To initiate the process, the client application will redirect the user to the authorization endpoint. This redirect will contain the applicable attributes URL encoded and included in the query string component of the URL.

Using the above parameters as an example, the application will redirect the user to the following URL:



This will initiate an authentication process using the browser (user agent). Once the user successfully completes the authorization request, they will be redirected with an authorization code to the redirect_uri value defined in the authorization request (if included) otherwise the user will be returned to the redirect_uri defined when the client was configured.

Note: For mobile scenarios, the redirect_uri may be a custom URL scheme that will cause the code to be returned to the native application.

Using the example above, a successful authorization request will result in the resource owner redirected to the following URL with the authorization code included as a code query string parameter:

  • If the authorization request also included a state value, this will also be included on this callback.
  • An error condition from the authentication / authorization process will be returned to this callback URI with error and error_description parameters.

The client will then extract the code value from the response and, optionally, verify that the state value matches the value provided in the authorization request