5. Authorization Request
The client constructs the authorization request URI by adding the following parameters to the query component of the authorization endpoint URI using the application/x-www-form-urlencoded format:
request
: REQUIRED unless request_uri is specified. The Request Object (Section 2.1) that holds authorization request parameters stated in Section 4 of [RFC6749] (OAuth 2.0). If this parameter is present in the authorization request, request_uri MUST NOT be present.
request_uri
: REQUIRED unless request is specified. The absolute URI, as defined by RFC 3986 [RFC3986], that is the Request Object URI (Section 2.2) referencing the authorization request parameters stated in Section 4 of [RFC6749] (OAuth 2.0). If this parameter is present in the authorization request, request MUST NOT be present.
client_id
: REQUIRED. OAuth 2.0 [RFC6749] client_id. The value MUST match the request or request_uri Request Object's (Section 2.1) client_id.
The client directs the resource owner to the constructed URI using an HTTP redirection response or by other means available to it via the user agent.
For example, the client directs the end user's user agent to make the following HTTPS request:
GET /authz?client_id=s6BhdRkqt3&request=eyJhbG..AlMGzw HTTP/1.1
Host: server.example.com
The value for the request parameter is abbreviated for brevity.
The Authorization Request Object MUST be one of the following:
(a) JWS signed
(b) JWS signed and JWE encrypted
The client MAY send the parameters included in the Request Object duplicated in the query parameters as well for backward compatibility, etc. However, the authorization server supporting this specification MUST only use the parameters included in the Request Object.
See 5.1. Passing a Request Object by Value and 5.2. Passing a Request Object by Reference.
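The following sketch shows how an authorization server might enforce the rules of this section when it receives the request. It is an added example, not part of the specification. It assumes case (a) only, with HS256 and a per-client shared key; JWE decryption is not handled, and the names effective_params, client_keys and fetch are hypothetical.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlsplit

class RequestError(ValueError):
    """The authorization request violates a rule of this section."""

def b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims, key):
    """Build a constructed sample Request Object (compact JWS, HS256)."""
    head = b64e(json.dumps({"alg": "HS256"}).encode())
    body = b64e(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(mac)}"

def verify_hs256(jws, key):
    """Return the claims only if the JWS is HS256-signed with key."""
    try:
        head, body, sig = jws.split(".")
        header, given = json.loads(b64d(head)), b64d(sig)
    except ValueError as exc:
        raise RequestError("malformed Request Object") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise RequestError("unexpected JWS algorithm")  # rejects alg=none
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, given):
        raise RequestError("Request Object signature invalid")
    return json.loads(b64d(body))  # parsed only after the signature checks out

def effective_params(uri, client_keys, fetch=None):
    """Return the only parameters the server may act on: the Request Object's."""
    q = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    if any(len(q.get(n, [])) > 1 for n in ("request", "request_uri", "client_id")):
        raise RequestError("repeated parameter")  # RFC 6749 forbids repeats
    if ("request" in q) == ("request_uri" in q):
        raise RequestError("exactly one of request / request_uri is required")
    if "client_id" not in q or q["client_id"][0] not in client_keys:
        raise RequestError("client_id missing or unknown")
    if "request_uri" in q and fetch is None:
        raise RequestError("request_uri is not supported")
    client_id = q["client_id"][0]
    jws = q["request"][0] if "request" in q else fetch(q["request_uri"][0])
    claims = verify_hs256(jws, client_keys[client_id])
    if not isinstance(claims, dict) or claims.get("client_id") != client_id:
        raise RequestError("client_id does not match the Request Object")
    return claims  # duplicated query parameters are deliberately ignored
```

A query such as client_id=s6BhdRkqt3&scope=admin&request=... therefore yields the scope carried inside the signed Request Object, never the unsigned scope=admin duplicate.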