Home > OpenID Connect OAuth Server dedicated > Develop > OpenID Connect > OpenID Connect : Get an authorization for the client application

OpenID Connect : Get an authorization for the client application

As part of the Authorization Code Flow, the end-user’s user-agent (usually a web browser) is redirected to the Authorization Endpoint , to allow it to identify itself and grant permissions to the client application.
If successful, the user-agent will be redirected to Endpoint Token with an authorization code.

Authorization Endpoint)

https://oa.dnc.global/authorize

Request

Here are some examples:
PHP

  1.     $data = array(
  2.         'response_type' => 'code',
  3.         'client_id' => 'chemin_openid',
  4.         'state' =>  $oauth_state,
  5.         'scope' => 'openid profile',
  6.     );
  7.  
  8. $authorization_endpoint = 'https://oa.dnc.global/authorization';
  9.  
  10. $authorization_endpoint .= '?' . http_build_query($data);
  11.     header('Location: ' . $authorization_endpoint);
  12.     exit();

Download

SPIP

  1.     include_spip('inc/headers');
  2.    
  3.     $oauth_state = session_get('oauth_state');
  4.     $url = "http://oa.dnc.global/authorize?response_type=code&client_id=chemin_openid&scope=openid profile&redirect_uri=http://chemindeleau.com/callback_openid.php&state=$oauth_state";
  5.    
  6. redirige_par_entete($url);

Download

Notes:
- To obtain an identity token, the scope must include "openid". Otherwise, the answer will be identical to that of the OAuth 2.0 protocol, and will therefore only include the access token.
- To obtain a Refresh Token, the scope must have "offline_access".
- Although the "standard" indicates that the redirect_uri parameter is mandatory, it can be omitted if the client application has been registered with only one return address.
- If the client application has been registered with multiple return addresses, the redirect_uri parameter is required, and must be one of them.
- It is possible to add to the URL any useful parameter, such as a session identifier. These will be retransmitted into the body of the answer, almost completely.
- Before it can interact in an OpenID Connect stream, the author must register the client application on the OAuthSD with the parameters expected by OpenID Connect.
- It is the responsibility of the client application to ensure the good form and security of the values ​​transmitted by the URL parameters.

End User Authentication

At the call of the authorization endpoint:
- the OAuthSD server redirects the user-agent to the authentication page(s) (we stay in the domain of the authorization server).
- the end user authenticates in this page (the identifiers are therefore confined to the server).
- the server posts the authorization code to the redirection endpoint.

Back to the client application

If successful, the server redirects the browser to the redirection endpoint in the client application (HTTP header code 302). This URI is defined by the author of a client application when it is registered on this server. See: OpenID Connect : Lier une application cliente au serveur OAuthSD.

The code and state parameters are passed in the URL. Example:

http://chemindeleau.com/callback_openid.php?code=3159339c2f1326f9fa128e161b8387feca690b65&state=98b3027139f7cb3be4a885d7c81b41bb

It is the responsibility of the client application to ensure its security vis-à-vis the values transmitted by the URL parameters.

Error situations

Refer to: API OpenID Connect : Point d’extrémité d’autorisation (Authorization Endpoint).