### Example Authorization Request URI Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 This example demonstrates an HTTPS GET request for an authorization code, including the mandatory code_challenge and code_challenge_method parameters. Ensure redirect_uri is properly URL-encoded. ```http GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb &code_challenge=6fdkQaPm51l13DSukcAH3Mdx7_ntecHYd1vi3n0hMZY &code_challenge_method=S256 HTTP/1.1 Host: server.example.com ``` -------------------------------- ### Example Scope Values for WWW-Authenticate Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Illustrates two distinct examples of how the 'scope' attribute can be formatted within the WWW-Authenticate header, one for OpenID Connect and another for OATC. ```text scope="openid profile email" ``` ```text scope="urn:example:channel=HBO&urn:example:rating=G,PG-13" ``` -------------------------------- ### Token Endpoint Response Example Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Example of a successful JSON response from the token endpoint. Includes access token, token type, expiration, and an optional refresh token. ```json HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store { "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA", "example_parameter": "example_value" } ``` -------------------------------- ### URL-Encoded Form Data Example Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Example of how an octet sequence is represented in a content string using URL encoding. ```text +%25%26%2B%C2%A3%E2%82%AC ``` -------------------------------- ### Token Endpoint Request Example Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Example of an HTTPS request to the token endpoint for an authorization code grant. Ensure proper encoding for parameters like redirect_uri. ```http POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code &code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb &code_verifier=3641a2d12d66101249cdf7a79c000c1f8c05d2aafcf14bf146497bed ``` -------------------------------- ### Authorization Error Response Example Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 An example of an HTTP redirect response from the authorization server indicating that the request was denied. This is used when the resource owner denies access or the request fails for reasons other than an invalid redirect URI. ```http HTTP/1.1 302 Found Location: https://client.example.com/cb?error=access_denied &state=xyz&iss=https%3A%2F%2Fauthorization-server.example.com ``` -------------------------------- ### Encoded Octet Sequence Example Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Example of an octet sequence encoded using UTF-8 and HTML escaping rules for non-US-ASCII characters. ```text 20 25 26 2B C2 A3 E2 82 AC ``` -------------------------------- ### Refresh Token Grant Request Example Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Example HTTP request to the token endpoint using the refresh_token grant type. Ensure to use transport-layer security. ```http POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA ``` -------------------------------- ### Loopback Interface Redirect URI (IPv4) Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Example of a redirect URI using the IPv4 loopback interface for native apps. This format is recommended for desktop applications that can open ports on the loopback interface. ```text http://127.0.0.1:51004/oauth2redirect/example-provider ``` -------------------------------- ### Client Secret Basic Authentication Example Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 This method uses HTTP Basic authentication with the client ID as the username and the client secret as the password. Ensure proper URL encoding. ```http Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3 ``` -------------------------------- ### Example Claimed HTTPS Scheme URI for OAuth Redirect Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 This is an example of a redirect URI that a native app can claim to receive OAuth authorization responses. The authorization server treats this like a standard web client redirect URI, but the operating system ensures it is directed to the correct native application. ```plaintext https://app.example.com/oauth2redirect/example-provider ``` -------------------------------- ### Client Secret POST Authentication Example Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Use this method to send client credentials in the request body for token endpoint authentication. It avoids URL encoding issues. ```http POST /token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA &client_id=s6BhdRkqt3&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw ``` -------------------------------- ### Loopback Interface Redirect URI (IPv6) Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Example of a redirect URI using the IPv6 loopback interface for native apps. Clients should consider supporting both IPv4 and IPv6 loopback interfaces. ```text http://[::1]:61023/oauth2redirect/example-provider ``` -------------------------------- ### Content Security Policy for Clickjacking Prevention Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 This example demonstrates a Content Security Policy (CSP) and X-Frame-Options header configuration to prevent clickjacking attacks. It restricts framing to specific origins and controls script sources. ```http HTTP/1.1 200 OK Content-Security-Policy: frame-ancestors https://ext.example.org:8000 Content-Security-Policy: script-src 'self' X-Frame-Options: ALLOW-FROM https://ext.example.org:8000 ... ``` -------------------------------- ### Token Endpoint Error Response Example Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 An example of an HTTP 400 Bad Request response from the token endpoint, indicating an 'invalid_request' error. The response includes the 'error' parameter in JSON format. ```http HTTP/1.1 400 Bad Request Content-Type: application/json Cache-Control: no-store { "error": "invalid_request" } ``` -------------------------------- ### HTTP Response for Missing Authentication Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 When a request lacks any authentication information, the resource server should not include error codes or other error details. This example shows a basic unauthorized response. ```http HTTP/1.1 401 Unauthorized WWW-Authenticate: Bearer realm="example" ``` -------------------------------- ### Authorization Response Redirect Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Example of an HTTP response redirecting the user agent with authorization code and state parameters. The 'iss' parameter is optional for identifying the authorization server. ```http HTTP/1.1 302 Found Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA &state=xyz&iss=https%3A%2F%2Fauthorization-server.example.com ``` -------------------------------- ### Requesting Access Token with Device Authorization Grant Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Example of a client requesting an access token using the Device Authorization Grant by specifying the grant type as a URI and including necessary parameters. ```http POST /token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Adevice_code &device_code=GmRhmhcxhwEzkoEqiMEg_DnyEysNkuNhszIySk9eS &client_id=C409020731 ``` -------------------------------- ### Private-Use URI Scheme Redirect URI Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Example of a redirect URI utilizing a private-use URI scheme registered by a native app. This method is less secure and should only be used when other options are unavailable. ```text com.example.app:/oauth2redirect/example-provider ``` -------------------------------- ### Sending Bearer Token in Authorization Header Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Example of a client sending an access token using the Bearer scheme in the Authorization request header field. ```http GET /resource HTTP/1.1 Host: server.example.com Authorization: Bearer mF_9.B5f-4.1JqM ``` -------------------------------- ### Access Token in Form-Encoded Content Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Example of an HTTP POST request including the access token in the request content with the 'Content-Type' header set to 'application/x-www-form-urlencoded'. This method is used when the Authorization header is not accessible. ```http POST /resource HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded access_token=mF_9.B5f-4.1JqM ``` -------------------------------- ### Authorization Endpoint Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 The Authorization Endpoint is used to interact with the resource owner to obtain an authorization grant. It supports GET and optionally POST methods. ```APIDOC ## Authorization Endpoint ### Description Used to interact with the resource owner and obtain an authorization grant. The server must first authenticate the resource owner. The URL must not include a fragment component and may include a query string. ### Method HTTP `GET` (required), `POST` (optional) ### Endpoint Authorization endpoint URL (typically provided in service documentation or metadata document). ### Parameters Unrecognized request parameters are ignored. Parameters defined by the specification must not be included more than once. Parameters sent without a value are treated as omitted. ### Request Example (No specific request example provided in source) ### Response (No specific response details provided in source) ### Error Handling (No specific error handling details provided in source) ``` -------------------------------- ### OAuth 2.0 Refresh Token Flow Diagram Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 This diagram illustrates the sequence of interactions between a client, authorization server, and resource server when refreshing an access token. It shows the steps involved in obtaining and using authorization grants, access tokens, and refresh tokens. ```text +--------+ +---------------+ | |--(1)------- Authorization Grant --------->| | | | | | | |<-(2)----------- Access Token -------------| | | | & Refresh Token | | | | | | | | +----------+ | | | |--(3)---- Access Token ---->| | | | | | | | | | | |<-(4)- Protected Resource --| Resource | | Authorization | | Client | | Server | | Server | | |--(5)---- Access Token ---->| | | | | | | | | | | |<-(6)- Invalid Token Error -| | | | | | +----------+ | | | | | | | |--(7)----------- Refresh Token ----------->| | | | | | | |<-(8)----------- Access Token -------------| | +--------+ & Optional Refresh Token +---------------+ ``` -------------------------------- ### Case-Insensitive Bearer Scheme Usage Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Illustrates valid uses of the Authorization header with the Bearer scheme, demonstrating case-insensitivity. ```http Authorization: Bearer mF_9.B5f-4.1JqM ``` ```http Authorization: bearer mF_9.B5f-4.1JqM ``` ```http Authorization: BEARER mF_9.B5f-4.1JqM ``` ```http Authorization: bEaReR mF_9.B5f-4.1JqM ``` -------------------------------- ### Abstract OAuth 2.1 Protocol Flow Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 This diagram outlines the sequence of interactions between the client, resource owner, authorization server, and resource server in a typical OAuth 2.1 flow. ```text +--------+ +---------------+ | |--(1)- Authorization Request ->| Resource | | | | Owner | | |<-(2)-- Authorization Grant ---| | | | +---------------+ | | | | +---------------+ | |--(3)-- Authorization Grant -->| Authorization | | Client | | Server | | |<-(4)----- Access Token -------| | | | +---------------+ | | | | +---------------+ | |--(5)----- Access Token ------>| Resource | | | | Server | | |<-(6)--- Protected Resource ---| | +--------+ +---------------+ ``` -------------------------------- ### redirect_uri ABNF Syntax Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Defines the ABNF syntax for the redirect_uri element, which is a URI-reference. ```abnf redirect-uri = URI-reference ``` -------------------------------- ### ABNF for param-name Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Defines the syntax for endpoint parameter names, which is identical to the syntax for type names. ```abnf param-name = 1*name-char name-char = "-" / "." / "_" / DIGIT / ALPHA ``` -------------------------------- ### Endpoint Parameter Syntax Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Defines the ABNF syntax for new endpoint parameter names. ```abnf param-name = 1*name-char name-char = "-" / "." / "_" / DIGIT / ALPHA ``` -------------------------------- ### client_id ABNF Syntax Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Defines the ABNF syntax for the client_id element. ```abnf client-id = *VSCHAR ``` -------------------------------- ### Token Endpoint - Client Credentials Grant Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 This section describes the parameters supported by the token endpoint when using the client_credentials grant type. This grant is intended for confidential clients. ```APIDOC ## POST /token ### Description Requests an access token using the client credentials grant type. This is typically used by clients to access protected resources under their control. ### Method POST ### Endpoint /token ### Parameters #### Request Body - **grant_type** (string) - REQUIRED - Must be set to `client_credentials`. - **scope** (string) - OPTIONAL - The scope of the access request. ### Request Example ``` POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=client_credentials ``` ### Response #### Success Response (200) - **access_token** (string) - The access token issued by the authorization server. - **token_type** (string) - The type of the access token (e.g., Bearer). - **expires_in** (integer) - The lifetime in seconds of the access token. - **scope** (string) - The scope of the access token, if issued. ``` -------------------------------- ### Client Credentials Grant Token Request Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Client makes an HTTP POST request to the token endpoint with grant_type=client_credentials for accessing protected resources. ```http POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=client_credentials ``` -------------------------------- ### Token Endpoint - Authorization Code Grant Extension Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 This section describes the parameters supported by the token endpoint when using the authorization_code grant type. It includes the authorization code, code verifier, and client ID. ```APIDOC ## POST /token ### Description Requests an access token using the authorization code grant type. This endpoint supports additional parameters for enhanced security and validation. ### Method POST ### Endpoint /token ### Parameters #### Request Body - **grant_type** (string) - REQUIRED - Must be set to `authorization_code`. - **code** (string) - REQUIRED - The authorization code received from the authorization server. - **code_verifier** (string) - REQUIRED, if `code_challenge` was included in the authorization request. The original code verifier string. - **client_id** (string) - REQUIRED, if the client is not authenticating with the authorization server. ### Request Example ``` POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code &code=SplxlOBeZQQYbYS6WxSbIA &code_verifier=3641a2d12d66101249cdf7a79c000c1f8c05d2aafcf14bf146497bed ``` ### Response #### Success Response (200) - **access_token** (string) - The access token issued by the authorization server. - **token_type** (string) - The type of the access token (e.g., Bearer). - **expires_in** (integer) - The lifetime in seconds of the access token. - **refresh_token** (string) - The refresh token, if issued. - **scope** (string) - The scope of the access token, if issued. ``` -------------------------------- ### code_challenge ABNF Syntax Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Defines the ABNF syntax for the code_challenge, specifying