User Authentication Credentials API Reference

Following is an API reference for Adobe Identity Management Services (IMS) APIs.

On this page:

OpenID Configuration

This API allows you to view information about Adobe's OpenID configuration.

Request

curl -X GET 'https://ims-na1.adobelogin.com/ims/.well-known/openid-configuration'

Sample Response

{
    "issuer": "https://ims-na1.adobelogin.com",
    "authorization_endpoint": "https://ims-na1.adobelogin.com/ims/authorize/v2",
    "token_endpoint": "https://ims-na1.adobelogin.com/ims/token/v3",
    "userinfo_endpoint": "https://ims-na1.adobelogin.com/ims/userinfo/v2",
    "revocation_endpoint": "https://ims-na1.adobelogin.com/ims/revoke",
    "jwks_uri": "https://ims-na1.adobelogin.com/ims/keys",
    "response_types_supported": [
        "code",
        "token",
        "id_token",
        "id_token token",
        "code id_token"
    ],
    "subject_types_supported": [
        "public"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "scopes_supported": [
        "openid",
        "email",
        "profile"
    ],
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic",
        "client_secret_post"
    ],
    "claims_supported": [
        "sub",
        "given_name",
        "family_name",
        "name",
        "email",
        "email_verified",
        "address"
    ],
    "grant_types_supported": [
        "authorization_code",
        "implicit_grant",
        "refresh_token"
    ]
}

ID Token Keys

This API allows you to retrieve the keys with which the ID Tokens are signed.

Request

curl -X GET 'https://ims-na1.adobelogin.com/ims/keys'

Sample Response

{
    "keys": [
        {
            "alg": "RS256",
            "kty": "RSA",
            "use": "sig",
            "kid": "ims",
            "e": "AQAB",
            "n": "gBI3r_iauYJrKOTpEsFLeQ4TFktfzmNa30BK_84uh8mZ9N1NJ8VjOlwH9SzPD_gIpELaAaf2n7GeKN8kWYGtex6uCmz5iZZ3eDzryvTfvj3MwQx_XbGloz4QKQXSlCwADlOXP3-EhMqOVr3tVqQe0uX_TPn1F_b9yIONXAX1GwWTFb9UqNjjpFNOxuKJaAh6uod7Y9kmzw0GE4GvMs6AIjitxLNLlpeC8J3vyA0l4UWVJR9lwLjS1O0Lk07IfjAMMes6fonQ5AtzYewIOk4UdNCgb_XKpqLgYY_9J9nfIuBGVY-W7ZfHhXjA1AixQw6A4XoreGr5AnF5WMwd6DA7vw"
        },
        {
            "alg": "RS256",
            "kty": "RSA",
            "use": "sig",
            "kid": "ims_na1-key-1",
            "e": "AQAB",
            "n": "q2y0X2R0db3z6yUHWjnd3qppszntWcoel3WURBYekEcadjfxDFAWrAHX8OoceddD6n-qC_2b2GVJny45qKmhq8KFvVOUCMgUUY_ErnvrZXQl0r3USDpf5rxNOQuqxBl532Z9H17k2K_VdT5BL8xwYFYpKtOc-Vgi6Gz2KnhSXlOYBQW9PII2pGsCL4_uwIl32nibGnEDgJfnja01N-hUaLJikvR1OQuYPNaww6JcFQ_Z-_Jt4ec4YYOnrqOs7H7oE-hotwe57o5FxJlqPCccirysqlA7QU4lQxGw8qlIoU3S0WAzLqaxBOgiDET6sK_QVdq6A2TDo1NNY9ktzeW2ow"
        }
    ]
}

UserInfo

This API allows you to fetch information about a user.

