See openid-connect Menu

Auth Code Flow pt. 1

Deprecation Notice

There is a more recent version of this OpenId Connect API available. Learn more.

This endpoint will be removed from service on April 20th 2021.

The Authorization Code Flow is the most secure and preferred method to authenticate users via OpenId Connect.

This is the first of two requests that need to be made to complete the flow.

In the first step you will redirect the user to the url described below, the user will be authenticated and then redirected back to your site with an authorization code.

In the second step you will make another request to exchange the authorization code for an access token.

For more detail about the Authorization Code Flow see our Developer Overview for OpenID Connect.

Resource URL

https://<region><client id>&redirect_uri=<redirect uri>&response_type=code&scope=openid

Resource Parameter




Set to the region of your OneLogin instance.

  • openid-connect
  • openid-connect-eu
e.g. If your OneLogin instance is located in Europe then use




The redirect uri that is registered with OneLogin for this OpenId Connect app.




Set to “code”




Requires at least “openid”.

Add “profile” and/or “groups” to get additional user information returned in the id_token and User Info endpoint.



A secure random string that is used by the OpenID provider to protect against replay attacks.



A random string that is returned on success and can be used to verify the call and protect against cross site scripting attacks.



If this optional parameter is set to onelogin:nist:level:1:re-auth the user will be forced to re-authenticate regardless of their current session state. This value will also be returned in the acr claim of the ID Token.



Set this to S256.

Required when Token Endpoint Authentication Method is set to none (PKCE).



A Base64 Url Encoded SHA256 hash of a string that you will be required to send as code_verifier when making the second request in the Auth Code Flow.

Required when Token Endpoint Authentication Method is set to none (PKCE).



Optional. If used must be set to one of the following:

  • login - The user will be prompted with a login dialog.
  • none - The user will not be prompted with a login dialog. If they do not have a current session a login_required error will be returned.



Optional. Set this to the user’s username or email to prepopulate the username field of the OneLogin login screen.

How to hash and encode a code_challenge

This example shows how to use Node.js to define a code_verifier and then hash and encode that value to represent a code_challenge.

const crypto = require('crypto')
const base64url = require('base64url')
var code_verifier = 'helloworld';
var code_challenge = base64url.encode(crypto.createHash('sha256').update(code_verifier).digest());

Sample Response

If the request parameters are valid a 302 redirect will occur to the registered redirect_uri with the following query parameters appended.

Success - User is authenticated


Error - Invalid Response Type


Error - Missing the scope parameter


Error - Prompt=none and the user was not authenticated


Missing the redirect_uri

    "error": "invalid_request",
    "error_description": "missing required parameter(s). (redirect_uri)"
    "error": "invalid_request",
    "error_description": "Authentication Failed"
    "error": "invalid_request",
    "error_description": "Access is unauthorized"

Response Elements

code Use this authorization code to start a new session and obtain an access_token.
state The state parameter provided in the initial request to help prevent cross site scripting attacks

Postman Collection

Replace sample variables indicated by {{ }} with your actual values.

Run in Postman

    Clicking Run in Postman button navigates to the page where you can fork the collection to your workspace. Forking the collection into your workspace will enable you to contribute to the source collection using pull requests. You can also view the collection in a public workspace if you like and even import a copy of the collection using the links present on the screen.

Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.