See openid-connect Menu

Get Authorization Code


Use this API to start a new session using an authorization code that gets returned as part of the OpenId Connect Authentication Flow.

For more detail about the Authentication Flow see our Developer Overview for OpenID Connect.

Resource URL

https://<subdomain>.onelogin.com/oidc/auth?client_id=<client id>&redirect_uri=<redirect uri>&response_type=code&scope=openid

Resource Parameter

subdomain

required

integer

Set to the subdomain of your OneLogin instance.

e.g. oidc-sample where the instance is https://oidc-sample.onelogin.com

redirect_uri

required

string

The redirect uri that is registered with OneLogin for this OpenId Connect app.

response_type

required

string

Set to “code”

scope

required

string

Set to “openid”

nonce

string

A secure random string that is used by the OpenID provider to protect against replay attacks.

state

string

A random string that is returned on success and can be used to verify the call and protect against cross site scripting attacks.

Sample Response

If the request parameters are valid a 302 redirect will occur to the registered redirect_uri with the following query parameters appended.

Success - User is authenticated

?code=M2QyYWU2OGQtNDAxNi00NzQyLTlhYzktMDRmNTY0ZTIyNTZifFPdOVT...&state=61c07cd68b0c65a0e9a35bf6c4f472f4

Error - Invalid Response Type

?error=unsupported_response_type&error_description=response_type%20not%20supported

Error - Missing the scope parameter

?error=invalid_request&error_description=missing%20required%20parameter(s)%20scope

Missing the redirect_uri

{
    "error": "invalid_request",
    "error_description": "missing required parameter(s). (redirect_uri)"
}
{
    "error": "invalid_request",
    "error_description": "Authentication Failed"
}
{
    "error": "invalid_request",
    "error_description": "Access is unauthorized"
}

Response Elements

code Use this authorization code to start a new session and obtain an access_token.
state The state parameter provided in the initial request to help prevent cross site scripting attacks

Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.