Microsoft OIDC redirect URI
GET /auth/microsoft/callback
Microsoft redirects here with code + state. The handler exchanges the code, verifies the ID token, finds the user's tenant, runs Cognito CUSTOM_AUTH to mint Cognito tokens, sets session cookies, and 302-redirects to the SPA.
Request
Query parameters code and state, supplied by Microsoft's redirect. No request body.
Responses
- 302: Redirect to the SPA with the tenant state query param. Sets session cookies.
- 400: Missing code, or expired/invalid state.
- 401: Bad ID token, account not onboarded for Swishing, tenant config incomplete, or Cognito CUSTOM_AUTH failed. The account-not-found case returns an HTML page; other 401s return JSON.
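The control flow above (state check, code exchange, ID-token verification, tenant lookup, CUSTOM_AUTH, cookies, redirect) as an added, framework-free model; this is example code, not the service's own handler. The external steps are injected callables so the 400, 401 and 302 branches run offline, and every name here (StateStore, Deps, the tenant query parameter, the cookie names, the 600-second state lifetime) is an assumption for illustration.

```python
"""Added example, not the project's own code: a framework-free model of the
GET /auth/microsoft/callback handler.  Code exchange, ID-token signature
checking, tenant lookup and Cognito CUSTOM_AUTH are injected callables so the
400 / 401 / 302 branches can be exercised offline.  All names are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import quote

STATE_TTL_SECONDS = 600  # assumed lifetime of a login attempt's state nonce
JSON = ("Content-Type", "application/json")
HTML = ("Content-Type", "text/html")


@dataclass
class StateStore:
    """One-time state nonces issued when login starts: state -> issued-at time."""
    issued: dict = field(default_factory=dict)

    def consume(self, state: Optional[str], now: float) -> bool:
        # pop() makes each state single-use, so a replayed callback is rejected
        if not state or state not in self.issued:
            return False
        return now - self.issued.pop(state) <= STATE_TTL_SECONDS


@dataclass
class Deps:
    """The handler's collaborators; in production each talks to a real service."""
    exchange_code: Callable[[str], dict]                     # code -> token response
    verify_signature: Callable[[str], Optional[dict]]        # id_token -> claims or None
    find_tenant: Callable[[dict], Optional[dict]]            # claims -> tenant record
    run_custom_auth: Callable[[dict, dict], Optional[dict]]  # (tenant, claims) -> Cognito tokens
    issuer: str
    client_id: str
    spa_url: str


@dataclass
class Response:
    status: int
    headers: list  # list of (name, value) pairs; Set-Cookie may repeat
    body: str


def _json_error(status: int, message: str) -> Response:
    return Response(status, [JSON], '{"error":"%s"}' % message)


def id_token_claims(deps: Deps, id_token: Optional[str], now: float) -> Optional[dict]:
    """Signature first, then issuer, audience and expiry; None means 'do not trust'."""
    if not id_token:
        return None
    claims = deps.verify_signature(id_token)
    if claims is None:
        return None
    if claims.get("iss") != deps.issuer or claims.get("aud") != deps.client_id:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def handle_callback(query: dict, store: StateStore, deps: Deps, now: float) -> Response:
    code, state = query.get("code"), query.get("state")
    # 400: both a code and a recently issued, unused state are required
    if not code or not store.consume(state, now):
        return _json_error(400, "missing code or invalid/expired state")

    # 401: exchange the code and verify the ID token before reading any claim
    tokens = deps.exchange_code(code)
    claims = id_token_claims(deps, tokens.get("id_token"), now)
    if claims is None:
        return _json_error(401, "bad id_token")

    tenant = deps.find_tenant(claims)
    if tenant is None:
        # account-not-found is the one 401 served as an HTML page
        return Response(401, [HTML], "<h1>Account not onboarded</h1>")
    if not tenant.get("configured"):
        return _json_error(401, "tenant config incomplete")

    session = deps.run_custom_auth(tenant, claims)
    if session is None:
        return _json_error(401, "cognito custom_auth failed")

    # 302: Cognito tokens go into hardened session cookies; browser goes to the SPA
    flags = "; Path=/; HttpOnly; Secure; SameSite=Lax"
    headers = [
        ("Location", "%s?tenant=%s" % (deps.spa_url, quote(tenant["id"], safe=""))),
        ("Set-Cookie", "id_token=%s%s" % (session["id_token"], flags)),
        ("Set-Cookie", "refresh_token=%s%s" % (session["refresh_token"], flags)),
    ]
    return Response(302, headers, "")
```

The state store pops the nonce on first use, so a second callback carrying the same state gets a 400 rather than a second session; the ID token's issuer, audience and expiry are checked after the signature and before the tenant lookup, so no claim is used for routing until it is trusted.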