Create the Authorization URL

The Okta Identity Provider that you created in the second step generated an authorize URL with a number of blank parameters that you can fill in to test the flow with the Identity Provider. The authorize URL initiates the authorization flow that authenticates the user with the Identity Provider.

Note: Use this step to test your authorization URL as an HTML link. For information on using the Sign-in Widget, Okta Hosted Sign-in Page, or AuthJS, see the next step.

In the URL, replace ${yourOktaDomain} with your org's base URL, and then replace the following values:

  • client_id — use the client_id value that you obtained from the OpenID Connect client application in the previous section. This is not the client_id from the Identity Provider.

  • response_type — determines which flow is used. For the Implicit flow, this should be id_token. For the Authorization Code flow, this should be code.

  • response_mode — determines how the authorization response should be returned. This should be fragment.

  • scope — determines the claims that are returned in the ID token. Include the scopes that you want to request authorization for and separate each by a space. You need to include at least the openid scope. You can request any of the standard OpenID Connect scopes about users, such as profile and email as well as any custom scopes specific to your Identity Provider.

  • redirect_uri — the location where Okta returns a browser after the user finishes authenticating with their Identity Provider. This URL must start with https and must match one of the redirect URIs that you configured in the previous section.

  • state — protects against cross-site request forgery (CSRF). Can be any value.

  • nonce — a string included in the returned ID token. Use it to associate a client session with an ID token and to mitigate replay attacks. Can be any value.

For a full explanation of all of these parameters, see: /authorize Request parameters.

An example of a complete URL looks like this: