The authorize endpoint can be used to request tokens or authorization codes via the browser. This process typically involves authentication of the end-user.

client_id identifier of the client (required).

scope one or more registered scopes (required)

resource one or more registered API resources. If multiple resources are posted, a token request must be made later for each resource. The purpose of this parameter is to simplify requesting tokens with single audiences.

request instead of providing all parameters as individual query string parameters, you can provide a subset or all of them as a JWT. You can also include an “authorization_details” object in this JWT for information such as organization number or detailed information about the current end-user context. The JWT should be signed with the private key used for client authentication.

redirect_uri must exactly match one of the allowed redirect URIs for that client (required)

response_type

code requests an authorization code. Code flow.

code id_token requests an authorization code and identity token. Hybrid flow.

id_token requests an identity token. Implicit flow. DEPRECATED. Not allowed for new client configurations.

token requests an access token. Implicit flow. DEPRECATED. Not allowed for new client configurations.

id_token token requests an identity token and an access token. Implicit flow. DEPRECATED. Not allowed for new client configurations.

code id_token token requests an authorization code, identity token and access token. DEPRECATED. Not allowed for new client configurations.

response_mode

form_post sends the token response as a form post instead of a fragment encoded redirect (optional)

state HelseID will echo back the state value on the token response. This is for round-tripping state between client and provider, correlating request and response, and CSRF/replay protection. (recommended)

nonce HelseID will echo back the nonce value in the identity token. This is for replay protection.

Required for identity tokens via implicit grant.

prompt

none no UI will be shown during the request. If this is not possible (e.g. because the user has to sign in or consent) an error is returned

login the login UI will be shown, even if the user is already signed-in and has a valid session

code_challenge sends the code challenge for PKCE

code_challenge_method

plain indicates that the challenge is using plain text (not recommended)

S256 indicates that the challenge is hashed with SHA256

ui_locales gives a hint about the desired display language of the login UI

nb-no Norwegian bokmål (default)

en-us English

max_age if the user’s logon session exceeds the max age (in seconds), the home realm will be shown

on_behalf_of the organization number of the organization responsible for the current authentication. If using ID-porten, this information is passed on to them and will be added to the total authentication count for the organization.

test_pid use this pid (fødselsnummer) when logging into the TestIDP. Only used when the chosen IDP is the TestIDP

test_hpr_number use this HPR number when logging into the TestIDP. Only used when the chosen IDP is the TestIDP

test_security_level use this security level when logging into the TestIDP. Only used when the chosen IDP is the TestIDP

acr_values allows passing in additional authentication-related information. The following values are supported:

idp:name_of_idp bypasses the home realm screen and forwards the user directly to the selected identity provider (if allowed per client configuration)

buypass redirects directly to Buypass

commfides-javafri redirects directly to Commfides

commfides-java redirects directly to Commfides login based on java applet

amr:name_of_idp_at_idporten bypasses the home realm screen at ID-porten and forwards the user to the selected identity provider. You do not need to use idp:name_of_idp if this is set - the user will be forwarded to ID-porten.

amr:minid forward user to MinID

amr:bankid forward user to BankID

amr:bankidmobil forward user to BankID på mobil

amr:buypass forward user to Buypass

amr:commfides forward user to Commfides

...
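An added example (not part of the HelseID documentation) of a client building a code-flow authorize request with state, nonce and an S256 code_challenge, then checking the echoed state when the response comes back. The endpoint URL, client_id, redirect_uri and scope values are placeholder assumptions.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values (assumptions, not taken from the HelseID documentation).
AUTHORIZE_URL = "https://idp.example/connect/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://client.example/callback"  # must exactly match a registered URI
SCOPE = "openid example:scope"

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding PKCE (RFC 7636) uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def pkce_challenge(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_request():
    """Return (url, session); session stays on the client, tied to the user's session."""
    session = {
        "state": b64url(secrets.token_bytes(32)),
        "nonce": b64url(secrets.token_bytes(32)),  # compare to the id token's nonce later
        "code_verifier": b64url(secrets.token_bytes(32)),  # sent only in the token request
    }
    params = {
        "client_id": CLIENT_ID,
        "scope": SCOPE,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": pkce_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params), session

def check_callback(callback_url: str, session: dict) -> str:
    """Return the authorization code only if the echoed state matches the stored one."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    # Constant-time comparison on bytes; a mismatch means the response is not ours.
    if not hmac.compare_digest(state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: response does not belong to this request")
    if "code" not in query:
        raise ValueError("no authorization code in response")
    return query["code"][0]
```

With response_mode=form_post the same state check applies to the posted form fields instead of the query string.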

This document has been moved to here. Also, have a look at the use of the PAR Endpoint.