The Authorization Controller is a central component of the OAuth2 implementation in the Auth Server, managing the relationship between users and client applications. It handles the authorization process, allowing users to grant or revoke permissions to applications, supports multiple authentication methods including traditional login and SAML SSO, and maintains records of authorized applications.
Reference
Authorize
Initiates the OAuth2 authorization flow, managing user consent for client applications to access their resources. This endpoint supports multiple authentication scenarios including standard browser flows, SAML SSO integration, cookie-based authentication, and iframe implementations.
Response: On successful authentication and authorization, the server responds with an HTTP 302 redirect to the specified redirect_uri, appending the authorization code and state as query parameters.
Attention: For legacy reasons, clientId is marked as required, but it is not. Always send client_id, which is the parameter that is actually required.
Although currently not marked as such, redirect_uri is a required field. Applications that do not send redirect_uri will stop working soon, without prior notice!
Field | Type | Required | Description |
---|---|---|---|
clientId | string | ✓ | Legacy parameter for client application identifier. Use client_id instead for compliance with OAuth2 specifications. |
client_id | string | ✓ | Unique identifier for the client application requesting authorization. Required for initiating the OAuth2 flow. |
device | string | ✗ | Unique identifier for the device requesting authorization. Used for security validation and session management. |
env | string | ✗ | Environment identifier used for multi-environment deployments. Helps determine the correct authentication context. |
iframe | integer | ✗ | Configuration flag for iframe-based authentication flows. Value 1 enables basic iframe support, 2 enables enhanced iframe handling with additional security considerations. Allowed values: 1, 2 |
r | string | ✗ | Legacy parameter for specifying the resource the client is requesting access to. Use resource instead |
redirect_uri | string | ✗ | URI where the user will be redirected after authorization. Must exactly match one of the redirect URIs registered for the client application. |
resource | string | ✗ | Identifier for the specific resource the client application is requesting access to. Helps with resource-specific authorization scoping. |
response_type | string | ✓ | OAuth2 response type specifying the grant flow to use. Must be "code" for authorization code flow. Allowed values: code |
ssoIdentifier | string | ✗ | Identifier for the SAML SSO configuration to use for authentication. Required when using SSO-based authentication flows. |
state | string | ✗ | Opaque value used to maintain state between request and callback. Protects against CSRF attacks and should be validated upon return. |
u | string | ✗ | Legacy resource identifier parameter. Use resource instead for consistent implementation. |
version | string | ✗ | API version identifier. Used to ensure compatibility between client and server implementations. |
Example
// REQUEST
GET /v4/authorize?
client_id=CLIENT_ID_OF_YOUR_APP&
response_type=code&
redirect_uri=YOUR_APPS_CALLBACK_URL&
device=YOUR_UNIQUE_DEVICE_IDENTIFIER&   // optional, but recommended
state=YOUR_STATE
// RESPONSE
HTTP/1.1 302 Found
Location: https://client-app.example.com/callback?state=YOUR_STATE&code=CODE_TO_EXCHANGE_FOR_TOKEN
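The request above leaves two checks to the integrating application: the state value must be unguessable and must be compared against the stored value when the callback arrives, and the server side of the flow accepts redirect_uri only on an exact match with a registered URI. The following is an added example, not code from the Auth Server or its documentation, showing a client-side helper that builds the /v4/authorize request with a fresh state, validates the 302 Location that comes back, and a function expressing the exact-match rule for redirect_uri. The base URL AUTH_SERVER is an assumed value; the parameter names are the ones in the reference table.

```python
# Added example (not part of the Auth Server documentation): client-side helpers for
# the /v4/authorize flow. AUTH_SERVER is an assumed base URL, not from the reference.
import secrets
from typing import Optional
from urllib.parse import urlencode, urlsplit, parse_qs

AUTH_SERVER = "https://auth.example.com"  # assumed base URL for the Auth Server


def new_state() -> str:
    """Opaque, unguessable per-request value. The caller stores it in the user's
    session so that the callback can be checked against it (CSRF protection)."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, state: str,
                        device: Optional[str] = None,
                        resource: Optional[str] = None) -> str:
    """Compose the GET /v4/authorize URL. Uses client_id (never the legacy clientId),
    response_type=code, redirect_uri and state; device and resource are optional."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if device:
        params["device"] = device      # optional, but recommended by the reference
    if resource:
        params["resource"] = resource  # use resource, not the legacy r / u parameters
    return f"{AUTH_SERVER}/v4/authorize?{urlencode(params)}"


def parse_callback(location: str, expected_state: str, registered_redirect: str) -> str:
    """Validate the 302 Location sent by the server and return the authorization code.
    Raises ValueError if the callback landed on the wrong URI, the state is missing or
    does not match the stored value, or no code is present."""
    parts = urlsplit(location)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if base != registered_redirect:
        raise ValueError("callback arrived on an unexpected URI")
    qs = parse_qs(parts.query)
    state = qs.get("state", [None])[0]
    # Constant-time comparison so the check does not leak how many characters matched.
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("authorization code missing from callback")
    return code


def redirect_uri_allowed(requested: str, registered: list) -> bool:
    """Server-side rule stated in the reference: redirect_uri must exactly match one
    of the URIs registered for the client. No prefix, wildcard or host-only matching."""
    return requested in registered


if __name__ == "__main__":
    st = new_state()
    print(build_authorize_url("CLIENT_ID_OF_YOUR_APP",
                              "https://client-app.example.com/callback", st, device="dev-1"))
```

The state is generated once per authorization request and stored server-side in the user's session; parse_callback is then called with that stored value, never with a value taken from the callback itself.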
Deauthorize app
Revokes a previously granted application authorization, giving users control over which applications have access to their resources. This endpoint terminates all active sessions for the specified application, removes the authorization record from the system, and invalidates any tokens issued to that application. Use this for security-conscious user account management or when decommissioning application integrations.
Field | Type | Required | Description |
---|---|---|---|
clientId | string | ✗ | Legacy parameter for client application identifier. Use client_id instead for compliance with OAuth2 specifications. |
client_id | string | ✗ | Unique identifier for the client application requesting authorization. Required for initiating the OAuth2 flow. |
device | string | ✗ | Unique identifier for the device requesting authorization. Used for security validation and session management. |
id | integer | ✗ | Unique identifier of the authorized application to be deauthorized. Required for revoking specific application authorizations. |
List app
Retrieves a comprehensive list of all applications currently authorized by the authenticated user. The response includes detailed information about each application such as name, type, authentication history (including last login timestamp), device information, IP address, and creation/update timestamps. This endpoint helps users monitor and manage their application authorizations and is useful for security auditing and access control.
Field | Type | Required | Description |
---|---|---|---|
– | – | ✗ | This endpoint does not require or accept any request parameters. |
Field | Type | Description |
---|---|---|
client_id | string | Unique identifier for the client application requesting authorization. Required for initiating the OAuth2 flow. |
createdAt | datetime | ISO 8601 formatted datetime when the application was initially authorized by the user. Establishes the beginning of the authorization relationship. |
device | string | Unique identifier for the device requesting authorization. Used for security validation and session management. |
id | integer | Unique identifier of this authorization record. Pass it as id to the Deauthorize app endpoint to revoke the authorization. |
ip | string | IP address from which the authorization request originated. Important for security auditing and geographic access tracking. |
lastLogin | integer | Unix timestamp of the most recent successful authentication using this authorized application. Used for session tracking and activity monitoring. |
name | string | Display name of the authorized application. Used in user interfaces to clearly identify the application. |
type | string | Classification of the authorized application (e.g., web, mobile, desktop). Helps with application categorization and security policies. |
updatedAt | datetime | ISO 8601 formatted datetime when the application authorization was last modified. Useful for tracking changes to authorization scope or settings. |
userAgent | string | User agent string of the browser or application used during the authorization process. Provides context for security auditing. |
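Because the List app response carries lastLogin, device, ip and userAgent for every authorization, it is the natural input for a periodic review that surfaces authorizations a user may want to revoke. The following is an added example, not code from the Auth Server or its documentation: it walks a response in the shape documented above, flags entries whose lastLogin is older than a chosen idle period or that recorded no device identifier, and produces the id that the Deauthorize app endpoint takes for each flagged entry. The JSON is constructed sample data, the 90-day threshold is an assumption, and no HTTP call is made.

```python
# Added example (not part of the Auth Server documentation): an audit pass over a
# List app response, following the response field table above. Sample data below is
# constructed; the idle threshold is an assumed policy value.
import json
from datetime import datetime, timedelta, timezone

# Constructed sample List app response (not real data).
SAMPLE_LIST_RESPONSE = json.dumps([
    {"id": 11, "client_id": "mobile-app", "name": "Mobile App", "type": "mobile",
     "device": "dev-phone-1", "ip": "203.0.113.10", "userAgent": "App/3.1",
     "lastLogin": 1718000000,  # 2024-06-10 UTC
     "createdAt": "2024-01-10T09:00:00Z", "updatedAt": "2024-06-10T06:13:20Z"},
    {"id": 12, "client_id": "old-dashboard", "name": "Old Dashboard", "type": "web",
     "device": "", "ip": "198.51.100.7", "userAgent": "Mozilla/5.0",
     "lastLogin": 1672531200,  # 2023-01-01 UTC
     "createdAt": "2022-05-01T12:00:00Z", "updatedAt": "2023-01-01T00:00:00Z"},
])


def find_stale_authorizations(list_json: str, now_ts: int, max_idle_days: int = 90) -> list:
    """Return the authorizations whose lastLogin (Unix seconds) is older than
    max_idle_days relative to now_ts, or which carry no device identifier.
    Each finding includes the payload a client would send to Deauthorize app."""
    cutoff = datetime.fromtimestamp(now_ts, tz=timezone.utc) - timedelta(days=max_idle_days)
    findings = []
    for app in json.loads(list_json):
        reasons = []
        last_login = datetime.fromtimestamp(app["lastLogin"], tz=timezone.utc)
        if last_login < cutoff:
            reasons.append(f"no login since {last_login.date().isoformat()}")
        if not app.get("device"):
            reasons.append("no device identifier recorded")
        if reasons:
            findings.append({
                "id": app["id"],
                "name": app["name"],
                "client_id": app["client_id"],
                "last_seen_ip": app.get("ip"),
                "reasons": reasons,
                # Deauthorize app accepts id plus optional client_id / device.
                "deauthorize_request": {"id": app["id"], "client_id": app["client_id"]},
            })
    return findings


if __name__ == "__main__":
    now = int(datetime.now(timezone.utc).timestamp())
    for f in find_stale_authorizations(SAMPLE_LIST_RESPONSE, now):
        print(f"{f['name']} (id={f['id']}, ip={f['last_seen_ip']}): "
              + "; ".join(f["reasons"]) + f" -> deauthorize with {f['deauthorize_request']}")
```

The function only reports; the decision to call Deauthorize app stays with the user or reviewer, who can weigh the ip and userAgent context the response also provides.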