Parameters

ParameterMandatoryDescription
client_idNoYour client ID
ACCESS_TOKENYesAn access token obtained by your application on behalf of the user

Request

curl -X GET 'https://ims-na1.adobelogin.com/ims/userinfo/v2?client_id={YOUR_CLIENT_ID}' \
     -H 'Authorization: Bearer {ACCESS_TOKEN}'

Sample Response

{
  "sub": "B0DC108C5CD449CA0A494133@c62f24cc5b5b7e0e0a494004",
  "account_type": "ent",
  "email_verified": true,
  "address": {
    "country": "US"
  },
  "name": "John Sample",
  "given_name": "John",
  "family_name": "Sample",
  "email": "jsample@email.com"
}

Response Object

PropertiesProjected by scopeDescription
subopenidThe user ID
account_typeprofileCan be one of two values:ind: User is an individual account ent: User is part of an organization
email_verifiedemailWhether the user's email address has been verified
addressaddressUser's address - currently, only the two-digit country code is returned
nameprofileUser's full name
given_nameprofileUser's given name
family_nameprofileUser's family name or last name
emailemailUser's email address

To fetch the keys with which the ID Tokens are signed see ID Token Keys.

Authorize Request

Once a user lands on your application to initiate the OAuth authentication flow, your application should redirect the user to an Adobe IMS URL. While the URL endpoint is common, the query parameters would be specific to your application.

Read along to find out more about constructing the full authorize URL with values for the different query parameters.

Parameters

Several query parameters are available to you as a developer to customize the user experience for your application. Some of the query parameters are mandatory, and others optional. Using the parameters outlined in the table below, you can construct the authorize URL for your application.

ParameterMandatoryDescription
client_idYesThe client ID obtained from Adobe Developer Console.
redirect_uriNoThe URI to which the user agent is redirected once the authorization completes. Note that this URI must be HTTPS. The supplied value for this parameter is validated against the Redirect URI pattern supplied by you at the time of credential creation . If a redirect URI is not provided with the request or if it does not match against the pattern, Adobe will redirect the response to the Default Redirect URI supplied by you at the time of credential creation.
scopeNoThe requested scopes in the form of a list of space or comma-delimited, case-sensitive strings. See the section on OAuth 2.0 Scopes for more information.
response_typeNoPossible values are code, token, id_token, id_token token, code id_token. The default response type for the Authorization code flow is code.
stateRecommendedClient-defined state data that is replayed back to the client. It must not be longer than 4096 characters and does not need to be a JSON object. Typically, Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the value of this parameter with a browser cookie.
nonceNoString value used to associate a Client session with an ID Token and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token.
promptNoSpace-delimited, case-sensitive list of ASCII string values that specifies whether Adobe prompts the end-user for authentication or fails the authorize step if user is not authenticated. Supported values: none, login.none → Does not show any UI. Either returns successfully with a valid authentication response or returns with an error.error=login_required → No user is logged in.error=consent_required → User is Logged in, but has not granted access to your app.error=interaction_required → User is logged in and has granted access to your app, but there is some other action they need to perform (Accept terms of use, etc.).login → Even if the user is authenticated, they will see the login screen.No value supplied → Default behavior.
code_challenge_methodNo, defaults to plainPossible values: S256, plain
code_challengeRequired for Public ClientsThe code_challenge parameter is a security measure to confirm whether the authorize and token requests originated from the same application.A code_challenge comes in pair with a code_verifier. A code_verifier is a random string of at least 43 characters (see allowed character set).Based on the code_challenge_method, the code_challenge can then be according to - If code_challenge_method = plain, then code_challenge = code_verifierIf code_challenge_method = S256, then code_challenge = BASE64_URL_ENCODE(SHA256(code_verifier)) The code_challenge is sent with the authorize request, while the corresponding code_verifier is sent with the token request. For more information, read the Proof Key for Code Exchange by OAuth Public Clients documentation. You can use online tools to experiment with code_challenge and code_verifier.
response_modeNoPossible values: query, fragment. For more information, refer to this openid documentation.If response_mode is not specified, the following defaults are applied:code → querytoken → fragmentid_token → fragmentid_token token → fragmentcode id_token → fragment

Constructing the Request URL for OAuth Web App and OAuth Web Credentials

Note: The request URL has been split into multiple lines for readability. A complete request path includes multiple parameters separated by an ampersand (&) with no spaces or line breaks.

https://ims-na1.adobelogin.com/ims/authorize/v2
  ?client_id={CLIENT_ID}
  &redirect_uri={REDIRECT_URI}
  &scope={SCOPES}
  &state={STATE}
  &response_type=code
Sample Request URL
https://ims-na1.adobelogin.com/ims/authorize/v2?client_id=202b135c20864fbfb26a46522aa2433b&redirect_uri=https://www.myapp.com/OAuth/callback&scope=openid,creative_sdk&state=90cff02f-da33-46ec-985c-1f5cf2f9644a&response_type=code

Note: Ensure that you are using the latest version (v2) of the /authorize endpoint.

Constructing the Request URL for all other OAuth credentials

Note: The request URL has been split onto multiple lines for readability. A complete request path includes multiple parameters separated by an ampersand (&) with no spaces or line breaks.

https://ims-na1.adobelogin.com/ims/authorize/v2
  ?client_id={CLIENT_ID}
  &code_challenge={CODE_CHALLENGE}
  &code_challenge_method=S256
  &redirect_uri={REDIRECT_URI}
  &scope={SCOPES}
  &state={STATE}
  &response_type=code
Sample Request URL
https://ims-na1.adobelogin.com/ims/authorize/v2?client_id=135c20864fbfb26a46522aa2433b&code_challenge=c9vBtg5G7DupTxSYODrpd2LpBeECiSTTQtQclGNMklM&code_challenge_method=S256&redirect_uri=https://www.myapp.com/OAuth/callback&scope=openid,creative_sdk&state=90cff02f-da33-46ec-985c-1f5cf2f9644a&response_type=code

Note: Ensure that you are using the latest version (v2) of the /authorize endpoint.

Successful response

After the user has authenticated and been granted consent to your application, the user agent will be redirected to {YOUR_REDIRECT_URI} with parameters determined by the response_type sent in the request.

Response Type (response_type)Parameters
tokenaccess_token={ACCESS_TOKEN}&state={STATE}&token_type=bearer&expires_in=86399 token_type will always be bearer.expires_in is the validity of the token in seconds.
codecode={AUTHORIZATION_CODE}&state={STATE}
id_tokenid_token={ID_TOKEN}&state={STATE}
id_token tokenid_token={ID_TOKEN}&access_token={ACCESS_TOKEN}&state={STATE}&token_type=bearer&expires_in=86399
code id_tokenid_token={ID_TOKEN}&code={AUTHORIZATION_CODE}&state={STATE}

The parameters will be in the query or the fragment, according to the response_mode parameter included in the request. If a response_mode is not specified, the default values are used as shown in the Authorization parameters table.

Fetching Access tokens

Once the user grants access to your application your application can fetch access tokens by using the tokens API.

Parameters

Parameters can be sent in the body or as query parameters. Passing parameters in the body is recommended for sensitive data, as query parameters may be logged by app servers.

ParameterMandatoryDescription
codeYesThe value of the code query/fragment parameter returned in the callback request from the autorize step
grant_typeYesValue should always be authorization_code
authorizationRequired for confidential clientsBasic Authorization header.Authorization: Basic Base64(clientId:clientSecret)
client_idRequired for PUBLIC clientsThe Client ID obtained from the Adobe Developer Console
code_verifierRequired for PUBLIC clientsCode verifier corresponding to the code_challenge sent during authorize request.

Request for OAuth Web App credential

curl -X POST 'https://ims-na1.adobelogin.com/ims/token/v3' \
  -H 'Authorization: Basic {AUTHORIZATION}' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'code={AUTHORIZATION_CODE}&grant_type=authorization_code'

Request for OAuth Single Page App and OAuth Native App credentials

curl -X POST 'https://ims-na1.adobelogin.com/ims/token/v3?client_id={CLIENT_ID}' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'code={AUTHORIZATION_CODE}&grant_type=authorization_code&code_verifier={CODE_VERIFIER}'

Sample Response

{
    "access_token": "{ACCESS_TOKEN}",
    "refresh_token": "{REFRESH_TOKEN}",
    "sub": "B0DC108C5CD449CA0A494133@c62f24cc5b5b7e0e0a494004",
    "id_token": "{ID_TOKEN}",
    "token_type": "bearer",
    "expires_in": 86399
}

Note: The refresh token is only present if the offline_access scope is requested in the authorize step and subsequently consented to by the user.

Response Object

PropertyDescription
access_tokenGenerated access token. By default they expire in 24 hours.
refresh_tokenGenerated refresh token. By default they expire in 14 days.
token_typeToken type will always be bearer.
id_tokenGenerated ID token.Present if openid is added as scope. See the section on OAuth 2.0 Scopesfor more information.
expires_inValidity of access token in seconds.

Refreshing Access tokens

Once you have fetched the access tokens for a user you may also be provided a refresh token in the response. A refresh token is only presented when the offline_access scope is requested in the authorize step. Please note that not all APIs and Services support the offline_access scope for security reasons.

Parameters

ParameterMandatoryDescription
refresh_tokenYesThe base64-encoded refresh token received in the response to the initial request for an access token
grant_typeYesThe value is always refresh_token
client_idOnly for PUBLIC clientsThe client ID obtained from Adobe Developer Console
authorizationOnly for Confidential clientsBasic Authorization header.Authorization: Basic Base64(clientId:clientSecret)

Request for OAuth Web App credential

curl -X POST 'https://ims-na1.adobelogin.com/ims/token/v3' \
  -H 'Authorization: Basic {AUTHORIZATION}' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=refresh_token&refresh_token={REFRESH_TOKEN}'

Request for OAuth Single Page App and OAuth Native App credentials

curl -X POST 'https://ims-na1.adobelogin.com/ims/token/v3?client_id={CLIENT_ID}' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=refresh_token&refresh_token={REFRESH_TOKEN}'

Sample Response

{
    "access_token": "{ACCESS_TOKEN}",
    "refresh_token": "{REFRESH_TOKEN}",
    "token_type": "bearer",
    "expires_in": 86399
}

Response Object

PropertyDescription
access_tokenGenerated access token
refresh_tokenGenerated refresh token.offline_access scope is needed for this to be returned. See the section on OAuth 2.0 Scopes for more information.
token_typeToken type will always be bearer.
expires_inValidity of access token in seconds.

Token revocation

Use this API to revoke an access token or refresh token.

Note: Users can also revoke your application's access to their data by visiting the Connected Applications page on their Adobe account. In case a user revokes access to your application and then visits your application - the authorization workflow will prompt the user for their consent again.

Parameters

Parameters can be sent in the body or as query parameters. Passing parameters in the body is recommended for sensitive data, as query parameters may be logged by app servers.

ParameterMandatoryDescription
AUTHORIZATIONRequired only for OAuth Web and OAuth WebApp type credentialsBasic Authorization header.Authorization: Basic Base64(clientId:clientSecret)
client_idRequired only for OAuth Android, OAuth iOS, OAuth Single Page App and OAuth Native App credentialsYour client id
tokenYesThe access token or refresh token to be invalidated

Request for OAuth Web and OAuth Web App credentials

curl -X POST 'https://ims-na1.adobelogin.com/ims/revoke' \
     -H 'Content-Type: application/x-www-form-urlencoded' \
     -H 'Authorization: Basic {AUTHORIZATION}' \
     -d 'token={TOKEN}'

Request for all other OAuth credentials

curl -X POST 'https://ims-na1.adobelogin.com/ims/revoke?client_id={CLIENT_ID}' \
     -H 'Content-Type: application/x-www-form-urlencoded' \
     -d 'token={TOKEN}'

Response

A successful response returns HTTP Status 200 (OK) and no response body.

Scopes

Identity scopes

ScopeConsent descriptionDetails
openidCan access user account and read a unique identifierMandatory scope to enable authorization flows.
emailCan read user email addressReturns email and email_verified claims.
addressCan read user postal addressReturns address claim. Currently this contains only the country code.
profileCan read basic user profile, including information like nameReturns name, family_name, given_name, account_type claims.
offline_accessThe app can access the data user has given permission to, even when user is not using the appAllows the return of a refresh token.

Creative Cloud

Scopes for Creative Cloud user authentication based APIs

APIsScopes
Adobe Stockopenid
Creative SDKopenid,creative_sdk
Photoshopopenid,creative_sdk
Lightroomopenid,creative_sdk

Experience Cloud

Scopes for Experience Cloud user authentication based APIs

APIsScopes
Adobe Analyticsopenid, AdobeID, read_organizations, additional_info.projectedProductContext, additional_info.job_function