Skip to content
Connect2id

Authorisation session

1. Introduction

A key highlight of the Connect2id server is its authorisation session web interface. Enterprises and system integrators will appreciate its power to handle just about any business requirement, using a total of just three RESTful calls.

What are the defining features of the authorisation session API?

  • It binds a login / consent UI at the OAuth 2.0 authorisation endpoint. The web interface neatly decouples the UI from the Connect2id server, freeing customers to design and implement the UI in any language and framework deemed appropriate, and host it independently from the server.

  • Enables simple plugin of arbitrary authentication methods, such as LDAP, hardware tokens, X.512 certificates and biometrics.

  • If required, also enables simple plugin of arbitrary logic and rule engines to fit the business needs for resolving and deciding on the OAuth 2.0 scope values and OpenID Connect claims of the issued authorisations, applying explicit and / or implicit consent.

  • Zero service downtime is required for updates and changes of the login / consent UI, authentication methods and authorisation logic.

Use of the authorisation session API can be compared to the MVC pattern. It first decodes the raw OpenID Connect authentication request, then guides the login / consent UI to perform the necessary steps to complete the authorisation request:

  • It prompts the UI to (re)authenticate the end-user, if required. This can occur if the end-user browser / device has no established session with the Connect2id server or their session cookie has expired, or if the requesting application needs an upgraded authentication strength (ACR).

  • Presents a prompt with the requested OAuth 2.0 scope values and OpenID Connect claims. It helpfully marking those scope values and claim names that have been remembered as previously consented by the end-user. Also included are the registered details of the client application, such as ID, name, logo, description and other information. The UI can then prompt the end-user for their consent, or call upon some business logic for that or in addition to that.

The authorisation session API also enables programmatic setting of the access token encoding, lifetime and refresh option.

Access to the authorisation session API is protected by means of a long-lived token. The token must be passed with each HTTP request in the Authorization header:

Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

Additional details are found in the authorisation endpoint configuration reference.

2. Web API overview

Resources
Representations Errors

3. Resources

3.1 /authz-sessions/rest/v1/

3.1.1 POST

Starts a new authorisation session with the Connect2id server.

The login / consent UI at the OAuth 2.0 authorisation endpoint should start a new authorisation session upon receiving a new OpenID Connect authentication request from the client application.

The POST request can produce four possible response types:

  • Authentication prompt – Prompts the UI to authenticate the end-user. Indicated by a 200 status code and a "type":"auth" member of the JSON object representing the authentication prompt.

  • Consent prompt – Prompts the UI to obtain the end-user’s consent for the requested OAuth 2.0 scope values and OpenID Connect claims. Indicated by a 200 status code and a "type":"consent" member of the JSON object representing the consent prompt.

  • Redirection – Prompts the UI to redirect the user agent (browser) back to the client application. Indicated by a 302 status code. The redirection URI, containing the encoded OAuth 2.0 / OpenID Connect response, is found in the Location header value.

  • Authorisation error without redirection – Notifies the UI that the submitted OAuth 2.0 / OpenID Connect request has failed; the user agent (browser) cannot or should not be redirected back to the client application. Indicated by a 220 status code.

Header parameters:

  • Authorization Must specify the configured bearer access token for this web API.

  • Content-Type Must be set to application/json.

Query parameters:

  • [ ajax = false ] {true|false} Optional parameter, causes the HTTP redirection response to be given a status code of 204 instead of 302. Intended for browser / Ajax - based test / development web clients of the authorisation session API.

Body:

Success:

  • Code: 200

  • Content-Type: application/json

  • Body: {object} A JSON object representation of an authentication prompt or a consent prompt. The two prompts can be differentiated by their type value. The identifier of the newly created authorisation session is found in the sid member.

Redirection:

  • Code: 302 (204 if the ajax query parameter was true).

  • Location: The URI to which the user agent (browser) should be redirected, containing the encoded OpenID Connect authentication success / error response in the query / fragment string.

Authorisation error without redirection:

  • Code: 220

  • Content-Type: application/json

  • Body: {object} A JSON object detailing the authorisation request error. The user agent (browser) cannot or should not be redirected back to the client application.

