The authorization endpoint is one of two endpoints of the authorization server.
It's used by the client (app) to obtain authorization from the resource owner in the form of a authorization grant via user-agent redirection.
The authorization endpoint is used in:
by requiring a grant type with the help of the response type query parameter
Example of authorization_request
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcallback HTTP/1.1
Host: server.example.com
where:
Example of an authorization_response
HTTP/1.1 302 Found
Location: https://client.example.com/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
where:
The authorization endpoint:
The client informs the authorization server of the desired grant type using the following parameter:
response_type REQUIRED.
The value MUST be one of:
Extension response types MAY contain a space-delimited (%x20) list of values, where the order of values does not matter (e.g., response type “a b” is the same as “b a”). The meaning of such composite response types is defined by their respective specifications.
If an authorization request is missing the “response_type” parameter, or if the response type is not understood, the authorization server MUST return an error response as described in Section 4.1.2.1.
With the authorization request, you can defined an optional redirection endpoint using the redirect_uri request parameter.
This is also known as the callback endpoint.
The authorization server upon successful authentication will respond with a redirection to this URI.
Example
HTTP/1.1 302 Found
Location: https://client.example.com/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
where:
The authorization server MUST compare and match the value received against at least one of the registered redirection URIs if any redirection URIs were registered.
The scope parameter defines the scope request.
The client id is required.
The state is an opaque value used by the client to maintain state between the request and callback (response).
The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery 1).
The authorization server validates the request to ensure that all required parameters are present and valid.
If an authorization request fails validation due to a missing, invalid, or mismatching redirection URI, the authorization server send an error_response
If the request is:
If an authorization request fails validation due to a missing, invalid, or mismatching redirection URI, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.
More, see Error Response
When a decision is established, the authorization server directs the user-agent to the provided client redirection URI using an HTTP redirection response, or by other means available to it via the user-agent.
The redirection request to the client's endpoint typically results in an HTML document response, processed by the user-agent.
If the HTML response is served directly as the result of the redirection request, any script included in the HTML document will execute with full access to the redirection URI and the credentials it contains.
The client SHOULD NOT include any third-party scripts (e.g., third- party analytics, social plug-ins, ad networks) in the redirection endpoint response.
Instead, it SHOULD extract the credentials from the URI and redirect the user-agent again to another endpoint without exposing the credentials (in the URI or elsewhere).
If third-party scripts are included, the client MUST ensure that its own scripts (used to extract and remove the credentials from the URI) will execute first.
The scope parameter defines the scope response.
The client MUST ignore unrecognized response parameters.