Authorization Endpoint
https://oa.dnc.global/authorize
Request
Here are some examples:
PHP
<?php
$oauth_state = $_SESSION['oauth_state']; // generated earlier, kept in the session, verified on return
$params = array(
    'response_type' => 'code',
    'client_id' => 'chemin_openid',
    'state' => $oauth_state,
    'scope' => 'openid profile',
);
// Endpoint as given above; redirect_uri is omitted because the client is registered with a single return address.
$authorization_endpoint = 'https://oa.dnc.global/authorize';
header('Location: ' . $authorization_endpoint . '?' . http_build_query($params));
exit;
SPIP
include_spip('inc/headers');
include_spip('inc/session');
$oauth_state = session_get('oauth_state'); // stored earlier with session_set()
$url = "https://oa.dnc.global/authorize?response_type=code&client_id=chemin_openid&scope=openid%20profile&redirect_uri=" . urlencode('http://chemindeleau.com/callback_openid.php') . "&state=" . urlencode($oauth_state);
redirige_par_entete($url);
Notes:
To obtain an ID token, the scope must include "openid". Otherwise the response is the same as for plain OAuth 2.0 and contains only an access token.
To obtain a refresh token, the scope must include "offline_access".
Although the specification marks the redirect_uri parameter as required, OAuthSD allows it to be omitted when the client application was registered with exactly one return address.
If the client application was registered with several return addresses, the redirect_uri parameter is required and must match one of them exactly.
Any other parameter that is useful to the client, such as a session identifier, may be added to the URL; with few exceptions, these parameters are passed back in the response. Keep in mind that a value placed in the URL ends up in server logs, browser history and Referer headers, so prefer an opaque value that is bound to the session over the session identifier itself.
Before it can take part in an OpenID Connect flow, the author must register the client application on the OAuthSD server with the parameters OpenID Connect expects.
It is the responsibility of the client application to check the form of the values it transmits as URL parameters and to keep them secure.
End User Authentication
When the authorization endpoint is called:
the OAuthSD server redirects the user-agent to its authentication page(s), so the exchange stays within the authorization server's domain;
the end user authenticates on that page, so the credentials never leave the server;
the server redirects the user-agent to the redirection endpoint, passing the authorization code.
Back to the client application
If successful, the server redirects the browser (HTTP 302) to the redirection endpoint of the client application. This URI is declared by the author of the client application when the application is registered on this server. See: OpenID Connect : Lier une application cliente au serveur OAuthSD.
The code and state parameters are passed in the query string of the URL. Example:
http://chemindeleau.com/callback_openid.php?code=3159339c2f1326f9fa128e161b8387feca690b65&state=98b3027139f7cb3be4a885d7c81b41bb
It is the responsibility of the client application to protect itself against the values it receives through these URL parameters: in particular, the state must match the one it stored before the request, otherwise the code must be discarded.
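The following is an added example, not code from this page or from OAuthSD: a plain-PHP client that ties the request of the "Request" section to this callback. It generates an unguessable state, binds it to the session, builds the authorization URL (with "openid" and, optionally, "offline_access" in the scope), and on return accepts the code only if the state matches and has not been used before. Assumptions: PHP 7 or later, a started session (held in an array here so the script runs stand-alone), the client "chemin_openid" registered with the single return address shown above, and a hexadecimal format for the code, which is inferred from the example value above and is not a documented OAuthSD guarantee.

```php
<?php
// Added example (not the page's or OAuthSD's own code).
// Assumed: PHP >= 7 (random_bytes, hash_equals), session started,
// client 'chemin_openid' registered with the single return address below.

const AUTHORIZATION_ENDPOINT = 'https://oa.dnc.global/authorize';
const CLIENT_ID    = 'chemin_openid';
const REDIRECT_URI = 'http://chemindeleau.com/callback_openid.php';

/** Step 1: create an unguessable state, bind it to the session, build the URL. */
function build_authorization_url(array &$session, bool $want_refresh_token = false): string
{
    $state = bin2hex(random_bytes(16));   // 128 bits of entropy, one per request
    $session['oauth_state'] = $state;

    // "openid" is required for an ID token; "offline_access" for a refresh token.
    $scope = 'openid profile' . ($want_refresh_token ? ' offline_access' : '');

    $params = array(
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,   // must match a registered return address
        'scope'         => $scope,         // http_build_query encodes the space
        'state'         => $state,
    );
    return AUTHORIZATION_ENDPOINT . '?' . http_build_query($params);
}

/** Step 2: on the redirection endpoint, accept the code only if the state matches. */
function validate_callback(array $query, array &$session): string
{
    $expected = $session['oauth_state'] ?? null;
    unset($session['oauth_state']);      // one-time use: a replayed state must fail

    if ($expected === null || !isset($query['state']) || !is_string($query['state'])) {
        throw new RuntimeException('callback without a pending state');
    }
    // Constant-time comparison; a mismatch means this redirect was not ours (CSRF).
    if (!hash_equals($expected, $query['state'])) {
        throw new RuntimeException('state mismatch');
    }
    // "error" is the standard OAuth 2.0 error parameter on the redirection endpoint.
    if (isset($query['error'])) {
        throw new RuntimeException('authorization refused: ' . $query['error']);
    }
    $code = $query['code'] ?? '';
    // Assumption: OAuthSD codes are hexadecimal, as in the example value above.
    // Reject anything else before the code is sent on to the token endpoint.
    if (!is_string($code) || !preg_match('/^[0-9a-f]{20,128}$/', $code)) {
        throw new RuntimeException('malformed authorization code');
    }
    return $code;
}

// Usage. In a real page, $session would be $_SESSION and the URL sent as a Location header.
$session = array();
$url = build_authorization_url($session, true);
// header('Location: ' . $url); exit;

// The browser later comes back to callback_openid.php?code=...&state=...
// (constructed sample: the code is the example value shown above).
$callback = array(
    'code'  => '3159339c2f1326f9fa128e161b8387feca690b65',
    'state' => $session['oauth_state'],
);
$code = validate_callback($callback, $session);   // returns the code; state is now consumed

// A second delivery of the same redirect must fail, since the state was cleared.
try {
    validate_callback($callback, $session);
} catch (RuntimeException $e) {
    // 'callback without a pending state'
}
```

The state is removed from the session before it is compared, so even a correct value can only be presented once; an attacker who obtains a callback URL from a log or Referer header cannot replay it into another session. The format check on the code is deliberately narrow: the client has no reason to forward a value to the token endpoint that does not look like the codes it is shown here.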
Error situations
Refer to: API OpenID Connect : Point d’extrémité d’autorisation (Authorization Endpoint).