What is an authorization request?
Depending on the context, the term “authorization request” can refer to different things. In this article, we will focus on the definition in the OAuth 2.0 specification.
In OAuth 2.0, there are several grant types (flows) that define how a Client can obtain authorization from a user to access protected resources.
Note: “Authorization requests” are often confused with “authentication requests” in the context of OpenID Connect (OIDC). See Authentication request for OIDC-specific details.
How does an authorization request work?
When a client (application) wants to access protected resources on behalf of a user, it initiates an authorization request to the Authorization server. The client should indicate the requested grant type along with the necessary parameters in the request.
Here are some typical grant types (flows) for end-user authorization in OAuth 2.0:
- Authorization code flow : The recommended flow for authorizing end-users. It is usually used with Proof Key for Code Exchange (PKCE) for better security and is suitable for most applications.
- Implicit flow : A simplified flow that is deprecated in OAuth 2.1 due to security concerns.
- Resource owner password credentials (ROPC) grant : A grant (flow) where the user’s credentials are exchanged directly for an access token. This flow is not recommended due to security risks.
There are also other extensions, such as the Device flow for devices with limited input capabilities. Each flow has its own characteristics and use cases. For most web applications, the authorization code flow is the recommended choice.
Machine-to-machine authorization is typically done using the Client credentials flow, which doesn’t involve user interaction.
For example, a client (application) may request authorization to access a user’s Google Drive files. Here’s a simplified sequence diagram of the authorization code flow:
Once the Access token is obtained, the client can use it to access the user’s Google Drive files on behalf of the user.
Key parameters in an authorization request
The OAuth 2.0 authorization request typically includes the following parameters:
`response_type`
: The type of response the client expects. Common values are `code` for the authorization code flow and `token` for the implicit flow.

`client_id`
: The client identifier issued by the authorization server.

`redirect_uri`
: The URI where the authorization server sends the user after the authorization process.

`scope`
: The requested scopes (permissions) for the access token.

`resource`
: An optional parameter that specifies the Resource indicator for the requested resources. The authorization server needs to support RFC 8707 to use this parameter.
The above parameters are non-exhaustive. The actual parameters and their values depend on the grant type and the specific requirements of the application.