Skip to main content

Quick intro

This operation is for user-based authorizations only.

The authorization endpoint conforms to section 3.1 of RFC 6749 The OAuth 2.0 Authorization Framework.


The request for an authorization code conforms to section 4.1.1. of RFC 6749.  The following query parameters must be included in the authorization endpoint URI:

response_type MandatoryFixed value: code
client_idMandatoryAs obtained from register client operation.
redirect_uriMandatoryAfter completing its interaction with the resource owner, the
   authorization server directs the resource owner's user-agent back to
   the client.  The authorization server redirects the user-agent to the
   client's redirection endpoint previously established with the
   authorization server during the client registration process or when
   making the authorization request.
stateMandatoryAn opaque value used by the client to maintain state between the request and callback.  The authorization server includes this value when redirecting the user-agent back to the client. The parameter is used for preventing cross-site request forgery


The receipt of an authorization request triggers the PCA™ Identity and Access Manager to redirect the user to the PRODA authorization endpoint.

If the user is successfully authenticated with PRODA, then the PCA™ Identity and Access Manager (PRODA relying party) will receive a PRODA signed JWT that includes the PRODA issued identifier for the user

If the user is:

  • Not authenticated by PRODA, or
  • The user’s PRODA id is not linked to an existing PCAUser

the PCA™ Identity and Access Manager responds with an “access denied” error response as defined in section of RFC 6749.


The PCA™ Identity and Access Manager:

  • Generates an authorisation code and responds to the client in accordance with 4.1.2. of RFC 6749.
  • Links the authorisation code to the PCAUser
  • Saves the PRODA signed JWT in the prodaIdToken attribute of the PCAUser
  • Sends the authorization code to the ClientSystem’s registered endpoint (via a browser redirect) along with the state parameter that was provided in the authorisation request

Trade marks of the Australian Digital Health Agency: 
Provider Connect Australia™, Helping healthcare providers stay connected™

PCA logo
PCA logo

On this page