The Authorization Endpoint performs Authentication of the End-User. This is done by sending the User Agent to the Identify OAuth 2.0 authorization server's Authorization Endpoint for Authentication and Authorization, using request parameters defined by OAuth 2.0 and additional parameters and parameter values defined by OpenID Connect.
Identify OAuth 2.0 supports the authorization request's "max_age" parameter as specified in https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest.
The "max_age" parameter specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by Identify. If the elapsed time is greater than the max_age value, the client MUST attempt to actively re-authenticate the End-User.
When max_age is used, the returned access token and ID token MUST include an auth_time claim value. The auth_time claim in the ID token is a JSON number representing the number of seconds from 1970-01-01T00:00:00Z, as measured in UTC, until the date/time that the ID token is issued.
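The client-side check described above, as an added example that is not part of the original documentation: a relying party that sent max_age reads auth_time from the ID token and decides whether it must re-authenticate the End-User. The token layout is the standard compact JWT; the sample token and its placeholder signature segment are constructed here, and signature validation is assumed to happen before these claims are trusted.

```python
import base64
import json
import time
from typing import Optional, Tuple


def decode_jwt_payload(id_token: str) -> dict:
    """Parse the payload segment of a compact JWT (header.payload.signature).
    This does NOT verify the signature; verify it first, then read claims."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_max_age(claims: dict, max_age: int, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, reason). ok=False means the client must actively
    re-authenticate the End-User (e.g. repeat the request with prompt=login)."""
    if now is None:
        now = int(time.time())
    auth_time = claims.get("auth_time")
    if auth_time is None:
        return False, "auth_time claim missing although max_age was requested"
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        return False, "auth_time is not a JSON number"
    elapsed = now - int(auth_time)
    if elapsed < 0:
        return False, "auth_time lies in the future; check clock skew"
    if elapsed > max_age:  # strictly greater: elapsed == max_age is still acceptable
        return False, f"authenticated {elapsed}s ago, exceeds max_age={max_age}"
    return True, f"authenticated {elapsed}s ago, within max_age={max_age}"


def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED sample ID token for offline demonstration only.
    The signature segment is a placeholder, not a real signature."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.placeholder-signature"


if __name__ == "__main__":
    # Constructed claims: End-User authenticated 100 s before this check.
    token = make_sample_token({"sub": "user-123", "auth_time": 1700000000, "iat": 1700000050})
    print(check_max_age(decode_jwt_payload(token), max_age=300, now=1700000100))
```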
The prompt parameter specifies whether the Identify Server prompts the End-User for reauthentication and consent. The defined values are:
- none: The possible workflows are:
  - If the End-User is not already authenticated, a login_required error is returned.
  - If the End-User is already authenticated but the corresponding client is not configured with the appropriate consents, an interaction_required error is returned.
  - If the End-User is already authenticated with the appropriate consents but id_token_hint is missing, the login proceeds successfully.
  - If the End-User is already authenticated with the appropriate consents but id_token_hint is invalid, a login_required error is returned.
- login: The Identify server prompts the End-User for reauthentication even if the End-User is already authenticated.
- consent: The Identify server prompts the End-User for consent before returning information to the Client. If it cannot obtain consent, it returns a consent_required error.
request and request_uri parameter
You can visit here to see how it works.
The whr parameter specifies which Identity Provider the OAuth 2.0/OIDC application would like to use. You can visit here to know how it works.
Note: You need to add the Whr parameter Home Realm Discovery rule on the "Choose the HRD rules and the order that you want them to run" dropdown list found on the Home Realm Discovery tab of the OAuth 2.0/OIDC application.
Authentication request improvements
All issued tokens are revoked when their authorization code is reused
As required by the specification, an authorization code must not be used more than once. If a code is reused, all tokens issued from it (both the access token and the related refresh token) are revoked.
In addition, the Identify userinfo endpoint rejects any request submitted with a revoked access_token.