Errors:

Example POST request to start an authorisation session with the Connect2id server, specifying the query string of the received OpenID Connect authentication request; the subject (end-user) session identifier (SID) is omitted, indicating a browser session cookie has not been found:

POST /authz-sessions/rest/v1/ HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
Content-Type: application/json

{
  "query"   : "response_type=code&scope=openid%2020email&client_id=s6BhdR&state=af0ifjsldkj&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb"
}

Example response, citing the identifier of the newly created authorisation session (sid) and prompting the UI to authenticate the present end-user (e.g. by checking their username / password credentials):

HTTP/1.1 200 OK
Content-Type: application/json

{
  "type"           : "auth",
  "sid"            : "g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE",
  "display"        : "popup",
  "select_account" : false
}

3.2 /authz-sessions/rest/v1/{sid}

3.1.1 GET

Returns the original request parameters of the specified authorisation session.

Path parameters:

  • sid {string} The authorisation session identifier (SID).

Header parameters:

Success:

  • Code: 200

  • Content-Type: application/json

  • Body: {object} A JSON object representation of the authorisation session.

Errors:

Example request:

GET /authz-sessions/rest/v1/g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

Example response, citing the key parameters of the OpenID Connect request that was used to create the authorisation session; the sub_sid member refers to the subject session of the end-user:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "auth_req" : { "response_type" : "code id_token",
                 "client_id"     : "8cc2043",
                 "redirect_uri"  : "https://client.example.org/cb",
                 "scope"         : [ "openid", "email" ],
                 "state"         : "af0ifjsldkj",
                 "nonce"         : "8dfqxd90pa_",
                 "display"       : "popup",
                 "ui_locales"    : [ "es", "en" ] },
  "sub_sid"  : "g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE"
}

3.1.2 PUT

Updates an authorisation session with the required details, which can be the subject identity details, or the consent details. Once these are submitted the OpenID Connect authentication / OAuth 2.0 authorisation is completed.

The PUT request can produce two possible response types:

  • Consent prompt – Prompts the UI to obtain the end-user’s consent for the requested OAuth 2.0 scope values and OpenID Connect claims. Indicated by a 200 status code and a "type":"consent" member of the JSON object representing the consent prompt.

  • Redirection – Prompts the UI to redirect the user agent (browser) back to the client application. Indicated by a 302 status code. The redirection URI, containing the encoded OAuth 2.0 / OpenID Connect response, is found in the Location header value.

Path parameters:

  • sid {string} The authorisation session identifier (SID).

Header parameters:

  • Authorization Must specify the configured bearer access token for this web API.

  • Content-Type Must be set to application/json.

Query parameters:

  • [ ajax = false ] {true|false} Optional parameter, causes the HTTP redirection response to be given a status code of 204 instead of 302. Intended for browser / Ajax - based test / development web clients of the authorisation session API.

Body:

  • A JSON object representation of one of the following:

Success:

  • Code: 200

  • Content-Type: application/json

  • Body: {object} A JSON object representation of a consent prompt.

Redirection:

  • Code: 302 (204 if the ajax query parameter was true).

  • Location: The URI to which the user agent (browser) should be redirected, containing the encoded OpenID Connect authentication success / error response in the query / fragment string.

Errors:

Example request to submit the details for the subject session, such as the end-user ID and the authentication properties, so the UI can proceed to the consent step.

PUT /session-store/rest/v1/g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

{
  "sub"       : "alice",
  "auth_time" : 12345678,
  "acr"       : "urn:c2id:acr:mfa",
  "amr"       : [ "ldap", "token" ]
}

Example response prompting the UI to obtain the end-user’s consent to log into “Example App” and authorise access to her email:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "type"       : "consent",
  "sid"        : "g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE",
  "display"    : "popup",
  "sub_session : { "sid"           : "9yLXidrzk91r3BCpJeF1Vrf_aza4oNe-EdNkaXBa1iw",
                   "sub"           : "alice",
                   "auth_time"     : 12345678,
                   "creation_time" : 12345678,
                   "acr"           : "urn:c2id:acr:mfa",
                   "amr"           : [ "ldap", "token" ],
                   "max_life"      : 20160,
                   "auth_life"     : 1440,
                   "max_idle"      : 15 },
  "client"     : { "client_id"        : "8cc2043",
                   "application_type" : "web"
                   "name"             : "Example App",
                   "uri"              : "http://app.example.com"},
  "scope"      : { "new"       : [ "openid", "email" ],
                   "consented" : [ ] },
  "claims"     : { "new"       : { "essential" : [ "email", "email_verified" ],
                                   "voluntary" : [ ] },
                   "consented" : { "essential" : [ ],
                                   "voluntary" : [ ] } }
}

3.1.3 DELETE

Denies the authorisation request. This request can made in response to the end-user pressing a button to deny login or authorisation to the client application.

Produces a redirection URI with an encoded access_denied OAuth 2.0 error which the UI can use to send the user agent (browser) back to the client application.

Path parameters:

  • sid {string} The authorisation session identifier (SID).

Header parameters:

Query parameters:

  • [ ajax = false ] {true|false} Optional parameter, causes the HTTP redirection response to be given a status code of 204 instead of 302. Intended for browser / Ajax - based test / development web clients of the authorisation session API.

Redirection:

  • Code: 302 (204 if the ajax query parameter was true).

  • Location: The URI to which the user agent (browser) should be redirected, containing the encoded access_denied OAuth 2.0 error response in the query / fragment string.

Errors:

Example request to deny login or authorisation:

DELETE /authz-sessions/rest/v1/Vcg62csZGqGufdeth1eK1HlFqWKkVRmP3YBT5cTl7s0 HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

Example response, the Location header specifies the redirection URI with the encoded Auth 2.0 access_denied error:

HTTP/1.1 302 Found
Location: https://client.example.com/cb?error=access_denied&state=xyz

4. Representations

4.1 Authorisation session start request

Specifies the OpenID Connect authentication request received at the OAuth 2.0 authorisation endpoint (the login UI) and the identifier of the subject (end-user) session with the Connect2id server, if such exists.

JSON object members:

Example JSON object for an authorisation session start request, detailing the OpenID Connect query string and the subject session identifier (SID) obtained from a browser cookie:

{
  "query"   : "response_type=code&scope=openid%2020email&client_id=s6BhdR&state=af0ifjsldkj&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb",
  "sub_sid" : "9yLXidrzk91r3BCpJeF1Vrf_aza4oNe-EdNkaXBa1iw"
}

If no session cookie is found the sub_sid is omitted:

{
  "query"   : "response_type=code&scope=openid%2020email&client_id=s6BhdR&state=af0ifjsldkj&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb"
}

4.2 Authentication prompt

Prompts the UI to (re)authenticate the present end-user. May specify required authentication methods (amr), strength (acr) and other parameters.

JSON object members:

  • type {string} Set to auth. Used to differentiate this prompt from a consent prompt.

  • sid {string} The authorisation session identifier, used to refer to the authorisation session in subsequent requests. Not be confused with the subject (end-user) session identifier.

  • display {“page”|“popup”|“touch”|“wap”} The end-user display time.

  • [ ui_locales ] {string array} The end-user’s preferred UI locales, by order of preference, omitted if not specified.

  • [ required_sub ] {string} The required subject (end-user) to authenticate, omitted if not specified.

  • [ login_hint ] {string} Optional hint to the UI about the login identifier the end-user might use to log in (if necessary). This hint can be used by a client application if it first asks the end-user for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered Identity Provider. The use of this parameter is left to the Identity Provider’s discretion.

  • [ acr ] {object} The requested Authentication Context Class Reference (ACR), omitted if not specified: * [ essential ] {string array} The essential ACRs, ordered by preference, omitted if not specified. * [ voluntary ] {string array} The voluntary ACRs, ordered by preference, omitted if not specified.

  • select_account {true|false} If true the UI should prompt the end-user to select a user account. This enables an end-user who has multiple accounts with the Identity Provider to select amongst the multiple accounts that they might have current sessions for.

