
Authentication API Reference

The following is an API reference for the Adobe Identity Management Services (IMS) APIs.

OpenID Configuration

This API allows you to view information about Adobe's OpenID configuration.

Request

curl -X GET 'https://ims-na1.adobelogin.com/ims/.well-known/openid-configuration'

Sample Response

{
  "issuer": "https://ims-na1.adobelogin.com",
  "authorization_endpoint": "https://ims-na1.adobelogin.com/ims/authorize/v2",
  "token_endpoint": "https://ims-na1.adobelogin.com/ims/token/v3",
  "userinfo_endpoint": "https://ims-na1.adobelogin.com/ims/userinfo/v2",
  "revocation_endpoint": "https://ims-na1.adobelogin.com/ims/revoke",
  "jwks_uri": "https://ims-na1.adobelogin.com/ims/keys",
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "id_token token",
    "code id_token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "profile"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "claims_supported": [
    "sub",
    "given_name",
    "family_name",
    "name",
    "email",
    "email_verified",
    "address"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit_grant",
    "refresh_token"
  ]
}

ID Token Keys

This API allows you to retrieve the keys with which the ID Tokens are signed.

Request

curl -X GET 'https://ims-na1.adobelogin.com/ims/keys'

Sample Response

{
  "keys": [
    {
      "alg": "RS256",
      "kty": "RSA",
      "use": "sig",
      "kid": "ims",
      "e": "AQAB",
      "n": "gBI3r_iauYJrKOTpEsFLeQ4TFktfzmNa30BK_84uh8mZ9N1NJ8VjOlwH9SzPD_gIpELaAaf2n7GeKN8kWYGtex6uCmz5iZZ3eDzryvTfvj3MwQx_XbGloz4QKQXSlCwADlOXP3-EhMqOVr3tVqQe0uX_TPn1F_b9yIONXAX1GwWTFb9UqNjjpFNOxuKJaAh6uod7Y9kmzw0GE4GvMs6AIjitxLNLlpeC8J3vyA0l4UWVJR9lwLjS1O0Lk07IfjAMMes6fonQ5AtzYewIOk4UdNCgb_XKpqLgYY_9J9nfIuBGVY-W7ZfHhXjA1AixQw6A4XoreGr5AnF5WMwd6DA7vw"
    },
    {
      "alg": "RS256",
      "kty": "RSA",
      "use": "sig",
      "kid": "ims_na1-key-1",
      "e": "AQAB",
      "n": "q2y0X2R0db3z6yUHWjnd3qppszntWcoel3WURBYekEcadjfxDFAWrAHX8OoceddD6n-qC_2b2GVJny45qKmhq8KFvVOUCMgUUY_ErnvrZXQl0r3USDpf5rxNOQuqxBl532Z9H17k2K_VdT5BL8xwYFYpKtOc-Vgi6Gz2KnhSXlOYBQW9PII2pGsCL4_uwIl32nibGnEDgJfnja01N-hUaLJikvR1OQuYPNaww6JcFQ_Z-_Jt4ec4YYOnrqOs7H7oE-hotwe57o5FxJlqPCccirysqlA7QU4lQxGw8qlIoU3S0WAzLqaxBOgiDET6sK_QVdq6A2TDo1NNY9ktzeW2ow"
    }
  ]
}
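
How a client can check an ID token against a key set shaped like the response above, as an added Python example (not Adobe's code). It assumes the ID token carries the standard OpenID Connect iss, aud, exp and nonce claims, which this page does not list; the function names are hypothetical, and the RS256 check is written out with the standard library only to make each step visible (a maintained JOSE library does the same work in production).

```python
import base64, hashlib, hmac, json, time

ISSUER = "https://ims-na1.adobelogin.com"  # "issuer" in the OpenID configuration
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo, RFC 8017

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def rs256_verify(jwk: dict, signing_input: bytes, signature: bytes) -> bool:
    """RSASSA-PKCS1-v1_5/SHA-256: rebuild the expected padded block and compare."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        return False
    digest_info = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(digest_info) - 3) + b"\x00" + digest_info
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), expected)

def validate_id_token(token, jwks, client_id, nonce, now=None):
    """Return the claims, or raise ValueError naming the check that failed."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        signature = b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("not JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "RS256":  # pin the advertised algorithm
        raise ValueError("unexpected alg")
    key = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid")
                and j.get("kty") == "RSA" and j.get("use") == "sig"), None)
    if key is None:
        raise ValueError("unknown kid")
    if not rs256_verify(key, f"{head_b64}.{body_b64}".encode(), signature):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), nonce.encode()):
        raise ValueError("nonce mismatch")
    return claims
```

The nonce argument is the value the client generated for the authorize request, so a token minted for a different session fails the last check.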

UserInfo

This API allows you to fetch information about a user.

Parameters

| Parameter | Mandatory | Description |
| --- | --- | --- |
| client_id | No | Your client ID |
| ACCESS_TOKEN | Yes | An access token obtained by your application on behalf of the user |

Request

curl -X GET 'https://ims-na1.adobelogin.com/ims/userinfo/v2?client_id={YOUR_CLIENT_ID}' \
  -H 'Authorization: Bearer {ACCESS_TOKEN}'

Sample Response

{
  "sub": "B0DC108C5CD449CA0A494133@c62f24cc5b5b7e0e0a494004",
  "account_type": "ent",
  "email_verified": true,
  "address": {
    "country": "US"
  },
  "name": "John Sample",
  "given_name": "John",
  "family_name": "Sample",
  "email": "jsample@email.com"
}

Response Object

| Property | Projected by scope | Description |
| --- | --- | --- |
| sub | openid | The user ID |
| account_type | profile | Can be one of two values: ind (user is an individual account) or ent (user is part of an organization) |
| email_verified | email | Whether the user's email address has been verified |
| address | address | User's address. Currently, only the two-digit country code is returned |
| name | profile | User's full name |
| given_name | profile | User's given name |
| family_name | profile | User's family name or last name |
| email | email | User's email address |

To fetch the keys with which the ID Tokens are signed, see ID Token Keys.

Authorize Request

Once a user lands on your application to initiate the OAuth authentication flow, your application should redirect the user to an Adobe IMS URL. While the URL endpoint is common, the query parameters are specific to your application.

Read on to find out more about constructing the full authorize URL with values for the different query parameters.

Parameters

Several query parameters are available to you as a developer to customize the user experience for your application. Some of the query parameters are mandatory, and others optional. Using the parameters outlined in the table below, you can construct the authorize URL for your application.

| Parameter | Mandatory | Description |
| --- | --- | --- |
| client_id | Yes | The client ID obtained from Adobe Developer Console. |
| redirect_uri | No | The URI to which the user agent is redirected once the authorization completes. Note that this URI must be HTTPS. The supplied value for this parameter is validated against the Redirect URI pattern supplied by you at the time of credential creation. If a redirect URI is not provided with the request or if it does not match the pattern, Adobe will redirect the response to the Default Redirect URI supplied by you at the time of credential creation. |
| scope | No | The requested scopes in the form of a list of space or comma-delimited, case-sensitive strings. See the OAuth 2.0 Scopes reference document for more information. |
| response_type | No | Possible values are code, token, id_token, id_token token, code id_token. The default response type for the Authorization code flow is code. |
| state | Recommended | Client-defined state data that is replayed back to the client. It must not be longer than 4096 characters and does not need to be a JSON object. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie. |
| nonce | No | String value used to associate a Client session with an ID Token and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. |
| prompt | No | Space-delimited, case-sensitive list of ASCII string values that specifies whether Adobe prompts the end-user for authentication or fails the authorize step if the user is not authenticated. Supported values: none, login. |
| code_challenge_method | No, defaults to plain | Possible values: S256, plain |
| code_challenge | Required for Public Clients | The code_challenge parameter is a security measure to confirm whether the authorize and token requests originated from the same application. |
| response_mode | No | Possible values: query, fragment. For more information, refer to this openid documentation. |

The prompt values behave as follows:
  • none → Does not show any UI. Either returns successfully with a valid authentication response or returns with an error.
    • error=login_required → No user is logged in.
    • error=consent_required → User is logged in, but has not granted access to your app.
    • error=interaction_required → User is logged in and has granted access to your app, but there is some other action they need to perform (Accept terms of use, etc.).
  • login → Even if the user is authenticated, they will see the login screen.
  • No value supplied → Default behavior.

A code_challenge is paired with a code_verifier. A code_verifier is a random string of at least 43 characters (see allowed character set).

Based on the code_challenge_method, the code_challenge is then derived as follows:
  • If code_challenge_method = plain, then code_challenge = code_verifier
  • If code_challenge_method = S256, then code_challenge = BASE64_URL_ENCODE(SHA256(code_verifier))

The code_challenge is sent with the authorize request, while the corresponding code_verifier is sent with the token request. For more information, read the Proof Key for Code Exchange by OAuth Public Clients documentation.
You can use online tools to experiment with code_challenge and code_verifier.

If response_mode is not specified, the following defaults are applied:
  • code → query
  • token → fragment
  • id_token → fragment
  • id_token token → fragment
  • code id_token → fragment

Constructing the Request URL for OAuth Web App and OAuth Web Credentials

Note: The request URL has been split into multiple lines for readability. A complete request path includes multiple parameters separated by an ampersand (&) with no spaces or line breaks.

https://ims-na1.adobelogin.com/ims/authorize/v2
  ?client_id={CLIENT_ID}
  &redirect_uri={REDIRECT_URI}
  &scope={SCOPES}
  &state={STATE}
  &response_type=code

Sample Request URL

https://ims-na1.adobelogin.com/ims/authorize/v2?client_id=202b135c20864fbfb26a46522aa2433b&redirect_uri=https://www.myapp.com/OAuth/callback&scope=openid,creative_sdk&state=90cff02f-da33-46ec-985c-1f5cf2f9644a&response_type=code

Note: Ensure that you are using the latest version (v2) of the /authorize endpoint.

Constructing the Request URL for all other OAuth credentials

Note: The request URL has been split onto multiple lines for readability. A complete request path includes multiple parameters separated by an ampersand (&) with no spaces or line breaks.

https://ims-na1.adobelogin.com/ims/authorize/v2
  ?client_id={CLIENT_ID}
  &code_challenge={CODE_CHALLENGE}
  &code_challenge_method=S256
  &redirect_uri={REDIRECT_URI}
  &scope={SCOPES}
  &state={STATE}
  &response_type=code

Sample Request URL

https://ims-na1.adobelogin.com/ims/authorize/v2?client_id=135c20864fbfb26a46522aa2433b&code_challenge=c9vBtg5G7DupTxSYODrpd2LpBeECiSTTQtQclGNMklM&code_challenge_method=S256&redirect_uri=https://www.myapp.com/OAuth/callback&scope=openid,creative_sdk&state=90cff02f-da33-46ec-985c-1f5cf2f9644a&response_type=code

Note: Ensure that you are using the latest version (v2) of the /authorize endpoint.

Successful response

After the user has authenticated and granted consent to your application, the user agent will be redirected to {YOUR_REDIRECT_URI} with parameters determined by the response_type sent in the request.

| Response Type (response_type) | Parameters |
| --- | --- |
| token | access_token={ACCESS_TOKEN}&state={STATE}&token_type=bearer&expires_in=86399 |
| code | code={AUTHORIZATION_CODE}&state={STATE} |
| id_token | id_token={ID_TOKEN}&state={STATE} |
| id_token token | id_token={ID_TOKEN}&access_token={ACCESS_TOKEN}&state={STATE}&token_type=bearer&expires_in=86399 |
| code id_token | id_token={ID_TOKEN}&code={AUTHORIZATION_CODE}&state={STATE} |

  • token_type will always be bearer.
  • expires_in is the validity of the token in seconds.

The parameters will be in the query or the fragment, according to the response_mode parameter included in the request. If a response_mode is not specified, the default values are used as shown in the Authorization parameters table.
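
The state, nonce and PKCE parameters from the Authorize Request table, combined into one authorize request and checked again on the redirect, as an added Python example (not code from Adobe's documentation). start_login, finish_login and the session dictionary are hypothetical names; the session is assumed to be stored server-side and tied to the browser by a cookie.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://ims-na1.adobelogin.com/ims/authorize/v2"  # from this page

def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding PKCE (RFC 7636) uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64_URL_ENCODE(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

def start_login(client_id: str, redirect_uri: str, scopes: str):
    """Return (authorize_url, session). Store session server-side, keyed by a cookie."""
    session = {
        "state": secrets.token_urlsafe(32),                 # CSRF binding
        "nonce": secrets.token_urlsafe(32),                 # echoed in the ID token
        "code_verifier": b64url(secrets.token_bytes(32)),   # 43 characters
    }
    query = urlencode({
        "client_id": client_id,
        "code_challenge": s256_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",  # set explicitly: the default is plain
        "redirect_uri": redirect_uri,
        "scope": scopes,
        "state": session["state"],
        "nonce": session["nonce"],
        "response_type": "code",
    })
    return f"{AUTHORIZE_URL}?{query}", session

def finish_login(callback_url: str, session: dict) -> dict:
    """Check the redirect against the session; return the token request form fields."""
    params = parse_qs(urlsplit(callback_url).query)  # response_type=code arrives in the query
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    returned_state = params.get("state", [""])[0]
    if not hmac.compare_digest(returned_state.encode(), session["state"].encode()):
        raise ValueError("state mismatch, discard this response")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return {"grant_type": "authorization_code", "code": code,
            "code_verifier": session["code_verifier"]}
```

The dictionary returned by finish_login is the form body for the token request; the code_verifier never leaves the server until that point.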

Fetching Access tokens

Once the user grants access to your application, your application can fetch access tokens by using the tokens API.

Parameters

Parameters can be sent in the body or as query parameters. Passing parameters in the body is recommended for sensitive data, as query parameters may be logged by app servers.

| Parameter | Mandatory | Description |
| --- | --- | --- |
| authorization_code | Yes | The value of the code query/fragment parameter returned in the callback request from the authorize step |
| grant_type | Yes | Value should always be authorization_code |
| authorization | Required for confidential clients | Basic Authorization header. Authorization: Basic Base64(clientId:clientSecret) |
| client_id | Required for PUBLIC clients | The Client ID obtained from the Adobe Developer Console |
| code_verifier | Required for PUBLIC clients | Code verifier corresponding to the code_challenge sent during authorize request. |

Request for OAuth Web App and OAuth Web credentials

curl -X POST 'https://ims-na1.adobelogin.com/ims/token/v3' \
  -H 'Authorization: Basic {AUTHORIZATION}' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'code={AUTHORIZATION_CODE}&grant_type=authorization_code'

Request for all other OAuth credentials

curl -X POST 'https://ims-na1.adobelogin.com/ims/token/v3?client_id={CLIENT_ID}' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'code={AUTHORIZATION_CODE}&grant_type=authorization_code&code_verifier={CODE_VERIFIER}'

Sample Response

{
  "access_token": "{ACCESS_TOKEN}",
  "refresh_token": "{REFRESH_TOKEN}",
  "sub": "B0DC108C5CD449CA0A494133@c62f24cc5b5b7e0e0a494004",
  "id_token": "{ID_TOKEN}",
  "token_type": "bearer",
  "expires_in": 86399
}

Note: The refresh token is only present if the offline_access scope is requested in the authorize step and subsequently consented to by the user.

Response Object

| Property | Description |
| --- | --- |
| access_token | Generated access token. By default they expire in 24 hours. |
| refresh_token | Generated refresh token. By default they expire in 14 days. |
| token_type | Token type will always be bearer. |
| id_token | Generated ID token. Present if openid is added as scope. See the OAuth 2.0 Scopes reference document for more information. |
| expires_in | Validity of access token in seconds. |

Refreshing Access tokens

Once you have fetched the access tokens for a user, you may also be provided a refresh token in the response. A refresh token is only presented when the offline_access scope is requested in the authorize step. Please note that, for security reasons, not all APIs and Services support the offline_access scope.

Parameters

| Parameter | Mandatory | Description |
| --- | --- | --- |
| refresh_token | Yes | The base64-encoded refresh token received in the response to the initial request for an access token |
| grant_type | Yes | The value is always refresh_token |
| client_id | Only for PUBLIC clients | The client ID obtained from Adobe Developer Console |
| authorization | Only for Confidential clients | Basic Authorization header. Authorization: Basic Base64(clientId:clientSecret) |

Request for OAuth Web App and OAuth Web credentials

curl -X POST 'https://ims-na1.adobelogin.com/ims/token/v3' \
  -H 'Authorization: Basic {AUTHORIZATION}' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=refresh_token&refresh_token={REFRESH_TOKEN}'

Request for all other OAuth credentials

curl -X POST 'https://ims-na1.adobelogin.com/ims/token/v3?client_id={CLIENT_ID}' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=refresh_token&refresh_token={REFRESH_TOKEN}'

Sample Response

{
  "access_token": "{ACCESS_TOKEN}",
  "refresh_token": "{REFRESH_TOKEN}",
  "token_type": "bearer",
  "expires_in": 86399
}

Response Object

| Property | Description |
| --- | --- |
| access_token | Generated access token |
| refresh_token | Generated refresh token. offline_access scope is needed for this to be returned. See the OAuth 2.0 Scopes reference document for more information. |
| token_type | Token type will always be bearer. |
| expires_in | Validity of access token in seconds. |

Token revocation

Use this API to revoke an access token or refresh token.

Note: Users can also revoke your application's access to their data by visiting the Connected Applications page on their Adobe account. If a user revokes access to your application and then visits your application, the authorization workflow will prompt the user for their consent again.

Parameters

Parameters can be sent in the body or as query parameters. Passing parameters in the body is recommended for sensitive data, as query parameters may be logged by app servers.

| Parameter | Mandatory | Description |
| --- | --- | --- |
| AUTHORIZATION | Required only for OAuth Web and OAuth WebApp type credentials | Basic Authorization header. Authorization: Basic Base64(clientId:clientSecret) |
| client_id | Required only for OAuth Android, OAuth iOS, OAuth Single Page App and OAuth Native App credentials | Your client id |
| token | Yes | The access token or refresh token to be invalidated |

Request for OAuth Web and OAuth Web App credentials

curl -X POST 'https://ims-na1.adobelogin.com/ims/revoke' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Authorization: Basic {AUTHORIZATION}' \
  -d 'token={TOKEN}'

Request for all other OAuth credentials

curl -X POST 'https://ims-na1.adobelogin.com/ims/revoke?client_id={CLIENT_ID}' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'token={TOKEN}'

Response

A successful response returns HTTP Status 200 (OK) and no response body.
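
The token and revocation sections both note that query parameters may be logged by app servers. The following added Python example (not part of Adobe's documentation) audits access-log lines for the credential-bearing parameters named on this page and masks their values; the log format, the sample lines and the function names are constructed for illustration.

```python
import re

# Parameters from this page whose values are bearer secrets or one-time codes.
SENSITIVE = ("access_token", "refresh_token", "id_token", "token",
             "code", "code_verifier")
# The lookbehind keeps "code" from matching inside "authorization_code", and the
# "=" after the name keeps the value of response_type=code from matching.
_PARAM = re.compile(r"(?<![\w-])(" + "|".join(SENSITIVE) + r")=([^&\s\"'#]+)")

def scrub(line: str):
    """Return (line with secret values masked, sorted names that were found)."""
    found = set()

    def mask(match):
        found.add(match.group(1))
        return match.group(1) + "=[REDACTED]"

    return _PARAM.sub(mask, line), sorted(found)

# Constructed access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - "GET /OAuth/callback?code=CONSTRUCTED_CODE&state=90cff02f HTTP/1.1" 200',
    '198.51.100.4 - - "POST /ims/token/v3?client_id=CONSTRUCTED_ID&grant_type=refresh_token&refresh_token=CONSTRUCTED_RT HTTP/1.1" 200',
    '198.51.100.4 - - "GET /login?response_type=code&prompt=login HTTP/1.1" 302',
]

def audit(lines):
    """Return [(line_number, leaked_names, redacted_line)] for lines that leak."""
    hits = []
    for number, line in enumerate(lines, start=1):
        redacted, names = scrub(line)
        if names:
            hits.append((number, names, redacted))
    return hits
```

The first sample line shows that the authorization code reaches the application's own access log whenever response_type=code is delivered in the query, so the same masking belongs in the redirect handler's logging.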

Copyright © 2022 Adobe. All rights reserved.