id_token
. See below for details./.well-known/openid-configuration
Fetches the OpenID Connect discovery document.
method_not_allowed
: HTTP method is not allowed. Only GET and OPTIONS may be used/authorize
Redirect your users to this page to begin the sign-in flow.
Parameter | Type | Description |
---|---|---|
response_type | string | Must be code for authorization code flow, id_token for implicit flow, or a space-separated combination of code , id_token , and token for hybrid flow. We generally recommend using the authorization code or implicit flows. |
scope | string | Space-separated list of the requested OIDC scopes. Must include openid , and may optionally include email and profile . |
client_id | string | The Client ID of your app. Get this from the Developer Portal. |
redirect_uri | string | URL the user will be redirected to after authentication. Must match one of your app’s configured redirect_uris . |
Parameter | Type | Description |
---|---|---|
state | string | An opaque value used to maintain state between the request and the callback. |
nonce | string | Required when using the implicit flow. Used to prevent replay attacks. Should be randomly generated for each sign-in, and checked to ensure it’s unchanged after the callback. |
response_mode | string | Determines how the authorization code, ID token, and/or access token are returned. Must be one of query , fragment , or form_post . query is only supported for the authorization code flow. Defaults to query for authorization code flow, and fragment for all others. |
required
: A necessary attribute was not set. Required attributes are: response_type scope client_id redirect_uri
invalid_redirect_uri
: The provided redirect URI is invalid. Ensure you’ve set the correct redirect_uri
in the Developer Portal./token
Exchanges an authorization code for an id_token
for the given user.
Parameter | Type | Description |
---|---|---|
code | string | The authorization code to exchange. |
grant_type | string | The type of grant to exchange. Must be authorization_code . |
redirect_uri | string | The same redirect URI used in the /authorize request. |
method_not_allowed
: HTTP method is not allowed. Only POST and OPTIONS may be usedinvalid_content_type
: The provided content type is invalid, only application/x-www-form-urlencoded
is supportedunauthenticated
: The provided authorization token is invalid, try checking your credentialsinvalid_grant_type
: The provided grant type is invalid, only authorization_code
is supportedrequired
: A necessary attribute was not set. Required attributes are: code
invalid_grant
: The authorization code was invalid, and may be expired. Try generating a new code via /authorize
token
as one of your response_types
for the /authorize
endpoint, you’ll receive an OAuth2 access token. Typically an access token would allow you to perform certain actions on a user’s behalf, but there are no actions to perform for a user in this case.
You can retrieve the same information about a user with an access token as you’d receive in an ID token. While we support this functionality for broader compatibility, we generally recommend using the authorization code or implicit flows, rather than the hybrid flow.
The endpoints below are only used with an OAuth2 access token.
/introspect
Validates the given access token is active for the user.
Authorization
header contains the word “Basic ”, followed by a base64 encoding of the “client_id:client_secret” values. You obtain your client_id (also called app_id) and client_secret from the Developer Portal.Parameter | Type | Description |
---|---|---|
token | string | The access token to validate. |
method_not_allowed
: HTTP method is not allowed. Only POST may be usedinvalid_content_type
: The provided content type is invalid, only application/x-www-form-urlencoded
is supportedrequired
: A necessary attribute was not set. Required attributes are: token
unauthenticated
: The authorization header is missing, please pass the Bearer authorization tokeninvalid_token
: The authorization token was invalid, and may be expired. Try generating a new token via /token
/userinfo
Retrieves all user information, based on the approved scopes, with the given access token.
Authorization
header contains the word “Bearer ”, followed by the access token returned from the /token
endpoint.method_not_allowed
: HTTP method is not allowed. Only GET, POST, and OPTIONS may be usedunauthenticated
: The authorization header is missing, please pass the Bearer authorization tokeninvalid_token
: The authorization token was invalid, and may be expired. Try generating a new token via /token