---
title: /oauth2/authorize
description: The /oauth2/authorize endpoint is the OAuth 2.0 authorization endpoint defined in RFC 6749.
component: pingam
version: 8.1
page_id: pingam:am-oauth2:oauth2-authorize-endpoint
canonical_url: https://docs.pingidentity.com/pingam/8.1/am-oauth2/oauth2-authorize-endpoint.html
keywords: ["OAuth 2.0", "Endpoints", "Authorization", "REST API"]
page_aliases: ["oauth2-guide:oauth2-authorize-endpoint.adoc"]
section_ids:
  request_parameters: Request parameters
  responses: Responses
---

# /oauth2/authorize

The `/oauth2/authorize` endpoint is the OAuth 2.0 authorization endpoint defined in [RFC 6749](https://www.rfc-editor.org/info/rfc6749).

Use this endpoint to gather consent and authorization from the resource owner for the following flows:

* Authorization code grant ([OAuth 2.0 and OIDC](oauth2-authz-grant.html))

* Authorization code grant with PKCE ([OAuth 2.0 and OIDC](oauth2-authz-grant-pkce.html))

* Authorization code grant with PAR ([OAuth 2.0](oauth2-authz-grant-par.html))

* Implicit grant ([OAuth 2.0 and OIDC](oauth2-implicit-grant.html))

Specify the realm in the request URL; for example:

```none
https://am.example.com:8443/am/oauth2/realms/root/realms/alpha/authorize
```

## Request parameters

The authorization endpoint supports the following parameters:

| Parameter               | Description                                                                                                                                                         | Required                                                                                             |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
| `acr_values`            | The OpenID Connect authentication context class reference values.                                                                                                   | Yes, if [required by the OpenID Connect provider](../am-oidc1/oidc-authentication-requirements.html) |
| `authorization_details` | Additional fine-grained authorization requirements, as specified in [RFC 9396: OAuth 2.0 Rich Authorization Requests](https://www.rfc-editor.org/rfc/rfc9396.html). | No. Accepted only if [remote consent](oauth2-remote-consent.html) is configured.                     |
| `claims`                | The user attributes to be returned in the ID token.                                                                                                                 | No                                                                                                   |
| `client_id`             | Uniquely identifies the application making the request.                                                                                                             | Yes                                                                                                  |
| `code_challenge`        | The code verifier generated for the PKCE flow.                                                                                                                      | Yes, for the [Authorization code grant with PKCE](oauth2-authz-grant-pkce.html) flow                 |
| `code_challenge_method` | The method to derive the code challenge.                                                                                                                            | Yes, when the `code_challenge` is hashed (recommended)                                               |
| `csrf`                  | The SSO token string linking the request to the user session to protect against Cross-Site Request Forgery attacks.                                                 | Yes, when gathering consent without a remote consent service                                         |
| `decision`              | Specifies whether the resource owner consents to the requested access.                                                                                              | Yes, when gathering consent unless consent is already saved for the scope                            |
| `id_token_hint`         | Previously issued ID token passed as a hint about the end user's session with the client.                                                                           | No                                                                                                   |
| `login_hint`            | String value that can be set to the ID the user uses to log in.                                                                                                     | No                                                                                                   |
| `nonce`                 | String value that associates the client session with the ID token.                                                                                                  | Yes, for the [Implicit grant](oauth2-implicit-grant.html) flow for OIDC                              |
| `prompt`                | Specifies whether to prompt the end user for authentication and consent.                                                                                            | No                                                                                                   |
| `redirect_uri`          | The URI to return the resource owner to after authorization is complete.                                                                                            | No                                                                                                   |
| `response_mode`         | Specifies the mechanism for returning response parameters.                                                                                                          | No                                                                                                   |
| `response_type`         | The type of response expected from the authorization server.                                                                                                        | Yes                                                                                                  |
| `request`               | The JWT request object.                                                                                                                                             | Yes, for JAR request and OIDC flows requiring a request object and providing no `request_uri`        |
| `request_uri`           | For PAR or OIDC flows, a reference to JWT request object(s).                                                                                                        | Yes, for JAR request and OIDC flows requiring a request object and providing no `request`            |
| `save_consent`          | Specifies whether to store a resource owner's consented scopes.                                                                                                     | No                                                                                                   |
| `scope`                 | The scopes linked to the permissions requested by the client from the resource owner.                                                                               | No                                                                                                   |
| `service`               | The authentication journey to use when authenticating the resource owner.                                                                                           | No                                                                                                   |
| `state`                 | The value to maintain state between the request and the callback.                                                                                                   | No, but strongly recommended                                                                         |
| `ui_locales`            | The end user's preferred languages for the user interface.                                                                                                          | No                                                                                                   |
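As an added example (not part of the Ping Identity documentation), the following Python builds an authorization code with PKCE request against the realm-qualified endpoint shown above, using the parameters from the table (`client_id`, `response_type`, `redirect_uri`, `scope`, `state`, `nonce`, `code_challenge`, `code_challenge_method`), and validates the `state` on the `302 Found` callback before trusting the returned `code`. The base URL, realm path, client ID and redirect URI are assumed values for illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed deployment values (constructed for this example, not a real tenant).
AM_BASE = "https://am.example.com:8443/am"
REALM_PATH = "/oauth2/realms/root/realms/alpha"


def new_code_verifier(nbytes: int = 32) -> str:
    """High-entropy code_verifier (RFC 7636): 32 random bytes -> 43 unreserved chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA-256(code_verifier)) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(client_id, redirect_uri, scope, state, nonce, verifier):
    """Authorization code + PKCE request; only the S256-derived challenge leaves the client."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                      # bound to the browser session, checked on return
        "nonce": nonce,                      # later compared against the ID token's nonce claim
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AM_BASE}{REALM_PATH}/authorize?{urlencode(params)}"


def extract_code(callback_url: str, expected_state: str) -> str:
    """Validate the 302 redirect target: reject the code unless state matches."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]
```

The verifier is kept client-side and sent only to the token endpoint; the `state` check is what makes the `302 Found` callback safe to act on.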

## Responses

| HTTP status        | Description                                                                                                                                                                                                                                                                                                                                                                    |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `302 Found`        | Success. AM redirects the resource owner's browser to the `redirect_uri`, appending the authorization code (or token, for the implicit grant) and any `state` value as query parameters.                                                                                                                                                                                       |
| `400 Bad Request`  | The request is malformed. For example, a required parameter is missing or an unsupported value is supplied.                                                                                                                                                                                                                                                                    |
| `401 Unauthorized` | AM could not authenticate the resource owner or the client. When an error occurs at the authorization endpoint, AM returns 401 rather than redirecting to the client's `redirect_uri` with an error parameter as described in RFC 6749. This behavior is intentional and provides additional security by not disclosing error details to potentially unvalidated redirect URIs. |
