See openid-connect Menu

Auth Code Flow pt. 1


Upgrade Available

There is a more recent version of this OpenId Connect API available. Learn more.

The Authorization Code Flow is the most secure and preferred method to authenticate users via OpenId Connect.

This is the first of two requests that need to be made to complete the flow.

In the first step you will redirect the user to the url described below, the user will be authenticated and then redirected back to your site with an authorization code.

In the second step you will make another request to exchange the authorization code for an access token.

For more detail about the Authorization Code Flow see our Developer Overview for OpenID Connect.

Resource URL

https://<region>.onelogin.com/oidc/auth?client_id=<client id>&redirect_uri=<redirect uri>&response_type=code&scope=openid

Resource Parameter

region

required

string

Set to the region of your OneLogin instance.

  • openid-connect
  • openid-connect-eu
e.g. If your OneLogin instance is located in Europe then use https://openid-connect-eu.onelogin.com/oidc

redirect_uri

required

string

The redirect uri that is registered with OneLogin for this OpenId Connect app.

response_type

required

string

Set to “code”

scope

required

string

Requires at least “openid”.

Add “profile” and/or “groups” to get additional user information returned in the id_token and User Info endpoint.

nonce

string

A secure random string that is used by the OpenID provider to protect against replay attacks.

state

string

A random string that is returned on success and can be used to verify the call and protect against cross site scripting attacks.

acr_values

string

If this optional parameter is set to onelogin:nist:level:1:re-auth the user will be forced to re-authenticate regardless of their current session state. This value will also be returned in the acr claim of the ID Token.

code_challenge_method

string

Set this to S256.

Required when Token Endpoint Authentication Method is set to none (PKCE).

code_challenge

string

A Base64 Url Encoded SHA256 hash of a string that you will be required to send as code_verifier when making the second request in the Auth Code Flow.

Required when Token Endpoint Authentication Method is set to none (PKCE).

prompt

string

Optional. If used must be set to one of the following:

  • login - The user will be prompted with a login dialog.
  • none - The user will not be prompted with a login dialog. If they do not have a current session a login_required error will be returned.

login_hint

string

Optional. Set this to the user’s username or email to prepopulate the username field of the OneLogin login screen.

How to hash and encode a code_challenge

This example shows how to use Node.js to define a code_verifier and then hash and encode that value to represent a code_challenge.


const crypto = require('crypto')
const base64url = require('base64url')
var code_verifier = 'helloworld';
var code_challenge = base64url.encode(crypto.createHash('sha256').update(code_verifier).digest());

Sample Response

If the request parameters are valid a 302 redirect will occur to the registered redirect_uri with the following query parameters appended.

Success - User is authenticated

?code=M2QyYWU2OGQtNDAxNi00NzQyLTlhYzktMDRmNTY0ZTIyNTZifFPdOVT...&state=61c07cd68b0c65a0e9a35bf6c4f472f4

Error - Invalid Response Type

?error=unsupported_response_type&error_description=response_type%20not%20supported

Error - Missing the scope parameter

?error=invalid_request&error_description=missing%20required%20parameter(s)%20scope

Error - Prompt=none and the user was not authenticated

?error=login_required&error_description=End-User%20authentication%20is%20required

Missing the redirect_uri

{
    "error": "invalid_request",
    "error_description": "missing required parameter(s). (redirect_uri)"
}
{
    "error": "invalid_request",
    "error_description": "Authentication Failed"
}
{
    "error": "invalid_request",
    "error_description": "Access is unauthorized"
}

Response Elements

code Use this authorization code to start a new session and obtain an access_token.
state The state parameter provided in the initial request to help prevent cross site scripting attacks

Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.

StackOverflow discussions about "[onelogin] openid connect"

  • 5
    Votes
    1
    Answers

    Q: How to use onelogin SSO with AngularJS?

    Asked Jun 20 2016

    questions: 1> Onelogin is using SAML instead of OpenID Connect. I am not asking what's the difference between these two, but what is recommended since everyone is moving towards OpenID Connect? 2> Does Onelogin supports AngularJS? I don't see any documentation for onelogin API with AngularJS & Node See Here … I was looking into Onelogin for SSO. We have applications written in .NET, AngularJS + Node. None of these applications are mobile applications. After going through their documentation I have few …

  • 4
    Votes

    A: SAML for Native Mobile Apps(Android and IOS)

    Answered Apr 02 2018

    session you've established with an SSO provider) between native apps that also support SAML the same way. https://spin.atomicobject.com/2016/09/01/sharing-web-data-wkwebview/ Basically, if you do this, you'll also be supporting SSO on mobile via SAML (or OpenID Connect, if you go that route) …

  • 3
    Votes

    A: Does OneLogin support client session management via OIDC?

    Answered Nov 16 2018

    https://openid.net/specs/openid-connect-session-1_0.html: 2.1. OpenID Provider Discovery Metadata These OpenID Provider Metadata parameters MUST be included in the Server's discovery … responses when Session Management and Discovery are supported: check_session_iframe ... end_session_endpoint ... I don't see these metadata parameters in the OneLogin discovery metadata, so it looks like Session Management is not supported. …

  • 2
    Votes

    A: How to Validate an Access Token for OAuth2 + PCKE flow

    Answered Apr 25 2019

    returned from the auth code flow https://developers.onelogin.com/openid-connect/api/authorization-code-grant worked, and the access_token only returned {"active":false} after it expired. Make sure you are not setting the Authorization header, and only set your client_id in the payload. … I'm using OIDC with PKCE, and I managed to call the https://openid-connect.onelogin.com/oidc/token/introspection endpoint with a token retrieved via the authorization code flow: $ curl -i -d "token …

  • 1
    Votes

    A: XMLHttpRequest has been blocked by CORS policy - https://openid-connect-eu.onelogin.com/oidc/token

    Answered May 23 2019

    , which is documented here: https://developers.onelogin.com/openid-connect/api/id-token OneLogin also has sample code for this: https://github.com/onelogin/onelogin-oidc-node/tree/master/2.%20Implicit%20Flow … Javascript prevents POST calls to other domains at the browser level unless they are expressly permitted by the service (and OneLogin doesn't permit this, for security reasons) I'll add that doing …

Loading...