a length range and allowed characters. ```abnf code-challenge = 43*128unreserved unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" ALPHA = %x41-5A / %x61-7A DIGIT = %x30-39 ``` -------------------------------- ### Token Endpoint Response Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Upon a successful request, the authorization server returns an access token and optionally a refresh token in JSON format. ```APIDOC ## Token Response (200 OK) ### Description Returns an access token and optional refresh token upon successful authentication and authorization. ### Success Response (200) - **access_token** (string) - REQUIRED - The access token issued by the authorization server. - **token_type** (string) - REQUIRED - The type of the access token (e.g., `Bearer`). Case insensitive. - **expires_in** (number) - RECOMMENDED - The lifetime of the access token in seconds. - **scope** (string) - RECOMMENDED, if identical to the scope requested by the client; otherwise, REQUIRED - The scope of the access token. - **refresh_token** (string) - OPTIONAL - The refresh token, used to obtain new access tokens. ### Response Example ```json { "access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA" } ``` ``` -------------------------------- ### access_token ABNF Syntax Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Defines the ABNF syntax for the access_token element. ```abnf access-token = 1*VSCHAR ``` -------------------------------- ### Bearer Token Syntax Definition Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Defines the syntax for Bearer credentials, which includes the scheme name and the token itself. ```abnf token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"=" credentials = "bearer" 1*SP token68 ``` -------------------------------- ### state ABNF Syntax Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Defines the ABNF syntax for the state element. ```abnf state = 1*VSCHAR ``` -------------------------------- ### Scope Definition Syntax Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Defines the syntax for scope tokens and their space-delimited representation. This grammar is used to express the access range of an access token. ```abnf scope = scope-token * ( SP scope-token ) scope-token = 1*( %x21 / %x23-5B / %x5D-7E ) ``` -------------------------------- ### Code Challenge Transformations Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Specifies the transformations for generating a code challenge from a code verifier, including S256 and plain methods. ```plaintext S256 code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) plain code_challenge = code_verifier ``` -------------------------------- ### response_type ABNF Syntax Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Defines the ABNF syntax for the response_type element, which can consist of one or more response names. ```abnf response-type = response-name *( SP response-name ) response-name = 1*response-char response-char = "_" / DIGIT / ALPHA ``` -------------------------------- ### refresh_token ABNF Syntax Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Defines the ABNF syntax for the refresh_token element. ```abnf refresh-token = 1*VSCHAR ``` -------------------------------- ### error_uri ABNF Syntax Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Defines the ABNF syntax for the error_uri element, which is a URI-reference. ```abnf error-uri = URI-reference ``` -------------------------------- ### ABNF for type-name Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Defines the syntax for access token type names, allowing alphanumeric characters, hyphens, periods, and underscores. ```abnf type-name = 1*name-char name-char = "-" / "." / "_" / DIGIT / ALPHA ``` -------------------------------- ### client_secret ABNF Syntax Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Defines the ABNF syntax for the client_secret element. ```abnf client-secret = *VSCHAR ``` -------------------------------- ### code_verifier ABNF Syntax Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 Defines the ABNF syntax for the code_verifier, specifying a length range and allowed characters. ```abnf code-verifier = 43*128unreserved unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" ALPHA = %x41-5A / %x61-7A DIGIT = %x30-39 ``` -------------------------------- ### Token Endpoint Request Source: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-15 The client makes a request to the token endpoint using form-encoded parameters to obtain an access token. The required parameters depend on the grant type. ```APIDOC ## POST /token ### Description Requests an access token from the authorization server. This endpoint supports various grant types, each requiring specific parameters. ### Method POST ### Endpoint /token ### Parameters #### Form-Encoded Parameters - **grant_type** (string) - REQUIRED - Identifier of the grant type (e.g., `authorization_code`, `refresh_token`, `client_credentials`). - **client_id** (string) - OPTIONAL - The client identifier, needed for certain authentication methods or public clients. ### Request Example ``` POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=authorization_code &code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb &code_verifier=3641a2d12d66101249cdf7a79c000c1f8c05d2aafcf14bf146497bed ``` ```