Overview#

OAuth 2.0 (RFC 6749) establishes the OAuth Parameters Registry.

Additional parameters for inclusion in the authorization endpoint request, the authorization endpoint response, the token endpoint request, or the token endpoint response are registered under the Specification Required policy (RFC 5226) after a two-week review period on the oauth-ext-review@ietf.org mailing list, on the advice of one or more Designated Experts. However, to allow for the allocation of values prior to publication, the Designated Expert(s) may approve registration once they are satisfied that such a specification will be published.

The IANA OAuth Parameters Registry is located at: https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml The parameters it includes are listed below.

OAuth Parameters #

This page lists the various OAuth Parameters and shows:
  • Where they are used
  • What they represent

Parameter | Parameter Usage Location | Reference | Description
--- | --- | --- | ---
client_id | Authorization Request | OAuth 2.0 | The client identifier
client_id | Access Token Request | OAuth 2.0 | The client identifier
Client Secret | Access Token Request | OAuth 2.0 | The OAuth Client credential
response_type | Authorization Request | OAuth 2.0 | Value MUST be set to the appropriate value based on the Grant Type
redirect_uri | Authorization Request | OAuth 2.0 | The Redirect URI; it may be registered with the Authorization Server in advance.
redirect_uri | Access Token Request | OAuth 2.0 | The Redirect URI; it may be registered with the Authorization Server in advance.
scope | Authorization Request | OAuth 2.0 | The requested ("Desired") OAuth Scopes
scope | Authorization Response | OAuth 2.0 | The requested ("Desired") OAuth Scopes
scope | Access Token Request | OAuth 2.0 | The requested ("Desired") OAuth Scopes
scope | Access Token Response | OAuth 2.0 | The requested ("Desired") OAuth Scopes
state | Authorization Request | OAuth 2.0 | An opaque value used by the OAuth Client to maintain state between the request and callback. The Authorization Server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used, as a nonce, for preventing cross-site request forgery.
state | Authorization Response | OAuth 2.0 | An opaque value used by the OAuth Client to maintain state between the request and callback. The Authorization Server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used, as a nonce, for preventing cross-site request forgery.
code | Authorization Response | OAuth 2.0 | Authorization Code
code | Access Token Request | OAuth 2.0 | Authorization Code
error | Authorization Response | OAuth 2.0 | OAuth Error
error | Access Token Response | OAuth 2.0 | OAuth Error
error_description | Authorization Response | OAuth 2.0 | OAuth Error
error_description | Access Token Response | OAuth 2.0 | OAuth Error
error_uri | Authorization Response | OAuth 2.0 | OAuth Error
error_uri | Access Token Response | OAuth 2.0 | OAuth Error
grant_type | Access Token Request | OAuth 2.0 | grant_type
access_token | Authorization Response | OAuth 2.0 | Access Token
access_token | Access Token Response | OAuth 2.0 | Access Token
token_type | Authorization Response | OAuth 2.0 | token_type
token_type | Access Token Response | OAuth 2.0 | token_type
expires_in | Authorization Response | OAuth 2.0 | expires_in
expires_in | Access Token Response | OAuth 2.0 | expires_in
username | Access Token Request | OAuth 2.0 | Used in Resource Owner Password Credentials
password | Access Token Request | OAuth 2.0 | Used in Resource Owner Password Credentials
refresh_token | Access Token Request | OAuth 2.0 | Refresh Token
refresh_token | Access Token Response | OAuth 2.0 | Refresh Token
nonce | Authorization Request | OpenID Connect | nonce
display | Authorization Request | OpenID Connect | ASCII (RFC 20) string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the Resource Owner. The permitted values are defined by OpenID Connect.
prompt | Authorization Request | OpenID Connect | Space-delimited, case-sensitive list of ASCII string values that specifies whether the Authorization Server prompts the Resource Owner for re-authentication and consent. The permitted values are defined by OpenID Connect.
max_age | Authorization Request | OpenID Connect | Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. When max_age is used, the ID Token returned MUST include an auth_time Claim Value.
ui_locales | Authorization Request | OpenID Connect | End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP 47 (RFC 5646) language tag values, ordered by preference. An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.
ui_hint | Authorization Request | Authentication Request | A helpful text message that should be displayed to the End-User during the authentication process. NOTE: It's not clear what the use case for this is or how internationalization of the string would be performed.
claims_locales | Authorization Request | OpenID Connect | End-User's preferred languages and scripts for Claims being returned, represented as a space-separated list of BCP 47 (RFC 5646) language tag values, ordered by preference. An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.
id_token_hint | Authorization Request | OpenID Connect |
login_hint | Authorization Request | OpenID Connect |
acr_values | Authorization Request | OpenID Connect |
assertion | Access Token Request | RFC 7521 | assertion Parameter
client_assertion | Access Token Request | RFC 7521 | client_assertion
client_assertion_type | Access Token Request | RFC 7521 | client_assertion_type
code_challenge | Authorization Request | Proof Key for Code Exchange by OAuth Public Clients | REQUIRED when using Proof Key for Code Exchange by OAuth Public Clients
code_challenge_method | Authorization Request | Proof Key for Code Exchange by OAuth Public Clients | Code verifier transformation method, "S256" or "plain"; defaults to "plain" if not present in the request.
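The following is an added Python example, not code from this page or from any of the specifications it cites. It walks the parameters in the table through one authorization-code flow as a client would use them: the Authorization Request (response_type, client_id, redirect_uri, scope, state; nonce, prompt and max_age from OpenID Connect; code_challenge and code_challenge_method from PKCE), the Authorization Response (code and state, or error / error_description) with the state comparison that gives the cross-site request forgery protection the table describes, and the Access Token Request (grant_type, code, redirect_uri, client_id, an optional client secret). The code_verifier parameter of the token request comes from RFC 7636 and is not listed in the table above. The endpoint URL, client_id and the callback URL are constructed placeholders.

```python
"""OAuth 2.0 / OpenID Connect / PKCE parameter walk-through (added example, not from the page)."""
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values; none of these is a real endpoint or client.
AUTHZ_ENDPOINT = "https://as.example/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://client.example/cb"


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no '=' padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters, inside the 43..128 range RFC 7636 requires."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def build_authorization_request(scope: str, state: str, nonce: str, code_verifier: str,
                                prompt: Optional[str] = None, max_age: Optional[int] = None) -> str:
    """Authorization Request: OAuth 2.0, OpenID Connect and PKCE parameters from the table."""
    params = {
        "response_type": "code",          # authorization code grant
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,                   # opaque per-session value, checked on the callback
        "nonce": nonce,                   # OpenID Connect; bound into the ID Token
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",  # never rely on the "plain" default
    }
    if prompt is not None:
        params["prompt"] = prompt
    if max_age is not None:
        params["max_age"] = str(max_age)
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def parse_authorization_response(callback_url: str, expected_state: str) -> dict:
    """Authorization Response: returns code and state, or raises on a state mismatch or an error.

    A state value that is missing or differs from the one this session issued means the
    callback was not started by this client; it is discarded, which is the CSRF defence.
    """
    single = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    received_state = single.get("state")
    if received_state is None or not secrets.compare_digest(received_state, expected_state):
        raise ValueError("state mismatch: possible cross-site request forgery, callback discarded")
    if "error" in single:  # error, error_description, error_uri travel in the same response
        raise RuntimeError(f"{single['error']}: {single.get('error_description', '')}")
    return {"code": single["code"], "state": received_state}


def build_token_request(code: str, code_verifier: str, client_secret: Optional[str] = None) -> dict:
    """Access Token Request body; code_verifier (RFC 7636) proves possession of the challenge."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }
    if client_secret is not None:  # confidential clients only; public clients rely on PKCE
        body["client_secret"] = client_secret
    return body


if __name__ == "__main__":
    verifier = new_code_verifier()
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    print(build_authorization_request("openid profile", state, nonce, verifier,
                                      prompt="login", max_age=300))
    # Constructed callback, shaped as the Authorization Server would redirect it back
    callback = f"{REDIRECT_URI}?code=constructed-code-1&state={state}"
    resp = parse_authorization_response(callback, state)
    print(build_token_request(resp["code"], verifier))
```

The state and code_verifier are kept per browser session on the client side; the server only ever sees state echoed back and the verifier at the token endpoint, which is why the comparison in parse_authorization_response is done against the stored value and not against anything in the callback.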

More Information#

There might be more information for this subject on one of the following:

This page (revision-17) was last changed on 11-Sep-2016 10:57 by jim