2.2. Successful Response
If the verification is successful, the server MUST generate a request URI and provide it in the response with a 201 HTTP status code. The following parameters are included as top-level members in the message body of the HTTP response using the application/json media type as defined by [RFC8259].
request_uri
: The request URI corresponding to the authorization request posted. This URI is a single-use reference to the respective request data in the subsequent authorization request. The way the authorization process obtains the authorization request data is at the discretion of the authorization server and is out of scope of this specification. There is no need to make the authorization request data available to other parties via this URI.
expires_in
: A JSON number that represents the lifetime of the request URI in seconds as a positive integer. The request URI lifetime is at the discretion of the authorization server but will typically be relatively short (e.g., between 5 and 600 seconds).
The format of the request_uri value is at the discretion of the authorization server, but it MUST contain some part generated using a cryptographically strong pseudorandom algorithm such that it is computationally infeasible to predict or guess a valid value (see Section 10.10 of [RFC6749] for specifics). The authorization server MAY construct the request_uri value using the form urn:ietf:params:oauth:request_uri:<reference-value> with <reference-value> as the random part of the URI that references the respective authorization request data.
The request_uri value MUST be bound to the client that posted the authorization request.
The following is an example of such a response:
HTTP/1.1 201 Created
Content-Type: application/json
Cache-Control: no-cache, no-store

{
 "request_uri":
   "urn:ietf:params:oauth:request_uri:6esc_11ACC5bwc014ltc14eY22c",
 "expires_in": 60
}
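One way an authorization server could meet the requirements above (unpredictable reference value, client binding, single use, short lifetime), shown as an added example that is not part of the specification. The class and method names, the in-memory dictionary, the 32-byte reference length and the injectable clock are assumptions made for illustration.

```python
import secrets
import time

URN_PREFIX = "urn:ietf:params:oauth:request_uri:"


class PushedRequestStore:
    """In-memory store of pushed authorization requests (hypothetical helper)."""

    def __init__(self, lifetime=60, clock=time.monotonic):
        self.lifetime = lifetime   # seconds, reported to the client as expires_in
        self.clock = clock         # injectable so expiry can be exercised in tests
        self._entries = {}         # reference-value -> (client_id, params, deadline)

    def issue(self, client_id, params):
        """Return the JSON members of the 201 response for a verified request."""
        # 32 bytes from the OS CSPRNG form the unguessable part of the URI
        # (length is an assumption; the specification does not fix one).
        reference = secrets.token_urlsafe(32)
        deadline = self.clock() + self.lifetime
        self._entries[reference] = (client_id, dict(params), deadline)
        return {"request_uri": URN_PREFIX + reference, "expires_in": self.lifetime}

    def redeem(self, client_id, request_uri):
        """Return the stored parameters once, or None if the URI is not acceptable."""
        if not request_uri.startswith(URN_PREFIX):
            return None
        reference = request_uri[len(URN_PREFIX):]
        entry = self._entries.get(reference)
        if entry is None:
            return None                    # unknown, or already consumed
        bound_client, params, deadline = entry
        if bound_client != client_id:
            return None                    # bound to a different client
        del self._entries[reference]       # single use: consume before returning
        if self.clock() >= deadline:
            return None                    # lifetime elapsed
        return params
```

A production server would keep the entries in shared storage with an atomic read-and-delete so that two concurrent authorization requests cannot both redeem the same URI.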