OAuth - Authorization Endpoint

> Software Security > (Authentication|Access control|Identification) - AuthN > Oauth 2.0 - Authorization framework

1 - About

The authorization endpoint is one of two endpoints of the authorization server.

It's used by the client (app) to obtain authorization from the resource owner in the form of a authorization grant via user-agent redirection.

The authorization endpoint is used in:

by requiring a grant type with the help of the response type query parameter

Advertising

3 - Example

GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz

4 - Authorization Request

4.1 - Prerequisites

The authorization endpoint:

  • MUST support the use of the HTTP "GET" for the authorization endpoint
  • MAY support the use of the "POST" method as well.
  • MUST require the use of TLS when sending requests to the authorization endpoint (since requests to the authorization endpoint result in user authentication and the transmission of clear-text credentials in the HTTP response)

4.2 - URI

Advertising

4.3 - Response Type

The client informs the authorization server of the desired grant type using the following parameter:

response_type REQUIRED.  

The value MUST be one of:

Extension response types MAY contain a space-delimited (%x20) list of values, where the order of values does not matter (e.g., response type “a b” is the same as “b a”). The meaning of such composite response types is defined by their respective specifications.

If an authorization request is missing the “response_type” parameter, or if the response type is not understood, the authorization server MUST return an error response as described in Section 4.1.2.1.

4.4 - redirect_uri

With the authorization request, you can defined an optional redirection endpoint using the redirect_uri request parameter.

The authorization server MUST compare and match the value received against at least one of the registered redirection URIs if any redirection URIs were registered.

4.5 - Scope request

The scope parameter defines the scope request.

4.6 - Client Id

required

4.7 - State

An opaque value used by the client to maintain state between the request and callback (response).

The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery as described in Section 10.12.

Advertising

4.8 - Authorization Validation

The authorization server validates the request to ensure that all required parameters are present and valid.

If an authorization request fails validation due to a missing, invalid, or mismatching redirection URI, the authorization server send an error response

5 - Response

If the request is:

  • valid, the authorization server:
    • authenticates the resource owner
    • obtains an authorization decision (by asking the resource owner or by establishing approval via other means)
  • not valid, the authorization server send an error response

5.1 - Error response

If an authorization request fails validation due to a missing, invalid, or mismatching redirection URI, the authorization server SHOULD inform the resource owner of the error and MUST NOT automatically redirect the user-agent to the invalid redirection URI.

More, see Error Response

5.2 - Authorization Response

When a decision is established, the authorization server directs the user-agent to the provided client redirection URI using an HTTP redirection response, or by other means available to it via the user-agent.

5.2.1 - Content

The redirection request to the client's endpoint typically results in an HTML document response, processed by the user-agent.

If the HTML response is served directly as the result of the redirection request, any script included in the HTML document will execute with full access to the redirection URI and the credentials it contains.

The client SHOULD NOT include any third-party scripts (e.g., third- party analytics, social plug-ins, ad networks) in the redirection endpoint response.

Instead, it SHOULD extract the credentials from the URI and redirect the user-agent again to another endpoint without exposing the credentials (in the URI or elsewhere).

If third-party scripts are included, the client MUST ensure that its own scripts (used to extract and remove the credentials from the URI) will execute first.

5.2.2 - Scope Response

The scope parameter defines the scope response.

5.2.3 - Response Validation

The client MUST ignore unrecognized response parameters.

  • The authorization code string size is left undefined by this specification.
  • The client should avoid making assumptions about code value sizes.
  • The authorization server SHOULD document the size of any value it issues.

6 - Documentation / Reference

security/auth/oauth/authorization_endpoint.txt · Last modified: 2019/04/30 21:51 by gerardnico