/oauth2/bc-authorize

The /oauth2/bc-authorize endpoint is the backchannel authorization endpoint for OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0.

Use this endpoint to initiate backchannel authorization with the resource owner with the following flow:

Backchannel request grant (OpenID Connect)

Specify the realm in the request URL; for example:

https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/bc-authorize

The endpoint supports the following parameters:

Parameter Description Required

Parameter	Description	Required
`client_assertion`⁽¹⁾	A signed JSON Web Token (JWT) to use as client credentials.	Yes, for JWT profile authentication
`client_assertion_type`	The type of assertion, `client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer`.	Yes, for JWT profile authentication
`client_id`	Uniquely identifies the application making the request.	Yes
`client_secret`	The password for a confidential client.	Yes, when authenticating with Form parameters (HTTP POST)

client_assertion⁽¹⁾

A signed JSON Web Token (JWT) to use as client credentials.

Yes, for JWT profile authentication

client_assertion_type

The type of assertion, client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer.

Yes, for JWT profile authentication

client_id

Uniquely identifies the application making the request.

Yes

client_secret

The password for a confidential client.

Yes, when authenticating with Form parameters (HTTP POST)

⁽¹⁾ The endpoint requires a signed JWT with these claims:

Claim Description Example

Claim	Description	Example
`acr_values`	A string identifying the mechanism for the end user to provide authorization.	`"acr_values": "push"`
`aud`	A string or array of strings indicating the intended audience of the JWT. Must include the authorization server OAuth 2.0 endpoint.	`"aud": "https://<tenant-env-fqdn>/am/oauth2"`
`binding_message`	A short (100 character max.) string message to display to the user when obtaining authorization. For push notification, messages must: Begin with a letter, number, or punctuation mark. Not include line breaks or control characters.	`"binding_message": "Allow ExampleBank to transfer £50 from 'Main' to 'Savings'? (EB-0246326)"`
`exp`	The expiration time in seconds since January 1, 1970 UTC. An expiration time more than 30 minutes in the future causes a `JWT expiration time is unreasonable` error message.	`"exp": 1675681183`
`id_token_hint`	An ID token identifying the principal and subject of the JWT (the end user). Required when not using `login_hint`.	`"id_token_hint": "<id-token>"`
`iss`	The unique identifier of the JWT issuer; must match the client ID in the application profile.	`"iss": "myCIBAClient"`
`login_hint`	A string identifying the principal and subject of the JWT (the end user). Required when not using `id_token_hint`.	`"login_hint": "a0325ea4-9d9b-4056-931b-ab64704cc3da"`
`scope`	A string holding a space-separated list of the requested scopes; must include `openid`.	`"scope": "openid profile"`

acr_values

A string identifying the mechanism for the end user to provide authorization.

"acr_values": "push"

aud

A string or array of strings indicating the intended audience of the JWT. Must include the authorization server OAuth 2.0 endpoint.

"aud": "https://<tenant-env-fqdn>/am/oauth2"

binding_message

A short (100 character max.) string message to display to the user when obtaining authorization.

For push notification, messages must:

Begin with a letter, number, or punctuation mark.
Not include line breaks or control characters.

"binding_message": "Allow ExampleBank to transfer £50 from 'Main' to 'Savings'? (EB-0246326)"

exp

The expiration time in seconds since January 1, 1970 UTC. An expiration time more than 30 minutes in the future causes a JWT expiration time is unreasonable error message.

"exp": 1675681183

id_token_hint

An ID token identifying the principal and subject of the JWT (the end user).

Required when not using login_hint.

"id_token_hint": "<id-token>"

iss

The unique identifier of the JWT issuer; must match the client ID in the application profile.

"iss": "myCIBAClient"

login_hint

A string identifying the principal and subject of the JWT (the end user).

Required when not using id_token_hint.

"login_hint": "a0325ea4-9d9b-4056-931b-ab64704cc3da"

scope

A string holding a space-separated list of the requested scopes; must include openid.

"scope": "openid profile"

PingOne Advanced Identity Cloud

/oauth2/bc-authorize