Authorization API

Copyright © Cloud Software Group, Inc. All Rights Reserved

Chapter 13 OAuth Server : Authorization API

Authorization API

The OAuth server provides the following API to authorize a request.

Name

/authorize

Description

Process an authorization request.

Authorization Request

Use the following parameters to send an authorization request. The parameters can be added to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format.

Table 130 Authorization Request Parameters

Parameter

Description

response_type

The value must be set to code.

Required.

client_id

The client identifier issued to the client by the authorization server during the registration process.

Required.

redirect_uri

The URL where the authorization server sends the authorization code.

Optional.

Refer to Section 3.1.2 of RFC 6749 for details.

scope

Specifies the scope of the access request.

Refer to Section 3.3 of RFC 6749 for details.

Optional.

state

Specifies an opaque value used by the client to maintain the state between the request and callback. The authorization server includes the state value when redirecting the user-agent back to the client.

Optional.

Authorization Request Example

The client directs the user-agent to make the following HTTP request using TLS:

GET /asg/oauth2/authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz

&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1

Host: server.example.com

Authorization Response

The authorization server processes the authorize request from client as follows:

−

Issues an authorization code.

−

Adds the parameters as described in the following table to the query component of the redirection URI using "application/x-www-form-urlencoded" format.

−

Delivers the authorization code to the client.

Table 131 Authorization Response Parameters

Parameter

Description

code

The authorization code generated by the authorization server.

Required.

Refer to Section 4.1.2 of RFC 6749 for details.

state

Refers to the exact state parameter value as received from the client. This is required if the state parameter was present in the client authorization request.

Authorization Response Example

The authorization server redirects the user-agent by sending the following HTTP response:

HTTP/1.1 302 Found

Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA

Authorization Error

The authorization server returns an error response if the request processing fails. The processing of the request fails due to one of the following reasons:

•

Missing, invalid, or mismatching redirection URI

For this case, the authorization server informs the resource owner of the error and does not automatically redirect the user-agent to the invalid redirection URI.

•

Missing or invalid client identifier

For this case, the authorization server informs the resource owner of the error and does not automatically redirect the user-agent to the invalid redirection URI.

•

Resource owner denies the access request

The authorization server informs the client by adding the following parameters to the query component of the redirection URI using the application/x-www-form-urlencoded format.

Table 132 Authorize Request Error Parameters

Parameter

Description

error

Specifies a single error code returned from the authorization server.

Required.

Refer to Authorize Request Error Codes table for the error codes.

state

Refers to the exact state parameter value as received from the client. This is required if the state parameter was present in the client authorization request.

Table 133 Authorize Request Error Codes

Error Code

Description

invalid_request

The request is missing a required parameter, includes an invalid parameter value, includes parameter more than once, or is otherwise malformed.

unauthorized_client

The client is not authorized to request an authorization code using this method.

access_denied

The resource owner or authorization server denied the request.

unsupported_response_type

The authorization server does not support obtaining an authorization code using this method.

invalid_scope

The requested scope is invalid, unknown, or malformed.

server_error

The authorization server encountered an unexpected condition that prevented it from fulfilling the request. This error code is needed because a 500 Internal Server Error HTTP status code cannot be returned to the client via an HTTP redirect.

Authorization Error Example

The authorization server redirects the user-agent by sending the following HTTP response:

HTTP/1.1 302 Found

Location: https://client.example.com/cb?error=access_denied

Parameter	Description
response_type	The value must be set to code. Required.
client_id	The client identifier issued to the client by the authorization server during the registration process. Required.
redirect_uri	The URL where the authorization server sends the authorization code. Optional. Refer to Section 3.1.2 of RFC 6749 for details.
scope	Specifies the scope of the access request. Refer to Section 3.3 of RFC 6749 for details. Optional.
state	Specifies an opaque value used by the client to maintain the state between the request and callback. The authorization server includes the state value when redirecting the user-agent back to the client. Optional.

Parameter	Description
code	The authorization code generated by the authorization server. Required. Refer to Section 4.1.2 of RFC 6749 for details.
state	Refers to the exact state parameter value as received from the client. This is required if the state parameter was present in the client authorization request.

Parameter	Description
error	Specifies a single error code returned from the authorization server. Required. Refer to Authorize Request Error Codes table for the error codes.
state	Refers to the exact state parameter value as received from the client. This is required if the state parameter was present in the client authorization request.

Error Code	Description
invalid_request
	The request is missing a required parameter, includes an invalid parameter value, includes parameter more than once, or is otherwise malformed.
unauthorized_client
	The client is not authorized to request an authorization code using this method.
access_denied
	The resource owner or authorization server denied the request.
unsupported_response_type
	The authorization server does not support obtaining an authorization code using this method.
invalid_scope
	The requested scope is invalid, unknown, or malformed.
server_error
	The authorization server encountered an unexpected condition that prevented it from fulfilling the request. This error code is needed because a 500 Internal Server Error HTTP status code cannot be returned to the client via an HTTP redirect.