diff --git a/_pages/oidc/authorization.md b/_pages/oidc/authorization.md index 13fafefb..215cf04c 100644 --- a/_pages/oidc/authorization.md +++ b/_pages/oidc/authorization.md @@ -86,149 +86,149 @@ In an **unsuccessful authorization**, the URI will contain the parameters `error

Authorization

-

- The authorization endpoint handles authentication and authorization of a user. - To present the Login.gov authorization page to a user, direct them to the - /openid_connect/authorize. View an example for private_key_jwt or PKCE in the side panel. -

-

Request Parameters

- -
-
-

acr_values

-
-
-

- The Authentication Context Class Reference requests can be used to specify the type of service level or the AAL (Authentication Assurance Level) for the user. These and the scope determine which user attributes will be available in the user info response. -

-

- Multiple values can be joined with a space (before being URI-escaped in the final URL). -

-
+

+ The authorization endpoint handles authentication and authorization of a user. + To present the Login.gov authorization page to a user, direct them to the + /openid_connect/authorize. View an example for private_key_jwt or PKCE in the side panel. +

+

Request Parameters

+ +
+
+

acr_values

-
-
- {% include accordion.html content=service_levels accordion_id="service_level_accordion" title="Type of Service Level" id="service_level" %} - {% include accordion.html content=aal_values accordion_id="aal_accordion" title="Authentication Assurance (AAL) Values" id="aal_values" %} - {% include accordion.html content=deprecated_values accordion_id="deprecated_accordion" title="Deprecated Service Values" id="deprecated_values" %} -
+
+

+ The Authentication Context Class Reference requests can be used to specify the type of service level or the AAL (Authentication Assurance Level) for the user. These and the scope determine which user attributes will be available in the user info response. +

+

+ Multiple values can be joined with a space (before being URI-escaped in the final URL). +

+
+
+
+
+ {% include accordion.html content=service_levels accordion_id="service_level_accordion" title="Type of Service Level" id="service_level" %} + {% include accordion.html content=aal_values accordion_id="aal_accordion" title="Authentication Assurance (AAL) Values" id="aal_values" %} + {% include accordion.html content=deprecated_values accordion_id="deprecated_accordion" title="Deprecated Service Values" id="deprecated_values" %} +
+
+
+
+

client_id

+
+
+

Also known as the issuer, this is the unique identifier for the client. This will be registered with the Login.gov IdP in advance.

+
+
+
+
+

prompt

+
+
+

This must be select_account

-
+
+
+
+

response_type

+
+
+

This must be code

+
+
+
+
+

redirect_uri

+
+
+

The URI Login.gov will redirect to after a successful authorization.

+
+
+
+
-

client_id

+

scope

-

Also known as the issuer, this is the unique identifier for the client. This will be registered with the Login.gov IdP in advance.

+

A space-separated string of the scopes being requested. (Keep in mind the blank space “ “ should be encoded with “+”.) The authorization page will display the list of attributes being requested from the user. Applications should aim to request the fewest user attributes and smallest scope needed.

+

OIDC requests MUST contain the openid scope value.

-
+
+
+ {% include accordion.html content=scope_possible_values accordion_id="scope_accordion" id="scope_possible_values" title="Possible Values" %} +
+
+
+
+
-

prompt

+

state

-

This must be select_account

+

A unique value, at least 22 characters in length, used for maintaining state between the request and the callback. This value will be returned to the client on a successful authorization.

-
+
+
+
-

response_type

+

nonce

-

This must be code

+

A unique value, at least 22 characters in length, used to verify the integrity + of the id_token and mitigate + replay attacks.

+

This value should include per-session state and be unguessable by attackers. This value will be present in the + id_token of the token endpoint response, + where clients will verify that the nonce claim value is equal to the value of the nonce parameter sent in the authentication request.

+

Read more about nonce implementation in the spec.

-
+
+
+
-

redirect_uri

+

locale

optional
-

The URI Login.gov will redirect to after a successful authorization.

-
-
-
-
-
-

scope

-
-
-

A space-separated string of the scopes being requested. (Keep in mind the blank space “ “ should be encoded with “+”.) The authorization page will display the list of attributes being requested from the user. Applications should aim to request the fewest user attributes and smallest scope needed.

-

OIDC requests MUST contain the openid scope value.

-
-
-
-
- {% include accordion.html content=scope_possible_values accordion_id="scope_accordion" id="scope_possible_values" title="Possible Values" %} -
-
-
-
-
-
-

state

-
-
-

A unique value, at least 22 characters in length, used for maintaining state between the request and the callback. This value will be returned to the client on a successful authorization.

-
+

If you know that a user would prefer one of our alternative language translations (currently Spanish or French), you can include the locale parameter to specify the language Login.gov should use (either ES for Spanish or FR for French).

-
-
-
-

nonce

-
-
-

A unique value, at least 22 characters in length, used to verify the integrity - of the id_token and mitigate - replay attacks.

-

This value should include per-session state and be unguessable by attackers. This value will be present in the - id_token of the token endpoint response, - where clients will verify that the nonce claim value is equal to the value of the nonce parameter sent in the authentication request.

-

Read more about nonce implementation in the spec.

-
-
-
-
-
-
-

locale

optional -
-
-

If you know that a user would prefer one of our alternative language translations (currently Spanish or French), you can include the locale parameter to specify the language Login.gov should use (either ES for Spanish or FR for French).

-
-
-
-
-
-
- JWT Request - {% include snippets/oidc/auth/jwt.md %} -
-
-
- {{ authorization_response | markdownify }} - Next step: Token -
-
-
- - -
- {% include snippets/oidc/auth/success.md %} -
- -
+
+
+ JWT Request + {% include snippets/oidc/auth/jwt.md %} +
+
+
+ +
+
+ {{ authorization_response | markdownify }} + Next step: Token +
+
+
+ + +
+ {% include snippets/oidc/auth/success.md %} +
+
- Next step: Token
+ Next step: Token