PingOne Advanced Identity Cloud

/oauth2/bc-authorize

The /oauth2/bc-authorize endpoint is the backchannel authorization endpoint for OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0.

Use this endpoint to initiate backchannel authorization with the resource owner with the following flow:

Specify the realm in the request URL; for example:

https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/bc-authorize

Request parameters

The endpoint supports the following parameters:

client_assertion (1)
  A signed JSON Web Token (JWT) to use as client credentials.
  Required: Yes, for JWT profile authentication

client_assertion_type
  The type of assertion: client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer.
  Required: Yes, for JWT profile authentication

client_id
  Uniquely identifies the application making the request.
  Required: Yes

client_secret
  The password for a confidential client.
  Required: Yes, when authenticating with form parameters (HTTP POST)

(1) The endpoint requires a signed JWT with these claims:

acr_values
  A string identifying the mechanism for the end user to provide authorization.
  Example: "acr_values": "push"

aud
  A string or array of strings indicating the intended audience of the JWT. Must include the authorization server OAuth 2.0 endpoint, including port number 443.
  Example: "aud": "https://<tenant-env-fqdn>:443/am/oauth2/realms/root/realms/alpha"

binding_message
  A short (100 characters max.) string message to display to the user when obtaining authorization.
  For push notification, messages must:
    • Begin with a letter, number, or punctuation mark.
    • Not include line breaks or control characters.
  Example: "binding_message": "Allow ExampleBank to transfer £50 from 'Main' to 'Savings'? (EB-0246326)"

exp
  The expiration time in seconds since January 1, 1970 UTC. An expiration time more than 30 minutes in the future causes a "JWT expiration time is unreasonable" error message.
  Example: "exp": 1761066489
  To generate a value just under 30 minutes in the future, run the following command in a Unix or Linux shell:
    $ echo $(($(date -u +%s) + 1799))

iss
  The unique identifier of the JWT issuer; must match the client ID in the application profile.
  Example: "iss": "myCIBAClient"

login_hint
  A string identifying the principal and subject of the JWT (the end user).
  Example: "login_hint": "a0325ea4-9d9b-4056-931b-ab64704cc3da"

scope
  A string holding a space-separated list of the requested scopes; must include openid.
  Example: "scope": "openid profile"
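As an added example (not code from the PingOne documentation), the following Python builds the claim set listed above, enforces the stated binding_message and exp limits before anything is signed, and signs and verifies the JWT. The tenant FQDN, the alpha realm path, the shared secret and the HS256 algorithm are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time, unicodedata
MAX_EXP_AHEAD_S = 30 * 60        # page: exp more than 30 minutes ahead is rejected
MAX_BINDING_MESSAGE = 100        # page: binding_message is at most 100 characters

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def check_binding_message(msg: str) -> bool:
    """Apply the push-notification rules for binding_message; raise ValueError on a violation."""
    if not 0 < len(msg) <= MAX_BINDING_MESSAGE:
        raise ValueError("binding_message must be 1 to 100 characters")
    if unicodedata.category(msg[0])[0] not in "LNP":   # letter, number or punctuation
        raise ValueError("binding_message must begin with a letter, number or punctuation mark")
    if any(unicodedata.category(c) in ("Cc", "Zl", "Zp") for c in msg):
        raise ValueError("binding_message must not contain line breaks or control characters")
    return True

def build_ciba_claims(client_id, tenant_fqdn, login_hint, binding_message,
                      scope="openid profile", acr_values="push", ttl_s=1799, now=None):
    """Assemble the claim set. tenant_fqdn and the alpha realm path are assumed values."""
    now = int(time.time()) if now is None else now
    if not 0 < ttl_s <= MAX_EXP_AHEAD_S:
        raise ValueError("exp must be at most 30 minutes in the future")
    if "openid" not in scope.split():
        raise ValueError("scope must include openid")
    check_binding_message(binding_message)
    return {
        "acr_values": acr_values,
        "aud": f"https://{tenant_fqdn}:443/am/oauth2/realms/root/realms/alpha",
        "binding_message": binding_message,
        "exp": now + ttl_s,
        "iss": client_id,            # must equal the client ID in the application profile
        "login_hint": login_hint,
        "scope": scope,
    }

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Compact JWS using HS256 (an assumed algorithm; the page does not name one)."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256(token: str, secret: bytes) -> dict:
    """Recompute the MAC, compare in constant time, and return the claims or raise."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("JWT signature does not verify")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```

With now=1761064690 the default ttl_s of 1799 reproduces the exp value shown in the table, and the same checks can be run server-side on a received assertion before it is trusted.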

Responses

200 OK
  Success. The response body contains a JSON object with auth_req_id (the backchannel authentication request identifier), expires_in, and optionally interval. For example:

  {
    "auth_req_id": "auth-req-id",
    "expires_in": 600,
    "interval": 2
  }

4xx
  A standard OAuth 2.0 error JSON object including error (typically invalid_request, invalid_client, and so on) and error_description (a human-readable explanation of what failed). For example:

  {
    "error": "invalid_request",
    "error_description": "Request must have a 'request' parameter the value of which must be a signed jwt"
  }