Get PKCE Authorization Code
When the user accesses the third-party application, the third-party application uses code_challenge to initiate an authorization login request to BambooCloud IDaaS. After the user enters username and password and is authenticated, BambooCloud IDaaS redirects to the third-party application with the authorization code parameter.
Request Description
GET https://{your_domain}/api/v1/oauth2/authorizeRequest Example
GET https://{your_domain}/api/v1/oauth2/authorize?response_type=code&client_id={client_id}&redirect_uri=http://oidcdemo.bccastle.com/demo/index.jsp&state=15924362&code_challenge=5qa69AH8v3r33rVuTGjZalHcz<br>EqMsXYvllXXL8zXorM&code_challenge_method=S256&scope=openidRequest Parameters
| Parameter | Name | Required | Example | Description |
|---|---|---|---|---|
| response_type | Authorization type | Required | code | Fixed value: code |
| client_id | Application identifier | Required | RqB2HJtkz6iH76qA | clientid assigned to the third-party application after access is approved. |
| redirect_uri | Callback address | Optional | http://oidcdemo.bccastle.com /demo/index.jsp | Callback address after successful authorization. Must match the trusted domain filled in when registering the application. It is recommended to set it to the application homepage or user center. Note that the URL needs to be URL-encoded. |
| state | Application state code | Optional | 15924362 | Client-side state value. Used by third-party applications to prevent CSRF attacks; returned unchanged in the callback after successful authorization. Please strictly follow the process to check the binding between the user and the state parameter. |
| scope | Scope | Required | openid | openid |
| code_challenge | PKCE challenge | Required | 5qa69AMsXYvllXorM | The application randomly generates a string of 43-128 characters and URL-Safe Base64 encodes it as the code_verifier. The string is then SHA256 hashed and URL-Safe Base64 encoded as the code_challenge. |
| code_challenge_method | PKCE challenge method | Required | S256 | Fixed value: S256 |
Response Example
Success response example
HTTP Status: 302 REDIRECT
{redirect_uri}?code=stRWlW&state=15924362User has not authorized the application
HTTP Status: 302 REDIRECT
https://{your_domain}/authentication/UnauthorizedUser.htmlMissing client_id parameter
HTTP Status: 400 BAD REQUEST
{
"error": "invalid_request",
"error_description": "Missing client_id"
}Incorrect client_id parameter
HTTP Status: 400 BAD REQUEST
{
"error": "invalid_request",
"error_description": "client_id parameter is error"
}response_type parameter name or value error
HTTP Status: 400 BAD REQUEST
{
"error": "unsupported_response_type",
"error_description": "Unsupported response types: xxx"
}Incorrect redirect_uri parameter
HTTP Status: 400 BAD REQUEST
{
"error": "invalid_request",
"error_description": "Invalid redirect: xxx does not match one of the registered values."
}Incorrect scope parameter
HTTP Status: 302
{redirect_uri}?error=invalid_scope&error_description=Invalid scope: xxx&state=123456Missing code_challenge parameter
HTTP Status: 400 BAD REQUEST
{
"error": "invalid_request",
"error_description": "Miss code_challenge"
}Incorrect code_challenge_method parameter
HTTP Status: 400 BAD REQUEST
{
"error": "invalid_request",
"error_description": "Unsupported code_challenge_method: xxx"
}Response Parameters
If the user logs in and authorizes successfully, the browser will redirect to the specified callback address, appending the Authorization Code and the original state value to the redirect_uri.
| Parameter | Name | Required | Example | Description |
|---|---|---|---|---|
| code | Authorization code | Required | stRWlW | Authorization code returned by the authorization server to the application after the user logs in and authorizes. Note: this code expires after 5 minutes and can only be used once within the validity period. |
| state | Application state code | Optional | 15924362 | Client-side state value. Used by third-party applications to prevent CSRF attacks; returned unchanged in the callback after successful authorization. |