  • [ sub_session ] {object} A JSON object representation of the current subject (end-user) session, omitted if none.

Example authentication prompt, with all fields defined:

{
  "type"           : "auth",
  "sid"            : "g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE",
  "display"        : "popup",
  "ui_locales"     : [ "es", "en" ],
  "required_sub"   : "alice",
  "login_hint"     : "alice@wonderland.net",
  "acr"            : { "essential" : [ "urn:c2id:acr:mfa" ] },
  "select_account" : false,
  "sub_session     : { "sid"           : "9yLXidrzk91r3BCpJeF1Vrf_aza4oNe-EdNkaXBa1iw",
                       "sub"           : "alice",
                       "auth_time"     : 12345678,
                       "acr"           : "urn:c2id:acr:basic",
                       "amr"           : [ "ldap" ],
                       "creation_time" : 1234567,
                       "max_life"      : 20160,
                       "auth_life"     : 1440,
                       "max_idle"      : 15,
                       "data"          : { "name"  : "Alice Adams",
                                           "email" : "alice@wonderland.net" } }
}

Example minimal authentication prompt:

{
  "type"           : "auth",
  "sid"            : "g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE",
  "display"        : "popup",
  "select_account" : false
}

Prompts the UI to obtain the end-user’s consent for the specified OAuth 2.0 scope values and OpenID Connect claims.

JSON object members:

  • type {string} Set to consent. Used to differentiate this prompt from an authentication prompt.

  • sid {string} The authorisation session identifier, used to refer to the authorisation session in subsequent requests. Not be confused with the subject (end-user) session identifier.

  • display {“page”|“popup”|“touch”|“wap”} The end-user display type.

  • [ ui_locales ] {string array} The end-user’s preferred UI locales, by order of preference, omitted if not specified.

  • [ sub_session ] {object} A JSON object representation of the current subject (end-user) session.

  • client {object} A JSON object representation of the registered details for the requesting client:

    • client_id {string} The identifier of the client application.

    • application_type {“web”|“native”} The client application type.

    • [ name ] {string} Optional name of the client application to be presented to the end-user. May use language tags (BCP47).

    • [ uri ] {string} Optional URI of the home page of the client application to be presented to the end-user in a followable fashion. May use language tags (BCP47).

    • [ logo_uri ] {string} Optional logo of the client application to be presented to the end-user. May use language tags (BCP47).

    • [ policy_uri ] {string} Optional URI of a page describing how the end-user profile data will be used by the client application, to be presented to the end-user in a followable fashion. May use language tags (BCP47).

    • [ tos_uri ] {string} Optional URI of a page describing the client application’s terms of service, to be presented to the end-user in a followable fashion. May use language tags (BCP47).

    • [ scope ] {string array} Optional OAuth 2.0 scope values that the client application may request. These values are set at client registration; their semantics and treatment is service specific and can also be ignored.

  • scope {object} A JSON object representing the requested OAuth 2.0 scope values, grouped into two sets:

    • new {string array} A string array of scope values requested for the first time, empty array if none.

    • consented {string array} A string array of scope values for which the Connect2id server has previously recorded the end-user’s consent, empty array if none.

  • claims {object} A JSON object representing the requested OpenID Connect claims:

    • new {object} A JSON object representing the claims requested for the first time, grouped into two sets:

      • essential {string array} Those marked as essential, empty array if none.

      • voluntary {string array} Those marked as voluntary, empty array if none.

    • consented {object} A JSON object representing the claims for which the Connect2id server has previously recorded the end-user’s consent, grouped into two sets:

      • essential {string array} Those marked as essential, empty array if none.

      • voluntary {string array} Those marked as voluntary, empty array if none.

    • [ locales ] {string array} The requested claims locales, omitted if not specified.

