Overview#

Authorization Request (OAuth 2.0) is sent by the OAuth Client to the Authorization Server (specifically the Authorization_endpoint) to obtain an Authorization Grant.

OpenID Connect#

OpenID Connect defines the following Authorization Request parameters to enable Authorization Request to be signed and optionally encrypted:
  • request - OPTIONAL This parameter enables OpenID Connect requests to be passed in a single, self-contained parameter and to be optionally signed and/or encrypted. The parameter value is a Request Object value, as specified in Section 6.1. It represents the request as a JWT whose Claims are the Authorization Request parameters.
  • request_uri - OPTIONAL - This parameter enables OpenID Connect requests to be passed by-reference, rather than by-value. The request_uri value is a URL using the https scheme referencing a resource containing an Authorization Request Object value, which is a JWT containing the request parameters.

Requests using these parameters are represented as JWTs, which are respectively passed by-value or passed by-reference. The ability to pass requests by-reference is particularly useful for large requests. If one of these parameters is used, the other MUST NOT be used in the same request. Because the response_type and client_id parameters are REQUIRED by OAuth 2.0, they MUST still be present in the query even when a Request Object is used, and their values MUST match those in the Request Object; where a parameter appears in both places, the Request Object value supersedes the query value.
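The following is an added example, not code from the page or from any OpenID Connect implementation: the OAuth Client signs its fixed parameters once as an HS256 Request Object (OpenID Connect allows the client_secret as the symmetric key) and passes the per-request values (state, nonce) in the plain query; the Authorization Server side then enforces that request and request_uri are not both present, verifies the signature with a pinned algorithm, checks that response_type and client_id in the query match the Request Object, and merges the two with the Request Object values superseding. The client identifier, secret and endpoint are constructed values; fetching a request_uri is out of scope of this offline example.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed example values (not from the page): a hypothetical client whose
# client_secret doubles as the HS256 key for symmetrically signed Request Objects.
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"example-client-secret-not-for-production"
AUTHORIZATION_ENDPOINT = "https://server.example.com/authorize"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(params: dict, key: bytes) -> str:
    """Serialise Authorization Request parameters as an HS256-signed JWT (the 'request' value)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(params, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    return f"{header}.{payload}." + _b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


def verify_request_object(token: str, key: bytes) -> dict:
    """Verify the HS256 signature and return the claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed Request Object")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # pin the algorithm; never honour alg=none or a swapped alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad Request Object signature")
    return json.loads(_b64url_decode(parts[1]))


def client_build_url(fixed_params: dict, per_request: dict) -> str:
    """Client side: sign the fixed parameters once; pass the varying ones (state, nonce) in the query."""
    query = {
        "client_id": fixed_params["client_id"],          # REQUIRED in the query by OAuth 2.0
        "response_type": fixed_params["response_type"],  # REQUIRED in the query by OAuth 2.0
        "scope": fixed_params["scope"],                  # must carry "openid" in the query
        "request": sign_request_object(fixed_params, CLIENT_SECRET),
    }
    query.update(per_request)
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(query)


def server_resolve_request(url: str, key: bytes) -> dict:
    """Authorization Server side: return the effective request parameters or raise ValueError."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "request" in query and "request_uri" in query:
        raise ValueError("request and request_uri MUST NOT both be used")
    if "request" not in query:
        return query  # plain OAuth 2.0 request; request_uri fetching is out of scope here
    for name in ("response_type", "client_id"):
        if name not in query:
            raise ValueError(f"{name} MUST be passed using the OAuth 2.0 request syntax")
    if "openid" not in query.get("scope", "").split():
        raise ValueError("scope containing openid MUST be passed in the query")
    claims = verify_request_object(query["request"], key)
    for name in ("response_type", "client_id"):
        if name in claims and claims[name] != query[name]:
            raise ValueError(f"{name} in Request Object does not match the query parameter")
    merged = dict(query)
    merged.pop("request")
    merged.update(claims)  # Request Object values supersede the OAuth 2.0 query values
    return merged
```

The server-side function returns the merged parameter set that the rest of the Authorization Server would validate exactly as it would a plain query-string request.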

Authorization Request Parameters#

The Authorization Request Parameters should be registered in the OAuth Parameters Registry or agreed upon by the parties in advance.

The OAuth Client constructs the OAuth 2.0 Authorization Request URI by adding the following parameters to the query component of the Authorization_endpoint using the "application/x-www-form-urlencoded" format (this request URI is distinct from the OpenID Connect request_uri parameter described above):

| Parameter | Required | Defined By | Description |
| --- | --- | --- | --- |
| response_type | REQUIRED | OAuth 2.0 | Value MUST be set to the appropriate value for the Grant Type (for example "code" for the Authorization Code Grant). |
| client_id | REQUIRED | OAuth 2.0 | The client identifier; must match the value issued during OAuth 2.0 Client Registration. |
| redirect_uri | OPTIONAL | OAuth 2.0 | Where the Authorization Server sends the user-agent after the authorization decision. It may be registered with the Authorization Server in advance during OAuth 2.0 Client Registration; if it was, the value in the request MUST match a registered value. |
| scope | OPTIONAL | OAuth 2.0 | The "desired" OAuth Scopes of the Authorization Request. OpenID Connect requires the value to include "openid". |
| state | RECOMMENDED | OAuth 2.0 | An opaque value used by the OAuth Client to maintain state between the request and callback. The Authorization Server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery (CSRF). |
| nonce | OPTIONAL (REQUIRED in the Implicit Flow) | OpenID Connect | String value used to associate a Client session with an ID Token and to mitigate replay attacks; the Authorization Server passes it through unmodified into the ID Token, where the client verifies it. |
| display | OPTIONAL | OpenID Connect | ASCII (RFC 20) string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the Resource Owner. The defined values are page, popup, touch and wap. |
| prompt | OPTIONAL | OpenID Connect | Space-delimited, case-sensitive list of ASCII string values that specifies whether the Authorization Server prompts the Resource Owner for re-authentication and consent. The defined values are none, login, consent and select_account. |
| max_age | OPTIONAL | OpenID Connect | Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. When max_age is used, the ID Token returned MUST include an auth_time Claim Value. |
| ui_locales | OPTIONAL | OpenID Connect | End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 (RFC 5646) language tag values, ordered by preference. An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider. |
| ui_hint | OPTIONAL | Authentication Request | A helpful text message that should be displayed to the End-User during the authentication process. NOTE: It is not clear what the use case for this is or how internationalization of the string would be performed. |
| claims_locales | OPTIONAL | OpenID Connect | End-User's preferred languages and scripts for Claims being returned, represented as a space-separated list of BCP47 (RFC 5646) language tag values, ordered by preference. An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider. |
| id_token_hint | OPTIONAL | OpenID Connect | An ID Token previously issued by the Authorization Server, passed as a hint about the End-User's current or past authenticated session with the Client. |
| login_hint | OPTIONAL | OpenID Connect | Hint to the Authorization Server about the login identifier the End-User might use (for example an e-mail address or phone number). |
| acr_values | OPTIONAL | OpenID Connect | Requested Authentication Context Class Reference values, as a space-separated string in order of preference. |
| amr_values | OPTIONAL | OpenID Connect | Not defined as a request parameter in OpenID Connect Core 1.0; amr is an ID Token Claim. |
| code_challenge | REQUIRED when using Proof Key for Code Exchange by OAuth Public Clients | Proof Key for Code Exchange by OAuth Public Clients | Value derived from the client's code_verifier using the code_challenge_method transformation. |
| code_challenge_method | OPTIONAL | Proof Key for Code Exchange by OAuth Public Clients | Code verifier transformation method, "S256" or "plain"; defaults to "plain" if not present in the request. Clients SHOULD use "S256". |

How the Authorization Request is Used#

The OAuth Client directs the Resource Owner to the constructed Authorization Request URI using an HTTP redirection response, or by other means available to it via the user-agent. The request MUST be made over TLS.

For example, the OAuth Client directs the user-agent to make the following HTTP request using TLS:

GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com

The Authorization Server validates the Authorization Request to ensure that all required parameters are present and valid. If the Authorization Request is valid, the Authorization Server authenticates the Resource Owner and obtains an authorization decision (by asking the Resource Owner or by establishing approval via other means).

When a decision is established, the Authorization Server directs the user-agent to the Redirect URI provided by the OAuth Client (after validating it against the value registered for that client) using an HTTP redirection response, or by other means available to it via the user-agent.
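The following is an added example, not code from the page or from any OAuth library, showing the round trip described in the Authorization Request Parameters table and the section above for the Authorization Code Grant with PKCE: the client builds the request URI with state, nonce and an S256 code_challenge; the Authorization Server checks the required parameters, matches redirect_uri exactly against the registered value and rejects the "plain" PKCE method; the client then validates the callback's state before accepting the code; and the token endpoint side recomputes the S256 challenge from the presented code_verifier. The endpoint, client identifier and redirect URI are constructed values.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed example values (not from the page): a hypothetical client registered
# with a hypothetical Authorization Server.
AUTHORIZATION_ENDPOINT = "https://server.example.com/authorize"
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://client.example.com/cb"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """RFC 7636 code_verifier: 43-128 unreserved characters from a CSPRNG."""
    return secrets.token_urlsafe(32)  # 43 characters


def code_challenge_s256(code_verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorization_request(state: str, nonce: str, code_verifier: str,
                                scope: str = "openid profile") -> str:
    """Client side: assemble the Authorization Request URI for the Authorization Code Grant."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,                    # bound to the user-agent session, checked on callback
        "nonce": nonce,                    # echoed in the ID Token, checked there
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",   # never rely on the "plain" default
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def server_validate_request(request_url: str, registered_redirect_uris: set) -> dict:
    """Authorization Server side: check required parameters and redirect_uri; raise on failure."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
    for name in ("response_type", "client_id"):
        if name not in query:
            raise ValueError(f"missing required parameter {name}")
    # Exact string comparison against the registered value: no prefix or wildcard matching.
    if "redirect_uri" in query and query["redirect_uri"] not in registered_redirect_uris:
        raise ValueError("redirect_uri does not match a registered value")
    if "code_challenge" in query and query.get("code_challenge_method", "plain") != "S256":
        raise ValueError("only the S256 code_challenge_method is accepted")
    return query


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Client side: validate the redirect back to redirect_uri and return the authorization code."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if "error" in query:  # the Authorization Server reported a failure
        raise ValueError(f"authorization error: {query['error']}")
    if not hmac.compare_digest(query.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or mixed-up response")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"]


def server_verify_pkce(code_verifier: str, stored_challenge: str) -> bool:
    """Token endpoint side: recompute S256 from the presented code_verifier and compare."""
    return hmac.compare_digest(code_challenge_s256(code_verifier).encode(),
                               stored_challenge.encode())
```

The state value must be generated per user-agent session and stored server-side (or in a session cookie) so that parse_callback can compare against it; the code_verifier is kept with it and only sent to the token endpoint, never to the authorization endpoint.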

« This page (revision-42) was last changed on 17-Jul-2017 09:40 by jim