OAuth 2.0 - Obtaining End-User Authorization


The authorization response carries the authorization code, which the client application uses to obtain an access token for the resource owner's resources. The authorization server issues the access token once it accepts the client ID, client password and authorization code sent by the client application.

The authorization server issues the authorization code and returns it to the client application using the following parameters −

  • Code − It is a required parameter that carries the authorization code produced by the authorization server. The authorization code has a maximum lifetime of 10 minutes and cannot be used more than once. If the client application uses the authorization code more than once, the authorization server rejects the request and cancels all tokens previously issued based on that authorization code.

  • State − It is a required parameter, if the authorization code is available in the authorization request.

The authorization server provides authorization code and grants access to the client application by using the following format −


It is the default MIME (Multipurpose Internet Mail Extensions) type of your request, which must be encoded in such a way that control names and values are escaped, space characters are replaced by the '+' sign, name/value pairs are separated from each other by '&', etc.
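The code rules and the encoding described above, as an added example that is not part of the original page: a small in-memory model of an authorization server that issues a code in the redirect query string, redeems it once within 10 minutes, and cancels earlier tokens when the code is replayed. The class, function and URL names are hypothetical, and client authentication (client password) is left out to keep the focus on the code lifecycle.

```python
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs

CODE_TTL = 600  # seconds; the 10-minute maximum lifetime stated above

class AuthCodeStore:
    """In-memory model of an authorization server's code handling (hypothetical)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.codes = {}       # code -> client_id, expiry, used flag, issued tokens
        self.revoked = set()  # access tokens cancelled after a replayed code

    def authorization_response(self, client_id, redirect_uri, state=None):
        """Issue a code and return the redirect URI carrying code (and state)."""
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "used": False, "tokens": [],
                            "expires": self.clock() + CODE_TTL}
        params = {"code": code}
        if state is not None:
            params["state"] = state  # echoed back unchanged
        # urlencode() escapes values, turns spaces into '+', joins pairs with '&'.
        # Assumes redirect_uri has no query string of its own.
        return redirect_uri + "?" + urlencode(params)

    def redeem(self, client_id, code):
        """Exchange a code for an access token, or return None when rejected."""
        entry = self.codes.get(code)
        if entry is None or entry["client_id"] != client_id:
            return None
        if entry["used"]:
            # Replay: reject and cancel every token issued from this code.
            self.revoked.update(entry["tokens"])
            return None
        if self.clock() > entry["expires"]:
            return None
        entry["used"] = True
        token = secrets.token_urlsafe(32)
        entry["tokens"].append(token)
        return token

def parse_authorization_response(url, expected_state):
    """Client side: decode the query string and check state before using the code."""
    query = parse_qs(urlsplit(url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    return query["code"][0]
```

Passing a fake `clock` callable makes the expiry path testable without waiting; a real server would also persist the codes and authenticate the client before redeeming.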