### Authorization Request Example with PKCE Source: https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/04 This example demonstrates an HTTP GET request to the authorization server, including parameters for PKCE (code_challenge and code_challenge_method). ```http GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb &code_challenge=6fdkQaPm51l13DSukcAH3Mdx7_ntecHYd1vi3n0hMZY &code_challenge_method=S256 HTTP/1.1 Host: server.example.com ``` -------------------------------- ### OAuth 2.1 Authorization Request Example Source: https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/06 Example of an HTTP GET request to the authorization server. Ensure all required parameters are present and valid. ```http GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb &code_challenge=6fdkQaPm51l13DSukcAH3Mdx7_ntecHYd1vi3n0hMZY &code_challenge_method=S256 HTTP/1.1 Host: server.example.com ``` -------------------------------- ### Token Response Example Source: https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/13 Example of a successful token response from the authorization server. ```APIDOC ## Token Response (200 OK) ### Description Successful response containing an access token and optional refresh token. ### Response #### Success Response (200) - **access_token** (string) - REQUIRED. The access token issued by the authorization server. - **token_type** (string) - REQUIRED. The type of the access token (e.g., Bearer). - **expires_in** (number) - RECOMMENDED. The lifetime in seconds of the access token. - **scope** (string) - RECOMMENDED, if identical to the scope requested by the client; otherwise, REQUIRED. The scope of the access token. - **refresh_token** (string) - OPTIONAL. The refresh token, which can be used to obtain new access tokens. ### Response Example ```json { "access_token":"2YotnFZFEjr1zCsicMWpAA", "token_type":"Bearer", "expires_in":3600, "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter":"example_value" } ``` ``` -------------------------------- ### Token Request Example Source: https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/13 Example of a client making a POST request to the token endpoint to obtain an access token. ```APIDOC ## POST /token ### Description Requests an access token from the authorization server. ### Method POST ### Endpoint /token ### Parameters #### Request Body - **grant_type** (string) - Required - Identifies the grant type being used. - **code** (string) - Required - The authorization code received from the authorization server. - **redirect_uri** (string) - Required - The redirect URI used in the initial authorization request. - **code_verifier** (string) - Required - The code verifier used in the authorization request. ### Request Example ```http POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb &code_verifier=3641a2d12d66101249cdf7a79c000c1f8c05d2aafcf14bf146497bed ``` ``` -------------------------------- ### OAuth 2.1 Authorization Request Example Source: https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/09 Example of an HTTP GET request for authorization, including response_type, client_id, state, redirect_uri, code_challenge, and code_challenge_method. Clients MUST use code_challenge and code_verifier. ```http GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb &code_challenge=6fdkQaPm51l13DSukcAH3Mdx7_ntecHYd1vi3n0hMZY &code_challenge_method=S256 HTTP/1.1 Host: server.example.com ``` -------------------------------- ### Content Security Policy Example Source: https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/03 This example demonstrates a Content Security Policy (CSP) that restricts frame ancestors and script sources. It should be combined with other countermeasures for broader compatibility. ```http HTTP/1.1 200 OK Content-Security-Policy: frame-ancestors https://ext.example.org:8000 Content-Security-Policy: script-src 'self' X-Frame-Options: ALLOW-FROM https://ext.example.org:8000 ... ``` -------------------------------- ### Content Security Policy Example Source: https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/10 This example demonstrates a Content Security Policy (CSP) configuration to protect against clickjacking by restricting frame ancestors and script sources. It should be combined with other measures for broader compatibility. ```http HTTP/1.1 200 OK Content-Security-Policy: frame-ancestors https://ext.example.org:8000 Content-Security-Policy: script-src 'self' X-Frame-Options: ALLOW-FROM https://ext.example.org:8000 ``` -------------------------------- ### Accessing Protected Resource with Bearer Token Source: https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/06 Example HTTP GET request to access a protected resource using a Bearer token in the Authorization header. The client must understand the token type. ```http GET /resource/1 HTTP/1.1 Host: example.com Authorization: Bearer mF_9.B5f-4.1JqM ``` -------------------------------- ### CSP and X-Frame-Options for Clickjacking Protection Source: https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/07 This example demonstrates a Content Security Policy (CSP) and X-Frame-Options header configuration to protect against clickjacking attacks by restricting where the page can be framed. It is recommended to combine this with other countermeasures if legacy user agents are not explicitly unsupported. ```http HTTP/1.1 200 OK Content-Security-Policy: frame-ancestors https://ext.example.org:8000 Content-Security-Policy: script-src 'self' X-Frame-Options: ALLOW-FROM https://ext.example.org:8000 ```