Get Discovery Using GET

This is the identifier of the OAuth 2.0 client that was registered with the Cloud Services Platform (CSP).

Specifies the callback endpoint in your application that will receive the authorization code. When sending the redirect_uri as a URL parameter it has to be URL encoded.

A random string that your application generates and that will be sent back as a parameter during the URI redirection.

The link to the organization trying to access. If not provided, the user's default organization link will be used. Requires to be in the format: /csp/am/api/orgs/{orgId} where {orgId} refers to the organization id. Deprecated, use orgId parameter instead

orgId

The list of scopes separated by a space and is URL encoded. Scope parameter can be used to request different scopes. The requested scope must not include any scope not originally granted. If omitted, the returned scopes will be the ones originally granted.

A random value generated by the client and supplied in the authentication request that enables replay protection when present. The client should enforce protection against replay attacks by ensuring it is presented only once. The provided value will be returned in the id_token.

The challenge generated from 'code_verifier'. Used to secure authorization code grants via Proof Key for Code Exchange (PKCE) from a native client. Required if performing a PKCE request. For more information, refer the PKCE RFC at https://tools.ietf.org/html/rfc7636.

The method used to encode the 'code_verifier' for the 'code_challenge' parameter. Only the 'S256' value is supported currently. Required if performing a PKCE request. For more information, refer the PKCE RFC at https://tools.ietf.org/html/rfc7636.

Specifies whether the Authorization server prompts the end user for re-authentication.

Specifies to the Authorization server about the login identifier the end user might use to log in. When supplied, the discovery will be skipped, as if the value was entered by the user.
Important:
1. If the user is already logged in with a different account than the provided login_hint it's value will be ignored.
2. The login_hint must be in a valid email format, otherwise, it will be ignored.

The validity in seconds for the access token. If a value lower than the client's accessTokenValiditySeconds is provided, the provided accessTokenValiditySeconds value will be used. Else if an invalid value, a value higher than the client's accessTokenValiditySeconds, or no value is provided, then the client's accessTokenValiditySeconds will be used. For example if the client's default accessTokenValiditySeconds is 5 minutes ie 300 seconds, to get a token with only one minute validity provide accessTokenValiditySeconds as 60.

The validity in seconds for the refresh token. If a value lower than the client's refreshTokenValiditySeconds is provided, the provided refreshTokenValiditySeconds value will be used. Else if an invalid value, a value higher than the client's refreshTokenValiditySeconds, or no value is provided, then the client's refreshTokenValiditySeconds will be used. For example if the client's default refreshTokenValiditySeconds is 30 minutes ie 1800 seconds, to get a token with one hour validity provide refreshTokenValiditySeconds as 3600.

The maximum number of groups allowed in the ID token. If the value provided is lower than the client's registered "maxGroupsInIdToken", the provided value will be used, else if an invalid value, a value higher than the client's "maxGroupsInIdToken", or no value is provided, then the client's "maxGroupsInIdToken" will be used.This is only relevant if the client has registered groups related scopes such as "group_names", 'group_ids", 'grpn://..." or 'grpid://...".

The human readable label for the refresh token. It is an optional parameter that allows the caller to specify a label for a refresh token, to avoid displaying the refresh token value to the end user.