---
title: /oauth2/authorize
description: The /oauth2/authorize endpoint is the OAuth 2.0 authorization endpoint defined in RFC 6749.
component: pingoneaic
page_id: pingoneaic:am-oauth2:oauth2-authorize-endpoint
canonical_url: https://docs.pingidentity.com/pingoneaic/am-oauth2/oauth2-authorize-endpoint.html
keywords: ["OAuth 2.0", "Endpoints", "Authorization", "REST API"]
page_aliases: ["oauth2-guide:oauth2-authorize-endpoint.adoc"]
section_ids:
  request_parameters: Request parameters
  responses: Responses
---

# /oauth2/authorize

The `/oauth2/authorize` endpoint is the OAuth 2.0 authorization endpoint defined in [RFC 6749](https://www.rfc-editor.org/info/rfc6749).

Use this endpoint to gather consent and authorization from the resource owner for the following flows:

* Authorization code grant ([OAuth 2.0 and OIDC](oauth2-authz-grant.html))

* Authorization code grant with PKCE ([OAuth 2.0 and OIDC](oauth2-authz-grant-pkce.html))

* Authorization code grant with PAR ([OAuth 2.0](oauth2-authz-grant-par.html))

* Implicit grant ([OAuth 2.0 and OIDC](oauth2-implicit-grant.html))

Specify the realm in the request URL; for example:

```none
https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/authorize
```

## Request parameters

The authorization endpoint supports the following parameters:

| Parameter               | Description                                                                                                                                                         | Required                                                                                             |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------- |
| `acr_values`            | The OpenID Connect authentication context class reference values.                                                                                                   | Yes, if [required by the OpenID Connect provider](../am-oidc1/oidc-authentication-requirements.html) |
| `authorization_details` | Additional fine-grained authorization requirements, as specified in [RFC 9396: OAuth 2.0 Rich Authorization Requests](https://www.rfc-editor.org/rfc/rfc9396.html). | No. Accepted only if [remote consent](oauth2-remote-consent.html) is configured.                     |
| `claims`                | The user attributes to be returned in the ID token.                                                                                                                 | No                                                                                                   |
| `client_id`             | Uniquely identifies the application making the request.                                                                                                             | Yes                                                                                                  |
| `code_challenge`        | The code verifier generated for the PKCE flow.                                                                                                                      | Yes, for the [Authorization code grant with PKCE](oauth2-authz-grant-pkce.html) flow                 |
| `code_challenge_method` | The method to derive the code challenge.                                                                                                                            | Yes, when the `code_challenge` is hashed (recommended)                                               |
| `csrf`                  | The SSO token string linking the request to the user session to protect against Cross-Site Request Forgery attacks.                                                 | Yes, when gathering consent without a remote consent service                                         |
| `decision`              | Specifies whether the resource owner consents to the requested access.                                                                                              | Yes, when gathering consent unless consent is already saved for the scope                            |
| `id_token_hint`         | Previously issued ID token passed as a hint about the end user's session with the client.                                                                           | No                                                                                                   |
| `login_hint`            | String value that can be set to the ID the user uses to log in.                                                                                                     | No                                                                                                   |
| `nonce`                 | String value that associates the client session with the ID token.                                                                                                  | Yes, for the [Implicit grant](oauth2-implicit-grant.html) flow for OIDC                              |
| `prompt`                | Specifies whether to prompt the end user for authentication and consent.                                                                                            | No                                                                                                   |
| `redirect_uri`          | The URI to return the resource owner to after authorization is complete.                                                                                            | No                                                                                                   |
| `response_mode`         | Specifies the mechanism for returning response parameters.                                                                                                          | No                                                                                                   |
| `response_type`         | The type of response expected from the authorization server.                                                                                                        | Yes                                                                                                  |
| `request`               | The JWT request object.                                                                                                                                             | Yes, for JAR request and OIDC flows requiring a request object and providing no `request_uri`        |
| `request_uri`           | For PAR or OIDC flows, a reference to JWT request object(s).                                                                                                        | Yes, for JAR request and OIDC flows requiring a request object and providing no `request`            |
| `save_consent`          | Specifies whether to store a resource owner's consented scopes.                                                                                                     | No                                                                                                   |
| `scope`                 | The scopes linked to the permissions requested by the client from the resource owner.                                                                               | No                                                                                                   |
| `service`               | The authentication journey to use when authenticating the resource owner.                                                                                           | No                                                                                                   |
| `state`                 | The value to maintain state between the request and the callback.                                                                                                   | No, but strongly recommended                                                                         |
| `ui_locales`            | The end user's preferred languages for the user interface.                                                                                                          | No                                                                                                   |
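As an added example (not code from the Ping Identity documentation), the following Python builds a PKCE authorization request against the realm-scoped URL shown above and validates the `state` on the callback; the tenant host, client ID and redirect URI are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder; substitute your own <tenant-env-fqdn>.
TENANT = "tenant.example.com"


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for code_challenge_method=S256 (RFC 7636)."""
    if verifier is None:
        # 32 random bytes -> 43 unpadded base64url characters, inside the 43..128 range
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(realm, client_id, redirect_uri, scope, code_challenge, state, nonce):
    """Build the authorization request for a realm nested under the root realm."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "state": state,  # bound to the browser session so the callback can be checked
        "nonce": nonce,  # echoed in the ID token so it can be tied to this request
    }
    return f"https://{TENANT}/am/oauth2/realms/root/realms/{realm}/authorize?" + urlencode(params)


def check_callback(location, expected_state):
    """Validate the 302 Location the client lands on: state must match and a code must be present."""
    query = parse_qs(urlparse(location).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: reject the response")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url("alpha", "myClient", "https://app.example.com/cb",
                              "openid profile", challenge, state, nonce))
```

Keep the `code_verifier` and `state` server-side per session; the verifier is only sent later, to the token endpoint.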

## Responses

| HTTP status        | Description                                                                                                                                                                                                                                                                                                                                                                                                              |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `302 Found`        | Success. Advanced Identity Cloud redirects the resource owner's browser to the `redirect_uri`, appending the authorization code (or token, for the implicit grant) and any `state` value as query parameters.                                                                                                                                                                                                            |
| `400 Bad Request`  | The request is malformed. For example, a required parameter is missing or an unsupported value is supplied.                                                                                                                                                                                                                                                                                                              |
| `401 Unauthorized` | Advanced Identity Cloud could not authenticate the resource owner or the client. When an error occurs at the authorization endpoint, Advanced Identity Cloud returns 401 rather than redirecting to the client's `redirect_uri` with an error parameter as described in RFC 6749. This behavior is intentional and provides additional security by not disclosing error details to potentially unvalidated redirect URIs. |
