Authorize is a standard endpoint that triggers authentication of an end-user via one of the IDP options, followed by authorization in terms of consent handling. Authorization information is then returned in the response to the requesting OIDC Client. The Authorize endpoint always triggers a series of redirects, eventually returning to the requesting OIDC Client at a redirect_uri specified by the client. For security reasons only pre-registered redirect URIs are allowed. Note that BankID OIDC only supports the Authorization Code Flow. We recommend checking out the getting started guide for how to initialize an authentication request and handle the response. See message flow details for a detailed overview of the authorization code flow in BankID OIDC.
For native mobile apps, we (and RFC 8252) recommend opening the authentication flow either in an external browser or in an in-app browser tab such as Safari View Controller (iOS) or Chrome Custom Tabs (Android).
Other applicable HTTP error codes if the redirect URI is missing, invalid or mismatching
The recommended practice for merchants is to use the Authorize URL from openid-configuration rather than hardcoding the below URL value.
|List of scope values specifying what kind of resources (dataset) the OIDC Client requests access to. The value |
Note: Other response types such as "id_token", "id_token token" and "code token" were previously supported.
|Unique ID (arbitrary string) for the OIDC Client in question. This is created as part of the provisioning process.|
|Redirect URI to which the Authorize response will be sent. This URI must exactly match one of the Redirect URI values for the OIDC Client pre-registered at the OpenID Provider|
|Opaque value used to maintain state between the request and the callback. It is strongly recommended that merchants provide this value to mitigate Cross-Site Request Forgery.|
The response mode to be used for returning parameters from the Authorization Endpoint via
|String value used to associate an OIDC Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token|
|May be used to set a language preference for GUI handling. The default GUI experience supports 'nb' (Norsk Bokmål) and 'en' (English). If |
|Support for the standardized values |
Requests use of a specific Identity Provider (IDP), or any IDP at a given Level of Assurance (Authentication Context Class Reference) or above. A selector dialogue is shown to the end-user if more than one IDP option meets the required minimum level. Note that this parameter has no effect if the
This parameter may be used to specify the use of a particular named IDP (Authentication Method Reference) along with any pre-configuration for the designated IDP. Note that this parameter has no effect if the
See further details on login_hint support for each of the supported IDPs.
The display parameter allows Clients to adjust the user interface displayed to end-users to make it more consistent with the device type and viewport size.
|JWT value for an ID Token previously issued by the OIDC Provider, used as a hint about the end-user's authenticated session with the OIDC Provider. Note that this parameter takes precedence over both |
|request||This parameter may be used to group and send several query parameters as one. The standard specifies guidelines for how to use it. BankID OIDC supports both plaintext and encrypted request objects. Encrypted and signed objects are possible in certain cases. If the request parameter contains personal information it should be encrypted; see details in Signing and encryption. The request_uri parameter is not yet supported.|
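The request parameters above fit together as follows. The example below is added here and is not code from BankID or from this documentation: it builds an Authorization Code Flow request with a fresh state and nonce, records both server-side for the later callback and ID token checks, and refuses a redirect_uri that is not an exact string match against the client's registered set. The Authorize URL, the registered redirect URI and the client id are placeholders; in practice the Authorize URL is read from openid-configuration as recommended above.

```python
import secrets
from typing import Dict, Optional
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder Authorize URL (hypothetical host). In production, read the
# authorization endpoint from the provider's openid-configuration document
# rather than hardcoding it.
AUTHORIZE_URL = "https://oidc.example.invalid/authorize"

# Redirect URIs pre-registered for this client at the OpenID Provider
# (constructed sample). Matching is an exact string comparison, as the
# provider performs it: no normalisation, no prefix or wildcard matching.
REGISTERED_REDIRECT_URIS = frozenset({"https://merchant.example/callback"})

# Pending authentication requests keyed by state. Constructed stand-in for a
# server-side session store; bind entries to the browser session in real code.
PENDING: Dict[str, dict] = {}


def new_unguessable_value() -> str:
    """256 bits from the OS CSPRNG, URL-safe so it travels unmodified in the query."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, scope: str = "openid",
                        ui_locales: Optional[str] = None,
                        acr_values: Optional[str] = None,
                        login_hint: Optional[str] = None) -> str:
    """Build the Authorize request URL and record its state and nonce.

    The caller must later verify that the callback carries the same state
    (CSRF mitigation) and that the ID token carries the same nonce (replay
    mitigation); both values are kept in PENDING for that purpose.
    """
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        # Fail on the client side; the provider rejects mismatches as well.
        raise ValueError("redirect_uri is not one of the registered values")
    if "openid" not in scope.split():
        raise ValueError("scope must include 'openid' for an OpenID Connect request")

    state = new_unguessable_value()
    nonce = new_unguessable_value()
    params = {
        "response_type": "code",  # the only response type BankID OIDC supports
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    # Optional parameters are sent only when the caller sets them.
    for name, value in (("ui_locales", ui_locales),
                        ("acr_values", acr_values),
                        ("login_hint", login_hint)):
        if value is not None:
            params[name] = value

    PENDING[state] = {"nonce": nonce, "redirect_uri": redirect_uri,
                      "client_id": client_id}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def request_params(url: str) -> Dict[str, str]:
    """Inspection helper: parse the query string of a built URL into single values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    # "merchant-client-id" is a placeholder for the id assigned at provisioning.
    print(build_authorize_url("merchant-client-id", "https://merchant.example/callback",
                              scope="openid profile", ui_locales="nb"))
```

Each call produces a new state and nonce, so two requests from the same browser never share a value, and the lookup table is what the callback handler consults to decide whether a response belongs to a request this client actually made.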
Note that the following set of standard parameters is currently not supported by the OpenID Connect Provider from BankID:
Authorization Code flow
If the authentication was successful, the response contains a code parameter that may be used to retrieve an ID token and Access token from the token endpoint. If the authentication was unsuccessful, an error, and potentially an error_description, will be returned. See authentication error response for more details. The response may also contain a state parameter if it was specified when initiating the authentication.
|The state parameter should be used by the merchant to correlate the initial request and the callback response. It will only be included if provided in the initial request.|
|BankID OIDC does not support session management, but this parameter may still be included in the response. It should be ignored by merchants.|
|A short-lived, one time use code that is used to retrieve the ID, Access and Refresh tokens using the token endpoint.|
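A merchant-side handler for the response described above, added here as an example rather than code from BankID or from this documentation. It correlates the callback with the pending request by state before it looks at anything else, consumes the state entry so a replayed callback is rejected, surfaces error and error_description, ignores the session management parameter, and hands back the one-time code together with the nonce recorded at request time. The pending-request store, the redirect URI and the sample callback URLs are constructed for the example.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit, parse_qs


class AuthorizeError(Exception):
    """Raised when the callback cannot be accepted; the message states why."""


def _single(query: Dict[str, list], name: str) -> Optional[str]:
    """Return the single value of a query parameter, or None; reject duplicates."""
    values = query.get(name, [])
    if len(values) > 1:
        raise AuthorizeError(f"parameter {name!r} appears more than once")
    return values[0] if values else None


def handle_callback(callback_url: str, pending: Dict[str, dict]) -> dict:
    """Accept an Authorize response and correlate it with a pending request.

    `pending` maps the state sent in the request to what the client needs
    later: the nonce for the ID token check and the redirect_uri for the
    token request. The entry is removed on first use (one-time).
    """
    parts = urlsplit(callback_url)
    query = parse_qs(parts.query, keep_blank_values=True)

    # 1. Correlate via state before reading code or error, so a response the
    #    merchant never requested (CSRF, stale tab, replay) is dropped first.
    state = _single(query, "state")
    if state is None or state not in pending:
        raise AuthorizeError("missing or unknown state; callback not correlated to a request")
    context = pending.pop(state)

    # The callback must have arrived at the exact redirect_uri sent in the request.
    arrived_at = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if arrived_at != context["redirect_uri"]:
        raise AuthorizeError("callback arrived at a URI other than the requested redirect_uri")

    # 2. Error response: report error and, when present, error_description.
    error = _single(query, "error")
    if error is not None:
        description = _single(query, "error_description") or ""
        raise AuthorizeError(f"authentication failed: {error} {description}".rstrip())

    # 3. Success response: a one-time code to redeem at the token endpoint.
    code = _single(query, "code")
    if not code:
        raise AuthorizeError("success response without a code parameter")

    # session_state, if present, is ignored: BankID OIDC has no session management.
    return {"code": code, "nonce": context["nonce"],
            "redirect_uri": context["redirect_uri"]}


if __name__ == "__main__":
    # Constructed sample: one pending request and the callback it produced.
    store = {"s1": {"nonce": "n1", "redirect_uri": "https://merchant.example/callback"}}
    print(handle_callback(
        "https://merchant.example/callback?code=abc123&state=s1&session_state=ignored",
        store))
```

Ordering matters here: a callback without a known state is dropped before any code or error value is inspected, which keeps an attacker-supplied or stale response from ever reaching the token exchange, and because the state entry is popped on success, the same callback URL presented a second time fails the correlation step.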