
Initiate an authorization request

GET /oauth2/auth

Initiates the authorization flow by redirecting the resource owner's user-agent through the authorization server. Supports Authorization Code (response_type=code), Implicit (response_type=token or id_token), and Hybrid flows as defined in RFC 6749 and OpenID Connect Core 1.0. PKCE (RFC 7636) and Pushed Authorization Requests (RFC 9126) via request_uri are also supported. On success the user-agent is redirected to redirect_uri with the authorization code or tokens appended as query parameters (code flow) or in the fragment (implicit/hybrid flows). On error the user-agent is redirected to redirect_uri with error and error_description query parameters, unless redirect_uri itself is missing or invalid. Refer to the introduction section for details on how to configure this use case.

Request

Query Parameters

    response_type string required

    Space-delimited response type. code requests an authorization code (Authorization Code flow); token requests an access token directly (Implicit flow), both as defined in RFC 6749. OpenID Connect extends this with id_token and composite values such as code id_token or code token for Hybrid flows.

    client_id string required

    The client identifier registered at the authorization server.

    redirect_uri uri

    URI to redirect the user-agent to after the authorization decision. Must match one of the redirect URIs registered for the client.

    scope string

    Space-delimited list of requested scopes. Include openid for OpenID Connect flows.

    state string

    Opaque value used to maintain state between the request and callback. RECOMMENDED by RFC 6749 Section 4.1.1 to protect against CSRF attacks; returned unchanged in the redirect.

    nonce string

    (OIDC) String value used to associate a client session with the ID token and to mitigate replay attacks. REQUIRED for Implicit flow (response_type=id_token or id_token token). For other flows, when provided, the value is reflected unchanged in the ID token.

    code_challenge string

    (PKCE) Code challenge derived from the code verifier. Required when PKCE is enforced by the client or server configuration.

    code_challenge_method string

    Possible values: [S256, plain]

    (PKCE) Method used to derive the code challenge. S256 is recommended; plain is also supported.

    prompt string

    Possible values: [none, login, consent, select_account]

    (OIDC) Controls the authentication and consent prompts shown to the resource owner. none requires an existing session; login forces re-authentication.

    max_age int64

    (OIDC) Maximum elapsed time in seconds since the last end-user authentication. If exceeded, re-authentication is required.

    acr_values string

    (OIDC) Space-delimited list of requested Authentication Context Class Reference values.

    request_uri string

    (PAR) Reference URI to a previously pushed authorization request. When present, all other parameters except client_id are ignored. The URI must have been issued by the PAR endpoint and must not have expired.

Responses

Authorization result delivered via redirect to redirect_uri
