Redirect Required: Your application will need to redirect to this endpoint instead of making a direct API call.
Tenant Vanity Domain Required: When calling this API you need to use the vanity domain of the tenant that the user is logging in to.
OIDC Compliant: This endpoint is compliant with the OIDC Authorization Endpoint (Authorization Code Flow) specification.
Initiates a user login request for a specific tenant. The tenant vanity domain in the request identifies the tenant the user is logging into. When this endpoint is redirected to, one of the following responses will be returned:
- If the request fails and the client's redirect URI can't be determined or the client ID is invalid, this API returns a redirect to either the default Wristband error page or a custom error page, if one is configured.
- If the given request fails and the client's redirect URI is valid, then this API returns a 302 redirect to the client's redirect URI with the appropriate error code.
- If the request is valid but the user is not authenticated (i.e., a valid auth session cookie is not present), the user will be redirected to either the Wristband-hosted login page or a custom login page, if configured. The `prompt` param must also either be set to `login` or not be set at all. If the `prompt` param is set to `none` then a 302 redirect to the client's redirect URI will be returned with a `login_required` error code.
- If the request is valid and the user is authenticated (i.e., a valid auth session cookie is present), but the `prompt` param is set to `login`, then the user will be redirected to either the Wristband-hosted login page or a custom login page, if one is configured.
- If the request is valid and the user is authenticated (i.e., a valid auth session cookie is present) and the `prompt` query param is set to `none`, or is not set at all, then this API will return a redirect to the client's redirect URI with an authorization code.
Note: If a response is returned that redirects to a login page, then an authorization request JWT will be created (composed of the original authorization request parameters) and appended to the URL using the `req` query parameter. The authorization request JWT can then be used by the login page to infer the original authorization request parameters by introspecting the JWT using the Introspect Authorization Request Token API.
Error Codes:
Below is a list of error codes that can be returned on redirects to the client's callback URI.
- `invalid_request`: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.
- `unauthorized_client`: The client is not authorized to request an authorization code, usually because the client doesn't support the `authorization_code` grant type.
- `access_denied`: The resource owner or authorization server denied the request.
- `unsupported_response_type`: The response type specified in the request is not supported.
- `invalid_scope`: The requested scope is invalid, unknown, or malformed.
- `server_error`: The authorization server encountered an unexpected condition that prevented it from fulfilling the request.
- `temporarily_unavailable`: The authorization server is currently unable to handle the request due to a temporary overload or maintenance of the server.
- `login_required`: The authorization request does not have a valid auth session associated with it and requires the user to authenticate.
- `request_not_supported`: Returned if the OIDC `request` parameter is specified in the request.
- `request_uri_not_supported`: Returned if the OIDC `request_uri` parameter is specified in the request.
- `registration_not_supported`: Returned if the OIDC `registration` parameter is specified in the request.
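
A callback handler for the redirects described above, as an added example that is not Wristband's code. The `code`, `error` and `state` query parameter names come from the OAuth 2.0 / OIDC specifications rather than this page, and the callback URL and the action names returned are hypothetical.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

# Error codes listed on this page, grouped by how the client should react.
REAUTHENTICATE = {"login_required"}
RETRY_LATER = {"server_error", "temporarily_unavailable"}
DENIED = {"access_denied"}
CLIENT_CONFIG = {
    "invalid_request", "unauthorized_client", "unsupported_response_type",
    "invalid_scope", "request_not_supported", "request_uri_not_supported",
    "registration_not_supported",
}

def classify_callback(callback_url, expected_state):
    """Return (action, detail) for a redirect to the client's redirect URI."""
    params = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    # A parameter that appears more than once is malformed; never pick one.
    for name in ("code", "error", "state"):
        if len(params.get(name, [])) > 1:
            return ("reject", f"duplicate {name} parameter")
    # Constant-time state check binds the response to this browser session
    # before anything else in the URL is trusted.
    state = params.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(
            state.encode(), expected_state.encode()):
        return ("reject", "state mismatch")
    error = params.get("error", [None])[0]
    code = params.get("code", [None])[0]
    if error is not None and code is not None:
        return ("reject", "both code and error present")
    if error is not None:
        if error in REAUTHENTICATE:
            # prompt=none found no auth session: send the user through login.
            return ("interactive_login", error)
        if error in RETRY_LATER:
            return ("retry_later", error)
        if error in DENIED:
            return ("show_denied", error)
        if error in CLIENT_CONFIG:
            return ("fix_client_config", error)
        return ("reject", "unknown error code")
    if code:
        return ("exchange_code", code)
    return ("reject", "neither code nor error present")
```
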