OIDC Relying Party Endpoints
This topic describes the OIDC Relying Party endpoints.
Authorization
Request Parameters
| Parameter | Presence | Description |
|---|---|---|
| scope | Required | Must be openid. |
| response_type | Required | Implicit Flow (IF): Must be id_token or id_token token. Authorization Code Flow (ACF): Must be code. Hybrid Flow (HF): Must be code id_token or code token or code id_token token. |
| client_id | Required | Identifies client to the server. Relying Parties table must have client entry identified by (tenant_id, client_id). |
| redirect_uri | Required | URL to send response. Must match redirect_uri of the client entry in database. |
| state | Recommended | Opaque value used to maintain state between the request and the response (callback). |
| response_mode | Optional | Mechanism to be used for returning response (callback). If present, must be fragment, query, or form_post. |
| nonce | IF: Required. ACF: Optional | String value used to associate a Client session with an ID Token, and to mitigate replay attacks. |
| display | Optional | Not supported and ignored (now). |
| prompt | Optional | login and consent (if configured) are supported. none and select_account are not supported (now), and their presence produces an error. |
| max_age | Optional | Not supported and ignored. |
| ui_locales | Optional | Not supported and ignored. |
| login_hint | Optional | Identifies the authenticating user (subject). |
| acr_values | Optional | A single entry may specify an authentication policy, in a format similar to SAML: urn:rsa:names:tc:oidc:ac:classes:spec:<policy_name>. |
| claims | Optional | List of claims to be provided in the response id_token. Each claim should have a definition (a mapping to an IS property in the ia_oidc_relying_party_claims table). Claims without a mapping are ignored. |
| code_challenge | ACF/HF: Optional | A challenge derived from the code_verifier; it is verified at the token endpoint. |
| code_challenge_method | ACF/HF: Optional | The method used to derive code_challenge. Only S256 is supported. |
Response Parameters
| Parameter | Presence | Description |
|---|---|---|
| access_token | Optional | Provided for IF only if response_type contains token. |
| token_type | Optional | Provided for IF only if response_type contains token. |
| expires_in | Optional | Provided for IF only if response_type contains token. |
| code | ACF: Required | Provided for ACF only. |
| id_token | IF: Required | Provided for IF only. |
| state | Optional | Supported and provided conditionally (upon request). |
id_token (IDToken)
| Parameter | Presence | Description |
|---|---|---|
| iss | Required | issuer_uri. |
| sub | Required | Authentication subject. |
| aud | Required | Client issuer_uri. |
| exp | Required | Token expiration time. |
| iat | Required | Token issuance time. |
| auth_time | Required | Authentication time. |
| nonce | Optional | Supported and provided conditionally (on request). |
| acr | Optional | A single entry identifying the policy, if one was requested in acr_values of the request; otherwise, the assurance level of the user authentication. |
| amr | Optional | Not supported and not provided. |
| azp | Optional | Not supported and not provided. |
| <claims> | Optional | Claims requested in request and essential claims specified in ia_oidc_relying_party_claims table for the client. |
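The id_token table above lists the claims a Relying Party receives; the following function shows the payload checks an RP should apply to them (issuer, audience, lifetime, nonce echo, the acr policy URN format and the essential claims configured for the client). It is an added example, not code from the page or from the product; the issuer value, client identifier and 60-second clock-skew allowance are assumptions, and the JWT signature is assumed to have been verified already against the keys published via the well-known configuration.

```python
import time

# Prefix of the policy URN used in acr_values / acr (from the tables on this page).
ACR_PREFIX = "urn:rsa:names:tc:oidc:ac:classes:spec:"
# Claims the id_token table marks as Required.
REQUIRED = ("iss", "sub", "aud", "exp", "iat", "auth_time")


def validate_id_token_claims(claims, issuer_uri, expected_aud, expected_nonce=None,
                             requested_policy=None, essential_claims=(), now=None):
    """Return a list of findings; an empty list means the claim set is acceptable.

    Only the payload is checked here: the JWT signature must have been verified
    beforehand with the keys advertised in the well-known configuration.
    """
    now = time.time() if now is None else now
    findings = [f"missing required claim {c}" for c in REQUIRED if c not in claims]
    if findings:
        return findings
    if claims["iss"] != issuer_uri:
        findings.append("iss does not match the expected issuer")
    aud = claims["aud"]
    # aud may be a single string or a list; this client must be among the audiences.
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        findings.append("aud does not include this client")
    if claims["exp"] <= now:
        findings.append("token expired")
    if claims["iat"] > now + 60:  # 60 s clock-skew allowance (assumption)
        findings.append("iat is in the future")
    # nonce is returned only when requested; if the RP sent one it must come back unchanged.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        findings.append("nonce missing or mismatched (possible replay)")
    # When a policy was requested via acr_values, acr must name exactly that policy.
    if requested_policy and claims.get("acr") != ACR_PREFIX + requested_policy:
        findings.append("acr does not name the requested policy")
    # Essential claims mapped for this client in ia_oidc_relying_party_claims must be present.
    findings += [f"missing essential claim {c}" for c in essential_claims if c not in claims]
    return findings
```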
Token
Request Parameters
| Parameter | Presence | Description |
|---|---|---|
| grant_type | Required | Must be authorization_code. |
| code | Required | The code obtained from the response at the authorization endpoint. |
| redirect_uri | Required | The redirect_uri the authorization response was sent to. This value must match the redirect_uri submitted at the authorization endpoint. |
| code_verifier | Optional | Opaque value used to derive code_challenge submitted at authorization endpoint. |
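The Authorization request parameters above and the Token request parameters in this table are the two halves of one PKCE round trip: the RP sends an S256 code_challenge with the authorization request and later presents the code_verifier at the token endpoint. The following is an added example (not code from the page or the product) that builds an Authorization Code Flow request with every required parameter, checks the state binding on the callback, and performs the S256 comparison the token endpoint makes; the authorize endpoint path, client identifier and redirect_uri are assumed values.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed values (constructed for the example; the page does not state the authorize path).
AUTHORIZE_ENDPOINT = "https://demo.auth.example.com/oidc-fe/authorize"
ACR_PREFIX = "urn:rsa:names:tc:oidc:ac:classes:spec:"


def make_code_verifier() -> str:
    # 32 random bytes -> 43 unpadded base64url characters (the RFC 7636 minimum length).
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def s256_challenge(code_verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))); S256 is the only supported method.
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorization_url(client_id, redirect_uri, code_verifier, state, nonce, policy=None):
    # Authorization Code Flow request carrying every Required parameter from the table.
    params = {
        "scope": "openid",
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    if policy:  # optional authentication policy, in the URN format the page gives
        params["acr_values"] = ACR_PREFIX + policy
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    # RP side: bind the callback to the session through state before using the code.
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state") != [expected_state]:
        raise ValueError("state mismatch: callback is not bound to this session")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def verify_code_verifier(stored_challenge: str, stored_method: str, code_verifier: str) -> bool:
    # Token-endpoint side: the verifier must reproduce the challenge stored with the code.
    if stored_method != "S256" or not 43 <= len(code_verifier) <= 128:
        return False
    return secrets.compare_digest(s256_challenge(code_verifier), stored_challenge)
```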
Response Parameters
| Parameter | Presence | Description |
|---|---|---|
| access_token | Required | Provided. |
| token_type | Required | Provided: bearer. |
| expires_in | Required | Provided. Access token is valid for 300 seconds. |
| code | Not applicable | |
| id_token | Required | Provided. |
| state | Not applicable | |
Endpoint
Well-known URI registry: https://<tenant>/oidc-fe/.well-known/openid-configuration
Example: for the tenant demo.auth.example.com, the configuration document is at https://demo.auth.example.com/oidc-fe/.well-known/openid-configuration