This page contains a list of all available OAuth related endpoints, what parameters they take and what output they may provide. If you're looking to implement the bare minimum, you'll only have to care about GET flashii.net/oauth2/authorize and POST api.flashii.net/oauth2/token.

To learn more about discovering authorization server metadata, see oauth:discovery.

To learn more about discovering authorization server metadata, see oauth:discovery.

To learn more about discovering authorization server metadata, see oauth:discovery.

To learn more about discovering authorization server metadata, see oauth:discovery.

For more details on how to use OpenID Connect with Flashii, see oauth:openid.

For more details on how to use OpenID Connect with Flashii, see oauth:openid.

A shorter alternative for the GET flashii.net/oauth2/verify. Used in the response body for POST api.flashii.net/oauth2/request-authorize.

For more details on how to use the normal authorization flow, see oauth:authorize.

Page through which a user reviews an authorization request.

• response_type (required) - Response type of the token request. Must be either code for normal authorization requests or code id_token for OpenID Connect authorization requests.
• client_id (required) - Client ID for the client/application that is making this authorization request.
• redirect_uri (required) if more than one URI is registered, (optional) if there's only one - Redirect URI to return to after the user has reviewed the authorization request. Must be registered. If the an unknown redirect URI is specified, the error will be rendered to the user without redirecting.
• scope (optional) - Scope of this authorization request.
• state (optional) - A state parameter that will be included in the query parameters of the redirect_uri value. May not be longer than 1000 characters.
• code_challenge (required) if public client, (optional) if confidential client - PKCE code challenge, if code_challenge_method is S256 the value must be 43 characters long and contain a URI BASE64 encoded SHA256 HMAC hash, if plain the value must be be at least 43 characters and at most 128 characters. S256 is recommended.
• code_challenge_method (optional) - Processing method for the code_challenge value. If specified, must be either plain for passthru, or S256 for HMAC SHA256. If left unspecified, plain will be used. If specified, code_challenge must also be specified.

• HTTP 200 text/html: A HTML document through which the user reviews the authorization request. If the specified redirect_uri is recognized, the user agent will be redirect to it with the outcome of the authorization request. In both cases the state parameter will be passed along. If an error parameter is included, an additional error_description parameter containing an English explanation of the error may be included, an additional error_uri parameter containing a URI to relevant documentation may also be included.
  • If the user approved the authorization request, the user agent will redirect to the relevant URI with the code parameter set to an authorization code that can be used with the authorization code token flow. Optionally, if the openid scope was requested, an id_token token containing a JWT will be included.
  • If the user denied the authorization request, the user agent will redirect to the relevant URI with the error parameter set to access_denied.
  • If a server error (HTTP 500) occurred, the user agent will redirect to the relevant URI with the error parameter set to server_error.
  • If a public client attempted to request authorization without a PKCE challenge_code parameter, the user agent will redirect to the relevant URI with the error parameter set to invalid_request.
  • If the user waited too long before pressing the Authorize button, the user agent will redirect to the relevant URI with the error parameter set to invalid_request.
  • If the code_challenge and/or code_challenge_method parameters are not set to an acceptable value, the user agent will redirect to the relevant URI with the error parameter set to invalid_request.
  • If the response_type parameter is not set to an acceptable value, the user agent will redirect to the relevant URI with the error parameter set to unsupported_response_type.
  • If an unsupported scope is requested in the scope parameter, the user agent will redirect to the relevant URI with the error parameter set to invalid_scope. The error_description message will contain which requested value caused the problem.

To learn more about the device token authorization, see oauth:device-authorize.

User verification page for the device token flow.

• code (optional) - Value of user_code received in the response body of POST api.flashii.net/oauth2/request-authorize.

• HTTP 200 text/html: A HTML document through which the user reviews the authorization request. The document will either confirm that that the authorization request succeeded or explain why it failed. No redirects will occur.