The /oauth2/bc-authorize endpoint is the backchannel authorization endpoint for OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0.

Use this endpoint to initiate backchannel authorization with the resource owner with the following flow:

Specify the realm in the request URL; for example:


The endpoint supports the following parameters:

Parameter Description Required


A signed JSON Web Token (JWT) to use as client credentials.

Yes, for JWT profile authentication


The type of assertion, client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer.

Yes, for JWT profile authentication


Uniquely identifies the application making the request.



The password for a confidential client.

Yes, when authenticating with Form parameters (HTTP POST)

(1) The endpoint requires a signed JWT with these claims:

| Claim | Description | Example |
|---|---|---|
| `acr_values` | A string identifying the mechanism for the end user to provide authorization. | `"acr_values": "push"` |
| `aud` | A string or array of strings indicating the intended audience of the JWT. Must include the authorization server OAuth 2.0 endpoint. | `"aud": "https://<tenant-env-fqdn>/am/oauth2"` |
| `binding_message` | A short (100 character max.) string message to display to the user when obtaining authorization. For push notification, messages must: begin with a letter, number, or punctuation mark; not include line breaks or control characters. | `"binding_message": "Allow ExampleBank to transfer £50 from 'Main' to 'Savings'? (EB-0246326)"` |
| `exp` | The expiration time in seconds since January 1, 1970 UTC. An expiration time more than 30 minutes in the future causes a "JWT expiration time is unreasonable" error message. | `"exp": 1675681183` |
| `id_token_hint` | An ID token identifying the principal and subject of the JWT (the end user). Required when not using `login_hint`. | `"id_token_hint": "<id-token>"` |
| `iss` | The unique identifier of the JWT issuer; must match the client ID in the application profile. | `"iss": "myCIBAClient"` |
| `login_hint` | A string identifying the principal and subject of the JWT (the end user). Required when not using `id_token_hint`. | `"login_hint": "a0325ea4-9d9b-4056-931b-ab64704cc3da"` |
| `scope` | A string holding a space-separated list of the requested scopes; must include `openid`. | `"scope": "openid profile"` |

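A client-side pre-flight check of the claim rules listed above, run before the request JWT is signed and sent. This is an added example, not code from the original page or from the product. The function name, the problem strings, the placeholder hostname, and the choice to treat every listed claim as required (apart from the two alternative hints) are assumptions.

```python
import time
import unicodedata

MAX_EXP_AHEAD = 30 * 60   # page: exp more than 30 minutes ahead is rejected
MAX_MESSAGE_LEN = 100     # page: binding_message is 100 characters max

def check_ciba_claims(claims, client_id, as_endpoint, now=None):
    """Return a list of problems in the request claims (empty list = OK)."""
    now = int(time.time()) if now is None else now
    problems = []
    if not claims.get("acr_values"):
        problems.append("acr_values missing")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if as_endpoint not in audiences:
        problems.append("aud lacks the authorization server endpoint")
    msg = claims.get("binding_message") or ""
    cats = [unicodedata.category(ch) for ch in msg]
    if not msg or len(msg) > MAX_MESSAGE_LEN:
        problems.append("binding_message missing or over 100 characters")
    elif cats[0][0] not in "LNP":
        problems.append("binding_message has an invalid first character")
    # Category C* covers control characters; Zl/Zp are Unicode line breaks.
    if any(c[0] == "C" or c in ("Zl", "Zp") for c in cats):
        problems.append("binding_message has line breaks or control characters")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("exp missing or not in the future")
    elif exp - now > MAX_EXP_AHEAD:
        problems.append("exp more than 30 minutes in the future")
    if not (claims.get("id_token_hint") or claims.get("login_hint")):
        problems.append("id_token_hint or login_hint required")
    if claims.get("iss") != client_id:
        problems.append("iss does not match the client ID")
    if "openid" not in str(claims.get("scope", "")).split():
        problems.append("scope lacks openid")
    return problems

# Constructed sample: values follow the page's examples; the hostname is a placeholder.
AS_ENDPOINT = "https://tenant.example.com/am/oauth2"
SAMPLE = {
    "acr_values": "push",
    "aud": AS_ENDPOINT,
    "binding_message": "Allow ExampleBank to transfer £50 from 'Main' to 'Savings'? (EB-0246326)",
    "exp": 1675681183,
    "iss": "myCIBAClient",
    "login_hint": "a0325ea4-9d9b-4056-931b-ab64704cc3da",
    "scope": "openid profile",
}
```

Pass `now` explicitly when checking stored or test claims; in production leave it unset so the current time is used.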
