Authorization Request

Overview#

Authorization Request (OAuth 2.0) is sent by the OAuth Client to the Authorization Server (specifically the Authorization_endpoint) to obtain an Authorization Grant.

The OAuth 2.0 and OpenID Connect specifications define several Grant Types, and other Grant Types have been or may be defined. We show the Authorization Code Grant for OpenID Connect in most of our examples.

OpenID Connect#

OpenID Connect defines the following Authorization Request parameters to enable the Authorization Request to be signed and optionally encrypted:
  • request - OPTIONAL - This parameter enables OpenID Connect requests to be passed in a single, self-contained parameter and to be optionally signed and/or encrypted. The parameter value is a Request Object value, as specified in Section 6.1. It represents the request as a JWT whose Claims are the Authorization Request parameters.
  • request_uri - OPTIONAL - This parameter enables OpenID Connect requests to be passed by reference rather than by value. The request_uri value is a URL using the https scheme that references a resource containing an Authorization Request Object value, which is a JWT containing the request parameters.

Requests using these parameters are represented as JWTs, which are respectively passed by value or passed by reference. The ability to pass requests by reference is particularly useful for large requests. If one of these parameters is used, the other MUST NOT be used in the same request.

Authorization Request Parameters#

The Authorization Request Parameters should be registered in the OAuth Parameters Registry or agreed upon by the parties in advance.

Typically, the following are required:

How the Authorization Request is Used#

The OAuth Client directs the Resource Owner to the constructed Authorization Request URI using an HTTPS redirection response, or by other means available to it via the user-agent.

For example, the OAuth Client directs the user-agent to make the following HTTP request using TLS:

https://server.example.com/authorize?
    response_type=code
    &client_id=s6BhdRkqt3
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
    &scope=openid%20profile
    &state=af0ifjsldkj

The Authorization Server validates the Authorization Request to ensure that all required parameters are present and valid. If the Authorization Request is valid, the Authorization Server authenticates the Resource Owner and obtains an authorization decision (by asking the Resource Owner or by establishing approval via other means).

If a successful decision is established, the Authorization Server directs the user-agent to the Redirect_uri provided by the OAuth Client using an HTTP Redirection response, or by other means available to it via the user-agent, providing the Authorization Grant to the OAuth Client.
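The two halves of the exchange above, as an added example that is not the wiki's own code: the OAuth Client constructs the Authorization Request URI shown earlier, and the Authorization Server validates it (required parameters present, redirect_uri matching what the client registered, request and request_uri not used together). The endpoint, client_id and redirect_uri are the page's example values; the client registry is constructed for the example.

```python
# Added example, not the wiki's own code: build an OpenID Connect Authorization
# Request as the OAuth Client does, then validate it as the Authorization Server
# does. Endpoint, client_id and redirect_uri come from the page's example; the
# client registry is constructed for the example.
from urllib.parse import urlencode, urlsplit, parse_qs, quote

AUTHORIZATION_ENDPOINT = "https://server.example.com/authorize"
# Constructed registry: redirect_uri is checked against what the client
# registered in advance, never trusted from the request alone.
REGISTERED_CLIENTS = {"s6BhdRkqt3": {"https://client.example.org/cb"}}
REQUIRED = ("response_type", "client_id", "redirect_uri", "scope", "state")


def build_authorization_request(client_id, redirect_uri, scope, state):
    """Client side: construct the Authorization Code Grant request URI."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def validate_authorization_request(uri):
    """Server side: return the list of validation errors (empty if valid)."""
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    errors = [f"missing required parameter: {n}"
              for n in REQUIRED if not query.get(n, [""])[0]]
    # A parameter sent twice is ambiguous and a common tampering pattern.
    errors += [f"duplicated parameter: {k}" for k, v in query.items() if len(v) > 1]
    # request (by value) and request_uri (by reference) are mutually exclusive.
    if "request" in query and "request_uri" in query:
        errors.append("request and request_uri MUST NOT both be used")
    if errors:
        return errors
    if query["response_type"][0] != "code":
        errors.append("unsupported response_type")
    registered = REGISTERED_CLIENTS.get(query["client_id"][0])
    if registered is None:
        errors.append("unknown client_id")
    elif query["redirect_uri"][0] not in registered:
        errors.append("redirect_uri not registered for this client")
    if "openid" not in query["scope"][0].split():
        errors.append("scope must include openid for an OpenID Connect request")
    return errors


if __name__ == "__main__":
    uri = build_authorization_request("s6BhdRkqt3", "https://client.example.org/cb",
                                      "openid profile", "af0ifjsldkj")
    print(uri)
    print(validate_authorization_request(uri))  # []
```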
