SlideShare a Scribd company logo
1 of 9
OAuth 2.0
PROTOCOL ENDPOINTS
Protocol Endpoints
 AUTHENTICATION SERVER ENDPOINTS
 Authorization Endpoint
 Used by the client to obtain authorization from the user via user-agent
 Token Endpoint
 Used by the client to exchange and authorization grant for an access token (with client
authentication)
 CLIENT ENDPOINTS
 Redirection Endpoint
 Used by the authorization server to return responses with authorization credentials to the
client via the user-agent
Authorization Endpoint
 Used to interact with the user to obtain authorization grant.
 User is authenticated (usually username/password)
 The location of the authorization endpoint is left up to implementation.
 URI may contain query components but cannot contain fragment components.
Authorization Endpoint
RESPONSE TYPE
 The client informs the authorization server of the desired grant type:
 response_type = “code” (for requesting an authorization code)
 response_type = “token” (for requesting an access token)
Authorization Endpoint
REDIRECTION ENDPOINT
 The user is redirected back to the redirect endpoint established during client
registration or during authorization process.
 Redirection endpoint URI must be absolute, can contain query components,
but cannot contain fragment components.
 Should require the use of TLS
 Every client should register their redirection endpoint prior to using
authorization endpoint, otherwise attackers may use the authorization
endpoints as open redirector.
 Clients can have multiple redirection points, but when they request
authorization they must use “redirect_uri” request parameter. The
authorization server must compare the redirect_uri value with the values
obtained during client registration.
Authorization Endpoint
REDIRECTION ENDPOINT (Continued)
 In case of URI error, user should not be redirected, but rather receive an error
message.
 Redirection endpoint will result in an HTML document which should not
include third-party scripts.
Token Endpoint
 Used by the client to obtain an access token using authorization code /
refresh token.
 Cannot be used with implicit grant types.
 Token endpoint location is up to the implementation.
 The client must use POST method to request access tokens.
Token Endpoint
CLIENT AUTHENTICATION
 Used for:
 Enforcing the binding of refresh tokens and authorization codes to the client.
 Recovering a client by changing the credentials / disabling the client. Thus there is
no need for revoking the whole set of refresh tokens.
 Makes mandatory the rotation of client credentials.
 A client may use “client_id” request parameter to identify itself when
sending requests to token endpoints.
 A client must use “client_id” when using “authorization_code” and
“grant_type” requests to the token endpoint.
Access Token Scope
 Client request a certain scope with the “scope” request parameter, and the
authorization server responses with the authorized scope by the “scope”
request parameter as well. The authorization server may grant full requested
scope or limit it according to policies.
 If the client doesn’t send a “scope” parameter, the server should use a
default value.
 Its values are expressed as a list of space delimited, case-sensitive strings
where order doesn’t matter.
 The strings are defined by the authorization server.

More Related Content

Viewers also liked

3.การพิจารณา สถานีสูบน้ำด้วยไฟฟ้า
3.การพิจารณา สถานีสูบน้ำด้วยไฟฟ้า3.การพิจารณา สถานีสูบน้ำด้วยไฟฟ้า
3.การพิจารณา สถานีสูบน้ำด้วยไฟฟ้าสายหมอก วันใหม่
 
L'ARPA e il progetto SmartOpenData
L'ARPA e il progetto SmartOpenDataL'ARPA e il progetto SmartOpenData
L'ARPA e il progetto SmartOpenDatajexxon
 
Uflex Awards Ceremony
Uflex Awards CeremonyUflex Awards Ceremony
Uflex Awards CeremonyUflexlimited
 
01 Approaches to Language Teaching
01 Approaches to Language Teaching01 Approaches to Language Teaching
01 Approaches to Language TeachingMikhail Rogozin
 
Group activity 2 travel services
Group activity 2 travel servicesGroup activity 2 travel services
Group activity 2 travel servicesbananaapple2
 
[UX Series] 5 - Navigation
[UX Series] 5 - Navigation[UX Series] 5 - Navigation
[UX Series] 5 - NavigationPhuong Hoang Vu
 

