Created
April 27, 2010 15:02
-
-
Save mbleigh/380829 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 3.5.2.1. Client Requests Authorization | |
| In order for the end user to grant the client access, the client | |
| sends the end user to the authorization server. The client | |
| constructs the request URI by adding the following URI query | |
| parameters to the user authorization endpoint URI: | |
| type | |
| REQUIRED. The parameter value MUST be set to "web_server" | |
| (case sensitive). | |
| client_id | |
| REQUIRED. The client identifier as described in Section 3.4. | |
| redirect_uri | |
| REQUIRED unless a redirection URI has been established between | |
| the client and authorization server via other means. An | |
| absolute URI to which the authorization server will redirect | |
| the user-agent to when the end user authorization step is | |
| completed. The authorization server MAY require the client to | |
| pre-register their redirection URI. The redirection URI MUST | |
| NOT includes a query component as defined by [RFC3986] section | |
| 3 if the "state" parameter is present. | |
| state | |
| OPTIONAL. An opaque value used by the client to maintain state | |
| between the request and callback. The authorization server | |
| includes this value when redirecting the user-agent back to the | |
| client. | |
| immediate | |
| OPTIONAL. The parameter value must be set to "true" or "false" | |
| (case sensitive). If set to "true", the authorization server | |
| MUST NOT prompt the end user to authenticate or approve access. | |
| Instead, the authorization server attempts to establish the end | |
| user's identity via other means (e.g. browser cookies) and | |
| checks if the end user has previously approved an identical | |
| access request by the same client and if that access grant is | |
| still active. If the authorization server does not support an | |
| immediate check or if it is unable to establish the end user's | |
| identity or approval status, it MUST deny the request without | |
| prompting the end user. Defaults to "false" if omitted. | |
| The client directs the end user to the constructed URI using an HTTP | |
| redirection response, or by other means available to it via the end | |
| user's user-agent. The request MUST use the HTTP "GET" method. | |
| For example, the client directs the end user's user-agent to make the | |
| following HTTPS requests (line breaks are for display purposes only): | |
| GET /authorize?type=web_server&client_id=s6BhdRkqt3&redirect_uri= | |
| https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1 | |
| Host: server.example.com | |
| If the client has previously registered a redirection URI with the | |
| authorization server, the authorization server MUST verify that the | |
| redirection URI received matches the registered URI associated with | |
| the client identifier. | |
| The authorization server authenticates the end user and obtains an | |
| authorization decision (by asking the end user or establishing | |
| approval via other means). The authorization server sends the end | |
| user's user-agent to the provided client redirection URI using an | |
| HTTP redirection response, or by other means available to it via the | |
| end user's user-agent. | |
| 3.5.2.1.1. End User Grants Authorization | |
| If the end user authorizes the access request, the authorization | |
| server generates a verification code and associates it with the | |
| client identifier and redirection URI. The authorization server | |
| constructs the request URI by adding the following parameters to the | |
| query component of redirection URI provided by the client: | |
| code | |
| REQUIRED. The verification code generated by the authorization | |
| server. | |
| state | |
| REQUIRED if the "state" parameter was present in the client | |
| authorization request. Set to the exact value received from | |
| the client. | |
| The verification code SHOULD expire shortly after it is issued and | |
| allowed for a single use. | |
| For example, the authorization server redirects the end user's user- | |
| agent by sending the following HTTP response: | |
| HTTP/1.1 302 Found | |
| Location: https://client.example.com/cb?code=i1WsRn1uB1 | |
| GET /cb?code=i1WsRn1uB1 HTTP/1.1 | |
| Host: client.example.com | |
| 3.5.2.1.2. End User Denies Authorization | |
| If the end user denied the access request, the authorization server | |
| constructs the request URI by adding the following parameters to the | |
| query component of the redirection URI provided by the client: | |
| error | |
| REQUIRED. The parameter value MUST be set to "user_denied" | |
| (case sensitive). | |
| state | |
| REQUIRED if the "state" parameter was present in the client | |
| authorization request. Set to the exact value received from | |
| the client. | |
| For example, the authorization server directs the client to make the | |
| following HTTP request: | |
| GET /cb?error=user_denied HTTP/1.1 | |
| Host: client.example.com | |
| The authorization flow concludes unsuccessfully. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment