Authorize
This is the starting point of the OAuth 2.0 flow to authenticate end users from your application. This authorization endpoint complies with the OAuth 2.0 specification and is used by clients to authenticate users and obtain an authorization code. To use this endpoint, your application must be registered as an OAuth 2.0 client in VMware Identity Manager with the 'authorization_code' grant type enabled.
The VMware Identity Services tenant ID
my-tenant
Specifies the callback endpoint in your application that will receive the authorization code. It must match the redirect_uri defined in your OAuth 2.0 client registration in VMware Identity Manager. When sent as a URL parameter, the redirect_uri must be URL encoded.
https://example-app.com/redirect?auth%3Doauth
This is the identifier of the OAuth 2.0 client that was registered in VMware Identity Manager.
Example_AppID
Specifies how the application should receive the authorization response. Supported response_type values: 'code', 'id_token', 'id_token token', 'code id_token', 'code token', 'code id_token token'. Values that include 'id_token' or 'token' return tokens directly on the redirect (OpenID Connect implicit and hybrid flows) rather than only an authorization code.
code id_token
A random, unguessable string that your application generates per request and that is sent back unchanged as a parameter on the redirect to redirect_uri. Your application must check that the returned value matches the one it sent before accepting the authorization code; this binds the response to the user's session and protects against cross-site request forgery (RFC 6749, Section 10.12).
5aPY-C1JSeyTiUPWV_DLDw
Optional list of scopes, separated by spaces and URL encoded. The scopes must be equal to or a subset of the scopes defined in the OAuth 2.0 client. Scopes that do not match any scope defined in the OAuth 2.0 client are ignored. If omitted or empty, the scopes defined in the OAuth 2.0 client are used.
openid+profile+email+user
Specifies the user's domain. If this parameter is given, the login screen skips the domain selection page. Use it when it is known that a single domain is in use or the domain can be inferred automatically (from the username, for example). This is an optional VMware Identity Manager parameter and is not part of the OAuth 2.0 specification.
example.com
Specifies the user's login name. If your application already knows which user is going to log in and VMware Identity Manager will pass that user on to a third-party IdP, adding this parameter sends the username as part of the SAML request. This is an optional VMware Identity Manager parameter and is not part of the OAuth 2.0 specification.
Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. This is an optional parameter prescribed in the OpenID Connect specification.
String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values used. The nonce value is a case-sensitive string. Like state, it should be random and unguessable and generated freshly for each request.
Specifies whether to prompt the user for re-authentication or consent. Supported prompt values: 'login' - redirects the user to authenticate regardless of whether they already have an authenticated session. 'none' - displays no login interface and returns a response with error code 'login_required' when the user is not authenticated.
login
Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the End-User was last actively authenticated. Per the OpenID Connect specification, if more time than this has elapsed the Authorization Server must actively re-authenticate the End-User.
Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. VMware Identity Manager currently supports only a single authentication method: if multiple values are provided, only the first one is considered and the others are rejected.
The authorization request was successful.
The authorization request failed. Causes include: no client_id was specified, the client_id does not exist, or the redirect_uri was not specified or does not match the client registration. The error response contains 'error' and 'error_description' fields. Note that, per RFC 6749 Section 4.1.2.1, an Authorization Server must not redirect to a redirect_uri that is missing or fails validation, so those errors are shown to the user rather than delivered to your callback. See the OAuth 2.0 specification for further details.
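The following is an added example, not code from the page or from VMware, showing the client side of the request parameters above and of the success and error responses: building the authorize URL (with the redirect_uri and space-separated scopes URL encoded exactly as the examples on this page show), then validating the redirect back to redirect_uri by checking state before anything else, surfacing 'error'/'error_description', and comparing the ID Token's nonce claim with the one sent. The endpoint host and path are assumptions (the page only gives the tenant ID), the ID Token used in the demo is a constructed unsigned token, and the nonce check assumes the token's signature has already been verified against the Authorization Server's published keys, which this example does not do.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint: the page gives only the tenant ID ("my-tenant"); the host
# and path below are placeholders, not values taken from the page.
AUTHORIZE_ENDPOINT = "https://my-tenant.example.com/SAAS/auth/oauth2/authorize"


def build_authorize_url(client_id, redirect_uri, scopes=(), response_type="code id_token",
                        domain=None, login_hint=None, prompt=None, max_age=None,
                        acr_values=None, endpoint=AUTHORIZE_ENDPOINT):
    """Return (url, state, nonce). state and nonce are fresh per request and must
    be stored in the user's session so the callback can be checked against them."""
    state = secrets.token_urlsafe(16)   # binds the callback to this session (CSRF)
    nonce = secrets.token_urlsafe(16)   # binds the ID Token to this request (replay)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # urlencode percent-encodes ':' '/' '?' '='
        "response_type": response_type,
        "state": state,
        "nonce": nonce,
    }
    if scopes:
        params["scope"] = " ".join(scopes)  # space-separated; urlencode emits '+'
    for name, value in (("domain", domain), ("login_hint", login_hint),
                        ("prompt", prompt), ("max_age", max_age),
                        ("acr_values", acr_values)):
        if value is not None:
            params[name] = str(value)
    return f"{endpoint}?{urlencode(params)}", state, nonce


class AuthorizationError(Exception):
    pass


def parse_callback(callback_url, expected_state):
    """Validate the redirect back to the client and return its parameters.
    Hybrid responses ('code id_token') arrive in the URL fragment, plain 'code'
    responses in the query string; whichever is present is parsed."""
    parsed = urlparse(callback_url)
    raw = parsed.fragment or parsed.query
    resp = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    # Check state first, even on error responses, so a forged redirect cannot
    # inject a code (or an error) into a session that never started this flow.
    if not hmac.compare_digest(resp.get("state", ""), expected_state):
        raise AuthorizationError("state mismatch: response is not bound to this session")
    if "error" in resp:
        raise AuthorizationError(f"{resp['error']}: {resp.get('error_description', '')}")
    if "code" not in resp and "id_token" not in resp:
        raise AuthorizationError("response carries neither code nor id_token")
    return resp


def id_token_nonce_matches(id_token, expected_nonce):
    """Compare the ID Token's nonce claim with the nonce sent in the request.
    Assumes the JWT signature was already verified against the Authorization
    Server's JWKS; claims of an unverified token must not be trusted."""
    payload_b64 = id_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)   # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return hmac.compare_digest(claims.get("nonce", ""), expected_nonce)


def make_fake_id_token(claims):
    """Constructed, unsigned JWT for the offline demo only; not a real token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    url, state, nonce = build_authorize_url(
        "Example_AppID", "https://example-app.com/redirect?auth=oauth",
        scopes=("openid", "profile", "email", "user"), domain="example.com", prompt="login")
    print(url)
    # Constructed callback, as the browser would deliver it for 'code id_token'.
    cb = (f"https://example-app.com/redirect?auth=oauth#code=SplxlOBeZQQYbYS6WxSbIA"
          f"&state={state}&id_token={make_fake_id_token({'sub': 'jdoe', 'nonce': nonce})}")
    resp = parse_callback(cb, state)
    print("code:", resp["code"], "nonce ok:", id_token_nonce_matches(resp["id_token"], nonce))
```

The demo deliberately never treats the ID Token as trusted: in a real client the signature, issuer, audience and expiry checks come first, and the nonce comparison shown here is the final step that ties the verified token to the request this session actually made.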