A space-delimited list of response types. Valid response types are: code, token, id_token.

The response mode. It defaults to query for the authorization_code flow, and to fragment for the implicit or hybrid flow.

The redirect URI.

The state. An opaque value that is used to maintain the state between the request and the callback.

Nonce. The string value that is used to associate a client session with an ID Token to mitigate replay attacks. This attribute is required when the response type includes id_token.

Whether the user is prompted for reauthentication. When the value is "login", the user is reauthenticated. When the value is "none", the user is not be prompted for authentication.

Maximum authentication age. Specifies the allowable elapsed time, in seconds, since the last time the user was authenticated.

Code challenge. Required if the OIDC client is configured to require proof key for code exchange (PKCE).

Code challenge method for PKCE. Defaults to plain if not specified.

A space-delimited list of scopes that are associated with this authorization request.

The JSON that contains the claims for id_token or userinfo endpoint.

Login hint. Value to use when prompting the user for login. Optional for OIDC request. This value is the username as a string (e.g. john@ibm.com).

The request object in the form of a signed JWT. This can be used as an alternative to sending the individual properties in the form.

The URI referencing the request object.

The OIDC client ID that is required when the basic authorization header is not set.

The OIDC client secret that is required when the basic authorization header is not set and the client is not a public client.

The JWT assertion being used to authenticate the client.

The format of client assertion.

The basic authorization header that contains a base64-encoded client ID and the client secret. Use this header as an alternative to sending the client ID and secret in the form parameters.