User Authentication Credentials API Reference
The following is an API reference for the Adobe Identity Management Services (IMS) APIs.
On this page:
- OpenID Configuration
- ID Token Keys
- UserInfo
- Authorize Request
- Fetching Access tokens
- Refreshing Access tokens
- Token revocation
- Scopes
OpenID Configuration
This API allows you to view information about Adobe's OpenID configuration.
Request
curl -X GET 'https://ims-na1.adobelogin.com/ims/.well-known/openid-configuration'
Sample Response
{
"issuer": "https://ims-na1.adobelogin.com",
"authorization_endpoint": "https://ims-na1.adobelogin.com/ims/authorize/v2",
"token_endpoint": "https://ims-na1.adobelogin.com/ims/token/v3",
"userinfo_endpoint": "https://ims-na1.adobelogin.com/ims/userinfo/v2",
"revocation_endpoint": "https://ims-na1.adobelogin.com/ims/revoke",
"jwks_uri": "https://ims-na1.adobelogin.com/ims/keys",
"response_types_supported": [
"code",
"token",
"id_token",
"id_token token",
"code id_token"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"scopes_supported": [
"openid",
"email",
"profile"
],
"token_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post"
],
"claims_supported": [
"sub",
"given_name",
"family_name",
"name",
"email",
"email_verified",
"address"
],
"grant_types_supported": [
"authorization_code",
"implicit_grant",
"refresh_token"
]
}
ID Token Keys
This API allows you to retrieve the keys with which the ID Tokens are signed.
Request
curl -X GET 'https://ims-na1.adobelogin.com/ims/keys'
Sample Response
{
"keys": [
{
"alg": "RS256",
"kty": "RSA",
"use": "sig",
"kid": "ims",
"e": "AQAB",
"n": "gBI3r_iauYJrKOTpEsFLeQ4TFktfzmNa30BK_84uh8mZ9N1NJ8VjOlwH9SzPD_gIpELaAaf2n7GeKN8kWYGtex6uCmz5iZZ3eDzryvTfvj3MwQx_XbGloz4QKQXSlCwADlOXP3-EhMqOVr3tVqQe0uX_TPn1F_b9yIONXAX1GwWTFb9UqNjjpFNOxuKJaAh6uod7Y9kmzw0GE4GvMs6AIjitxLNLlpeC8J3vyA0l4UWVJR9lwLjS1O0Lk07IfjAMMes6fonQ5AtzYewIOk4UdNCgb_XKpqLgYY_9J9nfIuBGVY-W7ZfHhXjA1AixQw6A4XoreGr5AnF5WMwd6DA7vw"
},
{
"alg": "RS256",
"kty": "RSA",
"use": "sig",
"kid": "ims_na1-key-1",
"e": "AQAB",
"n": "q2y0X2R0db3z6yUHWjnd3qppszntWcoel3WURBYekEcadjfxDFAWrAHX8OoceddD6n-qC_2b2GVJny45qKmhq8KFvVOUCMgUUY_ErnvrZXQl0r3USDpf5rxNOQuqxBl532Z9H17k2K_VdT5BL8xwYFYpKtOc-Vgi6Gz2KnhSXlOYBQW9PII2pGsCL4_uwIl32nibGnEDgJfnja01N-hUaLJikvR1OQuYPNaww6JcFQ_Z-_Jt4ec4YYOnrqOs7H7oE-hotwe57o5FxJlqPCccirysqlA7QU4lQxGw8qlIoU3S0WAzLqaxBOgiDET6sK_QVdq6A2TDo1NNY9ktzeW2ow"
}
]
}
UserInfo
This API allows you to fetch information about a user.
Parameters
client_id
ACCESS_TOKEN
Request
curl -X GET 'https://ims-na1.adobelogin.com/ims/userinfo/v2?client_id={YOUR_CLIENT_ID}' \
-H 'Authorization: Bearer {ACCESS_TOKEN}'
Sample Response
{
"sub": "B0DC108C5CD449CA0A494133@c62f24cc5b5b7e0e0a494004",
"account_type": "ent",
"email_verified": true,
"address": {
"country": "US"
},
"name": "John Sample",
"given_name": "John",
"family_name": "Sample",
"email": "jsample@email.com"
}
Response Object
- sub (scope: openid)
- account_type (scope: profile)
  - ind: User is an individual account
  - ent: User is part of an organization
- email_verified (scope: email)
- address (scope: address)
- name (scope: profile)
- given_name (scope: profile)
- family_name (scope: profile)
- email (scope: email)
To fetch the keys with which the ID Tokens are signed, see ID Token Keys.
Authorize Request
Once a user lands on your application to initiate the OAuth authentication flow, your application should redirect the user to an Adobe IMS URL. While the URL endpoint is common, the query parameters would be specific to your application.
Read along to find out more about constructing the full authorize URL with values for the different query parameters.
Parameters
Several query parameters are available to you as a developer to customize the user experience for your application. Some of the query parameters are mandatory, and others optional. Using the parameters outlined in the table below, you can construct the authorize URL for your application.
- redirect_uri
- scope
- response_type: code, token, id_token, id_token token, code id_token. The default response type for the Authorization code flow is code.
- state
- nonce
- prompt: none, login.
  - none → Does not show any UI. Either returns successfully with a valid authentication response or returns with an error.
    - error=login_required → No user is logged in.
    - error=consent_required → User is logged in, but has not granted access to your app.
    - error=interaction_required → User is logged in and has granted access to your app, but there is some other action they need to perform (accept terms of use, etc.).
  - login → Even if the user is authenticated, they will see the login screen.
  - No value supplied → Default behavior.
- code_challenge_method
  plain
  S256, plain
- code_challenge: The code_challenge parameter is a security measure to confirm whether the authorize and token requests originated from the same application. A code_challenge comes paired with a code_verifier. A code_verifier is a random string of at least 43 characters (see allowed character set). Based on the code_challenge_method, the code_challenge can then be computed as follows:
  - If code_challenge_method = plain, then code_challenge = code_verifier
  - If code_challenge_method = S256, then code_challenge = BASE64_URL_ENCODE(SHA256(code_verifier))
  The code_challenge is sent with the authorize request, while the corresponding code_verifier is sent with the token request. For more information, read the Proof Key for Code Exchange by OAuth Public Clients documentation. You can use online tools to experiment with code_challenge and code_verifier.
- response_mode: query, fragment. For more information, refer to this openid documentation. If response_mode is not specified, the following defaults are applied:
  - code → query
  - token → fragment
  - id_token → fragment
  - id_token token → fragment
  - code id_token → fragment
Constructing the Request URL for OAuth Web App and OAuth Web Credentials
Note: The request URL has been split into multiple lines for readability. A complete request path includes multiple parameters separated by an ampersand (&) with no spaces or line breaks.
https://ims-na1.adobelogin.com/ims/authorize/v2
?client_id={CLIENT_ID}
&redirect_uri={REDIRECT_URI}
&scope={SCOPES}
&state={STATE}
&response_type=code
Sample Request URL
https://ims-na1.adobelogin.com/ims/authorize/v2?client_id=202b135c20864fbfb26a46522aa2433b&redirect_uri=https://www.myapp.com/OAuth/callback&scope=openid,creative_sdk&state=90cff02f-da33-46ec-985c-1f5cf2f9644a&response_type=code
Note: Ensure that you are using the latest version (v2) of the /authorize endpoint.
Constructing the Request URL for all other OAuth credentials
Note: The request URL has been split onto multiple lines for readability. A complete request path includes multiple parameters separated by an ampersand (&) with no spaces or line breaks.
https://ims-na1.adobelogin.com/ims/authorize/v2
?client_id={CLIENT_ID}
&code_challenge={CODE_CHALLENGE}
&code_challenge_method=S256
&redirect_uri={REDIRECT_URI}
&scope={SCOPES}
&state={STATE}
&response_type=code
Sample Request URL
https://ims-na1.adobelogin.com/ims/authorize/v2?client_id=135c20864fbfb26a46522aa2433b&code_challenge=c9vBtg5G7DupTxSYODrpd2LpBeECiSTTQtQclGNMklM&code_challenge_method=S256&redirect_uri=https://www.myapp.com/OAuth/callback&scope=openid,creative_sdk&state=90cff02f-da33-46ec-985c-1f5cf2f9644a&response_type=code
Note: Ensure that you are using the latest version (v2) of the /authorize endpoint.
Successful response
After the user has authenticated and granted consent to your application, the user agent will be redirected to {YOUR_REDIRECT_URI} with parameters determined by the response_type sent in the request.
Response parameters by response_type:
- token: access_token={ACCESS_TOKEN}&state={STATE}&token_type=bearer&expires_in=86399
  token_type will always be bearer. expires_in is the validity of the token in seconds.
- code: code={AUTHORIZATION_CODE}&state={STATE}
- id_token: id_token={ID_TOKEN}&state={STATE}
- id_token token: id_token={ID_TOKEN}&access_token={ACCESS_TOKEN}&state={STATE}&token_type=bearer&expires_in=86399
- code id_token: id_token={ID_TOKEN}&code={AUTHORIZATION_CODE}&state={STATE}
The parameters will be in the query or the fragment, according to the response_mode parameter included in the request. If a response_mode is not specified, the default values are used as shown in the Authorization parameters table.
Fetching Access tokens
Once the user grants access to your application, your application can fetch access tokens by using the tokens API.
Parameters
Parameters can be sent in the body or as query parameters. Passing parameters in the body is recommended for sensitive data, as query parameters may be logged by app servers.
- code: The code query/fragment parameter returned in the callback request from the authorize step
- grant_type: authorization_code
- authorization: Authorization: Basic Base64(clientId:clientSecret)
- code_verifier: The code_verifier corresponding to the code_challenge sent during the authorize request.
Request for OAuth Web App credential
curl -X POST 'https://ims-na1.adobelogin.com/ims/token/v3' \
-H 'Authorization: Basic {AUTHORIZATION}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'code={AUTHORIZATION_CODE}&grant_type=authorization_code'
Request for OAuth Single Page App and OAuth Native App credentials
curl -X POST 'https://ims-na1.adobelogin.com/ims/token/v3?client_id={CLIENT_ID}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'code={AUTHORIZATION_CODE}&grant_type=authorization_code&code_verifier={CODE_VERIFIER}'
Sample Response
{
"access_token": "{ACCESS_TOKEN}",
"refresh_token": "{REFRESH_TOKEN}",
"sub": "B0DC108C5CD449CA0A494133@c62f24cc5b5b7e0e0a494004",
"id_token": "{ID_TOKEN}",
"token_type": "bearer",
"expires_in": 86399
}
Note: The refresh token is only present if the offline_access scope is requested in the authorize step and subsequently consented to by the user.
Response Object
- access_token
- refresh_token
- token_type: bearer.
- id_token: openid is added as scope. See the section on OAuth 2.0 Scopes for more information.
- expires_in
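The authorization code flow with S256 PKCE described above, from building the authorize URL to the token request body, as an added example that is not Adobe's code. The function names, the per-login dictionary and the sample values are assumptions; the endpoint and parameter names are the ones on this page, and the state check is standard OAuth practice rather than something this page specifies.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://ims-na1.adobelogin.com/ims/authorize/v2"  # endpoint from this page


def s256_challenge(code_verifier):
    """code_challenge = BASE64_URL_ENCODE(SHA256(code_verifier)), without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_login_attempt():
    """Fresh secrets for one login; store them with the user's session."""
    return {
        "code_verifier": secrets.token_urlsafe(64),  # 86 characters, within 43..128
        "state": secrets.token_urlsafe(32),          # unguessable, echoed on the redirect
    }


def build_authorize_url(client_id, redirect_uri, scope, attempt):
    query = urlencode({                  # urlencode percent-encodes every value
        "client_id": client_id,
        "code_challenge": s256_challenge(attempt["code_verifier"]),
        "code_challenge_method": "S256",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": attempt["state"],
        "response_type": "code",
    })
    return AUTHORIZE_URL + "?" + query


def token_request_body(callback_url, attempt):
    """Check the redirect, then return the form body for the token request."""
    # response_type=code defaults to response_mode=query, so read the query string.
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    returned_state = params.get("state", "").encode()
    if not hmac.compare_digest(returned_state, attempt["state"].encode()):
        raise ValueError("state mismatch: redirect does not belong to this login attempt")
    if "error" in params:                # e.g. login_required when prompt=none
        raise ValueError("authorization error: " + params["error"])
    if "code" not in params:
        raise ValueError("no authorization code in redirect")
    return urlencode({"code": params["code"], "grant_type": "authorization_code",
                      "code_verifier": attempt["code_verifier"]})
```

The returned string is the `-d` body of the token request shown for OAuth Single Page App and OAuth Native App credentials.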
Refreshing Access tokens
Once you have fetched the access tokens for a user you may also be provided a refresh token in the response. A refresh token is only presented when the offline_access scope is requested in the authorize step. Please note that not all APIs and Services support the offline_access scope for security reasons.
Parameters
- refresh_token
- grant_type: refresh_token
- authorization: Authorization: Basic Base64(clientId:clientSecret)
Request for OAuth Web App credential
curl -X POST 'https://ims-na1.adobelogin.com/ims/token/v3' \
-H 'Authorization: Basic {AUTHORIZATION}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=refresh_token&refresh_token={REFRESH_TOKEN}'
Request for OAuth Single Page App and OAuth Native App credentials
curl -X POST 'https://ims-na1.adobelogin.com/ims/token/v3?client_id={CLIENT_ID}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=refresh_token&refresh_token={REFRESH_TOKEN}'
Sample Response
{
"access_token": "{ACCESS_TOKEN}",
"refresh_token": "{REFRESH_TOKEN}",
"token_type": "bearer",
"expires_in": 86399
}
Response Object
- access_token
- refresh_token: offline_access scope is needed for this to be returned. See the section on OAuth 2.0 Scopes for more information.
- token_type: bearer.
- expires_in
Token revocation
Use this API to revoke an access token or refresh token.
Note: Users can also revoke your application's access to their data by visiting the Connected Applications page on their Adobe account. If a user revokes access to your application and then visits your application, the authorization workflow will prompt the user for their consent again.
Parameters
Parameters can be sent in the body or as query parameters. Passing parameters in the body is recommended for sensitive data, as query parameters may be logged by app servers.
- AUTHORIZATION: OAuth Web and OAuth WebApp type credentials. Authorization: Basic Base64(clientId:clientSecret)
- client_id: OAuth Android, OAuth iOS, OAuth Single Page App and OAuth Native App credentials
- token
Request for OAuth Web and OAuth Web App credentials
curl -X POST 'https://ims-na1.adobelogin.com/ims/revoke' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Authorization: Basic {AUTHORIZATION}' \
-d 'token={TOKEN}'
Request for all other OAuth credentials
curl -X POST 'https://ims-na1.adobelogin.com/ims/revoke?client_id={CLIENT_ID}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'token={TOKEN}'
Response
A successful response returns HTTP Status 200 (OK) and no response body.
Scopes
Identity scopes
- openid
- email: email and email_verified claims.
- address: address claim. Currently this contains only the country code.
- profile: name, family_name, given_name, account_type claims.
- offline_access
Creative Cloud
Scopes for Creative Cloud user authentication based APIs
openid
openid,creative_sdk
openid,creative_sdk
openid,creative_sdk
Experience Cloud
Scopes for Experience Cloud user authentication based APIs
openid, AdobeID, read_organizations, additional_info.projectedProductContext, additional_info.job_function