Overview#

In OAuth 2.0 the Authorization Endpoint is one the OAuth 2.0 Endpoints on the Authorization Server where the Resource Owner logs in, and grants Authorization to the OAuth Client.

This is done by sending the User-agent to the Authorization Server's Authorization_endpoint for Authentication and Authorization, using request parameters defined by OAuth 2.0 and perhaps additional parameters and parameter values defined by OpenID Connect.

The Authorization_endpoint is publicly accessible.

The Authorization_endpoint is used to interact with the Resource Owner and obtain an Authorization Grant. The Authorization Server MUST first verify the identity of the Resource Owner. The Authentication Method which the Authorization Server performs Authentication the Resource Owner is not defined in OAuth 2.0 (RFC 6749).

The means through which the OAuth Client obtains the location of the Authorization_endpoint are beyond the scope of OAuth 2.0 (RFC 6749), but the location may be defined in OpenID Connect Discovery or provided in the service documentation.

The endpoint URI MAY include a Form or a query component (RFC 3986 Section 3.4), which MUST be retained when adding additional query parameters. The Authorization_endpoint URI MUST NOT include a fragment component.

Since requests to the Authorization_endpoint result in user Authentication and the transmission of clear-text credentials (in the HTTP response), the Authorization Server MUST require the use of TLS as described in OAuth 2.0 (RFC 6749) Section 1.6 when sending requests to the Authorization_endpoint.

The Authorization Server MUST support the use of the HTTP GET method RFC 2616 for the Authorization_endpoint and MAY support the use of the HTTP POST method as well.

Any Authorization Request parameters sent without a value MUST be treated as if they were omitted from the request. The Authorization Server MUST ignore unrecognized request parameters. Authorization Request and Authorization Response parameters MUST NOT be included more than once.

Extension response_types MAY contain a space-delimited (%x20) list of values, where the order of values does not matter (e.g., response type "a b" is the same as "b a"). The meaning of such composite response types is defined by their respective specifications.

If an Authorization Request is missing the "response_type" parameter, or if the response_type is not understood, the Authorization Server MUST return an error response as described in Section 4.1.2.1. OAuth 2.0 (RFC 6749)

More Information#

There might be more information for this subject on one of the following:

• Access Token
• Authentication Request
• Authorization API
• Authorization Code Flow
• Authorization Request
• Authorization Request Parameters
• Authorization Server
• Best Practices OpenID Connect
• C_hash
• Explicit Endpoint
• External User-Agent
• FAPI Pushed Request Object
• Grant Types
• Hybrid Flow
• Id_token_signing_alg_values_supported
• Identity Token
• Implicit Grant
• OAuth 2.0 Endpoints
• OAuth 2.0 Incremental Authorization
• OAuth 2.0 JWT Secured Authorization Request
• OAuth 2.0 Multiple Response Type Encoding Practices
• OAuth 2.0 for Native Apps
• OAuth Dynamic Client Registration Metadata
• OAuth Scopes
• OpenAM Endpoints
• OpenID Connect
• OpenID Connect Authentication Response
• Openid-configuration
• Proof Key for Code Exchange by OAuth Public Clients
• Protection API
• Pushed Authorization Requests
• Resource Parameter
• Response_mode
• Uma-configuration