Implicit Grant Authorization
When the user accesses the third-party application, the third-party application initiates an authorization login request to BambooCloud IDaaS. After the user enters username and password and is authenticated, BambooCloud IDaaS redirects to the third-party application with the access token access_token and ID token id_token.
Request Description
http
GET https://{your_domain}/api/v1/oauth2/authorizeRequest Parameters
| Parameter | Name | Required | Example | Description |
|---|---|---|---|---|
| response_type | Authorization type | Required | id_token | Fixed value: id_token |
| client_id | Application identifier | Required | RqB2HiHC9N676qA | clientid assigned to the third-party application after access is approved. |
| redirect_uri | Callback address | Optional | http://oidcdemo.bccastle.com /demo/index.jsp | Callback address after authorization. Must match the trusted domain filled in when registering the application. Note that the URL needs to be URL-encoded. |
| state | State code | Optional | 15924362 | Client-side state value. Used to prevent CSRF attacks. It will be returned unchanged in the callback after successful authorization. Please check the binding between the user and the state. |
| scope | Scope | Required | openid | Must contain a scope parameter with value openid |
| response_mode | Response mode | Optional | fragment | Default value fragment, optional query |
Request Example
https://{your_domain}/api/v1/oauth2/authorize?response_type=id_token&client_id={client_id}&redirect_uri=http://oidcdemo.bccastle.com/demo/index.jsp&state=15924362&scope=openid&state=15924362Response Example
Success response example
json
HTTP Status: 302 REDIRECT
{redirect_uri}/#id_token=eyJHRwczovL2...u8mPI5Z96IQ&state=15924362t*#access_token=NObiIMkOvBgHIo8&token_type=Bearer&expires_in=6285&scope=openid&state=15924362User has not authorized the application
json
HTTP Status: 302 REDIRECT
https://{your_domain}/authentication/UnauthorizedUser.htmlMissing client_id parameter
json
HTTP Status: 400 BAD REQUEST
{
"error": "invalid_request",
"error_description": "Missing client_id"
}Incorrect client_id parameter
json
HTTP Status: 400 BAD REQUEST
{
"error": "invalid_request",
"error_description": "client_id parameter is error"
}response_type parameter name or value error
json
HTTP Status: 400 BAD REQUEST
{
"error": "unsupported_response_type",
"error_description": "Unsupported response types: [xxx]"
}Incorrect redirect_uri parameter
json
HTTP Status: 400 BAD REQUEST
{
"error": "invalid_request",
"error_description": "Invalid redirect: xxx does not match one of the registered values."
}Incorrect scope parameter
json
HTTP Status: 302
{redirect_uri}?error=invalid_scope&error_description=Invalid scope: xxx&state=123456Response Parameters
If the user logs in and authorizes successfully, the browser will redirect to the specified callback address, appending the Authorization Code and the original state value to the redirect_uri.
| Parameter | Name | Required | Example | Description |
|---|---|---|---|---|
| access_token | Authorization token | Required | NObiKQS-cn8AWnZyIMkOvBgHIo8 | Returned as a URL fragment, not a query parameter. |
| token_type | Token type | Required | Bearer | Fixed: Bearer |
| expires_in | Access token validity period | Required | 7199 | Validity period of the access ticket returned by the authorization server. Note: the validity period is in seconds. |
| id_token | ID Token | Required | eyJhbGciOiJSUzI1NiIsImtp.... | |
| scope | Authorization scope | Required | openid | |
| state | Application state code | Optional | 15924362 | Client-side state value. Used by third-party applications to prevent CSRF attacks; returned unchanged in the callback after successful authorization. |