...
Parameter | Description | Example |
---|---|---|
response_mode | Informs the OpenID Provider of the mechanism to be used for returning parameters from the endpoint. See the value of the "response_modes_supported" key in the openid-configuration for available values. | response_mode=query |
nonce | String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. | nonce=abefb10d2b1b |
display | Specifies how the OpenID Provider displays the authentication and consent user interface pages to the end-user. NOTE: This parameter will have limited support and only be defined per service/domain/customer. | display=page |
prompt | Specifies whether the OpenID Provider prompts the end-user for reauthentication and consent. This parameter may be useful for services running in an SSO scenario where authentication should be forced. The value may be a space-separated list. Available values are: | prompt=login consent |
max_age | Not currently in use. | |
ui_locales | A space-separated list of the end-user's preferred language and scripts tag values, ordered by preference. The tags should be according to Tags for Identifying Languages. | ui_locales=nb-NO en-US |
id_token_hint | ID Token previously issued by the OpenID Provider being passed as a hint about the end-user's current or past authenticated session with the client. | id_token_hint=<ID Token JWT> |
login_hint | Hint to the OpenID Provider about the login identifier the end-user might use to log in (if necessary). The hint may, e.g., be the user's phone number, email or Buypass ID. | login_hint=someuserid |
acr_values ✋ This open standard request parameter is ignored by Buypass. | Space-separated string that specifies the acr values that the OpenID Provider is being requested to use for processing this authentication request. In short: this value describes the client's requirements (represented as an agreed value) for the level of assurance/authentication it requires. The values can e.g. be values like 1, 2 or 3 or something like the eIDAS assurance levels: low, substantial and high. NOTE: This parameter will have limited support and only be defined per service/domain/customer. See also Authentication methods and levels. 💡 Even if the request parameter acr_values is ignored, the value returned in the acr claim in the ID token will always be "acr": "eidas-loa-high". Level high is the only level offered by Buypass at present. | acr_values=1 2 |
amr_values ✋ This open standard request parameter is ignored by Buypass. | Space-separated string that specifies the amr values that the OpenID Provider should use when selecting authentication methods. In short: this value enables dynamic control of the authentication methods to be used in this session. The values can e.g. be values like "sc", "mobile" etc. The values are defined as part of the Security Domain. See https://tools.ietf.org/html/rfc8176 for standardised values. NOTE: This parameter will have limited support and only be defined per service/domain/customer. | amr_values=sc, mobile |
bp_idp_hint | This parameter gives the possibility to access the Fido2 authentication dialog directly for a user connected to an organisation issuing Buypass ID Fido2 for their employees. Requirements: 💡 If both the parameters bp_idp_hint and bp_amr_values are requested - see explanation below. | bp_idp_hint=buypass |
bp_amr_values | Single …. which should be used when selecting a specific authentication ID-instrument from Buypass. This parameter gives the possibility to select the authentication method. By requesting an authentication method, the end user will be redirected directly to the chosen method and the menu options will disappear. Values: sc, mobile or pwd_otp. Requirements: 💡 The input value is NOT returned in the amr or the bp_amr claim in the ID-token. 💡 If both the parameters bp_idp_hint and bp_amr_values are requested, the parameter bp_idp_hint will have priority. If the tenantID given is not known or invalid, the bp_idp_hint parameter is ignored and the parameter in bp_amr_values is taken into account. If the authenticator value given is not known or invalid, the end user will be presented the full menu and will need to choose the authenticator themselves. | bp_amr_values=sc |
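
An added example (not Buypass code) of how a client could use the nonce and bp_amr_values parameters described in the table: it builds the request, then checks the nonce and acr claims of the returned ID Token. The function names, endpoint URL and client_id are placeholders; state, scope and response_type are the standard OpenID Connect parameters; the ID Token's signature, iss, aud and exp are assumed to be verified before the claim check runs.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Hypothetical helper names; values below are the ones listed in the table.
BP_AMR_ALLOWED = {"sc", "mobile", "pwd_otp"}
EXPECTED_ACR = "eidas-loa-high"  # the only level the page says is returned


def build_auth_request(authorization_endpoint, client_id, redirect_uri,
                       bp_amr_values=None, login_hint=None, force_login=False):
    """Return (url, nonce, state); the caller stores nonce and state in the user's session."""
    if bp_amr_values is not None and bp_amr_values not in BP_AMR_ALLOWED:
        # The provider does not reject an unknown value, it shows the full menu.
        # Failing here surfaces the misconfiguration on the client side.
        raise ValueError(f"unsupported bp_amr_values: {bp_amr_values!r}")
    nonce = secrets.token_urlsafe(32)  # unguessable, one per authentication request
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    if force_login:
        params["prompt"] = "login"  # force reauthentication in an SSO scenario
    if login_hint:
        params["login_hint"] = login_hint
    if bp_amr_values:
        params["bp_amr_values"] = bp_amr_values
    return f"{authorization_endpoint}?{urlencode(params)}", nonce, state


def check_id_token_claims(claims, expected_nonce):
    """Check claims of an ID Token that has already passed signature validation."""
    got = claims.get("nonce")
    if not isinstance(got, str) or not hmac.compare_digest(
            got.encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch: token is not bound to this session")
    if claims.get("acr") != EXPECTED_ACR:
        raise ValueError(f"unexpected acr: {claims.get('acr')!r}")
    # bp_amr_values is not echoed in amr/bp_amr, so the method actually used is
    # read from the token's amr claim, never inferred from what was requested.
    return claims.get("amr", [])
```

The nonce should be discarded from the session after one successful check so that a captured ID Token cannot be accepted a second time.
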
Example request
Example authentication request
...