Permalink
Fetching contributors…
Cannot retrieve contributors at this time
47 lines (34 sloc) 3.37 KB

Parameters Forwarding

The {project_name} initial authorization endpoint request has support for various parameters. Most of the parameters are described in OIDC specification. Some parameters are added automatically by the adapter based on the adapter configuration. However, there are also a few parameters that can be added on a per-invocation basis. When you open the secured application URI, the particular parameter will be forwarded to the {project_name} authorization endpoint.

For example, if you request an offline token, then you can open the secured application URI with the scope parameter like:

http://myappserver/mysecuredapp?scope=offline_access

and the parameter scope=offline_access will be automatically forwarded to the {project_name} authorization endpoint.

The supported parameters are:

  • scope - Use a space-delimited list of scopes. A space-delimited list typically references Client scopes defined on particular client. Note that the scope openid will be always be added to the list of scopes by the adapter. For example, if you enter the scope options address phone, then the request to {project_name} will contain the scope parameter scope=openid address phone.

  • prompt - {project_name} supports these settings:

    • login - SSO will be ignored and the {project_name} login page will be always shown, even if the user is already authenticated

    • consent - Applicable only for the clients with Consent Required. If it is used, the Consent page will always be displayed, even if the user previously granted consent to this client.

    • none - The login page will never be shown; instead the user will be redirected to the application, with an error if the user is not yet authenticated. This setting allows you to create a filter/interceptor on the application side and show a custom error page to the user. See more details in the specification.

  • max_age - Used only if a user is already authenticated. Specifies maximum permitted time for the authentication to persist, measured from when the user authenticated. If user is authenticated longer than maxAge, the SSO is ignored and he must re-authenticate.

  • login_hint - Used to pre-fill the username/email field on the login form.

  • kc_idp_hint - Used to tell {project_name} to skip showing login page and automatically redirect to specified identity provider instead. More info in the Identity Provider documentation.

Most of the parameters are described in the OIDC specification. The only exception is parameter kc_idp_hint, which is specific to {project_name} and contains the name of the identity provider to automatically use. For more information see the Identity Brokering section in {adminguide_name}.

Warning
If you open the URL using the attached parameters, the adapter will not redirect you to {project_name} if you are already authenticated in the application. For example, opening http://myappserver/mysecuredapp?prompt=login will not automatically redirect you to the {project_name} login page if you are already authenticated to the application mysecredapp . This behavior may be changed in the future.