Authorization Endpoint

Starting point for the OAuth2 flow. The client requests an authorization code by redirecting the user to this endpoint.

Request

Code snippet: URL

GET https://.../oauth/authorize?response_type=code&client_id=...&code_challenge=...&code_challenge_method=S256&redirect_uri=...&scope=...&state=...

Parameters:

  • Base Address: the base address of the OAuth2 Server - see Crew OAuth2 Server Overview
  • response_type: requested grant type. Only "code" is supported for this API
  • client_id: A unique identification of the client application (package key), which is assigned during application registration
  • code_challenge: PKCE code challenge according to RFC7636
  • code_challenge_method: PKCE code challenge method according to RFC7636
  • redirect_uri: A URI that will be called after the authentication and the authorization steps are done. The client application has to listen to this address, as it will be given the authorization code via this URI.
  • scope: A scope or scopes requested by the client - typically something like https://cms.fra.dlh.de/publicCrewApi
  • state: The state parameter is used by the application to store request-specific data and/or prevent CSRF attacks. The authorization server must return the unmodified state value back to the application.

Note: The "userLang" used to call the backend systems is taken from the client's "Accept-Language" header.

Response

Code snippet: HTTP Header

HTTP/1.1 302 Found
Location: <redirection_uri>?code=...

Example

Code snippet: Get request

GET https://oauth-test.lufthansa.com/oauth/authorize?response_type=code
  &redirect_uri=myApp://callback/
  &scope=https://cms.fra.dlh.de/privateCabinApiDev
  &client_id=123456789012345678901234
  &code_challenge=1234567890123456789012345678901234567890123
  &code_challenge_method=S256
  &state=abc123xyz
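
Client-side sketch of the request described above, as an added example that is not part of the original API documentation: it derives the S256 code_challenge as defined in RFC 7636, generates an unguessable state, builds the authorize URL, and checks the state on the redirect before accepting the code. The function names are hypothetical, and it assumes the callback carries "code" and "state" as query parameters.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Test host from the example above; the production base address differs.
AUTHORIZE_URL = "https://oauth-test.lufthansa.com/oauth/authorize"


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), no padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(client_id: str, redirect_uri: str, scope: str):
    """Return (url, code_verifier, state); keep the last two in the client session."""
    code_verifier = secrets.token_urlsafe(64)  # 86 chars, RFC 7636 allows 43..128
    state = secrets.token_urlsafe(32)          # unguessable, one per request
    params = {
        "response_type": "code",               # only "code" is supported
        "client_id": client_id,
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", code_verifier, state


def handle_callback(callback_url: str, expected_state: str) -> str:
    """Check the returned state, then extract the authorization code."""
    query = parse_qs(urlsplit(callback_url).query)
    returned = query.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the redirect is not ours.
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]
```

The code_verifier never appears in the authorize request; under RFC 7636 the client presents it later when redeeming the code, so it must stay in client-side storage tied to the same state.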