In OAuth 2.0 the Authorization Endpoint is one of the OAuth 2.0 Endpoints on the Authorization Server where the Resource Owner logs in and grants Authorization to the OAuth Client.

This is done by sending the User-agent to the Authorization Server's Authorization_endpoint for Authentication and Authorization, using request parameters defined by OAuth 2.0 and perhaps additional parameters and parameter values defined by OpenID Connect.

The Authorization_endpoint is publicly accessible.

The Authorization_endpoint is used to interact with the Resource Owner and obtain an Authorization Grant. The Authorization Server MUST first verify the identity of the Resource Owner. The way in which the Authorization Server authenticates the Resource Owner (e.g., username and password login, session cookies) is beyond the scope of this specification.

The means through which the OAuth Client obtains the location of the Authorization_endpoint are beyond the scope of this specification, but the location is typically provided in the service documentation.

The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per Appendix B) query component (RFC 3986 Section 3.4), which MUST be retained when adding additional query parameters. The endpoint URI MUST NOT include a fragment component.
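The two URI rules above (an existing query component must be retained, a fragment component is forbidden) together with the TLS requirement are easy to get wrong when a client string-concatenates its authorization request. The following is an added example, not code from the original page: a client-side helper that checks the endpoint URI and then appends the standard request parameters. The endpoint host `as.example`, the client id and the redirect URI are constructed sample values.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


def validate_authorization_endpoint(endpoint):
    """Return a list of problems with an authorization endpoint URI (empty when it is acceptable).

    Checks the requirements quoted from RFC 6749 section 3.1: no fragment component,
    and TLS because the request results in user authentication.
    """
    parts = urlsplit(endpoint)
    problems = []
    if parts.fragment or endpoint.endswith("#"):
        problems.append("endpoint URI must not include a fragment component")
    if parts.scheme != "https":
        problems.append("endpoint must be reached over TLS (https)")
    if not parts.netloc:
        problems.append("endpoint URI has no host")
    return problems


def build_authorization_url(endpoint, client_id, redirect_uri, state,
                            scope=None, response_type="code"):
    """Append OAuth 2.0 authorization request parameters to the endpoint URI.

    Any query component already present on the endpoint (e.g. a tenant selector the
    service documentation told us to use) is kept, and we refuse to add a parameter
    name that is already there, because parameters MUST NOT be included more than once.
    """
    problems = validate_authorization_endpoint(endpoint)
    if problems:
        raise ValueError("; ".join(problems))

    parts = urlsplit(endpoint)
    # keep_blank_values=True so the endpoint's own query survives byte-for-byte in meaning
    query = parse_qsl(parts.query, keep_blank_values=True)
    existing = {name for name, _ in query}

    params = {
        "response_type": response_type,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,  # CSRF binding between request and callback
    }
    if scope:
        params["scope"] = scope

    for name, value in params.items():
        if name in existing:
            raise ValueError(f"parameter {name!r} is already present in the endpoint URI")
        query.append((name, value))

    # urlencode produces application/x-www-form-urlencoded; fragment is left empty
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


if __name__ == "__main__":
    print(build_authorization_url("https://as.example/authorize?tenant=acme",
                                  "app1", "https://app.example/cb", "xyz", scope="openid"))
```

The `state` value is passed in rather than generated here so the caller can store it in the session and compare it on the callback; generating it inside the URL builder would hide that requirement.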

Since requests to the Authorization_endpoint result in user Authentication and the transmission of clear-text credentials (in the HTTP response), the Authorization Server MUST require the use of TLS as described in Section 1.6 when sending requests to the Authorization_endpoint.

The Authorization Server MUST support the use of the HTTP "GET" method RFC 2616 for the Authorization_endpoint and MAY support the use of the "POST" method as well.

Authorization Request parameters sent without a value MUST be treated as if they were omitted from the request. The Authorization Server MUST ignore unrecognized request parameters. Authorization Request and response parameters MUST NOT be included more than once.

Extension response types MAY contain a space-delimited (%x20) list of values, where the order of values does not matter (e.g., response type "a b" is the same as "b a"). The meaning of such composite response types is defined by their respective specifications.

If an authorization request is missing the "response_type" parameter, or if the response_type is not understood, the authorization server MUST return an error response as described in Section
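The three parameter-handling rules (empty values treated as omitted, unrecognized parameters ignored, duplicates forbidden), the order-insensitive composite response types, and the mandatory error for a missing or unknown `response_type` can all be exercised by one server-side parser. The following is an added example rather than code from the page: a hypothetical authorization server's request validation. The set of recognized parameter names and the supported response types are assumptions for the example; the error codes `invalid_request` and `unsupported_response_type` are the ones RFC 6749 defines for the authorization error response.

```python
from urllib.parse import parse_qsl

# Parameter names this hypothetical authorization server recognizes.
RECOGNIZED = {"response_type", "client_id", "redirect_uri", "scope", "state"}

# response_type values the server understands. Composite types are stored as sets
# because "a b" and "b a" are the same response type.
SUPPORTED_RESPONSE_TYPES = {
    frozenset({"code"}),
    frozenset({"token"}),
    frozenset({"code", "id_token"}),  # assumed OpenID Connect hybrid type for the example
}


def parse_authorization_request(query_string):
    """Validate the query string of an authorization request.

    Returns (params, None) when the request is well formed, or (None, error) where
    error is the body of the error response the server must send instead.
    """
    params = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if value == "":
            continue  # a parameter sent without a value is treated as omitted
        if name not in RECOGNIZED:
            continue  # unrecognized request parameters are ignored
        if name in params:
            # recognized parameters must not be included more than once
            return None, {"error": "invalid_request",
                          "error_description": f"parameter '{name}' included more than once"}
        params[name] = value

    if "response_type" not in params:
        return None, {"error": "invalid_request",
                      "error_description": "response_type parameter is missing"}

    # Space-delimited (%x20) list; parse_qsl has already decoded '+' and '%20' to spaces.
    response_type = frozenset(token for token in params["response_type"].split(" ") if token)
    if response_type not in SUPPORTED_RESPONSE_TYPES:
        return None, {"error": "unsupported_response_type",
                      "error_description": "response_type not understood"}

    params["response_type"] = response_type
    return params, None


if __name__ == "__main__":
    # Constructed sample requests, one well formed and one with a missing response_type.
    print(parse_authorization_request("response_type=id_token+code&client_id=app1&state=abc&foo=bar"))
    print(parse_authorization_request("client_id=app1"))
```

Comparing `frozenset` values against a set of supported types is what makes `"code id_token"` and `"id_token code"` resolve to the same grant flow; a string comparison would reject one ordering that the specification says is equivalent.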

« This page (revision-10) was last changed on 22-Nov-2016 12:44 by jim