Get Discovery Using GET

Get Discovery Using GET

This endpoint is used with browser redirection only. Trying to access it via GET HTTP call will fail. It discovers the user's Identity Provider (IdP) and sends the user to the IdP login page.
This is the starting point of the OAuth 2.0 flow to authenticate end users from your application. This authorization endpoint must be used by clients to authenticate users and obtain an authorization code. To use this endpoint, your application must be registered as an OAuth 2.0 client with CSP and have the 'authorization_code' grant type enabled.

Access Policy

Role User Accounts Service Accounts (Client Credentials Applications)
Anonymous ✔️ ✔️
Request
URI
GET
https://{api_host}/csp/gateway/discovery
COPY
Query Parameters
string
client_id
Required

This is the identifier of the OAuth 2.0 client that was registered with the Cloud Services Platform (CSP).

string
redirect_uri
Required

Specifies the callback endpoint in your application that will receive the authorization code. When sending the redirect_uri as a URL parameter it has to be URL encoded.

string
state
Required

A random string that your application generates and that will be sent back as a parameter during the URI redirection.

string
orgId
Optional

The organization id

string
scope
Optional

The list of scopes separated by a space and is URL encoded. Scope parameter can be used to request different scopes. The requested scope must not include any scope not originally granted. If omitted, the returned scopes will be the ones originally granted.

string
nonce
Optional

A random value generated by the client and supplied in the authentication request that enables replay protection when present. The client should enforce protection against replay attacks by ensuring it is presented only once. The provided value will be returned in the id_token.

string
code_challenge
Optional

The challenge generated from 'code_verifier'. Used to secure authorization code grants via Proof Key for Code Exchange (PKCE) from a native client. Required if performing a PKCE request. For more information, refer the PKCE RFC at https://tools.ietf.org/html/rfc7636.

string
code_challenge_method
Optional

The method used to encode the 'code_verifier' for the 'code_challenge' parameter. Only the 'S256' value is supported currently. Required if performing a PKCE request. For more information, refer the PKCE RFC at https://tools.ietf.org/html/rfc7636.

string
prompt
Optional

Specifies whether the Authorization server prompts the end user for re-authentication.

prompt example
login
string
login_hint
Optional

Specifies to the Authorization server about the login identifier the end user might use to log in. When supplied, the discovery will be skipped, as if the value was entered by the user.
Important:
1. If the user is already logged in with a different account than the provided login_hint it's value will be ignored.
2. The login_hint must be in a valid email format, otherwise, it will be ignored.

integer
accessTokenValiditySeconds
Optional

The validity in seconds for the access token. If a value lower than the client's accessTokenValiditySeconds is provided, the provided accessTokenValiditySeconds value will be used. Else if an invalid value, a value higher than the client's accessTokenValiditySeconds, or no value is provided, then the client's accessTokenValiditySeconds will be used. For example if the client's default accessTokenValiditySeconds is 5 minutes ie 300 seconds, to get a token with only one minute validity provide accessTokenValiditySeconds as 60.

integer
refreshTokenValiditySeconds
Optional

The validity in seconds for the refresh token. If a value lower than the client's refreshTokenValiditySeconds is provided, the provided refreshTokenValiditySeconds value will be used. Else if an invalid value, a value higher than the client's refreshTokenValiditySeconds, or no value is provided, then the client's refreshTokenValiditySeconds will be used. For example if the client's default refreshTokenValiditySeconds is 30 minutes ie 1800 seconds, to get a token with one hour validity provide refreshTokenValiditySeconds as 3600.

integer
maxGroupsInIdToken
Optional

The maximum number of groups allowed in the ID token. If the value provided is lower than the client's registered "maxGroupsInIdToken", the provided value will be used, else if an invalid value, a value higher than the client's "maxGroupsInIdToken", or no value is provided, then the client's "maxGroupsInIdToken" will be used.This is only relevant if the client has registered groups related scopes such as "group_names", 'group_ids", 'grpn://..." or 'grpid://...".

string
label
Optional

The human readable label for the refresh token. It is an optional parameter that allows the caller to specify a label for a refresh token, to avoid displaying the refresh token value to the end user.


Authentication
This operation uses the following authentication methods.
Responses
200

OK

Operation doesn't return any data structure

404

The requested resource could not be found

Returns CspErrorResponse of type(s) application/json
{
    "cspErrorCode": "string",
    "message": "string",
    "errorCode": "string",
    "requestId": "string",
    "moduleCode": 0,
    "statusCode": 0
}
string
cspErrorCode
Optional

cspErrorCode

string
message
Optional

message

string
errorCode
Optional

errorCode

string
requestId
Optional

requestId

integer As int32 As int32
moduleCode
Optional

moduleCode

integer As int32 As int32
statusCode
Optional

statusCode


429

The user has sent too many requests

Returns CspErrorResponse of type(s) application/json
"CspErrorResponse Object"
string
cspErrorCode
Optional

cspErrorCode

string
message
Optional

message

string
errorCode
Optional

errorCode

string
requestId
Optional

requestId

integer As int32 As int32
moduleCode
Optional

moduleCode

integer As int32 As int32
statusCode
Optional

statusCode


500

An unexpected error has occurred while processing the request

Returns CspErrorResponse of type(s) application/json
"CspErrorResponse Object"
string
cspErrorCode
Optional

cspErrorCode

string
message
Optional

message

string
errorCode
Optional

errorCode

string
requestId
Optional

requestId

integer As int32 As int32
moduleCode
Optional

moduleCode

integer As int32 As int32
statusCode
Optional

statusCode


Code Samples
COPY
                    curl -H 'Authorization: <value>' https://{api_host}/csp/gateway/discovery?client_id=value&redirect_uri=value&state=v