Viewers also liked (9)

Mind 330
Mind 330Mind 330
Mind 330
 
3.การพิจารณา สถานีสูบน้ำด้วยไฟฟ้า
3.การพิจารณา สถานีสูบน้ำด้วยไฟฟ้า3.การพิจารณา สถานีสูบน้ำด้วยไฟฟ้า
3.การพิจารณา สถานีสูบน้ำด้วยไฟฟ้า
 
kanan k
kanan kkanan k
kanan k
 
L'ARPA e il progetto SmartOpenData
L'ARPA e il progetto SmartOpenDataL'ARPA e il progetto SmartOpenData
L'ARPA e il progetto SmartOpenData
 
Uflex Awards Ceremony
Uflex Awards CeremonyUflex Awards Ceremony
Uflex Awards Ceremony
 
01 Approaches to Language Teaching
01 Approaches to Language Teaching01 Approaches to Language Teaching
01 Approaches to Language Teaching
 
Group activity 2 travel services
Group activity 2 travel servicesGroup activity 2 travel services
Group activity 2 travel services
 
[UX Series] 5 - Navigation
[UX Series] 5 - Navigation[UX Series] 5 - Navigation
[UX Series] 5 - Navigation
 
TOS 3rd Quarter
TOS 3rd QuarterTOS 3rd Quarter
TOS 3rd Quarter
 

Similar to (3) OAuth 2.0 Protocol Endpoints

(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorizationanikristo
 
The OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization FrameworkThe OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization FrameworkSamuele Cozzi
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsSalesforce Developers
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowManish Pandit
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Nilanjan Roy
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
Microsoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsMicrosoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsStefan Weber
 
Amazon Cognito OAuth 2.0 Grants
Amazon Cognito OAuth 2.0 GrantsAmazon Cognito OAuth 2.0 Grants
Amazon Cognito OAuth 2.0 GrantsSibtay Abbas
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overviewanikristo
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemPrabath Siriwardena
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootGeert Pante
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceAmin Saqi
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
 
Introducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceIntroducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceAmin Saqi
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Mads Toustrup-Lønne
 

Similar to (3) OAuth 2.0 Protocol Endpoints (20)

(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization(4) OAuth 2.0 Obtaining Authorization
(4) OAuth 2.0 Obtaining Authorization
 
The OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization FrameworkThe OAuth 2.0 Authorization Framework
The OAuth 2.0 Authorization Framework
 
Deep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected AppsDeep Dive into OAuth for Connected Apps
Deep Dive into OAuth for Connected Apps
 
Silicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and HowSilicon Valley Code Camp 2009: OAuth: What, Why and How
Silicon Valley Code Camp 2009: OAuth: What, Why and How
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect Microservice security with spring security 5.1,Oauth 2.0 and open id connect
Microservice security with spring security 5.1,Oauth 2.0 and open id connect
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
Microsoft Graph API Delegated Permissions
Microsoft Graph API Delegated PermissionsMicrosoft Graph API Delegated Permissions
Microsoft Graph API Delegated Permissions
 
Amazon Cognito OAuth 2.0 Grants
Amazon Cognito OAuth 2.0 GrantsAmazon Cognito OAuth 2.0 Grants
Amazon Cognito OAuth 2.0 Grants
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
Best Practices in Building an API Security Ecosystem
Best Practices in Building an API Security EcosystemBest Practices in Building an API Security Ecosystem
Best Practices in Building an API Security Ecosystem
 
OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
 
A Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and PerformanceA Survey on SSO Authentication protocols: Security and Performance
A Survey on SSO Authentication protocols: Security and Performance
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
 
Introducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and PerformanceIntroducing OpenID 1.0 Protocol: Security and Performance
Introducing OpenID 1.0 Protocol: Security and Performance
 
Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0Protecting your APIs with Doorkeeper and OAuth 2.0
Protecting your APIs with Doorkeeper and OAuth 2.0
 