Example consent prompt, with all fields defined:

{
  "type"       : "consent",
  "sid"        : "g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE",
  "display"    : "popup",
  "ui_locales" : [ "es", "en" ],
  "sub_session : { "sid"           : "9yLXidrzk91r3BCpJeF1Vrf_aza4oNe-EdNkaXBa1iw",
                   "sub"           : "alice",
                   "auth_time"     : 12345678,
                   "acr"           : "urn:mace:incommon:iap:silver",
                   "amr"           : [ "mfa" ]
                   "creation_time" : 1234567,
                   "max_life"      : 20160,
                   "auth_life"     : 1440,
                   "max_idle"      : 15,
                   "data"          : { "name"  : "Alice Adams",
                                       "email" : "alice@wonderland.net" } },
  "client"    : { "client_id"        : "8cc2043",
                  "application_type" : "web",
                  "name"             : "My Web Store",
                  "name#es"          : "Mi tienda virtual",
                  "uri"              : "http://my-web-store.com",
                  "uri#es"           : "http://my-web-store.com/es",
                  "logo_uri"         : "http://my-web-store.com/logo.jpg",
                  "logo_uri#es"      : "http://my-web-store.com/es/logo.jpg",
                  "policy_uri"       : "http://my-web-store.com/privacy-policy.html",
                  "policy_uri#es"    : "http://my-web-store.com/es/privacy-policy.html",
                  "tos_uri"          : "http://my-web-store.com/tos.html",
                  "tos_uri#es"       : "http://my-web-store.com/es/tos.html",
                  "scope"            : [ "openid", "email" ] },
  "scope"     : { "new"       : [ "app:write" ],
                  "consented" : [ "openid", "profile", "email" ] },
  "claims"    : { "new"       : { "essential" : [ ],
                                  "voluntary" : [ ] },
                  "consented" : { "essential" : [ "name", "email" ],
                                  "voluntary" : [ "website", "birthdate", "phone_number" ] },
                  "locales"   : [ "es", "en" ] }
}

Example JSON object, with the minimum amount of fields defined:

{
  "type"       : "consent",
  "sid"        : "g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE",
  "display"    : "popup",
  "sub_session : { "sid"           : "9yLXidrzk91r3BCpJeF1Vrf_aza4oNe-EdNkaXBa1iw",
                   "sub"           : "alice",
                   "auth_time"     : 12345678,
                   "creation_time" : 1234567,
                   "max_life"      : 20160,
                   "auth_life"     : 1440,
                   "max_idle"      : 15 },
  "client"     : { "client_id"        : "8cc2043",
                   "application_type" : "web" },
  "scope"      : { "new"       : [ "openid" ]
                   "consented" : [ ] },
  "claims"     : { "new"       : { "essential" : [ ],
                                   "voluntary" : [ ] },
                   "consented" : { "essential" : [ ],
                                   "voluntary" : [ ] } }
}

Specifies the consented OAuth 2.0 scope values and OpenID Connect claims. The Connect2id server will use it to construct an authorisation record with the required ID, access and refresh token parameters for the given subject and client application.

JSON object members:

  • scope {string array} The consented OAuth 2.0 scope values. These may be a subset of the originally requested values, or include additional ones. If consent is given should at least contain the openid scope value.

  • [ audience ] {string array} Optional parameter specifying an explicit audience for the issued access token. The audience should be represented as one or more client identifiers.

  • [ claims ] {string array} The names of the consented OpenID Connect claims, with optional language tags (BCP47). These may be a subset of the originally requested claims, or include additional ones.

  • [ preset_claims ] {object} Optional JSON object specifying additional preset OpenID Connect claims to include in the ID token and / or the UserInfo response:

    • [ id_token ] Preset claims to include in the ID token, omitted or empty JSON object if none.

    • [ userinfo ] Preset claims to include in the UserInfo response, omitted or empty JSON object if none.

  • [ long_lived = true ] {true|false} Long-lived authorisation flag. If true identifies a long-lived authorisation that is persisted and may optionally allow issue of a refresh token. If false the authorisation is transient and will be deleted as soon as the access token associated with it expires. Defaults to true if not specified.

  • [ issue_refresh_token = true ] {true|false} Issue-refresh-token flag. Applies only to long-lived (persisted) authorisations. If true a refresh token will be issued along with the access token. Defaults to true if not specified.

