
OAuth 2.0 Authorization Code Authorization


May 23, 2021 OAuth 2.0 Series


Authorization code authorization

Authorization code authorization consists of two requests and two responses in total: one authorization request plus its response, and one token request plus its response.

Authorization request

An authorization request is sent to the authorization endpoint to obtain an authorization code. These are the parameters used in the request:

response_type Required. Must be set to code.
client_id Required. The identifier the authorization server assigned to the client when the client was registered.
redirect_uri Optional. The redirect URI registered by the client.
scope Optional. The scope of access the client is requesting.
state Optional (recommended). Any client state that needs to be passed back to the client in the redirect URI.

Authorization response

The authorization response contains the authorization code, which the client needs in order to obtain the access token. These are the parameters included in the response:

code Required. The authorization code.
state Required if the state parameter was present in the authorization request. Must be the same value as the state parameter sent in the client request.

Authorization error

If an error occurs during authorization, two things can happen. In the first case, the client is not identified or not authorized, for example because the redirect URI in the request is invalid. In this case the authorization server should not redirect the resource owner to the redirect URI, but should instead inform the resource owner that an error has occurred. In the second case, the client is properly identified and authorized, but something else fails. In this case the following error response is sent to the client, encoded in the redirect URI:

error Required. Must be one of the predefined error codes. See the specification for these error codes and what they mean.
error_description Optional. A UTF-8 encoded text describing the error. Intended for developers, not end users.
error_uri Optional. A URI pointing to a web page with human-readable information about the error.
state Required if the state parameter was present in the authorization request. Must be the same value as the state parameter in the request.

Token request

Once the authorization code has been obtained, the client can use it to obtain an access token. These are the parameters of the access token request:

grant_type Required. Must be set to authorization_code.
code Required. The authorization code received from the authorization server.
redirect_uri Required if the redirect_uri parameter was included in the authorization request; it must then be the same value.

Token response

The response to an access token request is a JSON string containing the access token and some further information:

{
  "access_token"  : "...",
  "token_type"    : "...",
  "expires_in"    : "...",
  "refresh_token" : "..."
}

The access_token property is the access token issued by the authorization server. token_type is the type of the token issued by the authorization server. expires_in is the number of seconds after which the access token is no longer valid; the access token expiration value is optional. The refresh_token property contains a refresh token that can be used after the access token expires. Refresh tokens are used to obtain a new access token once a response indicates that the current access token is no longer valid.
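To tie the four messages together, here is an added client-side example in Python (not code from the original page): it builds the authorization request, checks the redirect for the state value and for an error response, prepares the token request, and validates the token response. The endpoint, client_id, redirect URI and the sample callback and token body are constructed for illustration, and the HTTP transport itself is left out.

```python
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example; a real client uses what it got at registration.
AUTHORIZE_ENDPOINT = "https://auth.example/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://app.example/callback"

def build_authorization_request(state: str, scope: str = "read") -> str:
    """Authorization request URL; response_type must be 'code'. The caller keeps
    `state` (an unguessable value, e.g. secrets.token_urlsafe(32)) in the user's session."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

def parse_authorization_response(redirect_url: str, expected_state: str) -> str:
    """Return the authorization code carried by the redirect, or raise.
    The state comparison ties the redirect to the session that started the flow, so a
    code obtained elsewhere cannot be planted into this user's session (the CSRF risk)."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this session")
    if "error" in query:
        # Error response: 'error' is required; 'error_description' is optional, for developers
        desc = query.get("error_description", [""])[0]
        raise RuntimeError(f"authorization failed: {query['error'][0]} {desc}".strip())
    if not query.get("code"):
        raise ValueError("authorization response carries neither code nor error")
    return query["code"][0]

def build_token_request(code: str) -> dict:
    """Form body of the token request: grant_type must be 'authorization_code' and
    redirect_uri must repeat the value sent in the authorization request."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}

def parse_token_response(body: str) -> dict:
    """Check the token response JSON; expires_in is optional and counts seconds."""
    token = json.loads(body)
    for key in ("access_token", "token_type"):
        if key not in token:
            raise ValueError(f"token response missing {key}")
    if "expires_in" in token:
        token["expires_in"] = int(token["expires_in"])  # servers differ on number vs. string
    return token

# Constructed sample callback URL and token response body, as a server might send them.
SAMPLE_REDIRECT = "https://app.example/callback?code=CONSTRUCTED_CODE_123&state=af0ifjsldkj"
SAMPLE_TOKEN_BODY = ('{"access_token": "CONSTRUCTED_ACCESS_TOKEN", "token_type": "bearer", '
                     '"expires_in": 3600, "refresh_token": "CONSTRUCTED_REFRESH_TOKEN"}')
```

A real client also authenticates itself on the token request (for example with the client secret issued at registration), which the page's parameter list does not cover.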