PKCE Authorization Code Mode

Last updated: 2023-12-22 11:42:07

API Description

The user (browser) can be redirected to this API address for login. Customer Identity Access Management (CIAM) will redirect the user to the authentication page for login authentication. After login, CIAM redirects the user to the address specified by the redirect_uri parameter.
If the user is already logged in, CIAM will redirect the user to redirect_uri.
Note:
According to the best security practices of the OAuth protocol, this API uses the Proof Key for Code Exchange (PKCE) authorization code mode.
The application system's Redirect URI used in the sample request is https://example.com/callback.

Supported Applications

Web applications, single-page applications (SPA), and mobile applications.

Request Method

GET

Request Path

/oauth2/authorize

Sample Requests

GET /oauth2/authorize?scope=openid&client_id=TENANT_CLIENT_ID&redirect_uri=https%3A%2F%2FTENANT.APP.DOMAIN%2Flogin%2Foauth2%2Fcode%2FTENANT_APP_ID&response_type=code&state=MOCK_STATE&code_challenge_method=S256&code_challenge=MOCK_CODE_CHALLENGE&auth_source_id=MOCK_USERNAME_PASSWORD_AUTH_SOURCE_ID HTTP/1.1
Host: sample.portal.tencentciam.com

Request Parameters

| Parameter | Optional | Description |
| --- | --- | --- |
| scope | false | Fixed value: openid. |
| client_id | false | The client_id of the application. Go to the application management page and select the application, and then click Application Configuration to find the Client ID. |
| redirect_uri | false | The redirected address after authorization. This should be the same as the address configured on the console. |
| response_type | false | Fixed value: code. |
| state | true | A string randomly generated by the application, which will be returned by the server to the application as an HTTP response parameter. To prevent cross-site request forgery (CSRF) attacks, we recommend that you use this parameter. |
| code_challenge_method | false | Algorithm for calculating the PKCE code_challenge. Only S256 is supported. |
| code_challenge | false | PKCE code_challenge. For more information about the calculation method, see RFC 7636. |
| auth_source_id | true | The ID of the authentication source for login. If this parameter is not specified, the default login page is displayed. |

Sample Success Responses

The user is not logged in, and the default login page for authentication is displayed.
HTTP/1.1 302 Found
Location: https://sample.portal.tencentciam.com/portal/login?p_state=MOCK_LOGIN_PORTAL_STATE
The user is logged in, and is redirected to the application callback address with the authorization code and state parameter carried.
HTTP/1.1 302 Found
Location: https://example.com/callback?code=DVtNBg5XGqeu2IytLi6WOWwfh7pRc5jqI8vUb2K8k_2OryR2OsYN3260DwhlTDqEMtUSD1XN6gNuRDjYQ25nJX6H8MzfpIxJHIoi0tdtkXfRpV1ELhmw7behuwYraTlC&state=MOCK_STATE
Note:
After the code parameter is returned in the application callback address, the API for getting the Token via PKCE mode should be called to get the Access Token and ID Token for login.

Sample Error Responses

The client_id parameter is missing or incorrect.
HTTP/1.1 400 Bad Request
The redirect_uri parameter does not match the sign-up information.
HTTP/1.1 400 Bad Request
The response_type parameter is missing or incorrect.
HTTP/1.1 400 Bad Request
The code_challenge_method parameter is not supported.
HTTP/1.1 302 Found
Location: https://example.com/callback?error=invalid_request&error_description=OAuth%202.0%20Parameter:%20code_challenge_method&error_uri=https://datatracker.ietf.org/doc/html/rfc7636%23section-4.4.1&state=MOCK_STATE
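
The request parameters and callback responses above, put together as an added Python example (not Tencent Cloud's own code): it derives the S256 code_challenge per RFC 7636, builds the /oauth2/authorize URL, and checks state and the error parameter on the callback. The function names and the session dict are assumptions made for illustration; the host is the one from the sample request.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Host taken from the page's sample request; replace with your tenant's domain.
AUTHORIZE_URL = "https://sample.portal.tencentciam.com/oauth2/authorize"

def code_challenge_s256(verifier: str) -> str:
    # RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier))), no "=" padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_request(client_id: str, redirect_uri: str):
    """Return (url, session); session is a hypothetical dict kept by the client."""
    # 32 random bytes give a 43-character verifier, the minimum RFC 7636 allows.
    raw = secrets.token_bytes(32)
    verifier = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    state = secrets.token_urlsafe(32)  # unpredictable, bound to this login attempt
    query = urlencode({
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge_s256(verifier),
    })
    # Only the challenge goes in the URL; the verifier is sent later, in the
    # token request, so keep it out of URLs and logs.
    return f"{AUTHORIZE_URL}?{query}", {"state": state, "code_verifier": verifier}

def handle_callback(callback_url: str, session: dict) -> str:
    """Return the authorization code, or raise ValueError."""
    params = parse_qs(urlsplit(callback_url).query)
    returned_state = params.get("state", [""])[0]
    # Check state before anything else: a callback whose state does not match
    # was not started by this session (CSRF or a mixed-up login attempt).
    if not hmac.compare_digest(returned_state.encode(), session["state"].encode()):
        raise ValueError("state mismatch")
    if "error" in params:
        raise ValueError("authorization error: " + params["error"][0])
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no code")
    return code
```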

