Authorization code

For the authorization code flow, calling the token endpoint is the second step of the flow. HTTP POST is used for the token endpoint.

Example: http://127.0.0.1:8080/oidc/tenant1/token-endpoint

These parameters must be posted as a part of the URL-encoded form values.

Note: Mandatory request parameters can be configured on each OIDC provider. Mandatory values below are the default behaviour.

Parameter

Description

Mandatory

code

The value that was returned from the authorization endpoint.

client_id

Identifies the client and must match the value configured in FortifiedID Integrity.

client_secret

Authenticates the client and must match the value configured in FortifiedID Integrity.

grant_type

Supported value is authorization_code.

redirect_uri

Specifies the redirect location. It must match the value configured in FortifiedID Integrity.

code_verifier

Required if code_challenge was used in the authorization endpoint request.

Parameter: token_endpoint_auth_methods_supported

in discovery_meta configuration section.

FortifiedID Integrity supports the following methods:

Method

Description

client_secret_basic

Provide 'clientid' and 'client_secret' in the Authorization header. (Basic auth)

client_secret_post

Provide 'clientid' and 'client_secret' as parameters in the POST request body.

none

For PKCE use. Provide the 'code_verifier' as a parameter in the POST request body.

"discovery_meta": {
    ...
    "token_endpoint_auth_methods_supported" : 
        ["client_secret_post", "client_secret_basic"]
    ...
}