory |
|---|---|---|
Parameter: token_endpoint_auth_methods_supported
in discovery_meta configuration section.
FortifiedID Integrity supports the following methods:
| Method | Description |
|---|---|
code
The value that was returned from the authorization endpoint.
client_id
Identifies the client and must match the value configured in FortifiedID Integrity.
client_secret
Authenticates the client and must match the value configured in FortifiedID Integrity.
grant_type
Supported value is authorization_code.
redirect_uri
Specifies the redirect location. It must match the value configured in FortifiedID Integrity.
code_verifier
Required if code_challenge was used in the authorization endpoint request.
client_secret_basic
Provide 'clientid' and 'client_secret' in the Authorization header. (Basic auth)
client_secret_post
Provide 'clientid' and 'client_secret' as parameters in the POST request body.
none
For PKCE use. Provide the 'code_verifier' as a parameter in the POST request body.