!!! Overview
In [OAuth 2.0] the [Authorization] [Endpoint] is one of the [OAuth 2.0 Endpoints] on the [Authorization Server] where the [Resource Owner] logs in and grants [Authorization] to the [OAuth Client].

This is done by sending the [User-agent] to the [Authorization Server]'s [{$pagename}] for [Authentication] and [Authorization], using request parameters defined by [OAuth 2.0] and perhaps additional parameters and parameter values defined by [OpenID Connect].

The [{$pagename}] is publicly accessible.

The [{$pagename}] is used to interact with the [Resource Owner] and obtain an [Authorization Grant]. The [Authorization Server] [MUST] first verify the identity of the [Resource Owner]. The [Authentication Method] by which the [Authorization Server] performs [Authentication] of the [Resource Owner] is not defined in [OAuth 2.0] ([RFC 6749]).

The means through which the [OAuth Client] obtains the location of the [{$pagename}] are beyond the scope of [OAuth 2.0] ([RFC 6749]), but the location may be defined in [OpenID Connect Discovery] or provided in the service documentation.

The [endpoint] [URI] [MAY] include a [Form|Form Post Response Mode] or a [query|Query Response Mode] component ([RFC 3986] Section 3.4), which [MUST] be retained when adding additional query parameters. The [{$pagename}] [URI] [MUST NOT] include a [fragment|Fragment Response Mode] component.

Since requests to the [{$pagename}] result in user [Authentication] and the transmission of clear-text [credentials] (in the [HTTP] response), the [Authorization Server] [MUST] require the use of [TLS] as described in [OAuth 2.0] ([RFC 6749]) Section 1.6 when sending requests to the [{$pagename}].

The [Authorization Server] [MUST] support the use of the [HTTP GET] method [RFC 2616] for the [{$pagename}] and [MAY] support the use of the [HTTP POST] method as well.

Any [Authorization Request] [parameters] sent without a value [MUST] be treated as if they were omitted from the request. The [Authorization Server] [MUST] ignore unrecognized request parameters. [Authorization Request] and [Authorization Response] parameters [MUST NOT] be included more than once.

Extension [response_types] [MAY] contain a space-delimited (%x20) list of values, where the order of values does not matter (e.g., response type "a b" is the same as "b a"). The meaning of such composite response types is defined by their respective specifications.

If an [Authorization Request] is missing the "[response_type]" parameter, or if the [response_type] is not understood, the [Authorization Server] [MUST] return an error response as described in [OAuth 2.0] ([RFC 6749]) Section 4.1.2.1.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
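
!! Example
One way an authorization server could apply the request-parameter rules from the Overview (empty values, unrecognized and repeated parameters, order-insensitive response_type). This is an added example, not code from the specification or from this wiki; the function and class names, the `SUPPORTED_RESPONSE_TYPES` configuration, the choice of error codes from Section 4.1.2.1, and the sample query are assumptions.

```python
from urllib.parse import parse_qsl

# Authorization request parameters defined in RFC 6749 Section 4.1.1.
# Anything outside this set counts as "unrecognized" and is ignored.
RECOGNIZED = {"response_type", "client_id", "redirect_uri", "scope", "state"}

# Hypothetical server configuration: the response types this server understands,
# held as sets so that "code id_token" and "id_token code" are the same entry.
SUPPORTED_RESPONSE_TYPES = {frozenset({"code"}), frozenset({"code", "id_token"})}

# Constructed sample query string (not captured traffic).
SAMPLE_QUERY = "response_type=id_token+code&client_id=example-client&state=&foo=bar"


class AuthorizationRequestError(Exception):
    """Carries an error code from RFC 6749 Section 4.1.2.1."""

    def __init__(self, code, detail):
        super().__init__(f"{code}: {detail}")
        self.code = code


def parse_authorization_request(query):
    """Return the recognized, non-empty parameters of a raw query string."""
    params = {}
    # keep_blank_values=True so that "state=" and a bare "state" are seen
    # and can be dropped explicitly instead of vanishing silently.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value == "":              # sent without a value: treat as omitted
            continue
        if name not in RECOGNIZED:   # unrecognized parameter: ignore
            continue
        if name in params:           # included more than once: reject
            raise AuthorizationRequestError("invalid_request", f"duplicate {name}")
        params[name] = value

    if "response_type" not in params:
        raise AuthorizationRequestError("invalid_request", "missing response_type")

    # Space-delimited list whose order does not matter: compare as a set.
    requested = frozenset(params["response_type"].split(" "))
    if requested not in SUPPORTED_RESPONSE_TYPES:
        raise AuthorizationRequestError(
            "unsupported_response_type", params["response_type"])
    params["response_type"] = requested
    return params
```

Empty values are dropped before the duplicate check, so `state=&state=abc` is accepted as a single `state`; a stricter server may prefer to reject that as well.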