Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Docs 3689 auth explorer update #10394

Merged
merged 16 commits into from
Apr 29, 2024
Merged

Docs 3689 auth explorer update #10394

merged 16 commits into from
Apr 29, 2024

Conversation

avanscoy
Copy link
Contributor

No description provided.

Amanda VS added 3 commits March 28, 2024 14:14
HRI update
Break out client grants
#Learn More standardization
Error pages into Markdown tables
Clean-up
Final markdown tables
addition of fapi to glossary for HRI entry
Amanda VS added 3 commits March 28, 2024 15:58
Duplicate Learn More
Fixes for the nav, flow files, updated error codes
Copy link

@edgarchirivella-okta edgarchirivella-okta left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work on this!!

@@ -1,20 +1,20 @@
{
"default": false,
"resultVersion": 1,
"MD001": true,
"MD001": false,

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to keep these disabled globally instead of using <!-- markdownlint-disable MDXYZ--> in the affected files?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For Authentication API Explorer, yes. The errors I'm getting are because the tech is old and we don't have the resources or people to yet to update the experience completely. Once the Explorer is merged, I plan to go back and update this file ^

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand! Let's keep it like this, then

@@ -2,7 +2,7 @@

The Authentication API enables you to manage all aspects of user identity when you use Auth0. It offers endpoints so your users can log in, sign up, log out, access APIs, and more.

The API supports various identity protocols, like <dfn data-key="openid">[OpenID Connect](/protocols/oidc)</dfn>, [OAuth 2.0](/protocols/oauth2), and <dfn data-key="security-assertion-markup-language">[SAML](/protocols/saml)</dfn>.
The API supports various identity protocols, like <dfn data-key="openid">[OpenID Connect](/protocols/oidc)</dfn>, <dfn data-key="oath2"> [OAuth 2.0](/protocols/oauth2)</dfn>, <dfn data-key="fapi">[FAPI](https://auth0.com/docs/secure/highly-regulated-identity#advanced-security-with-openid-connect-fapi-)</dfn> and <dfn data-key="security-assertion-markup-language">[SAML](/protocols/saml)</dfn>.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need the entire URL here instead of just the relative path, as in the other places?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank-you for catching this one ^

@@ -208,22 +208,11 @@ Once you have a verification code, use this endpoint to login the user with thei
| <dfn data-key="scope">`scope`</dfn> | Use `openid` to get an ID Token, or `openid profile email` to also include user profile information in the ID Token. |
| `redirect_uri` <br/><span class="label label-danger">Required</span> | A callback URL that has been registered with your application's **Allowed Callback URLs**. |


### Test with Authentication API Debugger

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's great to see references to the Authentication API Debugger removed 🙂

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes! I haven't heard if the Debugger has been fully deprecated or not, so I have a single reference in the intro for it.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not fully deprecated. There is an intention to deprecate it, but not a plan AFAIK.
What you did looks perfect to me: maintaining a reference to it but reducing the doc coverage to discourage new people from using it.

```

```javascript
var request = require("request");

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a bit nitpicky, I'd love to have const instead of var in the code examples. I think that var could transmit the image of being out of fashion, or not up-to-date with the current best practices, which may put off some people.

var is perfectly functional in any case, so this is totally optional, but using const would transmit a more "modern" feel.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@edgarchirivella-okta , these code samples weren't updated this round. Would I just replace var with const?

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No problem! I understand that you just moved the code examples between files.

I don't think it's required now, this is something that could be included in the future project you have next quarter, if you have the time to include it 🙂

In these small examples, it would just be replacing var with const. There are some gotchas because they don't behave in the exact same way, but for these examples, replacing var with const would do. This is a very good explanation of the differences: https://www.freecodecamp.org/news/var-let-and-const-whats-the-difference/

In general, people try to use const first, and let only if the variable needs to be reassigned. var is only seen in older projects nowadays.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds perfect! I was talking to Daniel and David about the next project including a closer review of the flows and samples!

code: "AUTHORIZATION_CODE",
redirect_uri: "${account.callback}", } };

request(options, function (error, response, body) {

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And related to the var comment above, I think that converting these examples to async/await could make us more approachable, because the devs learning Node and Javascript these days may not even be familiar with callbacks.

This has lower priority than the var comment above and I understand the pressure to merge this today, so this is just a suggestion for a future improvement.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have another larger project for the Explorer planned for next quarter, so this could absolutely be helpful!

Copy link

@edgarchirivella-okta edgarchirivella-okta Apr 29, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That sounds great! Thank you for that 😄 let's keep it with the callbacks here, then

> RESPONSE SAMPLE:

```JSON
HTTP/1.1 200 OK
Copy link

@edgarchirivella-okta edgarchirivella-okta Apr 26, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we remove the HTTP/1.1 line here too?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I checked with Session since these samples are very old. For this fragment, leaving the HTTP could help with error handling, so for this project, we'll leave them. Next quarter, I'll engage engineering to review the samples more closely.

```http
POST ${account.namespace}/oauth/par
Content-Type: 'application/x-www-form-urlencoded'
response_type=code|code id_token&
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is important that all example include

  • an audience param (optional)
  • an authorization_details param (optional)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pending updates on Google doc

url: 'https://{yourDomain}/oauth/par,
headers: { 'content-type': 'application/x-www-form-urlencoded' },
form: {
response_type: 'code|code id_token',
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is important that all example include

  • an audience param (optional)
  • an authorization_details param (optional)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pending updates on Google doc

curl --request POST \
--url 'https://{yourDomain}/oauth/par' \
--header 'content-type: application/x-www-form-urlencoded' \
--data 'response_type=code|code id_token& client_id={yourClientId}& redirect_uri={https://yourApp/callback}&state=STATE&scope=openid|profile|email&code_challenge=CODE_CHALLENGE&code_challenge_method=S256&nonce=NONCE&connection=CONNECTION&prompt=login|consent|none&organisation=ORGANIZATION'
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is important that all example include

  • an audience param (optional)
  • an authorization_details param (optional)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pending updates on Google doc

::: note
Highly Regulated Identity is currently available for Enterprise customers under Limited Early Access. To learn more about this program, contact [Auth0 Support](http://support.auth0.com/).
:::
Push Authorization Requests (PAR), a service of [Highly Regulated Identity](https://auth0.com/docs/secure/highly-regulated-identity), uses the `/oauth/par` endpoint to allow applications to send the authentication parameters usually sent in a `GET` request to `/authorize`. PAR uses a POST method from the backend to keep parameter values secure. The /oauth/par endpoint accepts all standard authorization parameters similar to /authorize. Assuming the call to the /oauth/par endpoint is valid, Auth0 will respond with a redirect_uri value that can be used as a parameter for the /authorize endpoint.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Push Authorization Requests (PAR), a service of [Highly Regulated Identity](https://auth0.com/docs/secure/highly-regulated-identity), uses the `/oauth/par` endpoint to allow applications to send the authentication parameters usually sent in a `GET` request to `/authorize`. PAR uses a POST method from the backend to keep parameter values secure. The /oauth/par endpoint accepts all standard authorization parameters similar to /authorize. Assuming the call to the /oauth/par endpoint is valid, Auth0 will respond with a redirect_uri value that can be used as a parameter for the /authorize endpoint.
Push Authorization Requests (PAR), a service of [Highly Regulated Identity](https://auth0.com/docs/secure/highly-regulated-identity), uses the `/oauth/par` endpoint to allow applications to send the authorization parameters usually sent in a `GET` request to `/authorize`. PAR uses a POST method from the backend to keep parameter values secure. The /oauth/par endpoint accepts all standard authorization parameters similar to /authorize. Assuming the call to the /oauth/par endpoint is valid, Auth0 will respond with a redirect_uri value that can be used as a parameter for the /authorize endpoint.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added to the next commit

## Request Parameters
| Parameter | Description |
|:-----------------|:------------|
| `response_type` <br/><span class="label label-danger">Required</span> | Specifies the token type. We recommend you use code to request an authorization code, or code id_token to receive an authorization code and a [detached signature](https://openid.net/specs/openid-financial-api-part-2-1_0.html#id-token-as-detached-signature). |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add

audience
The unique identifier of the target API you want to access.

