--- title: /oauth2/bc-authorize description: The /oauth2/bc-authorize endpoint is the backchannel authorization endpoint for OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0. component: pingoneaic page_id: pingoneaic:am-oauth2:oauth2-bc-authorize-endpoint canonical_url: https://docs.pingidentity.com/pingoneaic/am-oauth2/oauth2-bc-authorize-endpoint.html keywords: ["OAuth 2.0", "Endpoints", "Authorization", "REST API"] page_aliases: ["oauth2-guide:oauth2-bc-authorize-endpoint.adoc"] section_ids: request_parameters: Request parameters responses: Responses --- # /oauth2/bc-authorize The `/oauth2/bc-authorize` endpoint is the backchannel authorization endpoint for [OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html). Use this endpoint to initiate backchannel authorization with the resource owner with the following flow: * Backchannel request grant ([OpenID Connect](../am-oidc1/openid-connect-backchannel-request-flow.html)) Specify the realm in the request URL; for example: ```none https:///am/oauth2/realms/root/realms/alpha/bc-authorize ``` ## Request parameters The endpoint supports the following parameters: | Parameter | Description | Required | | ----------------------- | ---------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | | `client_assertion`(1) | A signed JSON Web Token (JWT) to use as client credentials. | Yes, for [JWT profile](client-auth-jwt.html) authentication | | `client_assertion_type` | The type of assertion, `client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer`. | Yes, for [JWT profile](client-auth-jwt.html) authentication | | `client_id` | Uniquely identifies the application making the request. | Yes | | `client_secret` | The password for a confidential client. | Yes, when authenticating with [Form parameters (HTTP POST)](client-auth-form.html) | (1) The endpoint requires a signed JWT with these claims: | Claim | Description | Example | | ----------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | `acr_values` | A string identifying the mechanism for the end user to provide authorization. | `"acr_values": "push"` | | `aud` | A string or array of strings indicating the intended audience of the JWT. Must include the authorization server OAuth 2.0 endpoint including port number 443. | `"aud": "https://:443/am/oauth2/realms/root/realms/alpha"` | | `binding_message` | A short (100 character max.) string message to display to the user when obtaining authorization.For push notification, messages must:- Begin with a letter, number, or punctuation mark. - **Not** include line breaks or control characters. | `"binding_message": "Allow ExampleBank to transfer £50 from 'Main' to 'Savings'? (EB-0246326)"` | | `exp` | The expiration time in seconds since January 1, 1970 UTC. An expiration time more than 30 minutes in the future causes a `JWT expiration time is unreasonable` error message. | `"exp": 1761066489` To generate a value just under 30 minutes in the future, run the following command in a Unix or Linux shell: $ echo $(($(date -u +%s) + 1799)) | | `iss` | The unique identifier of the JWT issuer; must match the client ID in the application profile. | `"iss": "myCIBAClient"` | | `login_hint` | A string identifying the principal and subject of the JWT (the end user). | `"login_hint": "a0325ea4-9d9b-4056-931b-ab64704cc3da"` | | `scope` | A string holding a space-separated list of the requested scopes; must include `openid`. | `"scope": "openid profile"` | ## Responses | HTTP status | Description | | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `200 OK` | Success. The response body contains a JSON object with `auth_req_id` (the backchannel authentication request identifier), `expires_in`, and optionally `interval`. For example:```json { "auth_req_id": "auth-req-id", "expires_in": 600, "interval": 2 } ``` | | `4xx` | Standard OAuth 2.0 error JSON object including `error` (typically `invalid_request`, `invalid_client`, and so on) and `error_description` (human-readable explanation of what failed). For example:```json { "error": "invalid_request", "error_description": "Request must have a 'request' parameter the value of which must be a signed jwt" } ``` |