Overview#In OAuth 2.0 the Authorization Endpoint is one of the OAuth 2.0 Endpoints on the Authorization Server where the Resource Owner logs in and grants Authorization to the OAuth Client.
This is done by sending the User-agent to the Authorization Server's Authorization_endpoint for Authentication and Authorization, using request parameters defined by OAuth 2.0 and perhaps additional parameters and parameter values defined by OpenID Connect.
The Authorization_endpoint is publicly accessible.
The Authorization_endpoint is used to interact with the Resource Owner and obtain an Authorization Grant. The Authorization Server MUST first verify the identity of the Resource Owner. The way in which the Authorization Server authenticates the Resource Owner (e.g., username and password login, session cookies) is beyond the scope of the OAuth 2.0 specification (RFC 6749).
The means through which the OAuth Client obtains the location of the Authorization_endpoint are likewise beyond the scope of RFC 6749; the location is typically provided in the service documentation (or, for OpenID Connect, through OpenID Connect Discovery).
The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per RFC 6749 Appendix B) query component (RFC 3986 Section 3.4), which MUST be retained when adding additional query parameters. The endpoint URI MUST NOT include a fragment component.
Since requests to the Authorization_endpoint result in user Authentication and the transmission of clear-text credentials (in the HTTP response), the Authorization Server MUST require the use of TLS as described in Section 1.6 when sending requests to the Authorization_endpoint.
Authorization Request parameters sent without a value MUST be treated as if they were omitted from the request. The Authorization Server MUST ignore unrecognized request parameters. Authorization Request and response parameters MUST NOT be included more than once.
Extension response types MAY contain a space-delimited (%x20) list of values, where the order of values does not matter (e.g., response type "a b" is the same as "b a"). The meaning of such composite response types is defined by their respective specifications.
If an Authorization Request is missing the "response_type" parameter, or if the response_type is not understood, the Authorization Server MUST return an error response as described in RFC 6749 Section 4.1.2.1 (Error Response).
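The rules above (retain an existing query component, reject a fragment, require TLS, treat empty parameters as omitted, ignore unrecognized parameters, reject duplicates, treat a space-delimited response_type as unordered, and return an error when response_type is missing or not understood) are shown here as an added example in Python. It is not code from RFC 6749 or from any Authorization Server product; the set of recognized parameters, the supported response types, and the choice to answer a duplicated parameter with "invalid_request" are assumptions made for the example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: a minimal set of request parameters this Authorization Server
# understands (OAuth 2.0 core plus a few OpenID Connect / PKCE parameters).
KNOWN_PARAMS = {"response_type", "client_id", "redirect_uri", "scope", "state",
                "nonce", "code_challenge", "code_challenge_method"}

# Assumption: supported response types. Composite types are compared as sets,
# so "code id_token" and "id_token code" are the same response type.
SUPPORTED_RESPONSE_TYPES = {
    frozenset({"code"}),
    frozenset({"token"}),
    frozenset({"code", "id_token"}),
}


def build_authorization_url(endpoint: str, params: dict) -> str:
    """OAuth Client side: append the Authorization Request parameters to the
    endpoint URI, keeping any query component the URI already carries."""
    parts = urlsplit(endpoint)
    if parts.fragment:
        raise ValueError("authorization endpoint URI MUST NOT include a fragment")
    if parts.scheme != "https":
        raise ValueError("authorization endpoint MUST be used over TLS")
    # Retain the existing query component and add the new parameters after it.
    existing = parse_qsl(parts.query, keep_blank_values=True)
    query = urlencode(existing + list(params.items()))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def parse_authorization_request(query: str) -> dict:
    """Authorization Server side: validate the query string of an incoming
    Authorization Request. Returns {"ok": True, "params": {...}} or
    {"ok": False, "error": "...", "error_description": "..."}.
    (A real server must validate redirect_uri before redirecting an error
    back to the client; that step is outside this example.)"""
    pairs = parse_qsl(query, keep_blank_values=True)

    # Parameters sent without a value MUST be treated as if omitted.
    pairs = [(name, value) for name, value in pairs if value != ""]

    # Request parameters MUST NOT be included more than once.
    seen = {}
    for name, value in pairs:
        if name in seen:
            return {"ok": False, "error": "invalid_request",
                    "error_description": f"parameter '{name}' included more than once"}
        seen[name] = value

    # Unrecognized request parameters MUST be ignored.
    params = {name: value for name, value in seen.items() if name in KNOWN_PARAMS}

    # Missing or not-understood response_type -> error response (RFC 6749 4.1.2.1).
    response_type = params.get("response_type")
    if response_type is None:
        return {"ok": False, "error": "invalid_request",
                "error_description": "response_type is required"}
    response_type_set = frozenset(response_type.split())  # space-delimited, unordered
    if response_type_set not in SUPPORTED_RESPONSE_TYPES:
        return {"ok": False, "error": "unsupported_response_type",
                "error_description": f"response_type '{response_type}' not understood"}

    params["response_type"] = response_type_set
    return {"ok": True, "params": params}


if __name__ == "__main__":
    # Constructed sample values; "as.example" and "app1" are placeholders.
    url = build_authorization_url("https://as.example/authorize?tenant=acme",
                                  {"response_type": "code", "client_id": "app1"})
    print(url)
    print(parse_authorization_request("response_type=id_token%20code&client_id=app1&state=&foo=bar"))
    print(parse_authorization_request("client_id=app1"))
```

The client helper refuses a fragment and a non-TLS scheme up front, because a fragment would be silently dropped by the user-agent and an http: endpoint would expose the Resource Owner's credentials. The server helper strips empty values before the duplicate check, so "state=&state=abc" is not counted as a duplicate, while "client_id=a&client_id=b" is rejected.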
More Information#There might be more information for this subject on one of the following:
- Authorization API
- Authorization Code Flow
- Authorization Request
- Authorization Server
- External User-Agent
- Identity Token
- Implicit Flow
- OAuth 2.0
- OAuth 2.0 Endpoints
- OAuth 2.0 JWT Authorization Request
- OAuth 2.0 Multiple Response Type Encoding Practices
- OAuth 2.0 for Native Apps
- OAuth Scopes
- OpenAM Endpoints
- OpenID Connect
- OpenID Connect Discovery
- Protection API
- Resource Parameter
- Web Blog_blogentry_140615_1