| `redirect_uri` <br/><span class="label label-danger">Required</span> | The URL to which Auth0 will redirect the browser after authorization has been granted by the user. Specify the `redirect_uri` under your [Application's Settings](${manage_url}/#/applications).|
| `state` <br/><span class="label label-primary">Recommended</span> | An opaque value the applications adds to the initial request that the authorization server includes when redirecting the back to the application. This value must be used by the application to prevent CSRF attacks. |
| `scope` <br/><span class="label label-primary">Recommended</span>| OIDC scopes and custom API scopes. For example: `openid read:timesheets`. Include `offline_access` to get a Refresh Token.|
| `code_challenge` <br/><span class="label label-primary">Recommended</span> | OIDC scopes and custom API scopes. For example: `openid read:timesheets`. Include offline_access to get a Refresh Token. |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add

authorization_details
Similarly to scopes, this parameter allows you to request specific permissions for each resource you want to access. In this case, you can specify an array of json objects to convey fine-grained information on the authorization. Each json object must contain a type attribute and the rest is up to you to define. Read the [RAR reference documention](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-rar) to learn all the details.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I edited this description on the Google Doc and added the example case to the Remarks sections

> RESPONSE SAMPLE:
``` json
/**
The `/oauth/token` endpoint will respond with a JSON object containing an `id_token` property, and potentially also a `refresh_token` if one was requested.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The `/oauth/token` endpoint will respond with a JSON object containing an `id_token` property, and potentially also a `refresh_token` if one was requested.
The `/oauth/token` endpoint will respond with a JSON object containing an `access_token` property, and potentially also a `refresh_token` if one was requested. If you specified the authorization_details parameter at the beginning of the flow, it will also be added to the response to indicate the details of what has been authorized.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know if this text should appear here in the json example or be included as part of the remarks

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line was originally associated with the Response, so I put it as commented out. Feel free to update it on the Google doc and I can update.

Content-Type: application/json
{
"refresh_token":"GEbRxBN...edjnXbL",
"id_token":"eyJ0XAi...4faeEoQ",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add

"access_token":"eybRxBN...edjnXZQ",

{
"refresh_token":"GEbRxBN...edjnXbL",
"id_token":"eyJ0XAi...4faeEoQ",
"token_type":"Bearer",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add

"authrorization_details":[
{
"type":"my_type",
"other_attributes_of_my_type":"value"
}
],

"link": "#exchange-an-authorization-code-for-a-token"
}) %>

```http
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

THIS IS INCORRECT. It should be a request to /token.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, if you're talking about the ```http section, I'll need that sample from the team. If this is about the include ^ that's actually the link to the endpoint.

```

```javascript
curl --request POST \
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

THIS IS INCORRECT. It should be a request to /token.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay. Please add the correct sample to the Google doc and I'll get it from there.

```

```shell
var request = require("request");
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This request is correct, but shouldn't we add it before the response?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Honestly, it doesn't matter. It's going to show in the correct spot in the Explorer. I'll move it in the next commit.

});
```

When users are redirected to `/authorize`, you need to make a `POST` call to the `oauth/token` endpoint to exchange an authorization code for an access and/or an ID token.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
When users are redirected to `/authorize`, you need to make a `POST` call to the `oauth/token` endpoint to exchange an authorization code for an access and/or an ID token.
When users are redirected back to your callback, you need to make a `POST` call to the `oauth/token` endpoint to exchange an authorization code for an access and/or an ID token.

Copy link
Contributor

@lrzhou25 lrzhou25 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work, Amanda! This was a behemoth of a project, and all the updates you did will greatly improve doc readability and discoverability.

lmk if you have any questions about my comments!

@@ -2,7 +2,7 @@

The Authentication API enables you to manage all aspects of user identity when you use Auth0. It offers endpoints so your users can log in, sign up, log out, access APIs, and more.

The API supports various identity protocols, like <dfn data-key="openid">[OpenID Connect](/protocols/oidc)</dfn>, [OAuth 2.0](/protocols/oauth2), and <dfn data-key="security-assertion-markup-language">[SAML](/protocols/saml)</dfn>.
The API supports various identity protocols, like <dfn data-key="openid">[OpenID Connect](/protocols/oidc)</dfn>, <dfn data-key="oath2"> [OAuth 2.0](/protocols/oauth2)</dfn>, <dfn data-key="fapi">[FAPI](https://auth0.com/docs/secure/highly-regulated-identity#advanced-security-with-openid-connect-fapi-)</dfn> and <dfn data-key="security-assertion-markup-language">[SAML](/protocols/saml)</dfn>.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

small nitpick: you could shorten FAPI link by removing "https://auth0.com/docs" from "/secure/highly-regulated-identity#advanced-security-with-openid-connect-fapi-"


1. At the *OAuth2 / OIDC* tab, click **OAuth2 / OIDC Login**.

### Use Authentication API Debuggar
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"Use Authentication API Debuggar"-->"Use Authentication API Debugger"

- Legacy Delegation: At the *OAuth2 / OIDC* tab, set **Username** and **Password**. Click **Resource Owner Endpoint**.
- Legacy Resource Owner: At the *OAuth2 / OIDC* tab, set the **Username** and **Password**, and click **Resource Owner Endpoint**.

### Use Authentication API Debuggar with authentications flows
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should Authentications Flows be capitalized?

- [Custom Social Connections](/connections/social/oauth2)
- [State Parameter](/protocols/oauth2/oauth-state)
- [State Parameter](https://auth0.com/docs/secure/attack-protection/state-parameters)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the link could be shortened to "/docs/secure/attack-protection/state-parameters"

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it! I missed this one :D

| `client_id` <br/><span class="label label-danger">Required</span> | Your application's Client ID. |
| `client_secret` <br/><span class="label label-danger">Required</span> | Your application's Client Secret. |
| `code` <br/><span class="label label-danger">Required</span> | The Authorization Code received from the initial `/authorize` call. |
| `redirect_uri`| This is required only if it was set at the [GET /authorize](#authorization-code-grant) endpoint. The values must match. |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

which values must match?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah okay. If you set the redirect_uri at /authorize, the same redirect_uri must be set at /oauth/token. I'll clarify that. Thanks!

| `username` <br/><span class="label label-danger">Required</span> | The user's username |
| `password` <br/><span class="label label-danger">Required</span> | The user's password |
| <dfn data-key="scope">`scope`</dfn> | Use `openid` to get an ID Token, `openid profile email` to get an ID Token and the user profile, or `openid offline_access` to get an ID Token and a <dfn data-key="refresh-token">Refresh Token</dfn>. |
| `id_token` | Used to authenticate using a token instead of username/password, in [Touch ID](/libraries/lock-ios/touchid-authentication) scenarios. |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

using a token->with a token
no comma between username/password and in Touch ID

| `password` <br/><span class="label label-danger">Required</span> | The user's password |
| <dfn data-key="scope">`scope`</dfn> | Use `openid` to get an ID Token, `openid profile email` to get an ID Token and the user profile, or `openid offline_access` to get an ID Token and a <dfn data-key="refresh-token">Refresh Token</dfn>. |
| `id_token` | Used to authenticate using a token instead of username/password, in [Touch ID](/libraries/lock-ios/touchid-authentication) scenarios. |
| `device` | You should set this to a string, if you are requesting a Refresh Token (`scope=offline_access`). |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you should set->Set
capitalization of Refresh Token


- This endpoint only works for database connections, <dfn data-key="passwordless">passwordless</dfn> connections, Active Directory/LDAP, Windows Azure AD and ADFS.

- The `profile` scope value requests access to the End-User's default profile Claims, which are: `name`, `family_name`, `given_name`, `middle_name`, `nickname`, `preferred_username`, `profile`, `picture`, `website`, `gender`, `birthdate`, `zoneinfo`, `locale`, and `updated_at`.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

End-User's->end user's


### Error Codes

For the complete error code reference for this endpoint refer to [Errors > POST /oauth/ro](#post-oauth-ro).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

comma between endpoint and refer