Full stack security
Full stack securityFull stack security
Full stack security
 

Recently uploaded

History of Indian Railways - the story of Growth & Modernization
History of Indian Railways - the story of Growth & ModernizationHistory of Indian Railways - the story of Growth & Modernization
History of Indian Railways - the story of Growth & ModernizationEmaan Sharma
 
Geometric constructions Engineering Drawing.pdf
Geometric constructions Engineering Drawing.pdfGeometric constructions Engineering Drawing.pdf
Geometric constructions Engineering Drawing.pdfJNTUA
 
analog-vs-digital-communication (concept of analog and digital).pptx
analog-vs-digital-communication (concept of analog and digital).pptxanalog-vs-digital-communication (concept of analog and digital).pptx
analog-vs-digital-communication (concept of analog and digital).pptxKarpagam Institute of Teechnology
 
Basics of Relay for Engineering Students
Basics of Relay for Engineering StudentsBasics of Relay for Engineering Students
Basics of Relay for Engineering Studentskannan348865
 
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024EMMANUELLEFRANCEHELI
 
21P35A0312 Internship eccccccReport.docx
21P35A0312 Internship eccccccReport.docx21P35A0312 Internship eccccccReport.docx
21P35A0312 Internship eccccccReport.docxrahulmanepalli02
 
Circuit Breakers for Engineering Students
Circuit Breakers for Engineering StudentsCircuit Breakers for Engineering Students
Circuit Breakers for Engineering Studentskannan348865
 
engineering chemistry power point presentation
engineering chemistry  power point presentationengineering chemistry  power point presentation
engineering chemistry power point presentationsj9399037128
 
Path loss model, OKUMURA Model, Hata Model
Path loss model, OKUMURA Model, Hata ModelPath loss model, OKUMURA Model, Hata Model
Path loss model, OKUMURA Model, Hata ModelDrAjayKumarYadav4
 
5G and 6G refer to generations of mobile network technology, each representin...
5G and 6G refer to generations of mobile network technology, each representin...5G and 6G refer to generations of mobile network technology, each representin...
5G and 6G refer to generations of mobile network technology, each representin...archanaece3
 
一比一原版(NEU毕业证书)东北大学毕业证成绩单原件一模一样
一比一原版(NEU毕业证书)东北大学毕业证成绩单原件一模一样一比一原版(NEU毕业证书)东北大学毕业证成绩单原件一模一样
一比一原版(NEU毕业证书)东北大学毕业证成绩单原件一模一样A
 
Fuzzy logic method-based stress detector with blood pressure and body tempera...
Fuzzy logic method-based stress detector with blood pressure and body tempera...Fuzzy logic method-based stress detector with blood pressure and body tempera...
Fuzzy logic method-based stress detector with blood pressure and body tempera...IJECEIAES
 
Independent Solar-Powered Electric Vehicle Charging Station
Independent Solar-Powered Electric Vehicle Charging StationIndependent Solar-Powered Electric Vehicle Charging Station
Independent Solar-Powered Electric Vehicle Charging Stationsiddharthteach18
 
8th International Conference on Soft Computing, Mathematics and Control (SMC ...
8th International Conference on Soft Computing, Mathematics and Control (SMC ...8th International Conference on Soft Computing, Mathematics and Control (SMC ...
8th International Conference on Soft Computing, Mathematics and Control (SMC ...josephjonse
 
Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)Ramkumar k
 
handbook on reinforce concrete and detailing
handbook on reinforce concrete and detailinghandbook on reinforce concrete and detailing
handbook on reinforce concrete and detailingAshishSingh1301
 
Developing a smart system for infant incubators using the internet of things ...
Developing a smart system for infant incubators using the internet of things ...Developing a smart system for infant incubators using the internet of things ...
Developing a smart system for infant incubators using the internet of things ...IJECEIAES
 
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdf
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdfInstruct Nirmaana 24-Smart and Lean Construction Through Technology.pdf
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdfEr.Sonali Nasikkar
 