  • [ access_token ] {object} Optional access token settings, overriding the default configuration:

Example authorisation confirmation, as JSON object:

{
  "scope"               : [ "openid", "profile", "email", "app:admin" ],
  "audience"            : [ "http://app1.example.com", "http://app2.example.com" ],
  "claims"              : [ "name", "email", "email_verified" ],
  "preset_claims"       : { "id_token" : { "login_ip"  : "185.7.248.1",
                                           "login_geo" : { "long" : "37.3956",
                                                           "lat"  : "-122.076" } },
                            "userinfo" : { "groups" : [ "admin", "audit" ] } },
  "long_lived"          : true,
  "issue_refresh_token" : true,
  "access_token"        : { "lifetime" : 600,
                            "encoding" : "SELF_CONTAINED" }
}

4.5 Authorisation session

Specifies the request parameters for the authorisation session.

JSON object members:

  • auth_req {object} A JSON object representing the original OpenID Connect authentication request parameters:

    • response_type {string} The OAuth 2.0 response type.

    • client_id {string} The client identifier.

    • redirect_uri {string} The redirection URI.

    • scope {string array} The requested scope values.

    • [ state ] {string} The state parameter, omitted if not specified.

    • [ nonce ] {string} The nonce, omitted if not specified.

    • [ display ] {string} The end-user display type, omitted if not specified.

    • [ ui_locales ] {string array} The end-user’s preferred UI locales, by order of preference, omitted if not specified.

    • [ claims ] {object} The OpenID Connect claims parameter, omitted if not specified.

    • [ claims_locales ] {string array} The end-user’s preferred claims locales, by order of preference, omitted if not specified.

  • [ sub_sid ] {string }The subject (end-user) session identifier, omitted if none is currently associated with the authorisation session.

Example authorisation session, as JSON object:

{
  "auth_req" : { "response_type" : "code id_token",
                 "client_id"     : "8cc2043",
                 "redirect_uri"  : "https://client.example.org/cb",
                 "scope"         : [ "openid", "email" ],
                 "state"         : "af0ifjsldkj",
                 "nonce"         : "8dfqxd90pa_",
                 "display"       : "popup",
                 "ui_locales"    : [ "es", "en" ] },
  "sub_sid"  : "g6f5K6Kf6EY11zC00errCf64yLtg9lLANAcnXQk2xUE"
}

4.6 Authorisation error without redirection

Indicates an OAuth 2.0 / OpenID Connect authorisation error. The user agent (browser) cannot or should not be redirected back to the client application.

JSON object members:

  • error {string} The error code.

  • [ error_description ] {string} Optional human readable error description.

Example error for an OpenID Connect request that is missing the redirect_uri parameter:

{
  "error"             : "invalid_request",
  "error_description" : "Missing \"redirect_uri\" parameter"
}

5. Errors

400 Bad Request

Invalid or malformed request.

Example:

HTTP/1.1 400 Bad Request
Content-Type: application/json

{
  "error"             : "invalid_request",
  "error_description" : "Bad request: Invalid JSON: Unexpected token foo at position 3."
}

401 Unauthorized

The request was denied due to an invalid or missing bearer access token.

Example:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer
Content-Type: application/json

{
  "error"             : "missing_token",
  "error_description" : "Unauthorized: Missing Bearer access token"
}

404 Not Found

The requested resource doesn’t exist.

Example:

HTTP/1.1 404 Not Found
Content-Type: application/json

{
  "error"             : "authz_not_found",
  "error_description" : "Not found: Authorization not found"
}

500 Internal Server Error

An internal server error has occurred. Check the Connect2id server logs for details.

Example:

HTTP/1.1 500 Internal Server Error
Content-Type: application/json

{
  "error"             : "server_error",
  "error_description" : "Internal server error: Something bad happened",
  "stack"             : "Exception in thread...",
  "note"              : "See the server logs for additional details"
}

Was this helpful?

Rate limit reached. Try again after a minute.
Last updated:
Direct authorisation →