Skip to content

Get PKCE Authorization Code

When the user accesses the third-party application, the third-party application uses code_challenge to initiate an authorization login request to BambooCloud IDaaS. After the user enters username and password and is authenticated, BambooCloud IDaaS redirects to the third-party application with the authorization code parameter.

Request Description

http
GET https://{your_domain}/api/v1/oauth2/authorize

Request Example

http
GET https://{your_domain}/api/v1/oauth2/authorize?response_type=code&client_id={client_id}&redirect_uri=http://oauthdemo.bccastle.com/demo/index.jsp&state=15924362&code_challenge=5qa69AH8v3r33rVuTGjZalHczEq<br>MsXYvllXXL8zXorM&code_challenge_method=S256

Request Parameters

ParameterNameRequiredExampleDescription
response_typeAuthorization typeRequiredcodeFixed value: code
client_idApplication identifierRequiredRqB2HJtkz6iH76qAclientid assigned to the third-party application after access is approved.
redirect_uriCallback addressOptionalhttp://oauthdemo.bccastle.com
/demo/index.jsp
Callback address after successful authorization. Must match the trusted domain filled in when registering the application. It is recommended to set it to the application homepage or user center. Note that the URL needs to be URL-encoded.
stateApplication state codeOptional15924362Client-side state value. Used by third-party applications to prevent CSRF attacks; returned unchanged in the callback after successful authorization. Please strictly follow the process to check the binding between the user and the state parameter.
scopeScopeOptionalget_user_infoFixed value: get_user_info
code_challengePKCE challengeRequired5qa69AMsXYvllXorMThe application randomly generates a string of 43-128 characters and URL-Safe Base64 encodes it as the code_verifier. The string is then SHA256 hashed and URL-Safe Base64 encoded as the code_challenge.
code_challenge_methodPKCE challenge methodRequiredS256Fixed value: S256

Response Example

Success response example

http
HTTP Status: 302 REDIRECT
http://oauthdemo.bccastle.com/demo/index.jsp?code=stRWlW&state=15924362

Missing client_id parameter

json
HTTP Status: 400 BAD REQUEST 
{
    "error": "invalid_request",
    "error_description": "Missing client_id"
}

Incorrect client_id parameter

json
HTTP Status: 400 BAD REQUEST 
{  
    "error": "invalid_request",  
    "error_description": "client_id parameter is error"
}

response_type parameter name or value error

json
HTTP Status: 400 BAD REQUEST 
{ 
    "error": "unsupported_response_type", 
    "error_description": "Unsupported response types: [xxx]"
}

Incorrect redirect_uri parameter

json
HTTP Status: 400 BAD REQUEST 
{  
    "error": "invalid_request", 
    "error_description": "Invalid redirect: https://www.baidu.com does not match one of the registered values."
}

Incorrect scope parameter

json
HTTP Status: 302 
{redirect_uri}?error=invalid_scope&error_description=Invalid scope: xxx&state=123456

Missing code_challenge parameter

json
HTTP Status: 400 BAD REQUEST
{
	"error": "invalid_request",
	"error_description": "Miss code_challenge"
}

Incorrect code_challenge_method parameter

json
HTTP Status: 400 BAD REQUEST 
{
	"error": "invalid_request",
	"error_description": "Unsupported code_challenge_method: xxx"
}

Response Parameters

If the user logs in and authorizes successfully, the browser will redirect to the specified callback address, appending the Authorization Code and the original state value to the redirect_uri.

ParameterNameRequiredExampleDescription
codeAuthorization codeRequiredstRWlWAuthorization code returned by the authorization server to the application after the user logs in and authorizes. Note: this code is valid for 5 minutes and can only be used once within the validity period.
stateApplication state codeOptional15924362Client-side state value. Used by third-party applications to prevent CSRF attacks; returned unchanged in the callback after successful authorization.

BambooCloud IDaaS Open Platform