OIDC Flows
Manage OpenID Connect authentication flows including login, registration, callback handling, and token exchange.
Get Available OIDC Providers
Returns the list of active OIDC providers configured for the login page.
Endpoint: GET /uflow/oidc/providers
Response
Success (200):
{
  "providers": [
    {
      "provider_name": "google",
      "display_name": "Google",
      "icon_url": "string"
    }
  ]
}
Initiate OIDC Flow (Unified)
Starts an OIDC flow. If tenant_domain is empty, the flow runs in "discover" mode to find an existing user across tenants.
Endpoint: POST /uflow/oidc/initiate
Request Body
{
  "provider": "string",
  "tenant_domain": "string",
  "redirect_uri": "string"
}
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| provider | string | Yes | OIDC provider name (e.g., google, github, microsoft) |
| tenant_domain | string | No | Tenant domain. Empty for discover mode |
| redirect_uri | string | Yes | Redirect URI after authentication |
Response
Success (200):
{
  "redirect_url": "string",
  "state": "string"
}
Error Responses:
400 - Bad Request
404 - Tenant not found
Initiate OIDC Login
Starts an OIDC flow specifically for logging in.
Endpoint: POST /uflow/oidc/login/initiate
Request Body
{
  "provider": "string",
  "tenant_domain": "string",
  "redirect_uri": "string"
}
Response
Success (200):
{
  "redirect_url": "string",
  "state": "string"
}
Error Responses:
400 - Bad Request
Initiate OIDC Registration
Starts an OIDC flow for registering a new tenant via social login.
Endpoint: POST /uflow/oidc/register/initiate
Request Body
{
  "provider": "string",
  "tenant_domain": "string",
  "redirect_uri": "string"
}
Response
Success (200):
{
  "redirect_url": "string",
  "state": "string"
}
Error Responses:
400 - Bad Request
409 - Tenant domain already exists
OIDC Callback Handler
Handles the callback from the OIDC provider after authentication. Part of the traditional redirect flow.
Endpoint: GET /uflow/oidc/callback
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| code | string | Yes | Authorization code from provider |
| state | string | Yes | State token for CSRF protection |
Response
Success (200):
{
  "access_token": "string",
  "refresh_token": "string",
  "token_type": "bearer",
  "expires_in": 3600,
  "user": {
    "email": "string",
    "name": "string"
  }
}
Error Responses:
400 - Bad Request - invalid code or state
500 - Internal Server Error
Exchange OIDC Code for JWT Token
Receives the authorization code from a single-page application (SPA) and exchanges it for a session JWT. This is the recommended flow for SPAs.
Endpoint: POST /uflow/oidc/exchange-code
Request Body
{
  "code": "string",
  "state": "string",
  "redirect_uri": "string"
}
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| code | string | Yes | Authorization code from provider |
| state | string | Yes | State token |
| redirect_uri | string | Yes | Redirect URI (must match initiation) |
Response
Success (200):
{
  "access_token": "string",
  "refresh_token": "string",
  "email": "string",
  "token_type": "bearer"
}
Error Responses:
400 - Bad request - invalid input
401 - Unauthorized - invalid code or state
500 - Internal Server Error
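The SPA side of this flow, as an added example that is not the project's own code: it builds the initiate request, keeps the returned state, and only builds the exchange-code request when the provider's redirect carries that same state and landed on the same redirect_uri. The helper names, the `pending` record and the sample values used with it are assumptions; the `code`, `state` and `error` query parameters on the redirect follow standard OAuth 2.0 behaviour.

```javascript
// Added example, not the project's code. Endpoint paths and JSON field names
// are from this page; helper names and the `pending` record are assumptions.

// Request for POST /uflow/oidc/initiate. An empty tenant_domain selects
// "discover" mode, as described for the unified initiate endpoint.
function buildInitiateRequest(provider, tenantDomain, redirectUri) {
  return {
    method: "POST",
    path: "/uflow/oidc/initiate",
    body: { provider, tenant_domain: tenantDomain || "", redirect_uri: redirectUri },
  };
}

// What the SPA must keep between initiate and the provider's redirect.
// In a browser this record would sit in sessionStorage (assumption).
function rememberPending(initiateResponse, redirectUri) {
  return { state: initiateResponse.state, redirectUri };
}

// Check the provider's redirect, then build POST /uflow/oidc/exchange-code.
// Throws when the callback does not belong to the flow this client started.
function buildExchangeRequest(callbackUrl, pending) {
  const url = new URL(callbackUrl);
  const params = url.searchParams;
  if (params.has("error")) {
    throw new Error("provider_error:" + params.get("error"));
  }
  const code = params.get("code");
  const state = params.get("state");
  if (!code || !state) throw new Error("missing_code_or_state");
  if (!pending || !pending.state) throw new Error("no_pending_flow");
  if (state !== pending.state) throw new Error("state_mismatch");
  // Assumes the registered redirect URI carries no query string of its own.
  if (url.origin + url.pathname !== pending.redirectUri) {
    throw new Error("redirect_uri_mismatch");
  }
  pending.state = null; // single use: a replayed callback is rejected
  return {
    method: "POST",
    path: "/uflow/oidc/exchange-code",
    body: { code, state, redirect_uri: pending.redirectUri },
  };
}
```

Clearing the stored state after one successful check means a second delivery of the same callback URL fails before any request is sent to the API.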
Complete OIDC Registration
Completes registration for a new user after discover mode, with a chosen tenant domain.
Endpoint: POST /uflow/oidc/complete-registration
Request Body
{
  "tenant_domain": "string",
  "email": "string",
  "name": "string",
  "state": "string"
}
Response
Success (200):
{
  "access_token": "string",
  "refresh_token": "string",
  "token_type": "bearer"
}
Error Responses:
400 - Bad Request
500 - Internal Server Error
Check Tenant Domain Availability
Checks if a tenant domain is available for registration.
Endpoint: GET /uflow/oidc/check-tenant
Response
Success (200):
{
  "available": true,
  "tenant_domain": "string"
}