/oauth2/bc-authorize
The /oauth2/bc-authorize
endpoint is the backchannel authorization endpoint as used by OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0 draft-02. Use this endpoint to initiate backchannel authorization with the resource owner when using the following flow:
Backchannel Request Grant (OpenID Connect)
You must compose the path to the backchannel authorization endpoint addressing the specific realm where the authorization request ID will be issued. For example, https://openam.example.com:8443/openam/oauth2/realms/root/realms/subrealm1/bc-authorize
.
The endpoint supports the following parameters:
client_id
Specifies the client ID unique to the application making the request.
Required: Yes.
client_secret
Specifies the password of the private client making the request. Do not use in conjunction with the
cnf_key
parameter.Required: A form of password or credentials is required for confidential clients. However, the use of the
client_secret
parameter depends on the client authentication method used. For more information, see OAuth 2.0 Client Authentication.client_assertion
Specifies the signed JWT that the client uses as a credential when using the JWT bearer client authentication method.
For more information, see OAuth 2.0 Client Authentication.
Required: Yes, when using the JWT bearer client authentication method.
client_assertion_type
Specifies the type of assertion when the client is authenticating to the authorization server using JWT bearer client authentication. Do not use with other client authentication methods.
Set it to
urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
.For more information, see OAuth 2.0 Client Authentication.
Required: Yes, when using the JWT bearer client authentication method.
The endpoint requires a signed JWT that contains the following parameters:
- aud
Specifies a string or an array of strings that is the intended audience of the JWT. Must be set to the authorization server's OAuth 2.0 endpoint, for example:
"aud": "http://openam.example.com:8080/openam/oauth2"
- exp
Specifies the expiration time of the JWT in Unix time.
Providing a JWT with an expiry time greater than 30 minutes causes AM to return a
JWT expiration time is unreasonable
error message.- iss
Specifies the unique identifier of the JWT issuer.
The identifier must match the client ID of the OAuth 2.0 client in AM, for example myCIBAClient.
- login_hint
Specifies the principal who is the subject of the JWT. It should be a string that identifies the resource owner.
Tip
You can provide a previously obtained ID token in a property named id_token_hint as the hint for determining the resource owner, rather than a string.
- scope
Specifies a space-separated list of the requested scopes. Must include the
openid
scope.- acr_values
Specifies an identifier that maps to the authentication mechanism AM uses to obtain authorization from the end user.
- binding_message
Specifies a message delivered to the user when obtaining authorization.
Should be a short (100 characters or fewer), description of the operation the end user is authorizing, and should include an identifier to match the authorization request to the client that initiated the request.
Note
If the binding message is sent using push notifications, the following additional limitations apply to the value:
Must begin with a letter, number, or punctuation mark.
Must not include line breaks or control characters.
For example:
Allow ExampleBank to transfer £50 from your 'Main' account to your 'Savings' account? (EB-0246326)