Get Discovery Using GET
This endpoint is used with browser redirection only. Trying to access it via GET HTTP call will fail. It discovers the user's Identity Provider (IdP) and sends the user to the IdP login page.
This is the starting point of the OAuth 2.0 flow to authenticate end users from your application. This authorization endpoint must be used by clients to authenticate users and obtain an authorization code. To use this endpoint, your application must be registered as an OAuth 2.0 client with CSP and have the 'authorization_code' grant type enabled.
Access Policy
Role | User Accounts | Service Accounts (Client Credentials Applications) |
---|---|---|
Anonymous | ✔️ | ✔️ |
This is the identifier of the OAuth 2.0 client that was registered with the Cloud Services Platform (CSP).
Specifies the callback endpoint in your application that will receive the authorization code. When sending the redirect_uri as a URL parameter it has to be URL encoded.
A random string that your application generates and that will be sent back as a parameter during the URI redirection.
The organization id
The list of scopes separated by a space and is URL encoded. Scope parameter can be used to request different scopes. The requested scope must not include any scope not originally granted. If omitted, the returned scopes will be the ones originally granted.
A random value generated by the client and supplied in the authentication request that enables replay protection when present. The client should enforce protection against replay attacks by ensuring it is presented only once. The provided value will be returned in the id_token.
The challenge generated from 'code_verifier'. Used to secure authorization code grants via Proof Key for Code Exchange (PKCE) from a native client. Required if performing a PKCE request. For more information, refer the PKCE RFC at https://tools.ietf.org/html/rfc7636.
The method used to encode the 'code_verifier' for the 'code_challenge' parameter. Only the 'S256' value is supported currently. Required if performing a PKCE request. For more information, refer the PKCE RFC at https://tools.ietf.org/html/rfc7636.
Specifies whether the Authorization server prompts the end user for re-authentication.
login
Specifies to the Authorization server about the login identifier the end user might use to log in. When supplied, the discovery will be skipped, as if the value was entered by the user.
Important:
1. If the user is already logged in with a different account than the provided login_hint it's value will be ignored.
2. The login_hint must be in a valid email format, otherwise, it will be ignored.
The validity in seconds for the access token. If a value lower than the client's accessTokenValiditySeconds is provided, the provided accessTokenValiditySeconds value will be used. Else if an invalid value, a value higher than the client's accessTokenValiditySeconds, or no value is provided, then the client's accessTokenValiditySeconds will be used. For example if the client's default accessTokenValiditySeconds is 5 minutes ie 300 seconds, to get a token with only one minute validity provide accessTokenValiditySeconds as 60.
The validity in seconds for the refresh token. If a value lower than the client's refreshTokenValiditySeconds is provided, the provided refreshTokenValiditySeconds value will be used. Else if an invalid value, a value higher than the client's refreshTokenValiditySeconds, or no value is provided, then the client's refreshTokenValiditySeconds will be used. For example if the client's default refreshTokenValiditySeconds is 30 minutes ie 1800 seconds, to get a token with one hour validity provide refreshTokenValiditySeconds as 3600.
The maximum number of groups allowed in the ID token. If the value provided is lower than the client's registered "maxGroupsInIdToken", the provided value will be used, else if an invalid value, a value higher than the client's "maxGroupsInIdToken", or no value is provided, then the client's "maxGroupsInIdToken" will be used.This is only relevant if the client has registered groups related scopes such as "group_names", 'group_ids", 'grpn://..." or 'grpid://...".
The human readable label for the refresh token. It is an optional parameter that allows the caller to specify a label for a refresh token, to avoid displaying the refresh token value to the end user.
OK
The requested resource could not be found
{
"cspErrorCode": "string",
"message": "string",
"errorCode": "string",
"requestId": "string",
"moduleCode": 0,
"statusCode": 0
}
cspErrorCode
message
errorCode
requestId
moduleCode
statusCode
The user has sent too many requests
"CspErrorResponse Object"
cspErrorCode
message
errorCode
requestId
moduleCode
statusCode
An unexpected error has occurred while processing the request
"CspErrorResponse Object"
cspErrorCode
message
errorCode
requestId
moduleCode
statusCode
curl -H 'Authorization: <value>' https://{api_host}/csp/gateway/discovery?client_id=value&redirect_uri=value&state=v