Authorization Endpoint
Overview
The Authorization Endpoint is the starting point for OAuth 2.0 and OpenID Connect flows. It handles user authentication and authorization, and issues an authorization code, implicit tokens, or an ID Token, depending on the flow.
Clients redirect the user’s browser to this endpoint with the appropriate query parameters. After the user authenticates (and consents if required), the IdP redirects the browser back to the client with the authorization response.
Endpoint
The endpoint is advertised as authorization_endpoint in the metadata exposed by the discovery endpoint and typically is:

GET https://[BASE_URL]/connect/authorize
Parameters
Parameter | Required | Description
---|---|---
response_type | Yes | Defines which flow to use (code, id_token, token, or a combination).
client_id | Yes | The client identifier registered with the IdP.
redirect_uri | Yes | Where the user should be redirected after authentication. Must be pre-registered.
scope | Yes | Space-delimited list of scopes. Must include openid for OpenID Connect requests.
state | Recommended | Opaque value used to maintain request state and prevent CSRF. Returned unchanged in the response.
nonce | Required for id_token | String used to associate the client session with the ID Token to prevent replay attacks.
All parameters are documented here.
Usage
- Redirect User: The RP builds an authorization request and redirects the user's browser to the IdP:

  https://idp.example.com/authorize?
  response_type=code&
  client_id=my-client-id&
  redirect_uri=https%3A%2F%2Frp.example.com%2Fcallback&
  scope=openid%20profile%20email&
  state=xyzABC123&
  nonce=abc987

- User Authenticates: The IdP authenticates the user.
- Redirect Back: The IdP redirects the user's browser back to the RP with an authorization response. Example (Authorization Code Flow):

  https://rp.example.com/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=xyzABC123
Security Considerations
- Always validate state to protect against CSRF.
- Always use nonce when requesting id_token.
- Use response_type=code with PKCE for public clients (e.g., SPAs, mobile apps).
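The following RP-side code puts the Usage steps and the three security considerations together: it builds the authorization request with a fresh state, nonce and PKCE code_challenge (S256), keeps the secrets in the server-side session, and then checks the authorization response before the code is exchanged. This is an added example, not code from the product or this documentation; the endpoint URL, client_id, redirect_uri and session dictionary are constructed placeholders, and the nonce check is shown against already-decoded ID Token claims (token signature verification is out of scope here).

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Constructed example values; replace with the IdP's advertised
# authorization_endpoint and the RP's registered client settings.
AUTHORIZATION_ENDPOINT = "https://idp.example.com/connect/authorize"
CLIENT_ID = "my-client-id"
REDIRECT_URI = "https://rp.example.com/callback"


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge_for(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge_for(verifier)


def build_authorization_request(session: dict, scopes=("openid", "profile", "email")) -> str:
    """Step 1 (Redirect User): build the URL and stash state, nonce and verifier server-side."""
    state = b64url(secrets.token_bytes(16))   # CSRF binding, opaque to the IdP
    nonce = b64url(secrets.token_bytes(16))   # replay binding, echoed in the ID Token
    verifier, challenge = make_pkce_pair()
    session.update({"oauth_state": state, "oidc_nonce": nonce, "pkce_verifier": verifier})
    params = {
        "response_type": "code",              # code flow, never token/id_token in the front channel
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),            # must include openid for OIDC
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    # quote_via=quote encodes spaces as %20, as in the documented example.
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params, quote_via=quote)}"


def query_params(url: str) -> dict:
    """Flatten a URL's query string to {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def handle_callback(session: dict, callback_url: str) -> str:
    """Step 3 (Redirect Back): validate state, surface errors, return the code to exchange."""
    query = query_params(callback_url)
    expected = session.pop("oauth_state", None)   # single use: a replayed callback fails
    returned = query.get("state")
    if expected is None or returned is None or not secrets.compare_digest(expected, returned):
        raise ValueError("state mismatch: possible CSRF or stale request")
    if "error" in query:
        raise ValueError(f"authorization error: {query['error']}")
    code = query.get("code")
    if not code:
        raise ValueError("no authorization code in response")
    return code


def verify_nonce(session: dict, id_token_claims: dict) -> bool:
    """After the token exchange: the ID Token's nonce must equal the one sent, then is discarded."""
    expected = session.pop("oidc_nonce", None)
    got = id_token_claims.get("nonce")
    return bool(expected) and got is not None and secrets.compare_digest(expected, got)
```

The verifier stays in the session so the token request can send code_verifier alongside the code; because state and nonce are popped on first use, a second callback or a replayed ID Token with the same values is rejected.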
Related Endpoints
- Token Endpoint – To exchange authorization codes for tokens.
- Check Session iframe – To monitor the authenticated session.
- End Session Endpoint – To log the user out.