/authorize
Start an interactive authorization request and issue an authorization code after login.
Audience: Developers
Read this page when constructing browser redirects into TokenIDP.
Prerequisites
- Registered Application
- Redirect URI configured in the Application
- PKCE code challenge and state
Method
GET /authorize
Authentication Requirements
- End-user login is interactive.
- No bearer token is required before the redirect.
- TokenIDP requires response_type=code and PKCE parameters.
Parameters
| Name | Required | Description |
|---|---|---|
| client_id | Yes | Application identifier |
| redirect_uri | Yes | Must match a registered redirect URI |
| response_type | Yes | Must be code |
| scope | Yes | Space-delimited scopes |
| state | Recommended | CSRF correlation value |
| code_challenge | Yes | PKCE challenge |
| code_challenge_method | Yes | Use S256 |
Working Example
Example Request
GET /authorize?client_id=portal-spa&redirect_uri=https%3A%2F%2Fportal.example.com%2Fcallback&response_type=code&scope=openid%20profile%20email%20offline_access%20orders.read&state=9d4f8dd1&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256 HTTP/1.1
Host: id.example.com
Example Success Response
HTTP/1.1 302 Found
Location: https://portal.example.com/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=9d4f8dd1
Error Responses
- 400 Bad Request with "Missing required OAuth parameters."
- 400 Bad Request with "Only response_type=code is supported."
- 400 Bad Request with "Missing PKCE parameters."
- 400 Bad Request when the authorization context is invalid or the Tenant context mismatches.
Common Pitfalls
- Using a redirect URI variant that differs by path, port, or trailing slash.
- Omitting state.
- Failing to persist the PKCE verifier through the browser round trip.
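The following is an added client-side example, not TokenIDP's own code: it derives an S256 PKCE pair, builds the redirect from the Working Example above, and validates the 302 callback against the stored state and the exact registered redirect URI (the pitfalls listed above). The authorize endpoint URL is assumed from the Host header in the example.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs, quote

# Assumed from the example request's Host header.
AUTHORIZE_URL = "https://id.example.com/authorize"


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for code_challenge_method=S256."""
    if verifier is None:
        # 32 random bytes -> 43 unpadded base64url chars (RFC 7636 allows 43..128).
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scopes, state, code_challenge):
    """Build the GET /authorize redirect; quote_via=quote encodes spaces as %20."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote)


def parse_callback(location, expected_state, registered_redirect_uri):
    """Validate the Location of the 302 and return the code, or raise ValueError.

    The redirect target is compared exactly, so a variant that differs by path,
    port, or trailing slash is rejected, and a state mismatch is never exchanged.
    """
    parts = urlsplit(location)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != registered_redirect_uri:
        raise ValueError("callback arrived on a redirect URI that is not the registered one")
    query = parse_qs(parts.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale tab or cross-site forged callback")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]
```

The state and the verifier must be stored per login attempt (for example in session storage) before redirecting, because both are needed again only after the browser round trip.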
Troubleshooting Tips
- If the endpoint fails before login, inspect the query string first.
- If the callback includes an unexpected Tenant result, verify the user session belongs to the same Tenant as the pre-authorization context.