Obtain PKCE Authorization Code

When a user accesses a third-party application, the third-party application uses code_challenge to initiate an authorization login request to Zhuyun IDaaS. After the user enters their username and password and successfully authenticates, Zhuyun IDaaS will redirect to the third-party application, carrying the authorization code parameter.

# Request Description

GET https://{your_domain}/api/v1/oauth2/authorize

# Request Example

GET https://{your_domain}/api/v1/oauth2/authorize?response_type=code&client_id={client_id}&redirect_uri=http://oidcdemo.bccastle.com/demo/index.jsp&state=15924362&code_challenge=5qa69AH8v3r33rVuTGjZalHczEqMsXYvllXXL8zXorM&code_challenge_method=S256&scope=openid

# Request Parameters

| Parameter Name | Chinese Name | Required | Example Value | Description |
|---|---|---|---|---|
| response_type | Authorization Type | Required | code | This value is fixed as 'code' |
| client_id | Application Identifier | Required | RqB2HJtkz6iH76qA | The client_id assigned to the third-party application after applying for access. |
| redirect_uri | Callback Address | Optional | http://oidcdemo.bccastle.com/demo/index.jsp | The callback address after successful authorization. It must match the trusted domain registered during application setup. It is recommended to set it as the application's homepage or user center. Note that the URL needs to be URL-encoded. |
| state | Client-side State Code | Optional | 15924362 | A state value from the client side. Used by the third-party application to prevent CSRF attacks. It will be returned unchanged in the callback after successful authorization. Please strictly follow the process to check the binding between the user and the state parameter. |
| scope | Scope | Required | openid | openid |
| code_challenge | PKCE Challenge Code | Required | 5qa69AMsXYvllXorM | The application randomly generates a string of 43-128 characters and performs URL-Safe Base64 encoding. The result is used as the code_verifier. This string is then hashed using SHA256 and URL-Safe Base64 encoded. The result is used as the code_challenge. |
| code_challenge_method | PKCE Challenge Code Encryption Method | Required | S256 | Fixed value S256 |

# Return Examples

Correct return example
HTTP Status: 302 REDIRECT
{redirect_uri}?code=stRWlW&state=15924362

Error prompt for user not authorizing the application
HTTP Status: 302 REDIRECT
https://{your_domain}/authentication/UnauthorizedUser.html

Missing client_id parameter
HTTP Status: 400 BAD REQUEST
{
    "error": "invalid_request",
    "error_description": "Missing client_id"
}

Incorrect client_id parameter
HTTP Status: 400 BAD REQUEST
{
    "error": "invalid_request",
    "error_description": "client_id parameter is error"
}

Incorrect response_type parameter name or value
HTTP Status: 400 BAD REQUEST
{
    "error": "unsupported_response_type",
    "error_description": "Unsupported response types: xxx"
}

Incorrect redirect_uri parameter
HTTP Status: 400 BAD REQUEST
{
    "error": "invalid_request",
    "error_description": "Invalid redirect: xxx does not match one of the registered values."
}

Incorrect scope parameter
HTTP Status: 302
{redirect_uri}?error=invalid_scope&error_description=Invalid scope: xxx&state=123456

Missing code_challenge parameter
HTTP Status: 400 BAD REQUEST
{
	"error": "invalid_request",
	"error_description": "Miss code_challenge"
}

Incorrect code_challenge_method parameter
HTTP Status: 400 BAD REQUEST
{
	"error": "invalid_request",
	"error_description": "Unsupported code_challenge_method: xxx"
}

# Return Parameters

If the user successfully logs in and authorizes, they will be redirected to the specified callback address, with the Authorization Code and the original state value appended after the redirect_uri address.

| Parameter Name | Chinese Name | Required | Example Value | Description |
|---|---|---|---|---|
| code | Authorization Code | Required | stRWlW | The authorization code returned by the authorization server to the application after the user logs in and authorizes. Note: This code will expire after 5 minutes and can only be used once within its validity period. |
| state | Application-side State Code | Optional | 15924362 | The state value from the client side. Used by third-party applications to prevent CSRF attacks, and will be returned unchanged during the callback after successful authorization. |
