/oauth2/bc-authorize
The /oauth2/bc-authorize endpoint is the backchannel authorization endpoint for
OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0.
Use this endpoint to initiate backchannel authorization with the resource owner with the following flow:
-
Backchannel request grant (OpenID Connect)
Specify the realm in the request URL; for example:
https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/bc-authorizeThe endpoint supports the following parameters:
| Parameter | Description | Required |
|---|---|---|
A signed JSON Web Token (JWT) to use as client credentials. |
Yes, for JWT profile authentication |
|
The type of assertion, |
Yes, for JWT profile authentication |
|
Uniquely identifies the application making the request. |
Yes |
|
The password for a confidential client. |
Yes, when authenticating with Form parameters (HTTP POST) |
(1) The endpoint requires a signed JWT with these claims:
| Claim | Description | Example | ||
|---|---|---|---|---|
|
A string identifying the mechanism for the end user to provide authorization. |
|
||
|
A string or array of strings indicating the intended audience of the JWT. Must include the authorization server OAuth 2.0 endpoint including port number 443. |
|
||
|
A short (100 character max.) string message to display to the user when obtaining authorization. For push notification, messages must:
|
|
||
|
The expiration time in seconds since January 1, 1970 UTC.
An expiration time more than 30 minutes in the future causes a |
|
||
|
The unique identifier of the JWT issuer; must match the client ID in the application profile. |
|
||
|
A string identifying the principal and subject of the JWT (the end user). |
|
||
|
A string holding a space-separated list of the requested scopes; must include |
|