Authorization Endpoint Parameters
Request parameters
Parameter | Required | Description |
---|---|---|
acr_values | no | Space-separated string with special requests from the client. See below. |
client_id | yes | The unique id of the requesting client. |
code_challenge | no, but required for clients configured for PKCE. | |
code_challenge_method | | |
login_hint | no | Hint of the username. Can be used if the client asks for the username before redirecting. |
max_age | no | Specifies how much time (in seconds) is allowed to have passed since the user signed in. See Force re-authentication of user. |
nonce | no | A random string value used to mitigate replay attacks by associating the client session with the ID token. |
prompt | no | “none”, “login”, “consent”, “select_account” or “create”. Indicates how the client wants Authway to handle the request. |
redirect_uri | yes | The callback URL the client wants to be redirected to. |
request | no | |
request_uri | no | |
response_mode | | |
response_type | yes | |
scope | yes | A space-separated string of scopes that the client wants access to. |
sso_token | no | A non-standardized parameter to enable some extra single sign-on scenarios. |
state | no | A random value that will be passed back to the client. Can be used to keep track of a session or to prevent unsolicited flows. |
ui_locales | no | End-User’s preferred languages, represented as a space-separated list of language tag values, ordered by preference. For instance, the value “sv-SE en” represents a preference for Swedish as spoken in Sweden, then English (without a region designation). |
acr_values parameters
The acr_values parameters are passed as “parameter:value” and, if multiple parameters are passed, they must be separated with a space. For example:
tenant:priv idp:bankid
Parameter | Description |
---|---|
idp | The unique identifier of the sign-in method to use. See Control authentication method from the client. |
tenant | The unique identifier of an owner (tenant) that the user must belong to. See Only allow users from specific tenant. |
impersonate | Trigger the flow to impersonate another user. See Impersonate a user. |
mfa | Require the user to be authenticated with MFA. See Require MFA. |
Custom request parameters
It is possible for the client to pass additional parameters in the request. Those parameters are not handled by the Authorization Server in any way, but they are returned as is in the response.
If the client, for example, wants a custom tag parameter in the response, it can be added to the request like this:
/connect/authorize?client_id=…&redirect_uri=mycallbackurl&response_type=..&scope=…&code_challenge=…&code_challenge_method=…&response_mode=…&nonce=…&state=…&tag=my_value
The response will then include the tag parameter unmodified (the ordering of the parameters is not guaranteed):
mycallbackurl?code=…&scope=…&state=…&session_state=…&iss=…&tag=my_value
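The following Python is an added example, not code from Authway or this documentation, showing a client building the authorize request described above (PKCE challenge, the space-separated key:value form of acr_values, and a custom pass-through parameter) and then checking the callback before trusting the returned code or custom values. The endpoint URL, client id and callback values are constructed assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example values; the real endpoint and client settings are assumptions.
AUTHORIZE_ENDPOINT = "https://authway.example.com/connect/authorize"

def code_challenge_for(verifier):
    """Derive the S256 code_challenge for a PKCE code_verifier (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_pkce_pair():
    """Return a fresh (code_verifier, code_challenge) pair; the verifier stays client-side."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, code_challenge_for(verifier)

def parse_acr_values(value):
    """Parse the 'key:value key:value' form, e.g. 'tenant:priv idp:bankid'."""
    parsed = {}
    for item in value.split():
        key, sep, val = item.partition(":")
        if not (sep and key and val):
            raise ValueError(f"malformed acr_values entry: {item!r}")
        parsed[key] = val
    return parsed

def build_authorize_url(client_id, redirect_uri, scope, state, nonce,
                        code_challenge, acr=None, extra=None):
    """Build the authorize request; acr is a dict rendered as space-separated key:value."""
    params = {
        "client_id": client_id, "redirect_uri": redirect_uri,
        "response_type": "code", "scope": scope, "state": state, "nonce": nonce,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    if acr:
        params["acr_values"] = " ".join(f"{k}:{v}" for k, v in acr.items())
    if extra:
        params.update(extra)  # custom parameters come back unmodified in the response
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

def parse_callback(callback_url, expected_state):
    """Read the redirect; reject a state mismatch before trusting code or custom params."""
    query = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if query.get("state") != expected_state or "code" not in query:
        raise ValueError("state mismatch or missing code: unsolicited callback")
    return query
```

The state check is what turns the "prevent unsolicited flows" note on the state parameter into an actual control; a callback whose state was not issued by this client session is rejected before its code or tag value is used.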