Authorization
The authorization endpoint initiates the OAuth2 Authorization Code flow. Aero2 requires PKCE with S256 for all authorization requests.
GET /oauth2/authorize
Initiates the OAuth2 Authorization Code flow with PKCE. Redirects the user to authenticate, then returns an authorization code to the redirect_uri. PKCE with S256 is mandatory.
| Parameter | In | Type | Description |
|---|---|---|---|
| client_id* | query | string | The registered OAuth client ID |
| redirect_uri* | query | string | Must match a registered redirect URI for the client |
| response_type* | query | string | Must be "code" |
| scope | query | string | Space-separated scopes: openid, profile, email |
| state | query | string | Opaque value for CSRF protection |
| code_challenge* | query | string | PKCE code challenge (base64url-encoded SHA-256 of the code_verifier) |
| code_challenge_method* | query | string | Must be "S256" |
| nonce | query | string | Value included in the ID token for replay protection |
\* required
Response
HTTP 302 → redirect_uri?code=abc123&state=xyz
Flow Overview
- Your app generates a PKCE `code_verifier` and `code_challenge`
- Redirect the user to `/oauth2/authorize` with the challenge
- The user authenticates with Aero2
- Aero2 redirects back to your `redirect_uri` with an authorization `code`
- Exchange the code at the Token endpoint with the `code_verifier`
See Authorization Code Flow for a detailed walk-through.
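The following is an added client-side example, not code from Aero2 or its SDK, covering both the parameter table and the flow overview above: it generates a PKCE `code_verifier`/`code_challenge` pair (S256), builds the `/oauth2/authorize` request with every required parameter, and validates the callback by checking `state` before trusting the returned `code`. The base URL `https://aero2.example` and the client/redirect values are assumptions for illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed Aero2 base URL for this example (not a documented value).
AERO2_BASE = "https://aero2.example"
AUTHORIZE_PATH = "/oauth2/authorize"


def make_code_verifier() -> str:
    """Random PKCE verifier: 43-128 unreserved characters (RFC 7636).

    token_urlsafe(64) yields 86 base64url characters, inside that range.
    """
    return secrets.token_urlsafe(64)


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(ascii(verifier))) with '=' padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id: str, redirect_uri: str, code_challenge: str,
                        state: str, nonce: str,
                        scope: str = "openid profile email") -> str:
    """Build the GET /oauth2/authorize URL with all mandatory parameters."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",          # must be "code"
        "scope": scope,
        "state": state,                   # opaque CSRF binding, stored per session
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",  # the only method Aero2 accepts
        "nonce": nonce,                   # echoed in the ID token for replay checks
    }
    return f"{AERO2_BASE}{AUTHORIZE_PATH}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code from the 302 target, or raise if it is untrustworthy.

    The state is compared in constant time against the value saved when the
    request was built; a mismatch means the callback did not originate from
    this session and the code must be discarded.
    """
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale session")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def start_flow(client_id: str, redirect_uri: str) -> dict:
    """Generate per-request secrets and the redirect URL; persist the dict server-side."""
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    url = build_authorize_url(client_id, redirect_uri, make_code_challenge(verifier),
                              state, nonce)
    # code_verifier is kept secret until the token exchange; only the challenge leaves the app.
    return {"code_verifier": verifier, "state": state, "nonce": nonce, "authorize_url": url}


if __name__ == "__main__":
    session = start_flow("my-client-id", "https://app.example/callback")  # constructed values
    print("Redirect the user to:", session["authorize_url"])
    # Constructed callback mirroring the documented response shape.
    cb = f"https://app.example/callback?code=abc123&state={session['state']}"
    print("Authorization code:", parse_callback(cb, session["state"]))
```

Store `code_verifier`, `state` and `nonce` in the server-side session keyed to the user's browser, not in the URL; the verifier is sent only in the later token exchange, and the nonce is checked against the ID token once that exchange completes.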