Authorization Endpoint
Initiate the OAuth 2.1 authorization code flow with PKCE to obtain an authorization code.
Endpoint
GET /oauth2/auth
Base URL: https://api-id.avnology.net
Authentication: None (user authenticates interactively)
Initiates an OAuth 2.1 authorization code flow. The user is redirected to the Avnology ID login page, and after authentication and consent, redirected back to your redirect_uri with an authorization code.
PKCE (code_challenge) is required for all clients (OAuth 2.1 mandate).
Request
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| response_type | string | Yes | Must be code |
| client_id | string | Yes | Your OAuth application's client ID |
| redirect_uri | string | Yes | Must exactly match a registered redirect URI |
| scope | string | Yes | Space-separated scopes (e.g., openid profile email) |
| state | string | Recommended | Random string for CSRF protection |
| code_challenge | string | Yes | Base64url-encoded SHA-256 hash of code_verifier |
| code_challenge_method | string | Yes | Must be S256 |
| nonce | string | No | Random value for ID token replay protection |
| prompt | string | No | none, login, or consent |
| login_hint | string | No | Pre-fill the email field |
| organization_id | string | No | Restrict to a specific organization |
Example Request
```bash
# Step 1: Generate PKCE values
# code_verifier: 32 random bytes, base64url-encoded without padding -> 43 characters
# (PKCE requires 43..128). Translating '/' and '+' instead of deleting them keeps
# the length fixed; deleting them could leave a verifier shorter than 43 characters.
CODE_VERIFIER=$(openssl rand -base64 32 | tr -d '=' | tr '/+' '_-')
# code_challenge: base64url(SHA-256(code_verifier)) without padding,
# sent together with code_challenge_method=S256
CODE_CHALLENGE=$(printf '%s' "$CODE_VERIFIER" | openssl dgst -sha256 -binary | base64 | tr -d '=' | tr '/+' '_-')
```
Response
Success -- Redirect with Authorization Code
After the user authenticates and consents, the browser is redirected to:
https://app.acme.com/callback?code=auth_code_abc123def456&state=<your_state>
Error -- Redirect with Error
https://app.acme.com/callback?error=access_denied&error_description=The+user+denied+the+request&state=<your_state>
| Error | Description |
|---|---|
| invalid_request | Missing or invalid parameter |
| unauthorized_client | Client not authorized for this grant type |
| access_denied | User denied consent |
| unsupported_response_type | Must be code |
| invalid_scope | Requested scope is invalid |
| server_error | Internal error |
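The request parameters and the two redirect shapes above, worked end to end in Python: building the /oauth2/auth URL with a fresh verifier, state and nonce, then validating the callback so that a missing or mismatched state is rejected before the code is used and an error redirect is never mistaken for success. This is an added example, not code from the Avnology documentation or SDK; the base URL and path are taken from the Endpoint section, and the client ID, redirect URI and callback URLs are constructed values.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Base URL and path as given in the Endpoint section of this page.
AUTH_ENDPOINT = "https://api-id.avnology.net/oauth2/auth"


def s256_challenge(verifier: str) -> str:
    """code_challenge = base64url(SHA-256(code_verifier)), padding stripped (method S256)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def start_authorization(client_id: str, redirect_uri: str, scopes: list[str]) -> tuple[str, dict]:
    """Build the authorization URL and return it together with the per-request
    secrets the client must keep (bound to the user's session) until the callback."""
    pending = {
        "code_verifier": secrets.token_urlsafe(32),  # 43 URL-safe chars, inside the 43..128 PKCE range
        "state": secrets.token_urlsafe(16),          # CSRF token, compared on the callback
        "nonce": secrets.token_urlsafe(16),          # echoed in the ID token for replay detection
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must exactly match a registered redirect URI
        "scope": " ".join(scopes),
        "state": pending["state"],
        "code_challenge": s256_challenge(pending["code_verifier"]),
        "code_challenge_method": "S256",
        "nonce": pending["nonce"],
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", pending


class CallbackError(Exception):
    """Raised when the redirect back to redirect_uri must not be trusted."""


def handle_callback(callback_url: str, pending: dict) -> str:
    """Validate the redirect and return the authorization code.

    The state check runs first and applies to error redirects as well: a callback
    whose state does not match the stored value is discarded regardless of content.
    """
    query = parse_qs(urlparse(callback_url).query)  # parse_qs also turns '+' into spaces
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state.encode(), pending["state"].encode()):
        raise CallbackError("state mismatch: possible CSRF or a stale/foreign callback")
    if "error" in query:
        description = query.get("error_description", [""])[0]
        raise CallbackError(f"{query['error'][0]}: {description}")
    code = query.get("code", [None])[0]
    if not code:
        raise CallbackError("callback carries neither code nor error")
    return code  # hand this, with pending["code_verifier"], to the token endpoint
```

The verifier is never sent to /oauth2/auth; only its S256 challenge is. Keep `pending` server-side (for example in the session) so the same browser that started the flow is the one that finishes it.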
Complete PKCE Flow
JavaScript

```javascript
import crypto from 'crypto';

function generatePKCE() {
  // code_verifier: 32 random bytes as base64url (43 characters, no padding)
  const verifier = crypto.randomBytes(32).toString('base64url');
  // code_challenge: base64url(SHA-256(verifier)), sent with code_challenge_method=S256
  const challenge = crypto.createHash('sha256').update(verifier).digest('base64url');
  return { verifier, challenge };
}
```

Python

```python
import secrets
import hashlib
import base64
from urllib.parse import urlencode

def generate_pkce():
    # code_verifier: 32 random bytes as URL-safe text (43 characters)
    verifier = secrets.token_urlsafe(32)
    # code_challenge: base64url(SHA-256(verifier)) with padding stripped (S256)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge

def auth_query(client_id, redirect_uri, scopes, challenge, state):
    # Query string for GET /oauth2/auth; the verifier itself is never sent here
    return urlencode({"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
                      "scope": " ".join(scopes), "state": state,
                      "code_challenge": challenge, "code_challenge_method": "S256"})
```

Go

```go
import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"net/url"
	"strings"
)

func buildAuthorizationURL(clientID, redirectURI string, scopes []string) (authURL, codeVerifier, state string) {
	verifierBytes := make([]byte, 32)
	stateBytes := make([]byte, 16)
	if _, err := rand.Read(verifierBytes); err != nil { // crypto/rand: a CSPRNG failure is not recoverable
		panic(err)
	}
	if _, err := rand.Read(stateBytes); err != nil {
		panic(err)
	}
	codeVerifier = base64.RawURLEncoding.EncodeToString(verifierBytes) // 43 characters, no padding
	state = base64.RawURLEncoding.EncodeToString(stateBytes)
	sum := sha256.Sum256([]byte(codeVerifier)) // S256 challenge = base64url(SHA-256(verifier))
	q := url.Values{
		"response_type": {"code"}, "client_id": {clientID}, "redirect_uri": {redirectURI},
		"scope": {strings.Join(scopes, " ")}, "state": {state},
		"code_challenge": {base64.RawURLEncoding.EncodeToString(sum[:])}, "code_challenge_method": {"S256"},
	}
	return "https://api-id.avnology.net/oauth2/auth?" + q.Encode(), codeVerifier, state
}
```
Available Scopes
| Scope | Description |
|---|---|
| openid | Required for OIDC. Returns an ID token. |
| profile | User's name, username, avatar |
| email | User's email and verification status |
| phone | User's phone and verification status |
| offline_access | Returns a refresh token |
| admin:users:read | Read user management APIs |
| admin:users:write | Write user management APIs |
| admin:orgs:read | Read organization APIs |
| admin:orgs:write | Write organization APIs |
| admin:permissions:read | Read permission APIs |
| admin:permissions:write | Write permission APIs |
Related
- Token Endpoint -- exchange the code for tokens
- Revoke Token -- revoke a token
- Device Authorization -- for CLI/IoT devices
- SDK: client.oauth.buildAuthorizationUrl() (TypeScript)