2. Protocol Endpoints
AUTHENTICATION SERVER ENDPOINTS
Authorization Endpoint
Used by the client to obtain authorization from the user via user-agent
Token Endpoint
Used by the client to exchange and authorization grant for an access token (with client
authentication)
CLIENT ENDPOINTS
Redirection Endpoint
Used by the authorization server to return responses with authorization credentials to the
client via the user-agent
3. Authorization Endpoint
Used to interact with the user to obtain authorization grant.
User is authenticated (usually username/password)
The location of the authorization endpoint is left up to implementation.
URI may contain query components but cannot contain fragment components.
4. Authorization Endpoint
RESPONSE TYPE
The client informs the authorization server of the desired grant type:
response_type = “code” (for requesting an authorization code)
response_type = “token” (for requesting an access token)
5. Authorization Endpoint
REDIRECTION ENDPOINT
The user is redirected back to the redirect endpoint established during client
registration or during authorization process.
Redirection endpoint URI must be absolute, can contain query components,
but cannot contain fragment components.
Should require the use of TLS
Every client should register their redirection endpoint prior to using
authorization endpoint, otherwise attackers may use the authorization
endpoints as open redirector.
Clients can have multiple redirection points, but when they request
authorization they must use “redirect_uri” request parameter. The
authorization server must compare the redirect_uri value with the values
obtained during client registration.
6. Authorization Endpoint
REDIRECTION ENDPOINT (Continued)
In case of URI error, user should not be redirected, but rather receive an error
message.
Redirection endpoint will result in an HTML document which should not
include third-party scripts.
7. Token Endpoint
Used by the client to obtain an access token using authorization code /
refresh token.
Cannot be used with implicit grant types.
Token endpoint location is up to the implementation.
The client must use POST method to request access tokens.
8. Token Endpoint
CLIENT AUTHENTICATION
Used for:
Enforcing the binding of refresh tokens and authorization codes to the client.
Recovering a client by changing the credentials / disabling the client. Thus there is
no need for revoking the whole set of refresh tokens.
Makes mandatory the rotation of client credentials.
A client may use “client_id” request parameter to identify itself when
sending requests to token endpoints.
A client must use “client_id” when using “authorization_code” and
“grant_type” requests to the token endpoint.
9. Access Token Scope
Client request a certain scope with the “scope” request parameter, and the
authorization server responses with the authorized scope by the “scope”
request parameter as well. The authorization server may grant full requested
scope or limit it according to policies.
If the client doesn’t send a “scope” parameter, the server should use a
default value.
Its values are expressed as a list of space delimited, case-sensitive strings
where order doesn’t matter.
The strings are defined by the authorization server.