API workflow

This workflow outlines the process for executing a pushed authorization request using the Akamai MFA OIDC API.

Submit the authorization request

  1. Build an authorization request with the following parameters:

    1. client_id. The integration identifier for your Akamai MFA OIDC integration.

    2. nonce. Random string value included in an authorization request. After a successful authentication, the identity token returned should include the nonce claim. The value of the nonce claim in the identity token should be identical to the value of the nonce parameter used in the authorization request.

    3. redirect_uri. Callback URL where the authorization code should be sent.

    4. request. Generate a JSON Web Token (JWT) and sign it with your OIDC integration's Signing Key. The Signing Key is Base64URLSafe-NoPadding encoded and can be found on the OIDC integration's page in Enterprise Center. Akamai MFA expects the nonce, username, and redirect_uri claims to be present in the payload. Your JWT may look something like this:

      #Header
      {
        "alg": "HS256",
        "typ": "JWT"
      }
      
      #Payload
      {
        "iat": 1724939908,
        "exp": 1724940208,
        "nbf": 1724939908,
        "nonce": "gTElua2E4RCLl3OZKKgXw8KduXrtmInN",
        "tid": null,
        "oid": null,
        "sub": null,
        "username": "username",
        "redirect_uri": "https://mfa.callback.com"
      }
      
    5. response_type. Type of response expected from the authorization server. code is the only supported response type.

    6. state. Random string value in an authorization request that helps protect against cross-site request forgery (CSRF). After a successful authentication, you’re redirected to the URL specified by the redirect_uri parameter. When that happens, the state is included in the redirect URL. The value of the state parameter in the redirect URL should match the value of the state parameter in the authentication request.

  2. POST to the /par endpoint.

  3. The server responds with a JSON payload containing:

    1. request_uri. A unique identifier referencing the stored authentication request.
    2. expires_in. The lifetime of the request URI.
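The following Python is an added example, not Akamai's code, showing how the six parameters above are assembled: the request JWT is signed with HS256, the form body for the POST to /par is built, and the nonce and state are kept for later checks. It assumes (labelled in the comments) that the Base64URL Signing Key is decoded to raw bytes before being used as the HMAC secret; CLIENT_ID, REDIRECT_URI, the zero-filled SIGNING_KEY_B64URL and the sample /par response are constructed placeholders. A verifier for the same JWT is included so the signing can be checked end to end; it pins the algorithm rather than trusting the token's alg header.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Constructed placeholders (assumptions): real values come from the OIDC
# integration page in Enterprise Center.
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://mfa.callback.com"
SIGNING_KEY_B64URL = "A" * 43  # 32 zero bytes, Base64URLSafe, no padding


def b64url_encode(data: bytes) -> str:
    """Base64URLSafe without padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding urlsafe_b64decode needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_signing_key(key_b64url: str) -> bytes:
    # Assumption: the Signing Key is Base64URL-decoded and the raw bytes are
    # the HS256 secret.
    return b64url_decode(key_b64url)


def make_request_jwt(username, nonce, redirect_uri, signing_key, now=None, lifetime=300):
    """Build and HS256-sign the `request` JWT with the claims the page lists."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iat": now, "exp": now + lifetime, "nbf": now,
        "nonce": nonce, "tid": None, "oid": None, "sub": None,
        "username": username, "redirect_uri": redirect_uri,
    }

    def compact(obj):
        return json.dumps(obj, separators=(",", ":")).encode()

    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    tag = hmac.new(signing_key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_request_jwt(token, signing_key, now=None):
    """Receiver-side check: pin the algorithm, recompute the tag in constant
    time, enforce nbf/exp and the required claims. Returns the payload."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # never trust an unpinned alg
        raise ValueError("unexpected alg")
    expected = hmac.new(signing_key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    if not (payload["nbf"] <= now < payload["exp"]):
        raise ValueError("token not yet valid or expired")
    for claim in ("nonce", "username", "redirect_uri"):
        if claim not in payload:
            raise ValueError(f"missing claim {claim}")
    return payload


def build_par_request(username, signing_key, nonce=None, state=None):
    """Form parameters to POST to /par, plus the nonce/state to remember for
    checking the redirect and the ID token later."""
    nonce = nonce or secrets.token_urlsafe(24)
    state = state or secrets.token_urlsafe(24)
    params = {
        "client_id": CLIENT_ID,
        "nonce": nonce,
        "redirect_uri": REDIRECT_URI,
        "request": make_request_jwt(username, nonce, REDIRECT_URI, signing_key),
        "response_type": "code",
        "state": state,
    }
    return params, {"nonce": nonce, "state": state}


def parse_par_response(body: str):
    """Extract request_uri and expires_in from the /par JSON response."""
    doc = json.loads(body)
    return doc["request_uri"], int(doc["expires_in"])


def authorize_url(base_url, request_uri):
    """URL the browser is sent to; only request_uri and client_id are needed."""
    query = urlencode({"request_uri": request_uri, "client_id": CLIENT_ID})
    return base_url.rstrip("/") + "/authorize?" + query


if __name__ == "__main__":
    key = decode_signing_key(SIGNING_KEY_B64URL)
    params, pending = build_par_request("username", key)
    print(urlencode(params))  # body to POST to /par
    # Constructed sample of a /par response:
    req_uri, ttl = parse_par_response('{"request_uri": "urn:example:request_uri:abc123", "expires_in": 60}')
    print(authorize_url("https://mfa.example", req_uri), ttl)
```

Keep the returned nonce and state server-side, keyed to the user's session; the redirect and the ID token are matched against them, never against values the browser supplies.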

Get the authorization code

  1. After you obtain the request_uri, redirect the user's browser to the /authorize endpoint. The URL includes the following query parameters:
    1. request_uri. A unique identifier referencing the stored authentication request.
    2. client_id. The identifier for your OIDC integration in Akamai MFA.
  2. The /authorize endpoint retrieves the pushed authorization request details using the request_uri and verifies the user's identity.
  3. The user completes the Akamai MFA challenge.
  4. Once authentication and MFA are successfully completed, the server issues an authorization code.
  5. The authorization server redirects the user's browser to the redirect_uri with the code and state appended as query parameters.

Create an ID token

  1. Send a POST request to the /token endpoint containing:
    1. client_secret. The client secret for your Akamai MFA OIDC integration.
    2. code. The authorization code.
  2. The server validates the request and, upon success, returns a JSON response with an id_token containing information about the user.
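The following Python is an added example, not Akamai's code, covering the return leg of the workflow: it parses the redirect to redirect_uri and rejects it unless state matches the value stored when the authorization request was submitted, builds the form body for the POST to /token, and then checks that the nonce claim in the returned id_token equals the stored nonce. CLIENT_SECRET and the sample id_token are constructed placeholders. The page does not say how the ID token is signed, so the signature check is left to the integration's configured algorithm and only the nonce comparison is shown.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder (assumption); the real secret comes from the
# OIDC integration page in Enterprise Center.
CLIENT_SECRET = "example-client-secret"


def b64url_decode(text: str) -> bytes:
    """Base64URL-without-padding decode, as used for JWT segments."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def handle_callback(redirect_url: str, pending_state: str) -> str:
    """Parse the redirect to redirect_uri, enforce that state equals the value
    sent in the authorization request (the CSRF check), and return the code."""
    qs = parse_qs(urlsplit(redirect_url).query)
    if qs.get("state", [None])[0] != pending_state:  # missing or foreign state: drop it
        raise ValueError("state mismatch")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code


def token_request_body(code: str) -> str:
    """Form body for the POST to /token."""
    return urlencode({"client_secret": CLIENT_SECRET, "code": code})


def id_token_claims(id_token: str, expected_nonce: str) -> dict:
    """Decode the ID token payload and require its nonce claim to equal the
    nonce from the authorization request. Verify the signature with your
    integration's configured algorithm before trusting the claims; that step
    is not shown because the page does not specify it."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed ID token")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("nonce") != expected_nonce:  # replayed or mismatched token
        raise ValueError("nonce mismatch")
    return claims


def constructed_id_token(claims: dict) -> str:
    """Constructed stand-in for the id_token in a /token response, for this
    demo only; the signature segment is a fixed placeholder."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder-signature"


if __name__ == "__main__":
    pending = {"nonce": "n1", "state": "s1"}  # stored when /par was called
    code = handle_callback("https://mfa.callback.com/?code=abc123&state=s1", pending["state"])
    print(token_request_body(code))
    token = constructed_id_token({"sub": "user-123", "username": "username", "nonce": pending["nonce"]})
    print(id_token_claims(token, pending["nonce"]))
```

Both checks fail closed: a redirect whose state does not match is discarded before the code is ever sent to /token, and an id_token whose nonce does not match is rejected even though its other claims look valid.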