/oauth2/bc-authorize

The /oauth2/bc-authorize endpoint is the backchannel authorization endpoint as used by OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0 draft-02. Use this endpoint to initiate backchannel authorization with the resource owner when using the following flow:

Backchannel Request Grant (OpenID Connect)

You must compose the path to the backchannel authorization endpoint addressing the specific realm where the authorization request ID will be issued. For example, https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/bc-authorize.
The endpoint supports the following parameters:
client_id
Specifies the client ID unique to the application making the request.
Required: Yes.

client_secret
Specifies the password of the private client making the request. Do not use in conjunction with the cnf_key parameter.
Required: A form of password or credentials is required for confidential clients. However, the use of the client_secret parameter depends on the client authentication method used. For more information, see OAuth 2.0 Client Authentication.

client_assertion
Specifies the signed JWT that the client uses as a credential when using the JWT bearer client authentication method.
For more information, see OAuth 2.0 Client Authentication.
Required: Yes, when using the JWT bearer client authentication method.

client_assertion_type
Specifies the type of assertion when the client is authenticating to the authorization server using JWT bearer client authentication. Do not use with other client authentication methods.
Set it to urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer. For more information, see OAuth 2.0 Client Authentication.
Required: Yes, when using the JWT bearer client authentication method.
The endpoint requires a signed JWT that contains the following parameters:
- aud
  Specifies a string or an array of strings that is the intended audience of the JWT. Must be set to the authorization server's OAuth 2.0 endpoint, for example:
  "aud": "http://openam.example.com:8080/openam/oauth2"
- exp
  Specifies the expiration time of the JWT in Unix time.
  Providing a JWT with an expiry time more than 30 minutes in the future causes AM to return a "JWT expiration time is unreasonable" error message.
- iss
  Specifies the unique identifier of the JWT issuer.
  The identifier must match the client ID of the OAuth 2.0 client in AM, for example myCIBAClient.
- login_hint
  Specifies the principal who is the subject of the JWT. It should be a string that identifies the resource owner.
  Tip: You can provide a previously obtained ID token in a property named id_token_hint as the hint for determining the resource owner, rather than a string.
- scope
  Specifies a space-separated list of the requested scopes. Must include the openid scope.
- acr_values
  Specifies an identifier that maps to the authentication mechanism AM uses to obtain authorization from the end user.
- binding_message
  Specifies a message delivered to the user when obtaining authorization.
  Should be a short (100 characters or fewer) description of the operation the end user is authorizing, and should include an identifier to match the authorization request to the client that initiated the request.
  Note: If the binding message is sent using push notifications, the following additional limitations apply to the value:
    - Must begin with a letter, number, or punctuation mark.
    - Must not include line breaks or control characters.
  For example:
  Allow ExampleBank to transfer £50 from your 'Main' account to your 'Savings' account? (EB-0246326)
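As an added example, not code from the AM documentation or from ForgeRock, the following Python builds a request JWT carrying the claims listed above, signs it with HS256 using the client secret, and checks a received claim set against the constraints this page states (audience, expiry no more than 30 minutes ahead, iss equal to the client ID, a login_hint or id_token_hint, the openid scope, and the binding_message length and push-notification rules). The AM base URL, realm path, client ID, client secret and the choice of HS256 are constructed assumptions; the `request` form parameter name is taken from the CIBA specification and is not stated on this page.

```python
import base64
import hashlib
import hmac
import json
import time
import unicodedata
from urllib.parse import urlencode

# Constructed sample values for this example; not taken from the AM documentation.
AM_OAUTH2_BASE = "https://openam.example.com:8443/openam/oauth2"
BC_AUTHORIZE_URL = AM_OAUTH2_BASE + "/realms/root/realms/alpha/bc-authorize"
CLIENT_ID = "myCIBAClient"
CLIENT_SECRET = "constructed-client-secret"   # shared secret, also used as the HS256 key here
MAX_EXP_SECONDS = 30 * 60                     # AM rejects an exp more than 30 minutes ahead


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Compact-serialise and HMAC-SHA256 sign a claim set (minimal JWS, no library)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, secret: str) -> dict:
    """Verify the signature and return the claims; rejects any alg other than HS256."""
    h, p, s = token.split(".")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def build_ciba_request_jwt(login_hint, scope, binding_message, now=None, lifetime=300, acr_values=None):
    """Assemble the claims the page lists and sign them with the client secret."""
    now = int(time.time()) if now is None else now
    claims = {
        "aud": AM_OAUTH2_BASE,          # the AM OAuth 2.0 endpoint
        "iss": CLIENT_ID,               # must equal the client ID registered in AM
        "exp": now + lifetime,          # keep well under AM's 30-minute limit
        "login_hint": login_hint,
        "scope": scope,                 # must include "openid"
        "binding_message": binding_message,
    }
    if acr_values:
        claims["acr_values"] = acr_values
    return sign_hs256(claims, CLIENT_SECRET)


def check_ciba_claims(claims, client_id, expected_aud, now, push_delivery=False):
    """Return the list of page-stated constraints the claims violate (empty if none)."""
    problems = []
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud must contain the AM OAuth 2.0 endpoint")
    exp = claims.get("exp")
    if not isinstance(exp, int):
        problems.append("exp missing")
    elif exp <= now:
        problems.append("JWT has expired")
    elif exp - now > MAX_EXP_SECONDS:
        problems.append("JWT expiration time is unreasonable")
    if claims.get("iss") != client_id:
        problems.append("iss must match the client ID")
    if not (claims.get("login_hint") or claims.get("id_token_hint")):
        problems.append("login_hint or id_token_hint required")
    if "openid" not in str(claims.get("scope", "")).split():
        problems.append("scope must include openid")
    msg = str(claims.get("binding_message", ""))
    if not 1 <= len(msg) <= 100:
        problems.append("binding_message must be 1 to 100 characters")
    elif push_delivery:
        # Push delivery: first char must be a letter, digit or punctuation (Unicode category P*)
        if not (msg[0].isalnum() or unicodedata.category(msg[0]).startswith("P")):
            problems.append("push binding_message must begin with a letter, number, or punctuation mark")
        # Line breaks are control characters (category Cc), so one check covers both rules
        if any(unicodedata.category(ch) == "Cc" for ch in msg):
            problems.append("push binding_message must not contain line breaks or control characters")
    return problems


def bc_authorize_form_body(request_jwt):
    """Form-encoded POST body for bc-authorize with client_secret authentication.
    The 'request' parameter name is assumed from the CIBA spec, not stated on the page."""
    return urlencode({"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "request": request_jwt})
```

A production client would sign with the algorithm and key configured for the client in AM (and use the JWT bearer client_assertion where that method is configured) rather than reusing the client secret; the claim checks are the part worth keeping, as they reproduce the rejections AM applies before any user is contacted.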