Overview#The Authorization Response to the Authorization Request within OAuth 2.0.
If the Resource Owner grants the access request, the Authorization Server issues an Authorization Code and delivers it to the OAuth Client by adding the following parameters to the query component of the Redirect_uri using the "application/x-www-form-urlencoded" format, per Appendix B:
code REQUIRED #The Authorization Code generated by the Authorization Server.
- The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks.
- A maximum Authorization Code lifetime of 10 minutes is RECOMMENDED.
- The client MUST NOT use the Authorization Code more than once. If an Authorization Code is used more than once, the Authorization Server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that Authorization Code.
- The Authorization Code is bound to the OAuth Client identifier and Redirect URI.
state REQUIRED#If the OAuth state parameter was present in the client Authorization Request the OAuth Client MUST validate that the OAuth state parameter value returned in the Authorization Response is identical.
TTP/1.1 302 Found Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
The Authorization Server MUST#The Authorization Server MUST associate the code_challenge and code_challenge_method values with the Authorization Code if they were present in the Authorization Request so they can be verified later as required for Proof Key for Code Exchange by OAuth Public Clients
OAuth Client MUST #The OAuth Client MUST ignore unrecognized response parameters.
The Authorization Code string size is left undefined by this specification. The client should avoid making assumptions about code value sizes. The Authorization Server SHOULD document the size of any value it issues.Authorization Request:
More Information#There might be more information for this subject on one of the following:
- Access Token
- Authorization Code Flow
- Authorization Response
- Form Post Response Mode
- Fragment Response Mode
- Identity Token
- Implicit Grant
- Loopback URI Redirection
- Malicious Endpoint
- OAuth 2.0 Multiple Response Type Encoding Practices
- OAuth 2.0 Protocol Flows
- OAuth 2.0 Security Best Current Practice
- OAuth 2.0 Vulnerabilities
- OAuth Parameters Registry
- OpenID Connect Authentication Response
- OpenID Connect Flows
- Private-Use URI Scheme Redirection
- Proof Key for Code Exchange by OAuth Public Clients
- Query Response Mode
- What is missing in OAuth 2.0