Must be set to “credential” or "service". First call must use "service" (login authorization), second call must use "credential" (signing authorization).

The value SHALL be “code”.

The unique client_id previously assigned to the client by the remote service (ZealiD).

The URL where the user will be redirected after the authorization process has completed. Only a valid URI preregistered with the remote service (i.e. which starts with the base URL preregistered with ZealiD) SHALL be passed. If omitted, the remote service will use the default redirect URI pre-registered by the client.

Optional string (up to 255 characters) which will be passed back to client after eventual redirect to error or success page

REQUIRED CONDITIONAL field with scope "service". Account token generated according to CSC spec

REQUIRED CONDITIONAL field with scope "credential". One or more base64url-encoded hash values to be signed. Multiple hash values can be passed as comma separated values, e.g. oauth2/authorize?hash=bjQLnP+zepicpUTmu3gKLHiQHT+zNzh2hRGjBhevoB0=,lqKW0iTyhcZ77pPDD4owkVfw2qNdxbh+QQt4YwoJz8c=,… (The parameter name is singular “hash” to match CSC spec).

REQUIRED CONDITIONAL field with scope "credential". The unique identifier associated to the credential. Returned in credentials/list.