The Authorization Request

When a web application needs to authenticate a user, it must direct the browser to the URL of the authorization_endpoint, specified in the application metadata. This request is also referred to as the authorization request.

  • The request must include the scope openid in the scope parameter.
  • The response_type parameter must include code. It may also include id_token or token, to get an id_token or an access token in the authorization response.
  • The request must also include the nonce and the redirect_uri parameters.
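
The three rules above, as an added example that is not part of the original page: one function builds an authorization request with a fresh nonce, the other checks an outgoing request against the rules. The function names, the endpoint and client values are hypothetical; client_id is the standard OpenID Connect client identifier parameter, which this section does not list.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

def build_authorization_request(authorization_endpoint, client_id, redirect_uri,
                                response_type="code", extra_scopes=()):
    """Return (url, nonce). Keep the nonce in the user's session so it can be
    compared with the nonce claim of the ID token that comes back."""
    nonce = secrets.token_urlsafe(32)  # CSPRNG value, new for every request
    params = {
        "response_type": response_type,
        "scope": " ".join(("openid", *extra_scopes)),
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "nonce": nonce,
    }
    # The endpoint from the metadata may already carry a query string.
    sep = "&" if urlsplit(authorization_endpoint).query else "?"
    return authorization_endpoint + sep + urlencode(params), nonce

def check_authorization_request(url):
    """Return the list of rule violations found in url (empty list = OK)."""
    q = parse_qs(urlsplit(url).query)  # blank values are dropped
    problems = []
    # OAuth 2.0 forbids repeating a request parameter (RFC 6749, section 3.1).
    for name in sorted(k for k, v in q.items() if len(v) > 1):
        problems.append(f"{name} appears more than once")
    if "openid" not in q.get("scope", [""])[0].split():
        problems.append("scope must include openid")
    if "code" not in q.get("response_type", [""])[0].split():
        problems.append("response_type must include code")
    for required in ("nonce", "redirect_uri"):
        if not q.get(required, [""])[0]:
            problems.append(f"{required} is required")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    url, nonce = build_authorization_request(
        "https://idp.example/authorize", "client-123",
        "https://app.example/callback", response_type="code id_token")
    print(url)
    print("store in session:", nonce)
    print(check_authorization_request(url))
```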

The following is a sample request: