Overview#The Authorization Request (OAuth 2.0) is sent by the OAuth Client to the Authorization Server (specifically to the Authorization_endpoint) to obtain an Authorization Grant. OpenID Connect defines the following Authorization Request parameters to enable the Authorization Request to be signed and optionally encrypted:
- request - OPTIONAL. This parameter enables OpenID Connect requests to be passed in a single, self-contained parameter and to be optionally signed and/or encrypted. The parameter value is a Request Object value, as specified in Section 6.1 of OpenID Connect Core. It represents the request as a JWT whose Claims are the Authorization Request parameters.
- request_uri - OPTIONAL. This parameter enables OpenID Connect requests to be passed by reference rather than by value. The request_uri value is a URL using the https scheme referencing a resource containing an Authorization Request Object value, which is a JWT containing the request parameters.
Requests using these parameters are represented as JWTs, which are respectively passed by value or passed by reference. The ability to pass requests by reference is particularly useful for large requests. If one of these parameters is used, the other MUST NOT be used in the same request. Because the Authorization Server fetches the request_uri itself, OpenID Providers may require request_uri values to be pre-registered (advertised through the require_request_uri_registration discovery metadata).
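The request-by-value mechanism described above, as an added example (not code from the original page or from any OpenID Connect implementation): a client packs its Authorization Request parameters into a signed Request Object and passes it in the request parameter, and the Authorization Server unpacks it while enforcing the rules from Section 6.1 (request and request_uri are mutually exclusive, neither may be nested inside the Request Object, and response_type/client_id in the query must match the JWT). The client_id, client secret, issuer and endpoint are constructed stand-ins, and HS256 keyed with the client secret is used only to keep the example dependency-free; production Request Objects are normally signed with the client's asymmetric key.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed example values (not real credentials or endpoints).
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"example-shared-secret-not-for-production"
ISSUER = "https://server.example.com"
AUTHORIZATION_ENDPOINT = ISSUER + "/authorize"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding JWS uses (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_request_object(params: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Client side: sign the Authorization Request parameters as an HS256 JWT (a Request Object).

    OpenID Connect Core 6.1 says a signed Request Object SHOULD carry iss (the client_id)
    and aud (the OP's Issuer Identifier); every other claim is simply a request parameter.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    claims = dict(params)
    claims.setdefault("iss", params["client_id"])
    claims.setdefault("aud", ISSUER)
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def build_authorization_url(params: dict) -> str:
    """Client side: pass the request by value. response_type, client_id and scope=openid MUST
    still appear in plain OAuth 2.0 query syntax (Core 6.1); everything else rides in the JWT."""
    query = {
        "response_type": params["response_type"],
        "client_id": params["client_id"],
        "scope": "openid",
        "request": build_request_object(params),
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(query)


def query_params(url: str) -> dict:
    """Single-valued view of a URL's query component, as the Authorization Server sees it."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def resolve_authorization_request(query: dict, secret: bytes = CLIENT_SECRET) -> dict:
    """Authorization Server side: unpack a Request Object and return the effective parameters.

    Checks: request and request_uri are mutually exclusive; the JWT must verify under a fixed
    algorithm (the token does not get to choose it); request/request_uri MUST NOT appear inside
    the Request Object; response_type and client_id in the query MUST match the Request Object.
    """
    if "request" in query and "request_uri" in query:
        raise ValueError("request and request_uri MUST NOT both be present")
    if "request" not in query:
        return dict(query)  # plain OAuth 2.0 request, nothing to unpack here
    parts = query["request"].split(".")
    if len(parts) != 3:
        raise ValueError("malformed Request Object")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected Request Object alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("Request Object signature does not verify")
    claims = json.loads(b64url_decode(p))
    if "request" in claims or "request_uri" in claims:
        raise ValueError("request/request_uri MUST NOT be nested in a Request Object")
    for name in ("response_type", "client_id"):
        if name in claims and claims[name] != query.get(name):
            raise ValueError(f"{name} in the query does not match the Request Object")
    effective = dict(query)
    del effective["request"]
    effective.update(claims)  # Request Object values supersede plain query values (Core 6.1)
    return effective
```

The algorithm pin is the part most often skipped: a verifier that reads alg from the header and honours it lets an attacker present an unsigned ("none") or differently-keyed Request Object that still carries a trusted client_id.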
Authorization Request Parameters#The Authorization Request Parameters should be registered in the OAuth Parameters Registry or agreed upon by the parties in advance.
The OAuth 2.0 Authorization Request is a URI constructed by the OAuth Client by adding the following parameters to the query component of the Authorization_endpoint using the "application/x-www-form-urlencoded" format (this URI is distinct from the request_uri parameter described above, which points at a Request Object):
|Parameter|Requirement|Defined by|Description|
|---|---|---|---|
|response_type|REQUIRED|OAuth 2.0|Value MUST be set to the appropriate value for the Grant Type (for example "code" for the Authorization Code Flow).|
|client_id|REQUIRED|OAuth 2.0|The client identifier; MUST match the value issued during OAuth 2.0 Client Registration.|
|redirect_uri|OPTIONAL in OAuth 2.0, REQUIRED in OpenID Connect|OAuth 2.0|The Redirect URI to which the Authorization Response is sent. It may be registered with the Authorization Server in advance during OAuth 2.0 Client Registration; any value sent is compared against the registered value(s).|
|scope|OPTIONAL|OAuth 2.0|The space-delimited OAuth Scopes the client is requesting (OpenID Connect requires the "openid" scope value).|
|state|RECOMMENDED|OAuth 2.0|An opaque value used by the OAuth Client to maintain state between the request and the callback. The Authorization Server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used to prevent cross-site request forgery, which requires it to be unguessable and bound to the user-agent session.|
|display|OPTIONAL|OpenID Connect|ASCII (RFC 20) string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the Resource Owner. Defined values: page, popup, touch, wap.|
|prompt|OPTIONAL|OpenID Connect|Space-delimited, case-sensitive list of ASCII string values that specifies whether the Authorization Server prompts the Resource Owner for re-authentication and consent. Defined values: none, login, consent, select_account; none MUST NOT be combined with any other value.|
|max_age|OPTIONAL|OpenID Connect|Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. When max_age is used, the ID Token returned MUST include an auth_time Claim Value.|
|ui_locales|OPTIONAL|OpenID Connect|End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP 47 (RFC 5646) language tag values, ordered by preference. An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.|
|ui_hint|OPTIONAL|Authentication Request|A helpful text message that should be displayed to the End-User during the authentication process. NOTE: It is not clear what the use case for this is or how internationalization of the string would be performed.|
|claims_locales|OPTIONAL|OpenID Connect|End-User's preferred languages and scripts for Claims being returned, represented as a space-separated list of BCP 47 (RFC 5646) language tag values, ordered by preference. An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.|
|code_challenge|REQUIRED when using Proof Key for Code Exchange by OAuth Public Clients|Proof Key for Code Exchange by OAuth Public Clients|The code challenge derived from the client-held code_verifier using the code_challenge_method transformation.|
|code_challenge_method|OPTIONAL|Proof Key for Code Exchange by OAuth Public Clients|Code verifier transformation method, "S256" or "plain"; defaults to "plain" if not present in the request. A client capable of "S256" MUST use it (RFC 7636 Section 4.2).|
How the Authorization Request is Used#The OAuth Client directs the Resource Owner to the constructed Authorization Request URI using an HTTPS redirection response, or by other means available to it via the user-agent.
```http
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
```
(The request line is wrapped for display only.)
The Authorization Server validates the Authorization Request to ensure that all required parameters are present and valid, including that any redirect_uri supplied matches a value registered for the client; if the redirect_uri is missing, invalid or mismatching, the Authorization Server MUST NOT redirect the user-agent to it. If the Authorization Request is valid, the Authorization Server authenticates the Resource Owner and obtains an authorization decision (by asking the Resource Owner or by establishing approval via other means).
When a decision is established, the Authorization Server directs the user-agent to the Redirect URI provided by the OAuth Client using an HTTP redirection response, or by other means available to it via the user-agent.
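The sequence described in this section (constructing the URI, redirecting, and handling the redirect back) as an added example that is not code from the original page or from any OAuth library: a Python client that builds an Authorization Code request carrying the state and PKCE (S256) parameters from the table above, validates the Authorization Response before redeeming the code, and the Authorization Server's matching code_verifier check at the token endpoint. The endpoint, client_id and the session dict are constructed stand-ins.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZATION_ENDPOINT = "https://server.example.com/authorize"  # constructed example value


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """RFC 7636 4.1: 43..128 unreserved characters; 32 random bytes give 43 base64url characters."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(code_verifier: str) -> str:
    """RFC 7636 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def query_params(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def start_authorization(client_id: str, redirect_uri: str, scope: str, session: dict) -> str:
    """Client side: build the Authorization Request URI and record what the callback must prove.

    state binds the callback to this user-agent session (CSRF defence); code_verifier stays
    here and only its S256 transform goes on the wire, so an intercepted code alone cannot
    be redeemed at the token endpoint.
    """
    state = b64url(secrets.token_bytes(16))
    code_verifier = new_code_verifier()
    session["oauth_pending"] = {
        "state": state,
        "code_verifier": code_verifier,
        "redirect_uri": redirect_uri,
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",  # never fall back to "plain" when S256 is available
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def handle_callback(callback_url: str, session: dict) -> dict:
    """Client side: check the Authorization Response before spending the code."""
    pending = session.pop("oauth_pending", None)  # one-shot: a replayed callback finds nothing
    if pending is None:
        raise ValueError("no Authorization Request in flight for this session")
    q = query_params(callback_url)
    if not secrets.compare_digest(q.get("state", ""), pending["state"]):
        raise ValueError("state mismatch: possible CSRF or a response meant for another session")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"])
    if "code" not in q:
        raise ValueError("Authorization Response carries no code")
    # What the Access Token Request needs: the code plus the matching code_verifier and redirect_uri.
    return {"code": q["code"], "code_verifier": pending["code_verifier"],
            "redirect_uri": pending["redirect_uri"]}


def verify_code_verifier(code_verifier: str, stored_challenge: str, method: str) -> bool:
    """Authorization Server side, at the token endpoint (RFC 7636 4.6): recompute and compare."""
    if method == "S256":
        computed = code_challenge_s256(code_verifier)
    elif method == "plain":
        computed = code_verifier
    else:
        return False
    return secrets.compare_digest(computed, stored_challenge)
```

The pending record is popped before any check runs, so a second delivery of the same callback (or a callback for a session that never started a request) fails closed instead of being compared against stale values.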
More Information#There might be more information for this subject on one of the following:
- Access Token Request
- Authentication Context Class Reference
- Authorization Code Flow
- Authorization Grant
- Authorization Response
- Consent Dialog
- OAuth 2.0 Authorization
- OAuth 2.0 JWT Authorization Request
- OAuth 2.0 Multiple Response Type Encoding Practices
- OAuth Error
- OAuth Parameters Registry
- OAuth Scopes
- Proof Key for Code Exchange by OAuth Public Clients
- Request Object
- Resource Parameter
- Web Blog_blogentry_140615_1
- Web Blog_blogentry_180216_1