) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.
Developers
Authorization
The authorization endpoint handles authentication and authorization of a user.
To present the Login.gov authorization page to a user, direct them to the
/openid_connect/authorize. View an example for private_key_jwt or PKCE in the side panel.
Request Parameters
acr_values
The Authentication Context Class Reference requests can be used to specify the type of service level* or the AAL (Authentication Assurance Level) for the user. These and the
scope determine which user attributes will be available in the user info response.
Multiple values can be joined with a space (before being URI-escaped in the final URL).
We default to requiring a user to be authenticated with a second factor:
urn:gov:gsa:ac:classes:sp:PasswordProtectedTransport:duo
This specifies that a user has been authenticated with a second factor. This value will be returned in the user attributes by default. We do not allow strict AAL1, because it implies that a user did not authenticate with a second factor. This setting requires users to reauthenticate with a separate second factor (i.e. not a remembered device) once every 30 days at a minimum.
Stricter behavior can be specified by adding one of:
http://idmanagement.gov/ns/assurance/aal/2
This is the same as the default behavior except users must authenticate with a separate second factor (i.e. not a remembered device).http://idmanagement.gov/ns/assurance/aal/2?phishing_resistant=true
This specifies that a user has been authenticated with a crytographically secure method, such as WebAuthn or using a PIV/CAC. Users must always authenticate with a second factor.http://idmanagement.gov/ns/assurance/aal/2?hspd12=true
This specifies that a user has been authenticated with an HSPD12 credential (requires PIV/CAC). Users must always authenticate with a second factor.
These are not recommended, and only for legacy compatibility.
http://idmanagement.gov/ns/assurance/loa/1
Equivalent to IAL1http://idmanagement.gov/ns/assurance/loa/3
Equivalent to identity verified account
client_id
The unique identifier for the client. This will be registered with the Login.gov IdP in advance.
code_challenge
required for PKCE
The RFC 4648 URL-safe Base64 encoding of the SHA256 binary digest of a random value generated by the client. The original random value is referred to as the
code_verifier and is later used with the token endpoint. Generating these values in Ruby might look like this, for example:
Correct Example
code_verifier = SecureRandom.hex
=> "5787d673fb784c90f0e309883241803d"
code_challenge = Digest::SHA256.digest(code_verifier)
=> "\xD4\x15)\xC7-\xFBJ\x82\x0F\x98\xAC=\xEB\x06\xDD\xE8\xC0\xDC\xBD\xAC\x8Ebm\xE9\xB5?\xB3m\xEE\x8B\xFF3" # binary digest
url_safe_code_challenge = Base64.urlsafe_encode64(code_challenge)
# RFC 4648 URL-safe Base64 encoding replaces "+" with "-" and "/" with "_"
=> "1BUpxy37SoIPmKw96wbd6MDcvayOYm3ptT-zbe6L_zM="
Incorrect Example
=> "1BUpxy37SoIPmKw96wbd6MDcvayOYm3ptT-zbe6L_zM"
Base64.encode64(code_challenge) # wrong and URL-unsafe encoding
=> "1BUpxy37SoIPmKw96wbd6MDcvayOYm3ptT+zbe6L/zM=" # wrong and URL-unsafe encoding
code_challenge_method
required for PKCE
This must be
S256, the only PKCE code challenge method supported.
prompt
This must be
select_account
response_type
This must be
code
redirect_uri
The URI Login.gov will redirect to after a successful authorization.
scope
A space-separated string of the scopes being requested. (Keep in mind the blank space “ “ should be encoded with “+”.) The authorization page will display the list of attributes being requested from the user. Applications should aim to request the fewest user attributes and smallest scope needed.
Possible values are:
openidaddressemailall_emailsphoneprofile:birthdateprofile:nameprofile:verified_atprofilesocial_security_numberx509x509:issuerx509:presentedx509:subject
state
A unique value, at least 22 characters in length, used for maintaining state between the request and the callback. This value will be returned to the client on a successful authorization.
nonce
A unique value, at least 22 characters in length, used to verify the integrity
of the
id_token and mitigate
replay attacks.
This value should include per-session state and be unguessable by attackers. This value will be present in the
id_token of the token endpoint response,
where clients will verify that the nonce claim value is equal to the value of the nonce parameter sent in the authentication request.
Read more about nonce implementation in the spec.
locale
optional
If you know that a user would prefer one of our alternative language translations (currently Spanish or French), you can include the
locale parameter to specify the language Login.gov should use (either es for Spanish or fr for French).
https://idp.int.identitysandbox.gov/openid_connect/authorize?
acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&
client_id=${CLIENT_ID}&
code_challenge=${CODE_CHALLENGE}&
code_challenge_method=S256&
nonce=${NONCE}&
prompt=select_account&
redirect_uri=${REDIRECT_URI}&
response_type=code&
scope=openid+email&
state=abcdefghijklmnopabcdefghijklmnop
https://idp.int.identitysandbox.gov/openid_connect/authorize?
acr_values=http%3A%2F%2Fidmanagement.gov%2Fns%2Fassurance%2Fial%2F1&
client_id=${CLIENT_ID}&
nonce=${NONCE}&
prompt=select_account&
redirect_uri=${REDIRECT_URI}&
response_type=code&
scope=openid+email&
state=abcdefghijklmnopabcdefghijklmnop
Authorization response
After an authorization, Login.gov will redirect to the provided redirect_uri.
In a successful authorization, the URI will contain the two parameters code and state:
- code — A unique authorization code the client can pass to the token endpoint.
- state — The
statevalue originally provided by the client. Validate that the value is the same.
In an unsuccessful authorization, the URI will contain the parameters error and state, and optionally error_description:
- error — The error type, either:
access_denied— The user has either cancelled or declined to authorize the client.invalid_request— The authorization request was invalid. Theerror_descriptionparameter will provide a description.
- error_description — A description of the error.
- state — The
statevalue originally provided by the client.
https://agency.gov/response?
code=12345&
state=abcdefghijklmnopabcdefghijklmnop
https://agency.gov/response?
error=access_denied&
state=abcdefghijklmnopabcdefghijklmnop
*Login.gov continues to work toward achieving certification of compliance with NIST’s IAL2 standard from a third-party assessment organization.