### Remarks

- The <dfn data-key="scope">scopes</dfn> issued to the application may differ from the scopes requested. In this case, a `scope` parameter will be included in the response JSON.
- If you don't request specific scopes, all scopes defined for the audience will be returned due to the implied trust to the application in this grant. You can customize the scopes returned in a rule. For more information, refer to [Calling APIs from Highly Trusted Applications](/api-auth/grant/password).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For more information->To learn more

lrzhou25
lrzhou25 previously approved these changes Apr 26, 2024
|:-----------------|:------------|
| `audience` <br/> | The unique identifier of the target API you want to access. |
| `scope` | The <dfn data-key="scope">scopes</dfn> which you want to request authorization for. These must be separated by a space. You can request any of the [standard OpenID Connect (OIDC) scopes](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) about users, such as `profile` and `email`, custom claims that must [conform to a namespaced format](/tokens/guides/create-namespaced-custom-claims), or any scopes supported by the target API (for example, `read:contacts`). Include `offline_access` to get a <dfn data-key="refresh-token">Refresh Token</dfn>. |
| `response_type` <br/><span class="label label-danger">Required</span> | Indicates to Auth0 which OAuth 2.0 flow you want to perform. Use `code` for Authorization Code Grant Flow. |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"want to perform"->"want to use?"

| `state` <br/><span class="label label-primary">Recommended</span> | An opaque value the application adds to the initial request that Auth0 includes when redirecting the back to the application. This value must be used by the application to prevent CSRF attacks. |
| `redirect_uri` | The URL to which Auth0 will redirect the browser after authorization has been granted by the user. |
| `connection` | The name of the connection configured to your application. |
| `prompt` | To initiate a [silent authentication](/api-auth/tutorials/silent-authentication) request, use `prompt=none` (see Remarks for more info). |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should you link to the Remarks section below? also suggested rewording: "To learn more, read Remarks"

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See that's one of the drawbacks with Remarks. I can't link to them. The link just goes back to the first one in Login with #remarks. But! With the next project, hopefully we can fix this. But I will update to the To learn more, see the Remarks.

:::
<br></br>

Authorization Code Flow with [Push Authorization Requests (PAR)](/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-par), uses the `/oauth/par` endpoint to allow applications to send the authorization parameters usually sent in a `GET` request to `/authorize`. PAR uses a POST method from the backend to keep parameter values secure. The /oauth/par endpoint accepts all authorization parameters which can be proivided to `/authorize`. Assuming the call to the `/oauth/par` endpoint is valid, Auth0 will respond with a `redirect_uri` value that can be used as a parameter for the `/authorize` endpoint.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Push Authorization Requests->Pushed Authorization Requests
no comma after (PAR)
/oauth/par endpoint accepts->/oauth/par endpoint accepts


Authorization Code Flow with [Push Authorization Requests (PAR)](/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-par), uses the `/oauth/par` endpoint to allow applications to send the authorization parameters usually sent in a `GET` request to `/authorize`. PAR uses a POST method from the backend to keep parameter values secure. The /oauth/par endpoint accepts all authorization parameters which can be proivided to `/authorize`. Assuming the call to the `/oauth/par` endpoint is valid, Auth0 will respond with a `redirect_uri` value that can be used as a parameter for the `/authorize` endpoint.

Assuming the call to the `/oauth/par` endpoint is valid, Auth0 will respond with a `redirect_uri` value also used as a parameter for the `/authorize` endpoint. To learn more about configuring PAR, read [Configure Push Authorization Requests (PAR)](/get-started/applications/configure-par).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Configure Push Authorization Requests->Configure Pushed Authorization Requests

| `nonce` <br/><span class="label label-primary">Recommended</span> | A string value which will be included in the ID Token response from Auth0, used to prevent token replay attacks. It is required for `response_type=id_token` token. |
| `connection` | The name of the connection configured to your application. If null, it will redirect to the [Auth0 Login Page](https://${account.namespace}/login) and show the Login Widget using the first database connection. |
| `prompt` | Can be used to force a particular prompt to display, e.g. `prompt=consent` will always display the consent prompt.|
| `organization` | ID of the organization to use when authenticating a user. When not provided, if your application is configured to Display Organization Prompt, the user will be able to enter the organization name when authenticating. |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nvm i see that for all the other instances of this paramter, Display Organization Prompt is bolded i.e. Display Organization Prompt, so i think we can just bold it to be consistent

lrzhou25
lrzhou25 previously approved these changes Apr 29, 2024
lrzhou25
lrzhou25 previously approved these changes Apr 29, 2024
@avanscoy avanscoy merged commit 248e423 into master Apr 29, 2024
6 checks passed
@avanscoy avanscoy deleted the docs-3689-auth-explorer-update branch April 29, 2024 21:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants