Overview#

If the Resource Owner grants the access request, the Authorization Server issues an Authorization Code and delivers it to the OAuth Client by adding the following parameters to the query component of the Redirect_uri using the "application/x-www-form-urlencoded" format, per Appendix B:

code REQUIRED #

• The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks.
• A maximum Authorization Code lifetime of 10 minutes is RECOMMENDED.
• The client MUST NOT use the Authorization Code more than once. If an Authorization Code is used more than once, the Authorization Server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that Authorization Code.
• The Authorization Code is bound to the OAuth Client identifier and Redirect URI.

state REQUIRED#

For example, the Authorization Server redirects the user-agent by sending the following HTTP 302 response:

TTP/1.1 302 Found Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz

The Authorization Server MUST#

OAuth Client MUST #

The Authorization Code string size is left undefined by this specification. The client should avoid making assumptions about code value sizes. The Authorization Server SHOULD document the size of any value it issues.

Tokens#

• Access Token
• Identity Token
• OAuth Error

More Information#

• Authorization Code Flow
• Authorization Response
• Authorization_endpoint
• Form Post Response Mode
• Fragment Response Mode
• Identity Token
• Implicit Flow
• Implicit Grant
• Loopback URI Redirection
• Malicious Endpoint
• OAuth 2.0 Multiple Response Type Encoding Practices
• OAuth 2.0 Protocol Flows
• OAuth 2.0 Vulnerabilities
• OAuth Parameters Registry
• OpenID Connect Authentication Response
• OpenID Connect Flows
• Private-Use URI Scheme Redirection
• Proof Key for Code Exchange by OAuth Public Clients
• Query Response Mode
• Response_mode
• What is missing in OAuth 2.0