Quick intro
This operation is for user-based authorizations only.
The authorization endpoint conforms to section 3.1 of RFC 6749 (The OAuth 2.0 Authorization Framework).
Request
The request for an authorization code conforms to section 4.1.1 of RFC 6749. The following query parameters must be included in the authorization endpoint URI:
| Parameter | Cardinality | Details |
|---|---|---|
| response_type | Mandatory | Fixed value: code |
| client_id | Mandatory | As obtained from the register client operation. |
| redirect_uri | Mandatory | After completing its interaction with the resource owner, the authorization server directs the resource owner's user-agent back to the client. The authorization server redirects the user-agent to the client's redirection endpoint previously established with the authorization server during the client registration process or when making the authorization request. |
| state | Mandatory | An opaque value used by the client to maintain state between the request and the callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter is used to prevent cross-site request forgery (CSRF). |
Response
The receipt of an authorization request triggers the PCA™ Identity and Access Manager to redirect the user to the PRODA authorization endpoint.
If the user is successfully authenticated with PRODA, the PCA™ Identity and Access Manager (the PRODA relying party) receives a PRODA-signed JWT that includes the PRODA-issued identifier for the user.
If the user is:
- not authenticated by PRODA, or
- authenticated, but the user's PRODA id is not linked to an existing PCAUser,
then the PCA™ Identity and Access Manager responds with an "access denied" error response (error code access_denied) as defined in section 4.1.2.1 of RFC 6749.
Otherwise, the PCA™ Identity and Access Manager:
- generates an authorization code and responds to the client in accordance with section 4.1.2 of RFC 6749;
- links the authorization code to the PCAUser;
- saves the PRODA-signed JWT in the prodaIdToken attribute of the PCAUser;
- sends the authorization code to the ClientSystem's registered endpoint (via a browser redirect), along with the state parameter that was provided in the authorization request.
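The following added example covers both the request above (building the authorization endpoint URI with the four mandatory parameters) and the response (classifying the browser redirect that comes back to redirect_uri as a code, an access_denied error, or something that must be rejected). It is illustrative client-side code written for this page, not PCA or PRODA code; the endpoint URI, client_id and redirect_uri are placeholders, and the callback URLs are constructed. The point it demonstrates is the state parameter: generated unguessably, remembered per request, and consumed once, so a forged or replayed redirect cannot be matched to a pending request.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder: the page does not give the PCA authorization endpoint URI.
AUTHORIZATION_ENDPOINT = "https://pca.example/oauth2/authorize"


class AuthorizationCodeClient:
    """Client-side handling of the authorization request and of the redirect
    back to redirect_uri, following RFC 6749 sections 4.1.1 and 4.1.2."""

    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id          # as obtained from the register client operation
        self.redirect_uri = redirect_uri    # must equal the URI registered with the server
        self._pending_states = set()        # states issued and not yet consumed

    def build_authorization_url(self):
        """Build the authorization endpoint URI carrying the four mandatory
        parameters. state is an unguessable, single-use value that is
        remembered so the callback can be tied back to this request."""
        state = secrets.token_urlsafe(32)
        self._pending_states.add(state)
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "state": state,
        }
        return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}", state

    def handle_callback(self, callback_url):
        """Classify the redirect the user-agent delivered to redirect_uri.

        Returns a dict whose "status" is one of:
          "ok"       - a code arrived for a state this client issued
          "error"    - the server sent an RFC 6749 4.1.2.1 error (e.g. access_denied)
          "rejected" - the callback is not trustworthy: wrong target, missing,
                       unknown or reused state, or neither code nor error present
        The state check is what makes the redirect resistant to CSRF: a forged
        or replayed callback cannot carry a state this client is still waiting on.
        """
        parsed = urlparse(callback_url)
        expected = urlparse(self.redirect_uri)
        if (parsed.scheme, parsed.netloc, parsed.path) != (expected.scheme, expected.netloc, expected.path):
            return {"status": "rejected", "reason": "callback target is not the registered redirect_uri"}

        query = parse_qs(parsed.query)
        state = query.get("state", [None])[0]
        if state is None or state not in self._pending_states:
            return {"status": "rejected", "reason": "missing or unknown state"}
        self._pending_states.discard(state)  # single use: a replay of this callback is rejected

        if "error" in query:
            return {
                "status": "error",
                "error": query["error"][0],
                "error_description": query.get("error_description", [None])[0],
            }
        code = query.get("code", [None])[0]
        if code is None:
            return {"status": "rejected", "reason": "callback carries neither code nor error"}
        return {"status": "ok", "code": code}


if __name__ == "__main__":
    client = AuthorizationCodeClient("client-123", "https://client.example/callback")
    url, state = client.build_authorization_url()
    print("send user-agent to:", url)
    # Constructed callbacks, shaped as the server's browser redirect would deliver them.
    print(client.handle_callback(f"https://client.example/callback?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"))
    print(client.handle_callback(f"https://client.example/callback?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"))  # replay
    url2, state2 = client.build_authorization_url()
    print(client.handle_callback(f"https://client.example/callback?error=access_denied&state={state2}"))
```

In a real deployment the pending-state set lives in the user's server-side session (or is bound to it) rather than in process memory, and a callback with an unexpected state is logged as a possible CSRF attempt rather than silently dropped.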