Overview#

The OAuth 2.0 and OpenID Connect Specification defines several Grant Types and other Grant Types have or may be defined. We show the Authorization Code Grant for OpenID Connect in most of our examples.

OpenID Connect#

• request - OPTIONAL This parameter enables OpenID Connect requests to be passed in a single, self-contained parameter and to be optionally signed and/or encrypted. The parameter value is a Request Object value, as specified in Section 6.1. It represents the request as a JWT whose Claims are the Authorization Request parameters.
• request_uri - OPTIONAL - This parameter enables OpenID Connect requests to be passed by-reference, rather than by-value. The request_uri value is a URL using the https scheme referencing a resource containing a Authorization Request Object value, which is a JWT containing the request parameters.

Requests using these parameters are represented as JWTs, which are respectively passed by-valueor passed by-reference. The ability to pass requests by-reference is particularly useful for large requests. If one of these parameters is used, the other MUST NOT be used in the same request.

Authorization Request Parameters#

Typically, the folowing are required:

• response_type
• client_id
• redirect_uri
• scope
• state

How the Authorization Request is Used#

For example, the OAuth Client directs the user-agent to make the following HTTP request using TLS:

https://server.example.com/authorize?
    response_type=code
    &client_id=s6BhdRkqt3
    &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
    &scope=openid%20profile
    &state=af0ifjsldkj

The Authorization Server validates the Authorization Request to ensure that all required parameters are present and valid. If the Authorization Request is valid, the Authorization Server authenticates the Resource Owner and obtains an authorization decision (by asking the Resource Owner or by establishing approval via other means).

If a successful decision is established, the Authorization Server directs the user-agent to the OAuth Client provided Redirect_uri using an HTTP Redirection response, or by other means available to it via the user-agent providing the Authorization Grant to the OAuth Client

More Information#

• Access Token Request
• Amr_values
• AppAuth
• Authentication Context Class Reference
• Authentication Request
• Authorization Code
• Authorization Code Flow
• Authorization Grant
• Authorization Request Parameters
• Authorization Response
• Authorization_endpoint
• Code_challenge_method
• Code_verifier
• Consent Dialog
• Encoding claims in the OAuth 2 state parameter using a JWT
• Explicit Endpoint
• FAPI Pushed Request Object
• Grant Types
• Grant_type
• Id_token_hint
• Identity Token
• Implicit Grant
• Invalid_grant
• Invalid_request_uri
• Issuer
• JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
• Login_hint
• OAuth 2.0 Authorization
• OAuth 2.0 Client Registration
• OAuth 2.0 Device Authorization Grant
• OAuth 2.0 Incremental Authorization
• OAuth 2.0 JWT Secured Authorization Request
• OAuth 2.0 Multiple Response Type Encoding Practices
• OAuth 2.0 Protocol Flows
• OAuth 2.0 Security Best Current Practice
• OAuth Dynamic Client Registration Metadata
• OAuth Error
• OAuth Parameters Registry
• OAuth Scopes
• OpenID Connect Authentication Response
• OpenID Connect Claims
• OpenID Connect Flows
• Openid scope
• Private-Use URI Scheme Redirection
• Prompt Parameter
• Proof Key for Code Exchange by OAuth Public Clients
• Pushed Authorization Requests
• Refresh Token
• Request Object
• Request_not_supported
• Request_uri
• Request_uri_not_supported
• Resource Parameter
• Response Type
• Response_mode
• Response_type
• Ui_hint
• Upgraded

• [#1] - RFC 6749 - based on data observed:2015-05-18