!!! Overview
The [Authorization Response] is the [Authorization Server]'s reply to the [Authorization Request] within [OAuth 2.0].
If the [Resource Owner] grants the access request, the [Authorization Server] issues an [Authorization Code] and delivers it to the [OAuth Client] by adding the following parameters to the query component of the [Redirect_uri] using the "application/x-www-form-urlencoded" format, per [Appendix B|RFC 6749]:
!! code __REQUIRED__
The [Authorization Code] generated by the [Authorization Server].
* The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks.
* A maximum [Authorization Code] lifetime of 10 minutes is __RECOMMENDED__.
* The client MUST NOT use the [Authorization Code] more than once. If an [Authorization Code] is used more than once, the [Authorization Server] __MUST deny__ the request and __SHOULD__ revoke (when possible) all tokens previously issued based on that [Authorization Code].
* The [Authorization Code] is bound to the [OAuth Client] identifier and [Redirect URI|Redirect_uri].
!! state __REQUIRED__
If the [OAuth state parameter] was present in the client [Authorization Request], the [OAuth Client] [MUST] validate that the [OAuth state parameter] value returned in the [Authorization Response] is identical.
For [example], the [Authorization Server] redirects the [user-agent] by sending the following [HTTP 302] response:
%%prettify
{{{
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
}}} /%
!! The [Authorization Server] __MUST__
The [Authorization Server] __MUST__ associate the [code_challenge] and [code_challenge_method] values with the [Authorization Code] if they were present in the [Authorization Request], so they can be verified later as required for [Proof Key for Code Exchange by OAuth Public Clients].
!! [OAuth Client] __MUST__
The [OAuth Client] __MUST__ ignore unrecognized response parameters.
The [Authorization Code] string size is left undefined by this specification. The client should avoid making assumptions about code value sizes. The [Authorization Server] __SHOULD__ document the size of any value it issues.
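As an added example (not code from this wiki page or from RFC 6749), the following Python sketches both sides of the rules above: an in-memory [Authorization Code] store that enforces the 10-minute lifetime, single use with revocation of tokens on replay, binding to client identifier and [Redirect_uri], and the [PKCE] S256 check, plus the client-side [OAuth state parameter] check on the redirect. The class and function names, the constructed client ids and the restriction to the S256 challenge method are assumptions of this example.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qs, urlsplit

CODE_LIFETIME = 600  # seconds: the 10-minute maximum recommended above


def s256_challenge(code_verifier):  # PKCE S256 (RFC 7636): unpadded base64url(sha256)
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationCodeStore:
    """Server side: one record per issued code (in-memory, sample data only)."""
    def __init__(self):
        self.codes = {}              # code -> record
        self.revoked_tokens = set()  # tokens revoked after a code replay

    def issue(self, client_id, redirect_uri, code_challenge=None, now=None):
        code = secrets.token_urlsafe(32)  # opaque; its size is not promised to clients
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": code_challenge, "used": False, "tokens": [],
                            "issued": time.time() if now is None else now}
        return code

    def redeem(self, code, client_id, redirect_uri, code_verifier=None, now=None):
        """Return a new access token, or None when the request MUST be denied."""
        rec = self.codes.get(code)
        if rec is None:
            return None
        if rec["used"]:  # second use: deny and revoke tokens issued on this code
            self.revoked_tokens.update(rec["tokens"])
            return None
        now = time.time() if now is None else now
        if (now - rec["issued"] > CODE_LIFETIME or rec["client_id"] != client_id
                or rec["redirect_uri"] != redirect_uri):
            return None  # expired, or presented by another client / redirect_uri
        if rec["challenge"] is not None:  # PKCE was used: verifier must match
            if code_verifier is None or not hmac.compare_digest(
                    s256_challenge(code_verifier), rec["challenge"]):
                return None
        rec["used"] = True
        token = secrets.token_urlsafe(32)
        rec["tokens"].append(token)
        return token


def parse_authorization_response(location, expected_state):
    """Client side: return the code only if the echoed state matches; unknown
    query parameters are ignored, as the client MUST do."""
    params = parse_qs(urlsplit(location).query)
    state = params.get("state", [None])[0]
    if state is None or not hmac.compare_digest(state, expected_state):
        return None
    return params.get("code", [None])[0]
```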
!! [Tokens]
In addition to the above the following may be returned depending on the parameters within the [Authorization Request]:
* [Access Token]
* [Identity Token]
* [OAuth Error]
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]