Submit an authorization request

Requests Hosted Login authorization for an end user.

Path Params
string
required

Unique identifier issued to Akamai customers. If you aren’t sure what your Akamai customer ID is, log into Console and check the value of the customer_id application setting.

string
required

Hosted Login domain name.

Query Params
string

Unique identifier of the OIDC login client used to make the authorization request.

response_type
array of strings

Type of response expected from the authorization server. Responses are composed of various combinations of code, token, and identity token. However, the only allowed responses are listed here. See Supported response types for more information.

string

OpenID Connect scopes accessible from the userinfo endpoint following a successful authentication. You need to include the scope parameter and, at a minimum, request the openid scope. This tells the authorization server that you want to authenticate by using OpenID Connect. You can include any of the supported scopes in your authorization request by separating scope names with a blank space. However, that doesn’t mean that you’ll get back all of those scopes. Instead, the scopes accessible from the userinfo endpoint depend on the value of the allowedScopes member found in the token policy applied during a user login.

string

URL the user is redirected to following a successful authentication. The specified URL must exactly match one of the URLs listed in the OIDC login client’s redirectURIs property.

string

Hashed and encoded authentication value generated by the client. This value is verified before the client can exchange an authorization code for a set of tokens. The code challenge parameter is only used with Proof Key for Code Exchange (PKCE) clients.

string
enum

Hashing algorithm for generating the value of the code_challenge parameter. For Hosted Login, this is always S256.

Allowed:
string

Random string value in an authorization request that helps protect against cross-site request forgeries (CSRF). After a successful authentication, you’re redirected to the URL specified by the redirect_uri parameter. When that happens, the state is included in the redirect URL. The value of the state parameter in the redirect URL should match the value of the state parameter in the authentication request.

string
enum

Specifies which screen, if any, displays when a user makes an authorization request. If set to none, Hosted Login checks to see if the client has a valid session. The user doesn't need to authenticate if a valid session is found. If a valid session can't be found, a No authenticated session found error is generated and the user can't log in. If set to login, the sign-in screen displays. If set to create, the registration screen displays.

Allowed:
integer

Number of seconds that can elapse before a user is required to reauthenticate.

string
Defaults to en-US

Language or locale used when displaying Hosted Login’s screens. Language preferences are passed as a space-delimited set of RFC 5646 language codes.

string

Email address of the user requesting authorization. If you use this parameter, the supplied email address automatically appears in the sign-in screen’s Email Address field. Note that Hosted Login cannot determine the email address to be included in the authorization request. Instead, you will need to use an alternate approach to determine the email address (for example, getting the email address when the user logs on to the computer) and then take the steps needed to add that address to the authorization request.

claims
object of strings

Specifies the claims (user profile attributes) included in the identity token or accessible from the userinfo endpoint following a successful authentication. These can either be standard OpenID Connect claims or custom claims created by your organization and defined in your login policies.

string
enum
Defaults to page

Specifies how the sign-in screen is displayed. If set to page, you are redirected to a standalone sign-in screen. If set to popup, the sign-in screen appears in a pop-up window, with no redirection required.

Allowed:
string

Random string value included in an authorization request. After a successful authentication, the identity token returned should include the nonce claim. The value of the nonce claim in the identity token should be identical to the value of the nonce parameter used in the authorization request.

resource
array of strings

If used, indicates that a token can only be used with the specified set of protected resources. If omitted, the token can be used with any protected resource.
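
The PKCE code challenge, state, and nonce parameters described above work together on the client side. The following is an added example, not Akamai's code: it builds an authorization request and then checks the values that come back. The query parameter names follow standard OpenID Connect and RFC 7636 naming, and the endpoint URL, client ID, and function names are assumptions supplied by the caller.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlsplit

def s256_challenge(code_verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)), unpadded (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorization_request(authorize_endpoint, client_id, redirect_uri, scope="openid"):
    """Return (url, pending). Keep `pending` in the user's server-side session."""
    pending = {
        "state": secrets.token_urlsafe(32),          # CSRF binding
        "nonce": secrets.token_urlsafe(32),          # identity token binding
        "code_verifier": secrets.token_urlsafe(64),  # 86 chars; RFC 7636 allows 43-128
    }
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": scope,                              # must include openid
        "redirect_uri": redirect_uri,                # must exactly match a registered URL
        "code_challenge": s256_challenge(pending["code_verifier"]),
        "code_challenge_method": "S256",
        "state": pending["state"],
        "nonce": pending["nonce"],
    }
    return authorize_endpoint + "?" + urlencode(params), pending

def code_from_redirect(redirect_url, pending):
    """Return the authorization code only if the returned state matches ours."""
    query = parse_qs(urlsplit(redirect_url).query)
    returned = query.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), pending["state"].encode()):
        raise ValueError("state mismatch: discard this response")
    if "code" not in query:
        raise ValueError("no authorization code in redirect")
    return query["code"][0]

def nonce_ok(id_token_claims, pending):
    """Check the nonce claim of an identity token whose signature is already verified."""
    claim = str(id_token_claims.get("nonce", ""))
    return hmac.compare_digest(claim.encode(), pending["nonce"].encode())
```

The `code_verifier` never appears in the authorization request; it is sent only when the authorization code is exchanged for tokens.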
