Auth Code Flow pt. 1
The Authorization Code Flow is the most secure and preferred method to authenticate users via OpenId Connect.
This is the first of two requests that need to be made to complete the flow.
In the first step you will redirect the user to the url described below, the user will be authenticated and then redirected back to your site with an authorization code.
In the second step you will make another request to exchange the authorization code for an access token.
For more detail about the Authorization Code Flow see our Developer Overview for OpenID Connect.
Resource URL
https://<subdomain>.onelogin.com/oidc/2/auth?client_id=<client id>&redirect_uri=<redirect uri>&response_type=code&scope=openidResource Parameter
subdomain required string |
Set to the e.g. |
Request Parameter
client_id required string |
The OneLogin generated Client ID for your OpenID Connect app. |
redirect_uri required string |
The redirect uri that is registered with OneLogin for this OpenId Connect app. |
response_type required string |
Set to “code” |
scope required string |
Requires at least “openid”. Add “profile” and/or “groups” to get additional user information returned in the The “offline_access” scope is not supported on this grant type and will return an error if provided. |
nonce string |
A secure random string that is used by the OpenID provider to protect against replay attacks. |
state string |
A random string that is returned on success and can be used to verify the call and protect against cross site scripting attacks. |
acr_values string |
If this optional parameter is set to |
code_challenge_method string |
Set this to S256. Required when Token Endpoint Authentication Method is set to none (PKCE). |
|
code_challenge string |
A Base64 Url Encoded SHA256 hash of a string that you will be required to send as code_verifier when making the second request in the Auth Code Flow. Required when Token Endpoint Authentication Method is set to none (PKCE). |
|
prompt string |
Optional. If used must be set to one of the following:
|
|
login_hint string |
Optional. Set this to the user’s username or email to prepopulate the username field of the OneLogin login screen. |
|
resource string |
Optional. When API Authorization is configured, specify the API Resource Identifier here to generate a customized Access Token that can be used for authorizing access to apis and api gateways. e.g. resource=https://api.example.com/contacts |
|
ui_locales string |
Optional. Add this parameter at the end of a request to specify language. To enable this, go to your OneLogin admin portal > Settings > Account Settings > Localization > Additional Languages and check the approriate languages. We support the following languages: cs-CZ, da, de, en, es, fr, hu-HU, it, ja, ko, ms-MY, nl, pl-PL, pt, ru-RU, sk-SK, th-TH, tr-TR, vi-VN, zh, zh-TW. UI_Locales will override browser and user settings for language. If a language is specified that does not exist we will fall back to the english. If the language for the region does not exist then we will fall back to the language we do support. If more than one language is provided then we will use them in priority order from left to right. UI_locales will only control the language for the login page, and will not change the portal or profile. |
How to hash and encode a code_challenge
This example shows how to use Node.js to define a code_verifier and then hash and encode that value to represent a code_challenge.
const crypto = require('crypto')
const base64url = require('base64url')
var code_verifier = 'helloworld';
var code_challenge = base64url.encode(crypto.createHash('sha256').update(code_verifier).digest());
Sample Response
- 302 Redirect
- 400 Bad Request
- 401 Unauthorized
If the request parameters are valid a 302 redirect will occur to the registered redirect_uri with the following query parameters appended.
Success - User is authenticated
The authorization code is returned with a 10 minute expiry time.
?code=M2QyYWU2OGQtNDAxNi00NzQyLTlhYzktMDRmNTY0ZTIyNTZifFPdOVT...&state=61c07cd68b0c65a0e9a35bf6c4f472f4Error - Invalid Response Type
?error=unsupported_response_type&error_description=response_type%20not%20supportedError - Missing the scope parameter
?error=invalid_request&error_description=missing%20required%20parameter(s)%20scopeError - Prompt=none and the user was not authenticated
?error=login_required&error_description=End-User%20authentication%20is%20requiredError - invalid_scope - some of requested scopes are not on the allow-list
This indicates that you have supplied scopes that are not official OIDC scopes or not defined as part of an API Authorization Server.
?error=invalid_scope&error_description=some%20of%20requested%20scopes%20are%20not%20whitelistedMissing the redirect_uri
{
"error": "invalid_request",
"error_description": "missing required parameter(s). (redirect_uri)"
}{
"error": "invalid_request",
"error_description": "Authentication Failed"
}{
"error": "invalid_request",
"error_description": "Access is unauthorized"
}Response Elements
code |
Use this authorization code to start a new session and obtain an access_token. |
state |
The state parameter provided in the initial request to help prevent cross site scripting attacks |
Postman Collection
- Clicking Run in Postman button navigates to the page where you can fork the collection to your workspace. Forking the collection into your workspace will enable you to contribute to the source collection using pull requests. You can also view the collection in a public workspace if you like and even import a copy of the collection using the links present on the screen.
Have a Question?
Found a problem or a bug? Submit a support ticket.
Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.
Have a product idea or request? Share it with us in our Ideas Portal.