Authentication Request

Introduction

Web applications and other applications typically authorize a user by requesting an OAuth / OIDC token. That process is initiated with an authentication request to the authorization endpoint, which is usually handled by an OIDC library.

Authentication Request

A simple example could look like this:

https://server.example.com/connect/authorize?
  response_type=code
  &client_id=s6BhdRkqt3
  &scope=openid%20profile%20email
  &state=af0ifjsldkj
  &nonce=AF453ADF234ASF2

Detailed documentation of the possible parameters can be found in the OIDC specification.
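The following is an added example, not code from the page or from the CoreOne product, showing what an OIDC library does on the client side of the request above: it generates unguessable state and nonce values, stores them in the user's session, builds the authorization URL, and later checks that the callback carries the same state and that the ID token carries the same nonce. The authorize endpoint, client_id and redirect_uri are taken from the examples on this page and are placeholders, not a real registration.

```python
import hmac
import secrets
import urllib.parse

# Assumed for illustration (values from the page's examples, not a real client):
# the provider's authorize endpoint, a registered client_id and its redirect_uri.
AUTHORIZE_ENDPOINT = "https://server.example.com/connect/authorize"
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://my.application.ch/signing-oidc"


def _equal(expected: str, received: str) -> bool:
    """Constant-time comparison of two request-binding values."""
    return hmac.compare_digest(expected.encode(), received.encode())


def build_authentication_request(session: dict, scopes=("openid", "profile", "email"),
                                 response_mode="form_post", prompt=None, max_age=None) -> str:
    """Create the authorization URL and store fresh state and nonce in the session.

    state binds the later callback to this browser session, nonce binds the
    ID token to this particular request; both are random, single-use values.
    """
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
        "response_mode": response_mode,
    }
    if prompt:
        params["prompt"] = prompt
    if max_age is not None:
        params["max_age"] = str(max_age)
    # quote_via=quote encodes the spaces in scope as %20, as in the example URL.
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def query_params(url: str) -> dict:
    """Decode the query string of an authorization URL into single-valued parameters."""
    parsed = urllib.parse.urlparse(url)
    return {k: v[0] for k, v in urllib.parse.parse_qs(parsed.query).items()}


def validate_callback(session: dict, callback_params: dict) -> str:
    """Check the authorization response and return the authorization code.

    The stored state is consumed so a response can only be accepted once;
    a mismatch means the response was not produced by a request of this session.
    """
    expected = session.pop("oidc_state", None)
    received = callback_params.get("state", "")
    if expected is None or not _equal(expected, received):
        raise ValueError("state mismatch: response is not bound to this session")
    if "error" in callback_params:
        raise ValueError(f"authorization error: {callback_params['error']}")
    code = callback_params.get("code")
    if not code:
        raise ValueError("authorization response carries no code")
    return code


def validate_id_token_nonce(session: dict, id_token_claims: dict) -> bool:
    """Compare the nonce claim of an already signature-verified ID token with the
    nonce stored for this session; the stored nonce is consumed either way."""
    expected = session.pop("oidc_nonce", None)
    return expected is not None and _equal(expected, id_token_claims.get("nonce", ""))
```

The session dict stands in for whatever server-side session store the application uses; the important properties are that state and nonce are generated fresh per request, compared in constant time, and removed after one use.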

Parameters

Each parameter is listed with an example value and its meaning (the table columns Parameter, Example and Value).

scope
  Example: oidc email profile
  Value: The requested scopes that define what data will be available to the client.

response_type
  Example: code
  Value: Determines the OIDC flow:
  • id_token requests an identity token
  • token requests an access token
  • id_token token requests an identity token and an access token
  • code requests an authorization code
  • code id_token requests an authorization code and an identity token
  • code id_token token requests an authorization code, an identity token and an access token

client_id
  Example: 01d084c3a2a44043b28934d6a9dde00d
  Value: The identifier of the client.

redirect_uri
  Example: https://my.application.ch/signing-oidc
  Value: Where the user is redirected after a successful authentication.

state
  Example: 4af227e317634c2e8000e4cb3a67ddf4
  Value: Opaque value that carries the client's state. The authentication server sends that state back to the client.

response_mode
  Example: form_post
  Value: Determines how the response is returned. The following response modes are supported:
  • query
  • fragment
  • form_post
  Note: From a security point of view, form_post is to be favored!

nonce
  Example: fbf6481c19244b9581fd1df815f719ef
  Value: String value used to associate a Client session with an ID Token, and to mitigate replay attacks.

prompt
  Example: login
  Value: Space-delimited, case-sensitive list of ASCII string values that specifies whether the authentication provider prompts the End-User for registration, reauthentication, account selection, or consent.
  Supported values:
  • none: No UI is shown during the request. If this is not possible (e.g. because the user has to sign in or consent), an error is returned. Sending “none” alongside any other prompt also results in an error.
  • login: The login UI is shown even if the user is already signed in and has a valid session.
  • select_account: Allows the user to select an account if they have multiple accounts associated with the authentication provider.
  • consent: Asks the user to consent even if the scope has been granted previously.
  • create: Asks the authentication provider to show the registration page first. If “create” is received alongside another prompt, an error is returned.
  Unsupported values are ignored.

max_age
  Example: 90
  Value: Maximum Authentication Age in seconds.

ui_locales
  Example: de
  Value: Determines the UI language.

id_token_hint
  Example: e79d58a3a157447294869651cc5ec877
  Value: ID Token previously issued by the Authorization Server, passed as a hint about the End-User's current or past authenticated session with the Client.

login_hint
  Example: username
  Value: Indicates which user needs to authenticate.

acr_values
  Example: urn:coreone:authentication:loa:user:max
  Value: See Quality of Authentication (QoA) | ACR Values.
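As an added example (not code from the page or from the CoreOne product), the following shows how a provider could apply the rules in the table above when it receives an authentication request: the supported response_type and response_mode values, the prompt rules (space-delimited, case-sensitive, unsupported values ignored, "none" and "create" only on their own, an error when "none" cannot be honoured) and the max_age check against the time of the last authentication. The default response_mode when the parameter is absent follows OAuth 2.0 rather than anything on this page, and the assumption that the "none"/"create" stand-alone rule is applied after unsupported values are dropped is marked in the code.

```python
import time
from typing import Optional

# Value sets taken from the parameter table above.
ALLOWED_RESPONSE_TYPES = {
    "id_token", "token", "id_token token",
    "code", "code id_token", "code id_token token",
}
ALLOWED_RESPONSE_MODES = {"query", "fragment", "form_post"}
KNOWN_PROMPTS = {"none", "login", "select_account", "consent", "create"}


class InvalidRequest(ValueError):
    """Raised when the request must be answered with an error response."""


def parse_response_type(value: str) -> str:
    """Return the canonical form of a supported response_type. Token order is
    not significant in OAuth 2.0, so "token id_token" maps to "id_token token"."""
    parts = value.split()
    for allowed in ALLOWED_RESPONSE_TYPES:
        if set(allowed.split()) == set(parts) and len(parts) == len(set(parts)):
            return allowed
    raise InvalidRequest(f"unsupported response_type {value!r}")


def parse_prompt(value: Optional[str]) -> set:
    """Apply the prompt rules from the table: space-delimited, case-sensitive
    ("Login" is not "login"), unsupported values ignored, and "none" or
    "create" must not be combined with other prompts.
    Assumption: the stand-alone rule is checked after unsupported values are dropped."""
    if value is None:
        return set()
    known = {p for p in value.split(" ") if p in KNOWN_PROMPTS}
    if "none" in known and len(known) > 1:
        raise InvalidRequest("prompt=none must not be combined with other prompts")
    if "create" in known and len(known) > 1:
        raise InvalidRequest("prompt=create must not be combined with other prompts")
    return known


def evaluate_request(params: dict, auth_time: Optional[int], now: Optional[int] = None) -> dict:
    """Validate an authentication request and decide whether the End-User has to
    authenticate again.

    params    -- the query or form parameters of the request
    auth_time -- epoch seconds of the End-User's last authentication in this
                 session, or None when there is no session
    """
    now = int(time.time()) if now is None else now
    for required in ("client_id", "redirect_uri", "response_type", "scope"):
        if not params.get(required):
            raise InvalidRequest(f"missing required parameter {required}")
    if "openid" not in params["scope"].split():
        raise InvalidRequest("scope must contain openid for an OIDC request")

    response_type = parse_response_type(params["response_type"])
    # OAuth 2.0 default when response_mode is absent: query for the code flow,
    # fragment for every flow that returns a token directly to the browser.
    response_mode = params.get("response_mode", "query" if response_type == "code" else "fragment")
    if response_mode not in ALLOWED_RESPONSE_MODES:
        raise InvalidRequest(f"unsupported response_mode {response_mode!r}")

    prompts = parse_prompt(params.get("prompt"))

    max_age = params.get("max_age")
    if max_age is not None:
        if not max_age.isdigit():
            raise InvalidRequest("max_age must be a non-negative integer")
        max_age = int(max_age)

    reauthenticate = (
        auth_time is None
        or "login" in prompts
        or (max_age is not None and now - auth_time > max_age)
    )
    if reauthenticate and "none" in prompts:
        # prompt=none forbids any UI, so a request that needs a login cannot be satisfied.
        raise InvalidRequest("login_required")

    return {
        "response_type": response_type,
        "response_mode": response_mode,
        "prompts": prompts,
        "reauthenticate": reauthenticate,
    }
```

Passing now explicitly keeps the max_age decision testable; a real endpoint would also verify that redirect_uri exactly matches the one registered for client_id before sending any error back to it.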


© ITSENSE AG. All rights reserved. ITSENSE and CoreOne are registered trademarks of ITSENSE AG.