Optional Session Context String

A Session Context String may be returned from the authentication process. Microsoft 365 for mobile will pass this string in an HTTP header in calls to the token endpoint URL (RFC 6749#section-3.2) and authenticated calls to the bootstrapper (GetNewAccessToken, Shortcut operations).

The Session Context String is optional and opaque to Microsoft 365 for mobile: it exists for the storage provider's own use and is passed back unchanged. A possible scenario would be to include a hint about a "tenant" so endpoints know where to fetch and/or validate tokens. Because the client simply echoes the value it was given, treat it as a routing hint only and still validate the token on every call; it is not a substitute for that check.

Returning a Session Context string is done via an sc= URL parameter appended to the value of the Location header from the 302 Found response at the end of the sign-in flow.

Important

The contents of the sc= parameter must be URL encoded.

For example, to return the following information:

  • Redirection URI is https://localhost
  • Authorization code (RFC 6749#section-4.1.2) is “abcdefg”
  • Session Context String is “hello:World”

The Location header in the 302 Found response would be:

Location: https://localhost/?code=abcdefg&sc=hello%3AWorld

If present, the session context string will be included, URL-decoded (the %3A in the sc= parameter above becomes ":" again), as an HTTP header when calls are made to the token exchange endpoint and when OAuth2 authenticated calls are made to the bootstrapper (GetNewAccessToken, Shortcut operations), as follows:

X-WOPI-SessionContext: hello:World
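The following added example (not code from the original page or from Microsoft) works through both sides of the flow described above: the storage provider builds the 302 Location value with a URL-encoded sc= parameter, the client extracts and decodes that parameter and places it in X-WOPI-SessionContext, and the provider's endpoints read the header back. Beyond the page's single case it also shows a redirect URI that already carries a query string and a session context containing "&" and "=", which is where unencoded values would silently break; that generalization, the sample redirect URI https://app.example/cb?state=xyz, and the tenant=...&region=... hint are assumptions made for illustration.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

SESSION_CONTEXT_HEADER = "X-WOPI-SessionContext"


def build_redirect_location(redirect_uri: str, code: str,
                            session_context: Optional[str] = None) -> str:
    """Storage provider side: build the Location value for the 302 Found
    that ends sign-in. code= carries the authorization code and sc= the
    optional Session Context String. Both are encoded with quote() and
    safe="", so reserved characters such as ':', '&' and '=' are escaped.
    Assumption: any query string already present on the redirect URI is
    kept and the new parameters are appended after it."""
    parts = urlsplit(redirect_uri)
    query: List[Tuple[str, str]] = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("code", code))
    if session_context is not None:
        query.append(("sc", session_context))
    # A bare authority such as https://localhost is rendered as https://localhost/?...
    path = parts.path or "/"
    encoded = urlencode(query, safe="", quote_via=quote)
    return urlunsplit((parts.scheme, parts.netloc, path, encoded, parts.fragment))


def extract_session_context(location: str) -> Optional[str]:
    """Client side: pull sc= out of the Location URL. parse_qsl undoes the
    percent-encoding, so %3A comes back as ':'."""
    params = dict(parse_qsl(urlsplit(location).query, keep_blank_values=True))
    return params.get("sc")


def session_context_headers(location: str) -> Dict[str, str]:
    """Client side: the header added to token-endpoint and bootstrapper calls,
    or no header at all when no session context was returned."""
    sc = extract_session_context(location)
    return {SESSION_CONTEXT_HEADER: sc} if sc is not None else {}


def read_session_context(headers: Dict[str, str]) -> Optional[str]:
    """Provider side: read the hint back, matching the header name
    case-insensitively as HTTP requires. This only selects where to look for
    or validate the token; the bearer token itself must still be validated."""
    for name, value in headers.items():
        if name.lower() == SESSION_CONTEXT_HEADER.lower():
            return value
    return None


if __name__ == "__main__":
    # The page's own example: redirect URI https://localhost, code "abcdefg",
    # session context "hello:World".
    location = build_redirect_location("https://localhost", "abcdefg", "hello:World")
    print("Location:", location)
    headers = session_context_headers(location)
    print("Client sends:", headers)
    print("Provider reads:", read_session_context(headers))

    # Constructed case: a hint containing '&' and '=' on a URI with a query.
    location2 = build_redirect_location("https://app.example/cb?state=xyz", "c1",
                                        "tenant=contoso&region=eu")
    print("Location:", location2)
    print("Round trip:", extract_session_context(location2))
```

The round trip is the property to check when implementing this: whatever string the provider returns in sc= must come back byte-for-byte in X-WOPI-SessionContext, which only holds if the provider encodes with a safe set of "" (so "&" and "=" inside the hint cannot be mistaken for query delimiters) and the endpoints compare the decoded header value, not the percent-encoded form.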