Max. shear stress theory-Maximum Shear Stress Theory ​ Maximum Distortional ...
Max. shear stress theory-Maximum Shear Stress Theory ​  Maximum Distortional ...Max. shear stress theory-Maximum Shear Stress Theory ​  Maximum Distortional ...
Max. shear stress theory-Maximum Shear Stress Theory ​ Maximum Distortional ...ronahami
 
Call for Papers - Journal of Electrical Systems (JES), E-ISSN: 1112-5209, ind...
Call for Papers - Journal of Electrical Systems (JES), E-ISSN: 1112-5209, ind...Call for Papers - Journal of Electrical Systems (JES), E-ISSN: 1112-5209, ind...
Call for Papers - Journal of Electrical Systems (JES), E-ISSN: 1112-5209, ind...Christo Ananth
 

Recently uploaded (20)

History of Indian Railways - the story of Growth & Modernization
History of Indian Railways - the story of Growth & ModernizationHistory of Indian Railways - the story of Growth & Modernization
History of Indian Railways - the story of Growth & Modernization
 
Geometric constructions Engineering Drawing.pdf
Geometric constructions Engineering Drawing.pdfGeometric constructions Engineering Drawing.pdf
Geometric constructions Engineering Drawing.pdf
 
analog-vs-digital-communication (concept of analog and digital).pptx
analog-vs-digital-communication (concept of analog and digital).pptxanalog-vs-digital-communication (concept of analog and digital).pptx
analog-vs-digital-communication (concept of analog and digital).pptx
 
Basics of Relay for Engineering Students
Basics of Relay for Engineering StudentsBasics of Relay for Engineering Students
Basics of Relay for Engineering Students
 
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
 
21P35A0312 Internship eccccccReport.docx
21P35A0312 Internship eccccccReport.docx21P35A0312 Internship eccccccReport.docx
21P35A0312 Internship eccccccReport.docx
 
Circuit Breakers for Engineering Students
Circuit Breakers for Engineering StudentsCircuit Breakers for Engineering Students
Circuit Breakers for Engineering Students
 
engineering chemistry power point presentation
engineering chemistry  power point presentationengineering chemistry  power point presentation
engineering chemistry power point presentation
 
Path loss model, OKUMURA Model, Hata Model
Path loss model, OKUMURA Model, Hata ModelPath loss model, OKUMURA Model, Hata Model
Path loss model, OKUMURA Model, Hata Model
 
5G and 6G refer to generations of mobile network technology, each representin...
5G and 6G refer to generations of mobile network technology, each representin...5G and 6G refer to generations of mobile network technology, each representin...
5G and 6G refer to generations of mobile network technology, each representin...
 
一比一原版(NEU毕业证书)东北大学毕业证成绩单原件一模一样
一比一原版(NEU毕业证书)东北大学毕业证成绩单原件一模一样一比一原版(NEU毕业证书)东北大学毕业证成绩单原件一模一样
一比一原版(NEU毕业证书)东北大学毕业证成绩单原件一模一样
 
Fuzzy logic method-based stress detector with blood pressure and body tempera...
Fuzzy logic method-based stress detector with blood pressure and body tempera...Fuzzy logic method-based stress detector with blood pressure and body tempera...
Fuzzy logic method-based stress detector with blood pressure and body tempera...
 
Independent Solar-Powered Electric Vehicle Charging Station
Independent Solar-Powered Electric Vehicle Charging StationIndependent Solar-Powered Electric Vehicle Charging Station
Independent Solar-Powered Electric Vehicle Charging Station
 
8th International Conference on Soft Computing, Mathematics and Control (SMC ...
8th International Conference on Soft Computing, Mathematics and Control (SMC ...8th International Conference on Soft Computing, Mathematics and Control (SMC ...
8th International Conference on Soft Computing, Mathematics and Control (SMC ...
 
Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)Theory of Time 2024 (Universal Theory for Everything)
Theory of Time 2024 (Universal Theory for Everything)
 
handbook on reinforce concrete and detailing
handbook on reinforce concrete and detailinghandbook on reinforce concrete and detailing
handbook on reinforce concrete and detailing
 
Developing a smart system for infant incubators using the internet of things ...
Developing a smart system for infant incubators using the internet of things ...Developing a smart system for infant incubators using the internet of things ...
Developing a smart system for infant incubators using the internet of things ...
 
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdf
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdfInstruct Nirmaana 24-Smart and Lean Construction Through Technology.pdf
Instruct Nirmaana 24-Smart and Lean Construction Through Technology.pdf
 
Max. shear stress theory-Maximum Shear Stress Theory ​ Maximum Distortional ...
Max. shear stress theory-Maximum Shear Stress Theory ​  Maximum Distortional ...Max. shear stress theory-Maximum Shear Stress Theory ​  Maximum Distortional ...
Max. shear stress theory-Maximum Shear Stress Theory ​ Maximum Distortional ...
 
Call for Papers - Journal of Electrical Systems (JES), E-ISSN: 1112-5209, ind...
Call for Papers - Journal of Electrical Systems (JES), E-ISSN: 1112-5209, ind...Call for Papers - Journal of Electrical Systems (JES), E-ISSN: 1112-5209, ind...
Call for Papers - Journal of Electrical Systems (JES), E-ISSN: 1112-5209, ind...
 

(3) OAuth 2.0 Protocol Endpoints

  • 2. Protocol Endpoints  AUTHENTICATION SERVER ENDPOINTS  Authorization Endpoint  Used by the client to obtain authorization from the user via user-agent  Token Endpoint  Used by the client to exchange and authorization grant for an access token (with client authentication)  CLIENT ENDPOINTS  Redirection Endpoint  Used by the authorization server to return responses with authorization credentials to the client via the user-agent
  • 3. Authorization Endpoint  Used to interact with the user to obtain authorization grant.  User is authenticated (usually username/password)  The location of the authorization endpoint is left up to implementation.  URI may contain query components but cannot contain fragment components.
  • 4. Authorization Endpoint RESPONSE TYPE  The client informs the authorization server of the desired grant type:  response_type = “code” (for requesting an authorization code)  response_type = “token” (for requesting an access token)
  • 5. Authorization Endpoint REDIRECTION ENDPOINT  The user is redirected back to the redirect endpoint established during client registration or during authorization process.  Redirection endpoint URI must be absolute, can contain query components, but cannot contain fragment components.  Should require the use of TLS  Every client should register their redirection endpoint prior to using authorization endpoint, otherwise attackers may use the authorization endpoints as open redirector.  Clients can have multiple redirection points, but when they request authorization they must use “redirect_uri” request parameter. The authorization server must compare the redirect_uri value with the values obtained during client registration.
  • 6. Authorization Endpoint REDIRECTION ENDPOINT (Continued)  In case of URI error, user should not be redirected, but rather receive an error message.  Redirection endpoint will result in an HTML document which should not include third-party scripts.
  • 7. Token Endpoint  Used by the client to obtain an access token using authorization code / refresh token.  Cannot be used with implicit grant types.  Token endpoint location is up to the implementation.  The client must use POST method to request access tokens.
  • 8. Token Endpoint CLIENT AUTHENTICATION  Used for:  Enforcing the binding of refresh tokens and authorization codes to the client.  Recovering a client by changing the credentials / disabling the client. Thus there is no need for revoking the whole set of refresh tokens.  Makes mandatory the rotation of client credentials.  A client may use “client_id” request parameter to identify itself when sending requests to token endpoints.  A client must use “client_id” when using “authorization_code” and “grant_type” requests to the token endpoint.
  • 9. Access Token Scope  Client request a certain scope with the “scope” request parameter, and the authorization server responses with the authorized scope by the “scope” request parameter as well. The authorization server may grant full requested scope or limit it according to policies.  If the client doesn’t send a “scope” parameter, the server should use a default value.  Its values are expressed as a list of space delimited, case-sensitive strings where order doesn’t matter.  The strings are defined by the authorization server.