/authorize endpoint
The authorization endpoint triggers authentication and authorization on the provider side. Once the user has authenticated and has authorized access to the requested resources, the user-agent is redirected back to the client's "callback" URL (the `redirect_uri`) carrying an authorization code.
If the user is already authenticated and has already granted the requested permissions, the provider may redirect immediately, resulting in SSO without any user interaction.
Mandatory Parameters
Parameter | Description
---|---
client_id | The unique identifier assigned to the client application by the authorization server.
redirect_uri | The URI to which the authorization server redirects the user-agent after successful authentication and authorization. The server must compare it against the URI(s) registered for the client using exact string matching; prefix or pattern matching lets an attacker steer the authorization code to a URL they control.
response_type | Specifies the type of response the application expects. For the Authorization Code Flow this is set to `code`, indicating that the application is requesting an authorization code.
Optional Parameters
Parameter | Description
---|---
state | Recommended. An opaque value the client generates per request to maintain state between the request and the callback; the authorization server includes it unchanged when redirecting the user-agent back to the client. Comparing it on the callback with the value stored in the user's session prevents cross-site request forgery, where an attacker delivers their own authorization code to the victim's browser so that the victim's session ends up bound to the attacker's resources.
acr_values | Specifies the level of authentication and attribute requirements. Largely unused/unsupported in practice.
claims | Requests specific user claims to be included in the ID Token or UserInfo response.
code_challenge | The transformed code verifier sent when implementing PKCE (Proof Key for Code Exchange); the matching `code_verifier` is presented later at the token endpoint, so a stolen code alone cannot be redeemed.
code_challenge_method | The method used to transform the code verifier when implementing PKCE: `S256` (base64url of the SHA-256 hash) or `plain`. Use `S256`.
display | Indicates how the authorization server displays the authentication and consent page to the user.
id_token_hint | Provides the ID Token previously issued for the user.
login_hint | Suggests a preferred user account to log in.
max_age | Sets the maximum allowable age of the user's authentication; an older session forces re-authentication.
nonce | A client-generated value that the provider binds into the ID Token. The client checks that the returned ID Token carries the nonce it sent, which mitigates replay of an ID Token.
prompt | Controls the user authentication and consent experience (for example `none`, `login`, `consent`).
response_mode | Specifies how the authorization server returns the authorization response (for example `query`, `fragment`, `form_post`).
scope | Defines the scope of access requested by the client application; `openid` selects OpenID Connect.
ui_locales | Specifies the preferred language and locale for the authorization server's UI.
Please note that while the mandatory parameters must be included for a successful authorization process, the optional parameters can be included based on the application’s specific requirements and the authorization server’s capabilities.
Sample request
```
GET /authorize
    ?response_type=code
    &client_id=YOUR_CLIENT_ID
    &redirect_uri=https://yourapp.com/callback
    &scope=openid email
    &state=UNIQUE_STATE_VALUE
    &code_challenge=YOUR_CODE_CHALLENGE
    &code_challenge_method=S256

...user signs in...
...user grants `YOUR_CLIENT_ID` permission to access `openid email`...

HTTP 302 - https://yourapp.com/callback
    ?code=...
    &state=...
```
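The request above, as an added client-side example that is not part of the original page: it generates the `state`, `nonce` and PKCE `code_verifier`/`code_challence` pair, builds the `/authorize` URL, and validates the callback, rejecting a missing or mismatching `state` (the CSRF and code-injection case the `state` row describes) and consuming the stored state so a replayed callback fails. The endpoint URL, client ID and redirect URI are assumed placeholder values; the `session` dict stands in for whatever server-side session store the application uses. The PKCE construction follows RFC 7636 (`S256`).

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder values for this example (not from any real provider)
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://yourapp.com/callback"


def _b64url(data: bytes) -> str:
    """base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(code_verifier: Optional[str] = None) -> tuple:
    """Return (code_verifier, code_challenge) for code_challenge_method=S256.

    A fresh verifier is 32 random bytes base64url-encoded (43 characters,
    inside the 43..128 range RFC 7636 allows). The challenge is
    BASE64URL(SHA256(ASCII(code_verifier))).
    """
    if code_verifier is None:
        code_verifier = _b64url(secrets.token_bytes(32))
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return code_verifier, _b64url(digest)


def build_authorize_request(session: dict, scope: str = "openid email") -> str:
    """Build the /authorize URL and keep the per-request secrets in the session.

    state, nonce and code_verifier are generated fresh for every request and
    stored server-side, so the callback (and later the ID Token) can be tied
    to exactly this browser session. Only the challenge leaves the client.
    """
    code_verifier, code_challenge = make_pkce_pair()
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    session["code_verifier"] = code_verifier
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the redirect back to the client and return the authorization code.

    Rejects error responses, a missing or mismatching state (CSRF or an
    injected attacker code) and a missing code. The stored state is consumed
    on first use, so a replayed callback fails even with the right value.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    expected_state = session.pop("state", None)
    received_state = query.get("state", [None])[0]
    if expected_state is None or received_state is None:
        raise ValueError("missing state")
    if not secrets.compare_digest(expected_state, received_state):
        raise ValueError("state mismatch: possible CSRF or injected authorization code")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


if __name__ == "__main__":
    sess = {}
    print(build_authorize_request(sess))
    # Simulated provider redirect (constructed; the code value is made up)
    cb = REDIRECT_URI + "?code=SplxlOBeZQQYbYS6WxSbIA&state=" + sess["state"]
    print("authorization code:", handle_callback(sess, cb))
```

The `code_verifier` and `nonce` are kept for the next steps: the verifier goes to the token endpoint together with the code, and the nonce is compared with the `nonce` claim of the returned ID Token.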