/oauth2/bc-authorize
The /oauth2/bc-authorize endpoint is the backchannel authorization endpoint for
OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0.
Use this endpoint to initiate backchannel authorization with the resource owner with the following flow:
- Backchannel request grant (OpenID Connect)

Specify the realm in the request URL; for example:
https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/bc-authorize

The endpoint supports the following parameters:

| Parameter | Description | Required | 
|---|---|---|
| | A signed JSON Web Token (JWT) to use as client credentials. | Yes, for JWT profile authentication |
| | The type of assertion, | Yes, for JWT profile authentication |
| | Uniquely identifies the application making the request. | Yes |
| | The password for a confidential client. | Yes, when authenticating with Form parameters (HTTP POST) |

(1) The endpoint requires a signed JWT with these claims:

| Claim | Description | Example |
|---|---|---|
| | A string identifying the mechanism for the end user to provide authorization. | |
| | A string or array of strings indicating the intended audience of the JWT. Must include the authorization server OAuth 2.0 endpoint. | |
| | A short (100 character max.) string message to display to the user when obtaining authorization. For push notification, messages must: | |
| | The expiration time in seconds since January 1, 1970 UTC. An expiration time more than 30 minutes in the future causes a | |
| | An ID token identifying the principal and subject of the JWT (the end user). Required when not using | |
| | The unique identifier of the JWT issuer; must match the client ID in the application profile. | |
| | A string identifying the principal and subject of the JWT (the end user). Required when not using | |
| | A string holding a space-separated list of the requested scopes; must include | |
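
A preflight check for the constraints in the claims table, run on a request JWT before it is sent; this is an added example, not code from the original page or from the product. The claim names (`aud`, `binding_message`, `exp`, `id_token_hint`, `iss`, `login_hint`, `scope`) and the `openid` scope value are taken from CIBA Core 1.0, since the table text here does not show them. The client ID, host name, `ES256` header and sample JWT are constructed assumptions, and the signature is not verified.

```python
import base64
import json
import time


def _b64u(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def sample_jwt(claims):
    """Constructed compact JWT with a placeholder signature (alg is an assumption)."""
    return ".".join([_b64u({"alg": "ES256", "typ": "JWT"}), _b64u(claims), "c2ln"])


def decode_claims(jwt):
    """Decode the payload segment only; this does NOT verify the signature."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def lint_request_claims(claims, client_id, as_endpoint, now=None):
    """Return the claims-table constraints that this claim set violates."""
    now = int(time.time()) if now is None else now
    problems = []
    aud = claims.get("aud", [])
    if as_endpoint not in ([aud] if isinstance(aud, str) else aud):
        problems.append("aud does not include the authorization server endpoint")
    if claims.get("iss") != client_id:
        problems.append("iss does not match the client ID")
    if len(claims.get("binding_message", "")) > 100:  # 100 character maximum
        problems.append("binding_message is longer than 100 characters")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("exp is missing or already in the past")
    elif exp - now > 30 * 60:  # at most 30 minutes in the future
        problems.append("exp is more than 30 minutes in the future")
    if not (claims.get("id_token_hint") or claims.get("login_hint")):
        problems.append("neither id_token_hint nor login_hint is present")
    if "openid" not in str(claims.get("scope", "")).split():
        problems.append("scope does not include openid")
    return problems


if __name__ == "__main__":
    AS = "https://tenant.example.com/am/oauth2/realms/root/realms/alpha"  # constructed
    claims = {"aud": AS, "iss": "myClient", "exp": int(time.time()) + 3600,
              "binding_message": "Allow login?", "login_hint": "demo-user", "scope": "profile"}
    for problem in lint_request_claims(decode_claims(sample_jwt(claims)), "myClient", AS):
        print("FAIL:", problem)
```
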