/authorize endpoint

The authorization endpoint triggers authentication and authorization on the provider side. Once the user has authenticated and has authorized access to the requested resources, the user-agent is redirected back to the client's "callback" URL (the redirect_uri) carrying an authorization code.

If the user already has a session at the provider and has previously granted the requested permissions, the callback may be invoked immediately, without any visible user interaction. This is what gives single sign-on (SSO) its seamless feel, and also why a client must never treat the mere arrival of a callback as proof that a user intentionally started the flow.

Mandatory Parameters

client_id
    The unique identifier assigned to the client application by the authorization server at registration time.

redirect_uri
    The URI to which the authorization server redirects the user-agent after successful authentication and authorization. The server must match it exactly against the URIs registered for the client_id; a server that accepts prefix or wildcard matches lets an attacker redirect the authorization code to a URL they control.

response_type
    Specifies the type of response the application expects. For the Authorization Code Flow this is set to "code", indicating that the application is requesting an authorization code to be exchanged at the token endpoint.

Optional Parameters

state
    Recommended. An opaque, unguessable value generated by the client and bound to the user's session before the redirect. The authorization server returns it unchanged in the callback, and the client must compare it to the stored value before using the authorization code. This prevents cross-site request forgery (often called login CSRF or code injection), where an attacker tricks the victim's browser into completing a callback with the attacker's own authorization code, so the victim ends up operating on the attacker's resources.

acr_values
    Requests a particular level of authentication (the Authentication Context Class Reference). Largely unused or unsupported in practice; clients that need it should check the returned acr claim rather than trust the request.

claims
    Requests specific user claims to be included in the ID Token or UserInfo response.

code_challenge
    Used when implementing PKCE (Proof Key for Code Exchange). It is derived from a random code_verifier that the client keeps secret and later presents at the token endpoint, which binds the authorization code to the client instance that started the flow and makes an intercepted code useless on its own.

code_challenge_method
    The method used to transform the code_verifier into the code_challenge: "S256" (base64url of the SHA-256 hash) or "plain". Use S256; "plain" exposes the verifier in the authorization request.

display
    Indicates how the authorization server displays the authentication and consent page to the user.

id_token_hint
    Provides an ID Token previously issued for the user, as a hint about who is expected to log in.

login_hint
    Suggests a preferred user account (typically an e-mail address or username) to log in.

max_age
    Sets the maximum allowable age, in seconds, of the user's authentication; if it has been exceeded the server must re-authenticate the user.

nonce
    A per-request random value that the server embeds in the ID Token. The client verifies it on receipt, which mitigates replay of a previously issued ID Token.

prompt
    Customizes the user authentication and consent experience (for example "none" to require silent SSO, or "login" to force re-authentication).

response_mode
    Specifies how the authorization server returns the authorization response (for example in the query string or a form POST).

scope
    Defines the scope of access requested by the client application. For OpenID Connect it must include "openid".

ui_locales
    Specifies the preferred language and locale for the authorization server's UI.

Please note that while the mandatory parameters must be included for a successful authorization process, the optional parameters can be included based on the application’s specific requirements and the authorization server’s capabilities.

Sample request

GET /authorize
      ?response_type=code
      &client_id=YOUR_CLIENT_ID
      &redirect_uri=https://yourapp.com/callback
      &scope=openid email
      &state=UNIQUE_STATE_VALUE
      &code_challenge=YOUR_CODE_CHALLENGE
      &code_challenge_method=S256


...user signs in...
...user grants `YOUR_CLIENT_ID` permission to access `openid email`...

HTTP 302 - https://yourapp.com/callback
              ?code=...
              &state=...
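The sample above shows the wire format but not what the client must do around it: generate a fresh state and PKCE verifier per flow, keep both in the user's session, and refuse the callback unless the returned state matches. The following Python is an added example written for this page, not code from any particular provider or library. The endpoint URL, client_id, redirect_uri and the session dictionary are placeholders; a real client stores the session server-side and then sends code, redirect_uri and code_verifier to the token endpoint (not shown here).

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder client settings (assumed values, replace with your registration).
AUTHORIZE_ENDPOINT = "https://issuer.example/authorize"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://yourapp.com/callback"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    # 32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum.
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(session: dict, scope: str = "openid email") -> str:
    """Store per-flow secrets in the caller's session and build the redirect URL."""
    session["oauth_state"] = b64url(secrets.token_bytes(32))
    session["pkce_verifier"] = new_code_verifier()
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": session["oauth_state"],
        "code_challenge": code_challenge_s256(session["pkce_verifier"]),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate the redirect back to the client and return what the token request needs."""
    query = parse_qs(urlparse(callback_url).query)
    # Pop both values so the flow is single-use, whether or not validation succeeds.
    expected_state = session.pop("oauth_state", None)
    verifier = session.pop("pkce_verifier", None)
    if expected_state is None or verifier is None:
        raise ValueError("no authorization flow in progress for this session")
    received_state = query.get("state", [""])[0]
    # Constant-time compare; a mismatch means this session never asked for this code.
    if not hmac.compare_digest(received_state, expected_state):
        raise ValueError("state mismatch: possible CSRF / authorization code injection")
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return {"code": code, "code_verifier": verifier, "redirect_uri": REDIRECT_URI}


def callback_is_valid(session: dict, callback_url: str) -> bool:
    """Boolean wrapper around handle_callback for callers that only need a verdict."""
    try:
        handle_callback(session, callback_url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed walk-through: start a flow, then simulate the provider's 302.
    session = {}
    print(build_authorize_url(session))
    fake_callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={session['oauth_state']}"
    print(handle_callback(session, fake_callback))
```

Two design points worth noting. The state and verifier are removed from the session before any check, so a second callback with the same state (a replay, or an attacker racing the user) fails closed. And the state comparison uses hmac.compare_digest rather than ==, which costs nothing here and avoids timing differences if the check is ever moved behind a network boundary.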