See openid-connect Menu

Implicit Flow


Use this API to authenticate a user as part of the OpenID Connect Implicit Flow and generate an ID Token for the user.

While the Implicit Flow is still a valid option for Single Page Apps it is now considered best practice to use the Auth Code Flow + PKCE.

For more detail about the Implicit Flow see our Developer Overview for OpenID Connect.

Resource URL

https://<subdomain>.onelogin.com/oidc/2/auth?client_id=<client id>&redirect_uri=<redirect uri>&response_type=id_token&scope=openid

Resource Parameter

subdomain

required

string

Set to the subdomain of your OneLogin instance.

e.g. oidc-sample where the instance is https://oidc-sample.onelogin.com

Request Parameter

client_id

required

string

The OneLogin generated Client ID for your OpenID Connect app.

redirect_uri

required

string

The redirect uri that is registered with OneLogin for this OpenId Connect app. Note that there is a 10 minute delay when updating the allowed redirect_uri list via the admin portal.

response_type

required

string

Set to “id_token token”

scope

required

string

Requires at least “openid”.

Add “profile” and/or “groups” to get additional user information returned in the id_token and User Info endpoint.

nonce

required

string

A secure random string that is used by the OpenID provider to protect against replay attacks. It will be returned as part of the JWT ID Token and should be used to validate the authenticity of the token.

state

string

A random string that is returned on success and can be used to verify the call and protect against cross site scripting attacks.

acr_values

string

If this optional parameter is set to onelogin:nist:level:1:re-auth the user will be forced to re-authenticate regardless of their current session state. This value will also be returned in the acr claim of the ID Token.

prompt

string

Optional. If used must be set to one of the following:

  • login - The user will be prompted with a login dialog.
  • none - The user will not be prompted with a login dialog. If they do not have a current session a login_required error will be returned.

login_hint

string

Optional. Set this to the user’s username or email to prepopulate the username field of the OneLogin login screen.

resource

string

Optional. When API Authorization is configured, specify the API Resource Identifier here to generate a customized Access Token that can be used for authorizing access to apis and api gateways.

e.g. resource=https://api.example.com/contacts

Sample Response

If the request parameters are valid a 302 redirect will occur to the registered redirect_uri with the following query parameters appended.

Success - Providing the id_token is validated

#id_token=xxxxxx.xxxxxxxxxxxx.xxxxxxxxxx&state=aff55f6cf1d50e75988db51fe7746546

Error - Invalid Response Type

?error=unsupported_response_type&error_description=response_type%20not%20supported

Error - Missing the scope parameter

?error=invalid_request&error_description=missing%20required%20parameter(s)%20scope

Error - Prompt=none and the user was not authenticated

?error=login_required&error_description=End-User%20authentication%20is%20required

Missing the nonce

{
    "error": "invalid_request",
    "error_description": "missing required parameter(s). (nonce)"
}

Missing the redirect_uri

{
    "error": "invalid_request",
    "error_description": "missing required parameter(s). (redirect_uri)"
}

Invalid redirect_uri

{
    "error": "redirect_uri_mismatch",
    "error_description": "redirect_uri did not match any client's registered redirect_uri"
}

Invalid client_id

{
    "error": "invalid_client",
    "error_description": "client is invalid",
    "state": "61c07cd68b0c65a0e9a35bf6c4f472f4"
}

Response Elements

id_token A JWT containing user information and nonce for validation
state The state parameter provided in the initial request to help prevent cross site scripting attacks

ID Token Sample

{
  "sub": "35666371",
  "email": "styler@onelogin.com",
  "preferred_username": "sally",
  "name": "Sally Tyler",
  "updated_at": 1523577359,
  "given_name": "Sally",
  "family_name": "Tyler",
  "groups": [
    "Admin Role",
    "User Role",
    "Custom Roll"
  ],
  "acr": "onelogin:nist:level:1:re-auth",
  "at_hash": "UnQAjiMVu7OhJYPHRNbhQA",
  "rt_hash": "ZUK9M1zLqc4O1XIGVZ8cng",
  "aud": "78d1d040-20c9-0136-5146-067351775fae92920",
  "exp": 1523577359,
  "iat": 1523570159,
  "iss": "https://acme.onelogin.com/oidc/2"
}

Postman Collection

Replace sample variables indicated by {{ }} with your actual values.

Download for the OpenId Connect API


Have a Question?

Found a problem or a bug? Submit a support ticket.

Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.

Have a product idea or request? Share it with us in our Ideas Portal.