SstOIDCAuthorizationCodeFlow
This class implements the authorization code flow for OpenID Connect (OIDC), which is essentially an OAuth2.0 authorization code grant with some additional standard parameters. We provide some convenience methods for these parameters.
See https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
Class Methods
newWithClientId:authorizationBaseUrl:tokenUrl:
Create instances of this subclass via the other instance creation method, newWithClientId:providerMetadata:.
newWithClientId:providerMetadata:
Create the 'Authorization Code' flow which can be used to create the authorization URL (to which to redirect the user) and subsequently create a client with the necessary authorization code.
Raises an error if the provided metadata shows that this flow is not supported by the provider.
Arguments:
clientId: <String> the id of the registered client
aSstOIDCProviderMetadata: <SstOIDCProviderMetadata> carrying the OIDC provider's metadata document obtained via its well-known discovery url
Answers:
<SstOIDCAuthorizationCodeFlow>
Raises:
<SstOIDCError>
Instance Methods
acrValues:
Sets the value of the 'acr_values' (Requested Authentication Context Class Reference values) query parameter.
See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest for more information.
Arguments:
aCollectionOfStrings: a <SequenceableCollection> of <String>
displayPage
Sets the value of the 'display' query parameter to 'page'.
The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view.
If the display parameter is not specified, this is the default display mode.
See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest for more information.
displayPopup
Sets the value of the 'display' query parameter to 'pop-up'.
The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window.
See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest for more information.
displayTouch
Sets the value of the 'display' query parameter to 'touch'.
The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface.
See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest for more information.
displayWap
Sets the value of the 'display' query parameter to 'wap'.
The Authorization Server SHOULD display the authentication and consent UI consistent with a 'feature phone' type display.
See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest for more information.
idTokenHint:
Sets the value of the 'id_token_hint' query parameter.
ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client.
See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest for more information.
Arguments:
previousIdToken: <String>
loginHint:
Sets the value of the 'login_hint' query parameter.
Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary).
See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest for more information.
Arguments:
aString: <String>
maxAge
Returns the value set for the 'max_age' (Maximum Authentication Age) query parameter.
See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest for more information.
Returns: <Integer> - Allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP.
maxAge:
Sets the value of the 'max_age' (Maximum Authentication Age) query parameter.
See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest for more information.
Arguments:
seconds: <Integer> - Allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP.
nonce
Retrieve the value of the 'nonce' query parameter sent with the Authorization request.
See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest for more information.
nonce:
Sets the value of the 'nonce' query parameter.
If no value is set, a value will be generated automatically.
See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest for more information.
Arguments:
aString: <String> - String value used to associate a Client session with an ID Token, and to mitigate replay attacks.
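The client-side checks that make 'nonce' and 'max_age' effective, shown as an added Python example that is not part of this class or its library. The function names, endpoint, client id and claim values are constructed for illustration, and the ID token's signature, iss, aud and exp are assumed to have been verified already.

```python
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs


def build_auth_request(authorization_endpoint, client_id, redirect_uri, max_age=None):
    """Return (url, session). Store session server-side, bound to the user's browser session."""
    session = {
        "state": secrets.token_urlsafe(32),   # CSRF protection for the redirect
        "nonce": secrets.token_urlsafe(32),   # ties the ID token to this session
        "max_age": max_age,
    }
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": session["state"],
        "nonce": session["nonce"],
    }
    if max_age is not None:
        params["max_age"] = str(max_age)
    return f"{authorization_endpoint}?{urlencode(params)}", session


def check_id_token_claims(claims, session, now=None, leeway=60):
    """Check 'nonce' and 'auth_time' of an already signature-verified ID token.

    Returns 'ok' or a short reason string for rejecting the token.
    """
    now = time.time() if now is None else now
    nonce = claims.get("nonce")
    # A token minted for another request (replayed or injected) carries a different nonce.
    if not isinstance(nonce, str) or not secrets.compare_digest(
        nonce.encode(), session["nonce"].encode()
    ):
        return "nonce_mismatch"
    if session.get("max_age") is not None:
        # When max_age was requested, the ID token must carry auth_time.
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, (int, float)):
            return "auth_time_missing"
        if now - auth_time > session["max_age"] + leeway:
            return "auth_too_old"
    return "ok"
```

Discard the stored nonce after one callback so the same ID token cannot be accepted a second time.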
promptConsent
Sets the value for the prompt query parameter to 'consent'.
The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client.
If it cannot obtain consent, it MUST return an error, typically consent_required.
See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest for more information.
promptLogin
Sets the value for the prompt query parameter to 'login'.
The Authorization Server SHOULD prompt the End-User for reauthentication.
If it cannot reauthenticate the End-User, it MUST return an error, typically login_required.
See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest for more information.
promptNone
Sets the value for the prompt query parameter to 'none'.
The Authorization Server MUST NOT display any authentication or consent user interface pages.
See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest for more information.
promptSelectAccount
Sets the value for the prompt query parameter to 'select_account'.
The Authorization Server SHOULD prompt the End-User to select a user account.
See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest for more information.
providerMetadata
Answers:
<SstOIDCProviderMetadata>
uiLocales:
Sets the value of the 'ui_locales' (End-User's preferred languages and scripts for the user interface) query parameter.
See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest for more information.
Arguments:
aCollectionOfStrings: a <SequenceableCollection> of <String>
Last modified date: 01/13/2026