Authn.tech
Home
  • SAML 2.0
  • OAuth 2.0
  • OIDC
  • WebAuthn / Passkey
  • MFA / TOTP
  • LDAP
  • All Tools
  • JWT Decode
  • JWT Sign
  • JWK Gen
  • JWK → PEM
  • PEM → JWK
  • PKCE Gen
  • OIDC Discovery
  • TOTP
  • WebAuthn
  • SAML Codec
  • SAML Metadata
  • SAML Response
  • X.509 Cert
  • PEM Inspect
  • Base64URL
  • LDAP Filter
  • Overview & Roles
  • OIDC Mock
  • SAML Mock
  • Mail Server
  • LDAP Directory
  • OIDC Login Demo
  • SAML Login Demo
  • 简体中文
  • English
  • Deutsch
GitHub
Home
  • SAML 2.0
  • OAuth 2.0
  • OIDC
  • WebAuthn / Passkey
  • MFA / TOTP
  • LDAP
  • All Tools
  • JWT Decode
  • JWT Sign
  • JWK Gen
  • JWK → PEM
  • PEM → JWK
  • PKCE Gen
  • OIDC Discovery
  • TOTP
  • WebAuthn
  • SAML Codec
  • SAML Metadata
  • SAML Response
  • X.509 Cert
  • PEM Inspect
  • Base64URL
  • LDAP Filter
  • Overview & Roles
  • OIDC Mock
  • SAML Mock
  • Mail Server
  • LDAP Directory
  • OIDC Login Demo
  • SAML Login Demo
  • 简体中文
  • English
  • Deutsch
GitHub
  • OAuth 2.0

    • OAuth 2.0 Overview
    • Core Concepts
    • Typical Flows
    • Typical Parameters and Response Reference

Typical Parameters and Response Reference

This page is a quick reference guide, consolidating request parameters, response fields, and error codes for each endpoint. For flow context see Typical Flows, for concept explanations see Core Concepts.

Authorization Endpoint Request Parameters

GET /authorize, parameters placed in query string (values need URL encoding):

ParameterRequiredDescription
response_typeRequiredFor authorization code flow, fixed to code (token is Implicit, deprecated)
client_idRequiredClient identifier obtained at registration
redirect_uriConditionally requiredCallback address, must match registered value character-for-character exactly; required if multiple URIs registered
scopeRecommendedSpace-delimited permission range list (URL encoded space is %20 or +)
stateRecommended (should be treated as required in practice)Cryptographically random value, returned unchanged in callback, client must verify, prevents CSRF
code_challengeRecommended (required in OAuth 2.1)PKCE challenge value: BASE64URL(SHA256(code_verifier))
code_challenge_methodRecommendedAlways use S256; plain only for legacy compatibility, avoid

Authorization success callback: {redirect_uri}?code={authorization_code}&state={original_state}.

Token Endpoint Request Parameters

POST /token, Content-Type: application/x-www-form-urlencoded. Confidential Clients require client authentication (e.g., Authorization: Basic ...); Public Clients include client_id in the body.

grant_type=authorization_code

ParameterRequiredDescription
grant_typeRequiredauthorization_code
codeRequiredAuthorization code returned from authorization endpoint, one-time use only
redirect_uriConditionally requiredIf included in authorization request, must be included and value must match exactly
code_verifierRequired for PKCEOriginal random string used to generate challenge (43–128 characters)
client_idRequired for Public ClientIdentifies client when no client authentication

grant_type=refresh_token

ParameterRequiredDescription
grant_typeRequiredrefresh_token
refresh_tokenRequiredPreviously issued Refresh Token
scopeOptionalCan only reduce, cannot exceed original authorization scope

grant_type=client_credentials

ParameterRequiredDescription
grant_typeRequiredclient_credentials
scopeOptionalPermission range requested

(Must use client authentication, limited to Confidential Clients only.)

grant_type=urn:ietf:params:oauth:grant-type:device_code

ParameterRequiredDescription
grant_typeRequiredurn:ietf:params:oauth:grant-type:device_code
device_codeRequireddevice_code returned from device authorization endpoint
client_idRequired for Public ClientClient identifier

Token Success Response Fields

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
  "scope": "calendar.read profile"
}
FieldRequiredDescription
access_tokenRequiredAccess token; client should treat as opaque string
token_typeRequiredUsually Bearer; case-insensitive (may return bearer), be careful when comparing
expires_inRecommendedValidity period in seconds; client should treat as expired early (e.g., 30 seconds), not wait for 401
refresh_tokenOptionalRefresh token; not issued in Client Credentials mode; returns new value on each refresh when rotation enabled
scopeConditionally requiredMust be returned if actual granted scope differs from request; client should use this as the source of truth

Response must include Cache-Control: no-store to prevent token caching.

Error Responses

Token Endpoint Errors (RFC 6749 §5.2)

HTTP status usually 400 (client authentication failure is 401), JSON body:

HTTP/1.1 400 Bad Request
Content-Type: application/json
Cache-Control: no-store

{
  "error": "invalid_grant",
  "error_description": "Authorization code is expired or already used"
}
Error CodeMeaningCommon Triggers
invalid_requestRequest missing parameters, duplicate parameters, or format errorMissing grant_type; body not form-encoded but JSON
invalid_clientClient authentication failure (HTTP 401)client_secret incorrect/rotated; authentication method doesn't match registration
invalid_grantAuthorization credential invalidAuthorization code expired/used; redirect_uri mismatch; Refresh Token revoked or rotated; PKCE verifier validation failed
unauthorized_clientThis client not allowed to use this grant_typeClient registration didn't enable the corresponding grant type
unsupported_grant_typeAS doesn't support this grant_typeSpelling error; AS hasn't enabled Device Flow etc.
invalid_scopescope invalid, unknown, or out of rangeRequested non-existent scope; refresh tried to escalate

error_description (human-readable explanation) and error_uri (documentation link) are optional fields; don't rely on their content in code logic.

Authorization Endpoint Errors (RFC 6749 §4.1.2.1)

Errors returned via redirect back to redirect_uri: {redirect_uri}?error=access_denied&state=.... (However, if client_id or redirect_uri itself is invalid, the AS must not redirect, and display error page to user directly.)

Error CodeMeaning
invalid_requestRequest parameters missing or invalid
unauthorized_clientClient not allowed to use this response_type
access_deniedUser or AS denied authorization (user clicked "deny")
unsupported_response_typeUnsupported response_type
invalid_scopeRequested scope invalid
server_errorAS internal error (equivalent 500, but delivered via redirect)
temporarily_unavailableAS temporarily overloaded or under maintenance (equivalent 503)

Device Flow Polling-specific Errors (RFC 8628)

Error CodeMeaningClient Action
authorization_pendingUser hasn't completed authorizationContinue polling at interval
slow_downPolling too fastIncrease interval by 5 seconds before continuing
expired_tokendevice_code expiredInitiate device authorization request again
access_deniedUser denied authorizationTerminate flow, prompt user

grant_type Overview

grant_type ValueNameStatusScenario
authorization_codeAuthorization Code FlowRecommended (must use PKCE)All scenarios involving users
client_credentialsClient Credentials FlowRecommendedM2M, service calls
refresh_tokenRefresh TokenRecommendedToken refresh
urn:ietf:params:oauth:grant-type:device_codeDevice AuthorizationRecommended (when applicable)Input-constrained devices
urn:ietf:params:oauth:grant-type:jwt-bearerJWT Bearer (RFC 7523)Specific scenariosFederated identity, service account impersonation
urn:ietf:params:oauth:grant-type:token-exchangeToken Exchange (RFC 8693)Specific scenariosMicroservice token delegation/downscoping
passwordPassword FlowDeprecatedUse Authorization Code + PKCE
(response_type=token)Implicit (not grant_type, authorization endpoint issues token directly)DeprecatedUse Authorization Code + PKCE

Three Ways to Carry Bearer Token (RFC 6750)

MethodExampleEvaluation
Authorization request headerAuthorization: Bearer 2YotnFZFEjr1zCsicMWpAAOnly recommended. Not in logs/history, supports any HTTP method
Form body parameteraccess_token=2Yotn... (in form-encoded body)Not recommended. Only for legacy scenarios unable to set headers
URL query parameterGET /api?access_token=2Yotn...Prohibited. Token ends up in access logs, browser history, Referer header; RFC 6750 itself discourages it; RFC 9700 explicitly prohibits

When RS rejects a request, it should return WWW-Authenticate header:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="api", error="invalid_token", error_description="The access token expired"
RS Error CodeHTTP StatusMeaning
invalid_request400Request format error (e.g., token in two places)
invalid_token401Token expired, revoked, or invalid → client should refresh or re-authorize
insufficient_scope403Token valid but scope insufficient

Troubleshooting Quick Reference

SymptomMost Likely Cause
Authorization endpoint shows error page directly, no redirect backclient_id doesn't exist, or redirect_uri doesn't match registered value (check protocol, port, trailing slash, case)
Callback returns error=access_deniedUser denied authorization; or AS policy denied (user lacks permission, client disabled)
Token exchange fails with invalid_grantAuthorization code already used (callback triggered twice?) or expired; redirect_uri doesn't match authorization request; PKCE verifier doesn't match challenge
Token exchange fails with invalid_client (401)secret incorrect or rotated; using client_secret_post but AS only accepts Basic (or vice versa); Basic header didn't URL-encode id/secret
Error: invalid_requestBody used JSON instead of application/x-www-form-urlencoded; parameter passed multiple times
Refresh fails with invalid_grantRefresh Token expired/revoked; rotation scenario with old token (concurrent refresh not locked); user changed password triggering global revocation
RS returns 401 invalid_tokenAccess Token expired → perform refresh; clock skew causing JWT nbf/exp validation to fail; RS configured issuer/audience mismatch
RS returns 403 insufficient_scopeDidn't request that scope during authorization, or user didn't approve; check actual scope field in token response
Device Flow constantly authorization_pendingUser hasn't completed authorization; verify displayed verification_uri and user_code are correct
Intermittent success/failureMulti-instance AS deployment has asynchronous session/storage; load balancer redirected to different environment; client clock skew

Related Pages

  • OAuth 2.0 Overview
  • Core Concepts
  • Typical Flows
Last updated: 7/6/26, 7:49 AM
Contributors: linux, Claude Opus 4.8
Prev
Typical Flows