Introduction

Authorization within web applications and other applications is typically done by requesting an OAuth / OIDC token. In order to initiate that process, an authentication request can be started. This is typically handled by an OIDC library.

Authentication Request

A simple example could look like this

https://server.example.com/connect/authorize?
    response_type=code
    &client_id=s6BhdRkqt3
    &scope=openid%20profile%20email
    &state=af0ifjsldkj
    &nonce=AF453ADF234ASF2

An in detail documentation off the possible parameters can be found in the OIDC specification.

Parameters

Parameter	Example	Value

Parameter	Example	Value
`scope`	oidc email profile	The requested scopes that define what data will be available to the client.
`response_type`	code	Impacts the OIDC flow. `id_token` requests an identity token `token` requests an access token `id_token token` requests an identity token and an access token `code` requests an authorization code `code id_token` requests an authorization code and identity token `code id_token token` requests an authorization code, identity token and access token
`client_id`	01d084c3a2a44043b28934d6a9dde00d	The identifier of the client.
`redirect_uri`	https://my.application.ch/signing-oidc	Where the user will be redirected to after a successful authentication.
`state`	4af227e317634c2e8000e4cb3a67ddf4	Opaque value to contain the state. The authentication server will send that state back to the client.
`response_mode`	form_post	Impacts the return mode of the request. The following response types are supported: `query` `fragement` `form_post` Note: From a security point of view, `form_post` is to be favored!
`nonce`	fbf6481c19244b9581fd1df815f719ef	String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
`prompt`	login	Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. `none` no UI will be shown during the request. If this is not possible (e.g. because the user has to sign in or consent) an error is returned `login` the login UI will be shown, even if the user is already signed-in and has a valid session
`max_age`	90	Maximum Authentication Age in seconds.
`ui_locales`	de	Determinates the UI language.
`id_token_hint`	e79d58a3a157447294869651cc5ec877	ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client.
`login_hint`	username	Can indicate the user that needs to authenticate.
`acr_values`	`urn:coreone:authentication:loa:user:max`	See the Quality of Authentication (QoA) \| ACR Values