OpenID Connect (OIDC) extends the authentication and authorization mechanisms of OAuth 2.0 with identity-focused security features like ID tokens and user profiles. Mosaic supports an OIDC-based integration option for hosted login using secure FIDO2 WebAuthn biometrics, and social providers like Google, Facebook, Apple, and LINE.
Decoupled authentication flows are supported using Client-Initiated Backchannel Authentication (CIBA) or using the OAuth Device Flow for input-limited devices.
- client_id (string, required): Client ID for which authentication is requested. For pushed authorization requests (PAR), the client ID should match the ID of the client that initiated the PAR flow.
- redirect_uri (string): Required for authorization code flow. URI to redirect to upon completion of the authentication flow. This is the server GET endpoint used to call the token endpoint, and should accept
- scope (string): Required for authorization code flow. Scope of the requested access. Used to request specific user details like email. Must include
- loginType (string, deprecated): For authorization code flow. Authentication method to be used for this process, where
- response_type (string, default "code"): Required for authorization code flow. Response type requested for the authentication flow.
- prompt (string): For authorization code flow. Space-delimited, case-sensitive list of string values that specifies whether the Authorization Server prompts the end-user for reauthentication and consent.
- nonce (string): For authorization code flow. A random value included in the authentication request from the client (e.g. browser) to mitigate replay attacks. It is added to the id_token, and the backend service should only accept id_tokens that carry the same nonce value as the one sent in the original request.
- state (string): For authorization code flow. An opaque string used to maintain state between the request and the callback. It is added to the redirect URI as a query parameter and should be validated by your server to protect against cross-site request forgery (CSRF) attacks.
- code_challenge (string): A hashed value of the code_verifier, required for PKCE.
- code_challenge_method (string): The hashing mechanism used to transform a code_verifier into the code_challenge in PKCE flows; must be 'S256'.
- resource (string): For authorization code flow. Resource URI the authentication request is attempting to access, which is reflected in the audience (
- claims (string): For authorization code flow. A stringified object used to request additional claims in the ID token, such as roles, permissions, and other user profile data. The structure is per the OIDC standard. For supported claims and how to request custom claims, see the ID Token Reference. Note: you should stringify the value. Example: claims={"id_token":{"roles":null}}
- acr_values (string): For authorization code flow. Requested ACR values, specified as a space-separated string. The
- createNewUser (boolean, default false): For authorization code flow. Indicates if a new user should be created if one doesn't already exist (or associated with the app if the user isn't already). Public sign up must be enabled for this application.
- login_hint (string): For authorization code flow. Hint for the user's login identifier for WebAuthn login. Example: login_hint=user@acme.com
- custom_message (string): For authorization code flow. Custom message to present on the consent screens for WebAuthn login, which provides authentication context details. Example: custom_message=Welcome to Acme
- ui_locales (string): For authorization code flow. Preferred languages for the user interface for WebAuthn login, specified as a space-separated list of language tag values [RFC5646], ordered by preference.
- org_id (string): For authorization code flow. Organization ID, used for member login in B2B scenarios.
- request_uri (string): Required for PAR flow. The URI returned by the PAR request. The request_uri value is bound to the client that sent the PAR authorization request.
Redirects with authentication result.
Error response (400):
{
  "message": "Bad request",
  "error_code": 400
}
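The parameters above are what a relying party has to generate and later check. The following is an added example, not Mosaic's own code, showing a relying party preparing the authorization request with PKCE (S256), state and nonce, and then validating the callback before exchanging the code. AUTHORIZE_URL is a placeholder for the authorization endpoint from the discovery document; sending code_verifier on the token request is what RFC 7636 requires and is assumed here, since the token endpoint table on this page does not list it.

```python
"""Relying-party side of the authorization code flow with PKCE, state and nonce.

Added example (not Mosaic's code).  AUTHORIZE_URL is a placeholder; the
code_verifier in the token request is assumed per RFC 7636.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://idp.example.com/oidc/auth"  # placeholder, take it from discovery


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by PKCE and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # RFC 7636: 43..128 unreserved characters; 32 random bytes encode to exactly 43
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(code_verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), method "S256"
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorization_request(client_id, redirect_uri, scope="openid email", login_hint=None):
    """Return (url, session): send the browser to url, keep session server-side."""
    code_verifier = make_code_verifier()
    state = b64url(secrets.token_bytes(16))   # binds the callback to this browser session (CSRF)
    nonce = b64url(secrets.token_bytes(16))   # binds the id_token to this request (replay)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }
    if login_hint:
        params["login_hint"] = login_hint
    # Everything the callback and the token exchange need, never sent to the browser
    session = {"state": state, "nonce": nonce, "code_verifier": code_verifier}
    return AUTHORIZE_URL + "?" + urlencode(params), session


def parse_callback(callback_url: str, session: dict) -> str:
    """Return the authorization code, or raise if the callback does not match the session."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: possible CSRF or stale session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback missing authorization code")
    return code


def token_request_body(session, client_id, client_secret, code, redirect_uri) -> dict:
    """Form body for the token endpoint; code_verifier proves this server started the flow."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": session["code_verifier"],  # assumed per RFC 7636
    }
```

The session dict must live server-side (keyed by the browser's session cookie); the nonce it holds is what the id_token's nonce claim is compared against after the token exchange.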
Start a backchannel authentication process (see the CIBA spec). The request can either be used to obtain a direct link (for example, to embed in a QR code) or to send the user a link by SMS or email. When opened, this link initiates an authentication process. The request returns the authentication request ID that is used to complete the process on the authenticating device (by calling /auth/backchannel/complete) and obtain the token. If the link channel was specified, the response also includes the link.
The authentication request has been accepted
client_id=string&client_secret=string&scope=openid&login_hint=string&binding_message=string&requested_expiry=600&request_context=%7B%22channel%22%3A%20%22email%22%2C%20%22login_hint_type%22%3A%20%22email%22%2C%20%22custom_message%22%3A%20%22click%20on%20the%20following%20link%20to%20approve%20the%20access%3A%20%22%7D
{
  "auth_req_id": "string",
  "expires_in": 600
}
Initiate the device flow (See OAuth 2.0 Device Authorization Grant (RFC 8628)). This call returns a user code and verification URI for the user to approve or deny access on a separate device. Additionally, a device code is provided to obtain the token.
- client_id (string, required): Client ID for which authentication is requested.
- client_secret (string, required): Client secret.
- scope (string, required): Scope of the requested access. Used to request specific user details like email. Must include
- loginType (string, deprecated): Authentication method to be used for this process, where
- acr_values (string, required): Requested ACR values, specified as a space-separated string. The
The authorization request has been accepted
client_id=string&client_secret=string&scope=openid&loginType=google-direct&acr_values=urn%3Atransmit%3Agoogle_direct
{
  "device_code": "string",
  "user_code": "string",
  "verification_uri": "string",
  "verification_uri_complete": "string",
  "expires_in": 600
}
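Once the device has the response above, it shows user_code and verification_uri to the user and polls the token endpoint until the user approves or denies on the other device. The following is an added example, not Mosaic's own code, of that polling loop as RFC 8628 sections 3.4 and 3.5 define it (grant_type urn:ietf:params:oauth:grant-type:device_code, and the authorization_pending, slow_down, access_denied and expired_token error codes). TOKEN_URL is a placeholder, and the HTTP transport, sleep and clock are injected so the logic runs offline.

```python
"""Device-side poller for the OAuth 2.0 Device Authorization Grant.

Added example (not Mosaic's code).  TOKEN_URL is a placeholder; post/sleep/clock
are injected so the loop can be exercised without a network.
"""
import time

TOKEN_URL = "https://idp.example.com/oidc/token"  # placeholder, take it from discovery
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 section 3.4


class DeviceFlowError(Exception):
    """Terminal outcome: denied, expired, or an unexpected token-endpoint reply."""


def device_token_body(client_id: str, client_secret: str, device_code: str) -> dict:
    """Form body sent to the token endpoint on every poll."""
    return {
        "grant_type": DEVICE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "device_code": device_code,
    }


def poll_for_token(device_response: dict, body: dict, post,
                   sleep=time.sleep, clock=time.monotonic) -> dict:
    """Poll until a token is issued or the grant is finished.

    device_response: JSON from the device authorization endpoint (expires_in is
                     required; interval is optional and defaults to 5 s per RFC 8628).
    post(url, body) -> (http_status, parsed_json) for one token request.
    Returns the token response; raises DeviceFlowError on a terminal error.
    """
    interval = int(device_response.get("interval", 5))
    deadline = clock() + int(device_response["expires_in"])
    while True:
        if clock() >= deadline:
            # Enforce expiry locally too: the device_code is dead after expires_in
            # regardless of what the server keeps answering.
            raise DeviceFlowError("expired_token: user did not approve in time")
        sleep(interval)                       # never poll faster than the server allows
        status, resp = post(TOKEN_URL, body)
        if status == 200 and "access_token" in resp:
            return resp
        error = resp.get("error")
        if error == "authorization_pending":
            continue                          # user has not decided yet; same interval
        if error == "slow_down":
            interval += 5                     # RFC 8628 section 3.5: back off by 5 s
            continue
        # access_denied, expired_token, invalid_grant, or anything unexpected
        raise DeviceFlowError(error or f"unexpected HTTP {status}")
```

Treat access_denied and expired_token as final: the device must start a new device authorization request rather than retrying the same device_code.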
Retrieves tokens in various OIDC/OAuth flows. It's used to retrieve an ID token and user access token upon successful user authentication (for an authorization code flow), or to retrieve client access tokens for API authorization (in a client credentials flow).
- client_id (string, required): Client ID for which authentication is requested.
- client_secret (string, required): Client secret.
- code (string, required): Authorization code received from a successful authentication flow.
- grant_type (string, required): Should be set to
- redirect_uri (string, required): Redirect URI passed in the authorization request.
Returns user tokens
client_id=string&client_secret=string&code=string&grant_type=authorization_code&redirect_uri=string
{
  "access_token": "string",
  "id_token": "string",
  "expires_in": 3600,
  "scope": "string",
  "token_type": "string",
  "refresh_token": "string"
}
Revoke a specific refresh token, making it no longer valid and forcing the user to re-authenticate if they need a new one.
Token revoked successfully
client_id=string&client_secret=string&token=string&token_type_hint=access_token
{
  "message": "Bad request",
  "error_code": 400
}
Logs out the user by terminating all their sessions for this tenant. See OIDC RP-Initiated Logout.
- client_id (string): Recommended. Client ID initiating the logout request. If not passed, our default logout success page will be shown instead.
- id_token_hint (string): Previously issued ID Token passed as a hint about the user's current authenticated session with the client.
- post_logout_redirect_uri (string): Recommended. URI to which the user should be redirected after the logout has been performed. If not passed, our default logout success page will be shown instead.
- state (string): Opaque value used to maintain state between the logout request and the post logout redirect URI (which will receive it via the
Returns HTML that, when parsed by the browser, finishes the logout flow.
Error response (400):
{
  "message": "Bad request",
  "error_code": 400
}
Returns the signing key used to validate the signature of the authorization request (per OIDC spec)
{
  "keys": [
    {
      "kty": "string",
      "use": "string",
      "kid": "string",
      "alg": "string",
      "e": "string",
      "n": "string"
    }
  ]
}
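The id_token returned by the token endpoint is only trustworthy after its signature has been checked against one of these keys and its claims checked against the request that produced it. The following is an added example, not Mosaic's own code, that selects the key by kid, rejects any alg other than RS256 (so a token that claims alg "none" or an HMAC alg is never accepted against an RSA key), and then validates iss, aud, azp, exp and nonce. The RS256 signature check itself is injected as verify_signature so the block runs offline; in production that callable wraps a JOSE library. SAMPLE_JWKS, demo_token and demo_verify are constructed stand-ins, and the issuer URL and client_id are placeholders.

```python
"""id_token validation against a JWKS, with the signature primitive injected.

Added example (not Mosaic's code).  SAMPLE_JWKS/demo_token/demo_verify are
constructed for the demo; verify_signature is where a real RS256 check goes.
"""
import base64
import hmac
import json
import time


class TokenValidationError(Exception):
    pass


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def select_signing_key(jwks: dict, header: dict) -> dict:
    """Pick the JWK named by the header's kid, refusing alg downgrades."""
    if header.get("alg") != "RS256":  # the JWKS above publishes RSA keys; nothing else is acceptable
        raise TokenValidationError(f"unsupported alg {header.get('alg')!r}")
    for key in jwks.get("keys", []):
        if (key.get("kid") == header.get("kid") and key.get("kty") == "RSA"
                and key.get("use", "sig") == "sig" and key.get("alg", "RS256") == "RS256"):
            return key
    raise TokenValidationError("no RSA signing key matches kid")


def validate_id_token(id_token, jwks, issuer, client_id, expected_nonce, verify_signature, now=None):
    """Return the claims if signature and claims are valid, else raise TokenValidationError.

    verify_signature(jwk, signing_input: bytes, signature: bytes) -> bool does the RS256 check.
    """
    now = time.time() if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise TokenValidationError("malformed JWT")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    key = select_signing_key(jwks, header)
    if not verify_signature(key, f"{h_b64}.{p_b64}".encode("ascii"), _b64url_decode(s_b64)):
        raise TokenValidationError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))          # only now is the payload trusted
    if claims.get("iss") != issuer:
        raise TokenValidationError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise TokenValidationError("token was not issued for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise TokenValidationError("multiple audiences without a matching azp")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenValidationError("token expired")
    # Constant-time compare with the nonce stored in the login session (see the authorization request)
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), expected_nonce.encode()):
        raise TokenValidationError("nonce mismatch: replayed or foreign id_token")
    return claims


# Constructed sample data: a JWKS with one RSA key whose modulus is a placeholder,
# a token assembler, and a stand-in verifier that only accepts the demo signature.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "demo-key-1", "alg": "RS256",
                         "e": "AQAB", "n": "placeholder-modulus"}]}


def demo_token(payload: dict, alg="RS256", kid="demo-key-1", signature=b"demo-signature") -> str:
    header = {"alg": alg, "kid": kid, "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(signature)])


def demo_verify(key, signing_input: bytes, signature: bytes) -> bool:
    return key["kid"] == "demo-key-1" and signature == b"demo-signature"
```

Decode the payload only after the signature passes; parsing it first and branching on its contents is how unsigned or foreign-key tokens end up influencing behaviour.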
Get all metadata for the OIDC server, including paths to relevant endpoints. (see OIDC spec)
{
  "message": "Something went wrong - Internal server error",
  "error_code": 500
}
Pushed authorization request (PAR) is a secure way to initiate the authorization flow. All parameters are sent in the body of the request (see OAuth 2.0 Pushed Authorization Requests RFC).
- client_id (string, required): Client ID for which authentication is requested.
- client_secret (string, required): Client secret.
- redirect_uri (string, required): URI to redirect to upon completion of the authentication flow. This is the server GET endpoint used to call the token endpoint, and should accept
- response_type (string, required): Response type requested for the authentication flow.
- scope (string): Scope of the requested access. Used to request specific user details like email. Must include
- prompt (string): Space-delimited, case-sensitive list of string values that specifies whether the Authorization Server prompts the end-user for reauthentication and consent.
- nonce (string): A random value included in the authentication request from the client (e.g. browser) to mitigate replay attacks. It is added to the id_token, and the backend service should only accept id_tokens that carry the same nonce value as the one sent in the original request.
- state (string): An opaque string used to maintain state between the request and the callback. It is added to the redirect URI as a query parameter and should be validated by your server to protect against cross-site request forgery (CSRF) attacks.
- resource (string): Resource URI the authentication request is attempting to access, which is reflected in the audience (
- claims (string): A stringified object used to request additional claims in the ID token, such as roles, permissions, and other user profile data. The structure is per the OIDC standard. For supported claims and how to request custom claims, see the ID Token Reference. Note: you should stringify the value.
- acr_values (string): Requested ACR values, specified as a space-separated string. The
- createNewUser (boolean, default false): Indicates if a new user should be created if one doesn't already exist (or associated with the app if the user isn't already). Public sign up must be enabled for this application.
- login_hint (string): Hint for the user's login identifier for WebAuthn login.
- custom_message (string): Custom message to present on the consent screens for WebAuthn login, which provides authentication context details.
- ui_locales (string): Preferred languages for the user interface for WebAuthn login, specified as a space-separated list of language tag values [RFC5646], ordered by preference.
- org_id (string): Organization ID, used for member login in B2B scenarios.
The request has been accepted
client_id=string&client_secret=string&redirect_uri=string&response_type=code&scope=openid&prompt=none&nonce=string&state=string&resource=string&claims=string&acr_values=mfa&createNewUser=false&login_hint=string&custom_message=Welcome%20to%20Acme&ui_locales=string&org_id=string
{
  "request_uri": "string",
  "expires_in": 60
}
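With PAR, the full parameter set above goes over the client-authenticated back channel and only client_id and request_uri appear on the browser redirect, so nothing else is exposed in the front-channel URL, and the request_uri must be used before expires_in runs out. The following is an added example, not Mosaic's own code, of the two steps with the HTTP transport and clock injected so it runs offline. PAR_URL and AUTHORIZE_URL are placeholders for the endpoints published in the discovery document; the 201 status and the urn:ietf:params:oauth:request_uri: prefix in the test come from RFC 9126 and are assumptions about Mosaic's responses.

```python
"""Client side of Pushed Authorization Requests (RFC 9126).

Added example (not Mosaic's code).  PAR_URL/AUTHORIZE_URL are placeholders;
post and clock are injected so the flow can be exercised without a network.
"""
import time
from urllib.parse import parse_qs, urlencode, urlparse

PAR_URL = "https://idp.example.com/oidc/par"         # placeholder, take it from discovery
AUTHORIZE_URL = "https://idp.example.com/oidc/auth"  # placeholder, take it from discovery

# The only query parameters that may appear on the front-channel redirect with PAR
FRONT_CHANNEL_KEYS = {"client_id", "request_uri"}


def push_authorization_request(post, client_id, client_secret, authz_params, clock=time.monotonic):
    """POST the complete parameter set to the PAR endpoint with client authentication.

    authz_params: redirect_uri, response_type, scope, state, nonce, claims, ... exactly
                  as they would otherwise go on the authorization URL.
    post(url, body) -> (http_status, parsed_json).
    Returns (request_uri, deadline): deadline is the local clock value after which
    the request_uri must not be used (expires_in is short; the sample shows 60 s).
    """
    body = {"client_id": client_id, "client_secret": client_secret, **authz_params}
    sent_at = clock()
    status, resp = post(PAR_URL, body)
    if status not in (200, 201) or "request_uri" not in resp:  # RFC 9126 specifies 201
        raise RuntimeError(f"PAR rejected: HTTP {status} {resp}")
    return resp["request_uri"], sent_at + int(resp["expires_in"])


def front_channel_url(client_id, request_uri, deadline, clock=time.monotonic) -> str:
    """Build the redirect for the browser: only client_id and request_uri go on the URL."""
    if clock() >= deadline:
        raise RuntimeError("request_uri expired; push a new request instead of reusing it")
    return AUTHORIZE_URL + "?" + urlencode({"client_id": client_id, "request_uri": request_uri})


def is_par_only(url: str) -> bool:
    """True when the redirect leaks no authorization parameters on the front channel."""
    return set(parse_qs(urlparse(url).query)) <= FRONT_CHANNEL_KEYS
```

The state and nonce values are still generated by the client and stored in its session; PAR changes where they are transmitted, not how the callback and id_token are checked.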