In OAuth 2.0 the Authorization Endpoint is one the OAuth 2.0 Endpoints on the Authorization Server where the Resource Owner logs in, and grants Authorization to the OAuth Client.

This is done by sending the User-agent to the Authorization Server's Authorization_endpoint for Authentication and Authorization, using request parameters defined by OAuth 2.0 and perhaps additional parameters and parameter values defined by OpenID Connect.

The Authorization_endpoint is publicly accessible.

The Authorization_endpoint is used to interact with the Resource Owner and obtain an Authorization Grant. The Authorization Server MUST first verify the identity of the Resource Owner. The Authentication Method which the Authorization Server performs Authentication the Resource Owner is not defined in OAuth 2.0 (RFC 6749).

The means through which the OAuth Client obtains the location of the Authorization_endpoint are beyond the scope of OAuth 2.0 (RFC 6749), but the location may be defined in OpenID Connect Discovery or provided in the service documentation.

The endpoint URI MAY include a Form or a query component (RFC 3986 Section 3.4), which MUST be retained when adding additional query parameters. The Authorization_endpoint URI MUST NOT include a fragment component.

Since requests to the Authorization_endpoint result in user Authentication and the transmission of clear-text credentials (in the HTTP response), the Authorization Server MUST require the use of TLS as described in OAuth 2.0 (RFC 6749) Section 1.6 when sending requests to the Authorization_endpoint.

The Authorization Server MUST support the use of the HTTP GET method RFC 2616 for the Authorization_endpoint and MAY support the use of the HTTP POST method as well.

Any Authorization Request parameters sent without a value MUST be treated as if they were omitted from the request. The Authorization Server MUST ignore unrecognized request parameters. Authorization Request and Authorization Response parameters MUST NOT be included more than once.

Extension response_types MAY contain a space-delimited (%x20) list of values, where the order of values does not matter (e.g., response type "a b" is the same as "b a"). The meaning of such composite response types is defined by their respective specifications.

If an Authorization Request is missing the "response_type" parameter, or if the response_type is not understood, the Authorization Server MUST return an error response as described in Section OAuth 2.0 (RFC 6749)

More Information#

There might be more information for this subject on one of the following: