Authorization Response


The Authorization Response is the Authorization Server's reply to the Authorization Request within OAuth 2.0.

If the Resource Owner grants the access request, the Authorization Server issues an Authorization Code and delivers it to the OAuth Client by adding the following parameters to the query component of the Redirect_uri using the "application/x-www-form-urlencoded" format, per Appendix B:


code: The Authorization Code generated by the Authorization Server.


state: If the OAuth state parameter was present in the client Authorization Request, the OAuth Client MUST validate that the OAuth state parameter value returned in the Authorization Response is identical to it.

For example, the Authorization Server redirects the user-agent by sending the following HTTP 302 response:

    HTTP/1.1 302 Found
    Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz

The Authorization Server MUST

The Authorization Server MUST associate the code_challenge and code_challenge_method values with the Authorization Code if they were present in the Authorization Request, so that they can be verified later as required for Proof Key for Code Exchange by OAuth Public Clients.

OAuth Client MUST

The OAuth Client MUST ignore unrecognized response parameters.

The Authorization Code string size is left undefined by this specification. The client should avoid making assumptions about code value sizes. The Authorization Server SHOULD document the size of any value it issues.
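
One way an OAuth Client can process this redirect, as an added example that is not part of the original page or of the specification: it parses the query component, compares state in constant time, ignores unrecognized parameters and makes no assumption about the code's size. The names extract_code, AuthorizationResponseError and SAMPLE are hypothetical, and rejecting repeated parameters is a choice made for this example.

```python
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit


class AuthorizationResponseError(Exception):
    """The redirect must be rejected and no token request made."""


def extract_code(callback_url: str, expected_state: Optional[str]) -> str:
    """Return the Authorization Code from the redirect, or raise.

    expected_state is the value this client put in its Authorization
    Request (kept in the user's session), or None if it sent no state.
    """
    # The parameters arrive form-urlencoded in the query component.
    # keep_blank_values makes "code=" visible as present-but-empty.
    params = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)

    # Only these two names are read; anything else in the query is
    # ignored, as the client is required to do.
    for name in ("code", "state"):
        if len(params.get(name, [])) > 1:
            # Assumption of this example: a repeated parameter is rejected
            # rather than guessing which copy is authentic.
            raise AuthorizationResponseError(f"repeated {name} parameter")

    if expected_state is not None:
        returned = params.get("state", [""])[0]
        # Constant-time comparison; a missing state compares as "".
        if not hmac.compare_digest(returned.encode(), expected_state.encode()):
            raise AuthorizationResponseError("state mismatch")

    code = params.get("code", [""])[0]
    if not code:
        raise AuthorizationResponseError("no code in response")
    # No length or format check: the code is opaque and its size undefined.
    return code


# Constructed sample input: the redirect from the example above plus an
# unrecognized parameter.
SAMPLE = "https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz&foo=1"
```

The state check runs before the code is read, so a response that fails it never reaches the token request.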


In addition to the above the following may be returned depending on the parameters within the Authorization Request:
