Skip to content

Implicit Grant Authorization

When the user accesses the third-party application, the third-party application initiates an authorization login request to BambooCloud IDaaS. After the user enters username and password and is authenticated, BambooCloud IDaaS redirects to the third-party application with the access token access_token and ID token id_token.

Request Description

http
GET https://{your_domain}/api/v1/oauth2/authorize

Request Parameters

ParameterNameRequiredExampleDescription
response_typeAuthorization typeRequiredid_tokenFixed value: id_token
client_idApplication identifierRequiredRqB2HiHC9N676qAclientid assigned to the third-party application after access is approved.
redirect_uriCallback addressOptionalhttp://oidcdemo.bccastle.com
/demo/index.jsp
Callback address after authorization.
Must match the trusted domain filled in when registering the application.
Note that the URL needs to be URL-encoded.
stateState codeOptional15924362Client-side state value. Used to prevent CSRF attacks.
It will be returned unchanged in the callback after successful authorization.
Please check the binding between the user and the state.
scopeScopeRequiredopenidMust contain a scope parameter with value openid
response_modeResponse modeOptionalfragmentDefault value fragment, optional query

Request Example

https://{your_domain}/api/v1/oauth2/authorize?response_type=id_token&client_id={client_id}&redirect_uri=http://oidcdemo.bccastle.com/demo/index.jsp&state=15924362&scope=openid&state=15924362

Response Example

Success response example

json
HTTP Status: 302 REDIRECT
{redirect_uri}/#id_token=eyJHRwczovL2...u8mPI5Z96IQ&state=15924362t*#access_token=NObiIMkOvBgHIo8&token_type=Bearer&expires_in=6285&scope=openid&state=15924362

User has not authorized the application

json
HTTP Status: 302 REDIRECT
https://{your_domain}/authentication/UnauthorizedUser.html

Missing client_id parameter

json
HTTP Status: 400 BAD REQUEST 
{
    "error": "invalid_request",
    "error_description": "Missing client_id"
}

Incorrect client_id parameter

json
HTTP Status: 400 BAD REQUEST 
{
    "error": "invalid_request",
    "error_description": "client_id parameter is error"
}

response_type parameter name or value error

json
HTTP Status: 400 BAD REQUEST 
{
    "error": "unsupported_response_type",
    "error_description": "Unsupported response types: [xxx]"
}

Incorrect redirect_uri parameter

json
HTTP Status: 400 BAD REQUEST
{ 
    "error": "invalid_request",
    "error_description": "Invalid redirect: xxx does not match one of the registered values."
}

Incorrect scope parameter

json
HTTP Status: 302 
{redirect_uri}?error=invalid_scope&error_description=Invalid scope: xxx&state=123456

Response Parameters

If the user logs in and authorizes successfully, the browser will redirect to the specified callback address, appending the Authorization Code and the original state value to the redirect_uri.

ParameterNameRequiredExampleDescription
access_tokenAuthorization tokenRequiredNObiKQS-cn8AWnZyIMkOvBgHIo8Returned as a URL fragment, not a query parameter.
token_typeToken typeRequiredBearerFixed: Bearer
expires_inAccess token validity periodRequired7199Validity period of the access ticket returned by the authorization server. Note: the validity period is in seconds.
id_tokenID TokenRequiredeyJhbGciOiJSUzI1NiIsImtp....
scopeAuthorization scopeRequiredopenid
stateApplication state codeOptional15924362Client-side state value. Used by third-party applications to prevent CSRF attacks; returned unchanged in the callback after successful authorization.

BambooCloud IDaaS Open Platform