/oauth2/bc-authorize
The /oauth2/bc-authorize
endpoint is the backchannel authorization endpoint for
OpenID Connect Client Initiated Backchannel Authentication Flow.
Use this endpoint to initiate backchannel authorization with the resource owner with the following flow:
-
Backchannel request grant (OpenID Connect)
Specify the realm in the request URL; for example:
https://openam.example.com:8443/openam/oauth2/realms/root/realms/alpha/bc-authorize
The endpoint supports the following parameters:
Parameter | Description | Required |
---|---|---|
A signed JSON Web Token (JWT) to use as client credentials. |
Yes, for JWT profile authentication |
|
The type of assertion, |
Yes, for JWT profile authentication |
|
Uniquely identifies the application making the request. |
Yes |
|
The password for a confidential client. |
Yes, when authenticating with Form parameters (HTTP POST) |
(1) The endpoint requires a signed JWT with these claims:
Claim | Description | Example |
---|---|---|
|
A string identifying the mechanism for the end user to provide authorization. |
|
|
A string or array of strings indicating the intended audience of the JWT. Must include the authorization server OAuth 2.0 endpoint. |
|
|
A short (100 character max.) string message to display to the user when obtaining authorization. For push notification, messages must:
|
|
|
The expiration time in seconds since January 1, 1970 UTC.
An expiration time more than 30 minutes in the future causes a |
|
|
An ID token identifying the principal and subject of the JWT (the end user). Required when not using |
|
|
The unique identifier of the JWT issuer; must match the client ID in the application profile. |
|
|
A string identifying the principal and subject of the JWT (the end user). Required when not using |
|
|
A string holding a space-separated list of the requested scopes; must include |
|