Simplified Authorization Code Authentication
When a user accesses a third-party application, the third-party application initiates an authorization login request to Zhuyun IDaaS. After the user successfully authenticates by entering their username and password, Zhuyun IDaaS redirects back to the third-party application, carrying the access token (access_token) and the ID token (id_token).
# Request Description
GET https://{your_domain}/api/v1/oauth2/authorize
# Request Parameters
| Parameter Name | Chinese Name | Required | Example Value | Description |
|---|---|---|---|---|
| response_type | Authorization Type | Required | id_token | This value must be fixed as id_token. |
| client_id | Application Identifier | Required | RqB2HiHC9N676qA | The client_id assigned to the third-party application after registration. |
| redirect_uri | Callback URL | Optional | http://oidcdemo.bccastle.com/demo/index.jsp | The callback URL after authorization. Must be consistent with the trusted domain registered for the application. Note: the value must be URL-encoded. |
| state | State Code | Optional | 15924362 | Client-side state value. Used to prevent CSRF attacks. Will be returned as-is in the callback after successful authorization. Please verify the binding between the user and the state. |
| scope | Scope | Required | openid | Must include a scope parameter with the value openid. |
| response_mode | Response Mode | Optional | fragment | Default value is fragment. Optional value is query. |
# Request Example
https://{your_domain}/api/v1/oauth2/authorize?response_type=id_token&client_id={client_id}&redirect_uri=http%3A%2F%2Foidcdemo.bccastle.com%2Fdemo%2Findex.jsp&state=15924362&scope=openid
# Response Example
Correct Response Example
HTTP Status: 302 REDIRECT
{redirect_uri}#id_token=eyJHRwczovL2...u8mPI5Z96IQ&access_token=NObiIMkOvBgHIo8&token_type=Bearer&expires_in=6285&scope=openid&state=15924362
Error Prompt for Unauthorized User
HTTP Status: 302 REDIRECT
https://{your_domain}/authentication/UnauthorizedUser.html
Missing client_id parameter
HTTP Status: 400 BAD REQUEST
{
"error": "invalid_request",
"error_description": "Missing client_id"
}
Incorrect client_id parameter
HTTP Status: 400 BAD REQUEST
{
"error": "invalid_request",
"error_description": "client_id parameter is error"
}
Incorrect response_type parameter name or value
HTTP Status: 400 BAD REQUEST
{
"error": "unsupported_response_type",
"error_description": "Unsupported response types: [xxx]"
}
Incorrect redirect_uri parameter
HTTP Status: 400 BAD REQUEST
{
"error": "invalid_request",
"error_description": "Invalid redirect: xxx does not match one of the registered values."
}
Incorrect scope parameter
HTTP Status: 302
{redirect_uri}?error=invalid_scope&error_description=Invalid scope: xxx&state=123456
# Response Parameters
If the user successfully logs in and authorizes, they are redirected to the specified callback address, with the access token, the ID token and the original state value appended to the redirect_uri (in the URL fragment by default, or in the query string when response_mode=query).
| Parameter Name | Chinese Name | Required | Example Value | Description |
|---|---|---|---|---|
| access_token | Authorization Token | Required | NObiKQS-cn8AWnZyIMkOvBgHIo8 | Passed as a URL anchor parameter, not as a query parameter. |
| token_type | Token Type | Required | Bearer | Fixed as Bearer |
| expires_in | Validity Period of Authorization Token | Required | 7199 | The validity period of the access token returned by the authorization server to the application. Note: The validity period is in seconds. |
| id_token | ID Token | Required | eyJhbGciOiJSUzI1NiIsImtp.... | |
| scope | Authorization Scope | Required | openid | |
| state | Application-side Status Code | Optional | 15924362 | The state value from the client side. Used by third-party applications to prevent CSRF attacks, and will be returned as is upon successful authorization callback. |
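The following is an added client-side example (not code from Zhuyun IDaaS or this page) that ties the request parameters above to the response parameters in this table: it builds the authorize URL with a percent-encoded redirect_uri and a freshly generated state, then parses the callback, checks the state before trusting anything else, and distinguishes the fragment-mode success response from the query-string error response shown in the response examples. The domain, client_id and callback values are placeholders or constructed samples; the state values 15924362 and 123456 are taken from the page's own examples.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Path documented on the page; the domain is a placeholder supplied by the caller.
AUTHORIZE_PATH = "/api/v1/oauth2/authorize"


class CallbackError(Exception):
    """Raised when the authorization callback must not be trusted."""


def new_state() -> str:
    """Unguessable per-login state; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(16)


def build_authorize_url(domain: str, client_id: str, redirect_uri: str,
                        state: str, response_mode: str = "fragment") -> str:
    """Assemble the authorize request described in the Request Parameters table."""
    params = {
        "response_type": "id_token",   # fixed value for this flow
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # urlencode() percent-encodes it, as the table requires
        "scope": "openid",             # must be present with the value openid
        "state": state,
        "response_mode": response_mode,
    }
    return f"https://{domain}{AUTHORIZE_PATH}?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> dict:
    """Validate the redirect back to redirect_uri and return the token fields.

    Success responses arrive in the fragment (default response_mode=fragment) or in
    the query string (response_mode=query); error responses such as invalid_scope
    arrive in the query string. Either way, state is checked first.
    """
    parts = urlsplit(callback_url)
    raw = parse_qs(parts.fragment) or parse_qs(parts.query)
    fields = {k: v[0] for k, v in raw.items()}

    # A state mismatch means this response does not belong to a login this session
    # started (CSRF or a replayed callback), so nothing else in it is examined.
    got = fields.get("state", "")
    if not hmac.compare_digest(got.encode(), expected_state.encode()):
        raise CallbackError("state mismatch")

    if "error" in fields:
        raise CallbackError(f"{fields['error']}: {fields.get('error_description', '')}")

    for name in ("access_token", "token_type", "expires_in", "id_token"):
        if name not in fields:
            raise CallbackError(f"missing {name} in callback")
    if fields["token_type"] != "Bearer":
        raise CallbackError(f"unexpected token_type {fields['token_type']!r}")

    return {
        "access_token": fields["access_token"],
        "id_token": fields["id_token"],
        "token_type": fields["token_type"],
        "expires_in": int(fields["expires_in"]),  # seconds, per the table
        "scope": fields.get("scope", ""),
    }


if __name__ == "__main__":
    # Constructed sample values; idaas.example.test stands in for {your_domain}.
    state = new_state()
    print(build_authorize_url("idaas.example.test", "RqB2HiHC9N676qA",
                              "http://oidcdemo.bccastle.com/demo/index.jsp", state))
    # Constructed success callback shaped like the page's "Correct Response Example".
    ok = ("http://oidcdemo.bccastle.com/demo/index.jsp#id_token=eyJhbGciOiJSUzI1NiIsImtp...."
          "&access_token=NObiKQS-cn8AWnZyIMkOvBgHIo8&token_type=Bearer&expires_in=7199"
          f"&scope=openid&state={state}")
    print(parse_callback(ok, state))
```

In a real deployment the id_token still has to be validated (signature, issuer, audience, expiry) against the issuer's signing keys before it is used to identify the user; that step depends on key material the page does not describe, so it is left out here.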
