The Authorization-Endpoint shows an page to the User with the requested scopes. The user must authorize the application before the user is returned to the Client application.


You can get the URL for the Authorization-Endpoint when editing the OAuth-Client.


The following scopes can be requested.

Name Description
identify User-ID, Username and Avatar
openid Same as identify, but used for OpenID Connect. Will also return an JWT Token at the Token Endpoint, if reponse_type code was choosen
email Email-address of the user
profile Profile-Information of the user

Request Format

The following parameters are required:

Name Description
client_id your application’s client id
scope the scopes you want to request, space-delimited

The following parameters are optional:

Name Description
redirect_uri Your redirect_uri, urlencoded. Default: the one saved with the OAuth Client
response_type code will return authorization code, token will return access token (if implicit grant is allowed), id_token will return JWT-Token (if implicit grant is allowed). Default: code
state a custom state from your application. Please see next chapter for using this param for security purposes
nonce a custom random value from your application, which will be included in an ID Token
code_challenge For PKCE, as stated in RFC7636
code_challenge_method For PKCE, as stated in RFC7636. S256 or plain, defaults to plain if parameter omitted

State and Security

The state param can be used to prevent CSRF and Clickjacking vulnerabilities. state is sent in the authorization request and returned back in the response and should be a value that binds the user’s request to their authenticated state. For example, state could be a hash of the user’s session cookie, or some other nonce that can be linked to the user’s session. When a user begins an authorization flow on the client, a state is generated that is unique to that user’s request. This value is stored somewhere only accessible to the client and the user, i.e. protected by the same-origin policy. When the user is redirected, the state parameter is returned. The client validates the request by checking that the state returned matches the stored value. If they match, it is a valid authorization request. If they do not match, it’s possible that someone intercepted the request or otherwise falsely authorized themselves to another user’s resources, and the request should be denied. While the use of the state parameter is not required, it is highly recommend that you implement it for the security of your own applications and data.

Example Request

Example Request for authorization code:

Example Request for access token (Implicit Grant type must be enabled for your OAuth Client):

Example Request for JWT token (Implicit Grant type must be enabled for your OAuth Client):

Response Format

As response, the user is redirected to your application, explicit to your given redirect_uri. The code or token are added as parameter to the URL.

Example Response

Example Response for access token:

Example Reponse for Access Token (Implicit Flow):

Example Response for JWT Token (Implicit Flow):


The returned JWT Token has three sections: header, payload and the signature.

The header contains the used algorithm and token type. Currently, only the HS256 algorithm is supported.

  "typ": "JWT",
  "alg": "HS256"

The payload contains the following data (for scope identify / openid and email):

  "iss": "",
  "aud": "1307734008",
  "iat": 1569161429,
  "nbf": 1569161369,
  "exp": 1569163229,
  "sub": 1,
  "name": "root",
  "nonce": "e4a17ae2bd26b09bad86b902e990a252",
  "scope": "openid email",
  "email": ""

The payload will never contain the profile information, even if it was requested. The Email-address is only contained if scope email was requested. You can use the User-API to request the profile information, by passing the JWT-Token as access token.

The last part of the JWT Token is the signature. As key, the JWT-Secret of your OAuth-Client is used. So you can use the JWT-Secret to prove the signature. Also, the parts like iss, iat, nbf and exp should be checked by your application.