!!! Overview
[OAuth 2.0] ([RFC 6749]) establishes the [{$pagename}].

Additional parameters for inclusion in the authorization endpoint request, the authorization endpoint response, the token endpoint request, or the token endpoint response are registered with a Specification Required ([RFC 5226]) after a two-week review period on the oauth-ext-review@ietf.org mailing list, on the advice of one or more Designated Experts.  However, to allow for the allocation of values prior to publication, the Designated Expert(s) may approve registration once they are satisfied that such a specification will be published.

[IANA Registry] for [{$pagename}] is located at: [https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml|https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml|target='_blank']
The [{$pagename}] includes:

* [OAuth Access Token Types|https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-types|target='_blank']
* [OAuth Authorization Endpoint Response Types|https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#endpoint|target='_blank']
* [OAuth Extensions Error Registry|https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#extensions-error|target='_blank']
* [OAuth Parameters|https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#parameters|target='_blank']
* [OAuth Token Type Hints|https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-type-hint|target='_blank']
* [OAuth URI|https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#uri|target='_blank']
* [OAuth Dynamic Client Registration Metadata|https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#client-metadata|target='_blank']
* [OAuth Token Endpoint Authentication Methods]
* [PKCE Code Challenge Methods|https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#pkce-code-challenge-method|target='_blank']
* [OAuth Token Introspection Response|https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-introspection-response|target='_blank']


!! OAuth Parameters 
The table below shows the various OAuth Parameters and:
* Where they are used
* What they represent


%%zebra-table
%%sortable
%%table-filter
||Parameter||Parameter Usage Location||Reference||Description
|[client_id]|[Authorization Request]|[OAuth 2.0]|The client identifier
|[client_id]|[Access Token Request]|[OAuth 2.0]|The client identifier
|[Client Secret]|[Access Token Request]|[OAuth 2.0]|The [OAuth Client] [credential]
|[response_type]|[Authorization Request]|[OAuth 2.0]|Value MUST be set to the appropriate value based on the Grant Type:
|[redirect_uri]|[Authorization Request]|[OAuth 2.0]|The [Redirect URI|Redirect_uri]; it may be registered with the [Authorization Server] in advance.
|[redirect_uri]|[Access Token Request]|[OAuth 2.0]|The [Redirect URI|Redirect_uri]; it may be registered with the [Authorization Server] in advance.
|[scope|OAuth Scopes]|[Authorization Request]|[OAuth 2.0]|The "Desired" [OAuth Scopes] of the [{$pagename}]
|[scope|OAuth Scopes]|[Authorization Response]|[OAuth 2.0]|The "Desired" [OAuth Scopes] of the [{$pagename}]
|[scope|OAuth Scopes]|[Access Token Request]|[OAuth 2.0]|The "Desired" [OAuth Scopes] of the [{$pagename}]
|[scope|OAuth Scopes]|[Access Token Response]|[OAuth 2.0]|The "Desired" [OAuth Scopes] of the [{$pagename}]
|[state|OAuth state parameter]|[Authorization Request]|[OAuth 2.0]|An opaque value used by the [OAuth Client] to maintain state between the request and callback. The [Authorization Server] includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery [nonce].
|[state|OAuth state parameter]|[Authorization Response]|[OAuth 2.0]|An opaque value used by the [OAuth Client] to maintain state between the request and callback. The [Authorization Server] includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery [nonce].
|[code|Authorization Code]|[Authorization Response]|[OAuth 2.0]|[Authorization Code]
|[code|Authorization Code]|[Access Token Request]|[OAuth 2.0]|[Authorization Code]
|[error|OAuth Error]|[Authorization Response]|[OAuth 2.0]|[OAuth Error]
|[error|OAuth Error]|[Access Token Response]|[OAuth 2.0]|[OAuth Error]
|[error_description|OAuth Error]|[Authorization Response]|[OAuth 2.0]|[OAuth Error]
|[error_description|OAuth Error]|[Access Token Response]|[OAuth 2.0]|[OAuth Error]
|[error_uri|OAuth Error]|[Authorization Response]|[OAuth 2.0]|[OAuth Error]
|[error_uri|OAuth Error]|[Access Token Response]|[OAuth 2.0]|[OAuth Error]
|[grant_type]|[Access Token Request]|[OAuth 2.0]|[grant_type]
|[access_token|Access Token]|[Authorization Response]|[OAuth 2.0]|[Access Token]
|[access_token|Access Token]|[Access Token Response]|[OAuth 2.0]|[Access Token]
|[token_type]|[Authorization Response]|[OAuth 2.0]|[token_type]
|[token_type]|[Access Token Response]|[OAuth 2.0]|[token_type]
|[expires_in]|[Authorization Response]|[OAuth 2.0]|[expires_in]
|[expires_in]|[Access Token Response]|[OAuth 2.0]|[expires_in]
|[username]|[Access Token Request]|[OAuth 2.0]|Used in [Resource Owner Password Credentials] 
|[password]|[Access Token Request]|[OAuth 2.0]|Used in [Resource Owner Password Credentials] 
|[refresh_token|Refresh Token]|[Access Token Request]|[OAuth 2.0]|[Refresh Token]
|[refresh_token|Refresh Token]|[Access Token Response]|[OAuth 2.0]|[Refresh Token]
|[nonce]|[Authorization Request]|[OpenID Connect]|[nonce]
|[display|Display Parameter]|[Authorization Request]|[OpenID Connect]|[ASCII] [RFC 20] [string] value that specifies how the Authorization Server displays the [authentication] and [consent] user interface pages to the [Resource Owner]. The defined values are defined.
|[prompt|prompt Parameter]|[Authorization Request]|[OpenID Connect]|[Authentication Request] as a Space-delimited, case-sensitive list of ASCII string values that specifies whether the Authorization Server prompts the [Resource Owner] for re-authentication and consent. The values are defined.
|[max_age]|[Authorization Request]|[OpenID Connect]|Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. When max_age is used, the ID Token returned MUST include an auth_time Claim Value.
|[ui_locales]|[Authorization Request]|[OpenID Connect]|End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 RFC 5646 language tag values, ordered by preference. An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.
|[ui_hint]|[Authorization Request]|[Authentication Request]|A helpful text message that should be displayed to the End-User during the authentication process. __NOTE:__ It's not clear what the use case for this is or how internationalization of the string would be performed.
|[claims_locales]|[Authorization Request]|[OpenID Connect]|End-User's preferred languages and scripts for Claims being returned, represented as a space-separated list of BCP47 RFC 5646 language tag values, ordered by preference. An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.
|[id_token_hint]|[Authorization Request]|[OpenID Connect]| 
|[login_hint]|[Authorization Request]|[OpenID Connect]| 
|[acr_values]|[Authorization Request]|[OpenID Connect]| 
|[assertion|assertion Parameter]|[Access Token Request]|[RFC 7521]|[assertion Parameter]
|[client_assertion]|[Access Token Request]|[RFC 7521]|[client_assertion]
|[client_assertion_type]|[Access Token Request]|[RFC 7521]|[client_assertion_type]
|[code_challenge]|[Authorization Request]|[Proof Key for Code Exchange by OAuth Public Clients]|__REQUIRED__ when using [Proof Key for Code Exchange by OAuth Public Clients]
|[code_challenge_method]|[Authorization Request]|[Proof Key for Code Exchange by OAuth Public Clients]|Code verifier transformation method, "S256" or "plain". Defaults to "plain" if not present in the request.
|[claim_token]|client request, [Token_endpoint]|[]|[UMA 2.0 Grant for OAuth 2.0, Section 3.3.1|UMA 2.0 Grant for OAuth 2.0]
|[PCT]|client request, [Token_endpoint]|[Kantara_UMA_WG|User-Managed Access Work Group]|[UMA 2.0 Grant for OAuth 2.0, Section 3.3.1|UMA 2.0 Grant for OAuth 2.0]
|[PCT]|[Authorization server response|Authorization Response]|[Kantara_UMA_WG|User-Managed Access Work Group]|[UMA 2.0 Grant for OAuth 2.0, Section 3.3.5|UMA 2.0 Grant for OAuth 2.0]
|[RPT]|client request, token endpoint|[Kantara_UMA_WG|User-Managed Access Work Group]|[UMA 2.0 Grant for OAuth 2.0, Section 3.3.1|UMA 2.0 Grant for OAuth 2.0]
|[ticket]|client request, [Token_endpoint]|[Kantara_UMA_WG|User-Managed Access Work Group]|[UMA 2.0 Grant for OAuth 2.0, Section 3.3.1|UMA 2.0 Grant for OAuth 2.0]
|[upgraded]|authorization server response, [Token_endpoint]|[Kantara_UMA_WG|User-Managed Access Work Group]|[UMA 2.0 Grant for OAuth 2.0, Section 3.3.5|UMA 2.0 Grant for OAuth 2.0]
|[vtr]|authorization request, token request|[IESG]|[RFC-richer-vectors-of-trust-15|Vectors of Trust]
/%
/%
/%
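The following added example (not part of the original page or of any specification text) shows how a client places the table's parameters in an Authorization Request, checks state on the Authorization Response, and builds the Access Token Request. The endpoint URL, client_id and redirect_uri are constructed placeholders, and code_verifier is the RFC 7636 token-request parameter, which the table above does not list.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholder values; not taken from the page.
AUTHZ_ENDPOINT = "https://as.example/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://client.example/cb"

def s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorization_request(scope: str):
    """Return (url, session); session holds what the client must remember."""
    session = {"state": secrets.token_urlsafe(32),
               "code_verifier": secrets.token_urlsafe(64)}
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": session["state"],
        "code_challenge": s256(session["code_verifier"]),
        # Sent explicitly: an absent code_challenge_method means "plain".
        "code_challenge_method": "S256",
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params), session

def handle_authorization_response(callback_url: str, session: dict) -> dict:
    """Verify state first, then return the Access Token Request body."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    # CSRF check: state must equal the value stored for this session.
    # Bytes are compared so non-ASCII input cannot raise TypeError.
    got, want = q.get("state", "").encode(), session["state"].encode()
    if not hmac.compare_digest(got, want):
        raise ValueError("state mismatch")
    if "error" in q:
        raise ValueError("authorization error: " + q["error"])
    if "code" not in q:
        raise ValueError("missing code")
    return {
        "grant_type": "authorization_code",
        "code": q["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],
    }
```
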




!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]