pub async fn authorize(
pool: Data<PgPool>,
__arg1: OAuthValidated<AuthorizeQuery>,
user: Option<AuthUser>,
app_conf: Data<ApplicationConfiguration>,
) -> ControllerResult<HttpResponse>
Handles the /authorize endpoint for OAuth 2.0 and OpenID Connect with PKCE support.
This endpoint:
- Validates the incoming authorization request parameters.
- Verifies the client, redirect URI, and requested scopes.
- Enforces PKCE requirements (code_challenge and code_challenge_method) for public clients or clients configured with require_pkce = true.
- If the user is logged in and has already granted the requested scopes, issues an authorization code and redirects back to the client.
- If the user is logged in but missing consent for some scopes, redirects them to the consent screen.
- If the user is not logged in, redirects them to the login page.
Note: DPoP (Demonstrating Proof-of-Possession) is not used at this endpoint. DPoP binding
occurs at the /token endpoint when exchanging authorization codes for access tokens.
Follows:
- RFC 6749 Section 3.1 — Authorization Endpoint (both GET with query parameters and POST with a form-encoded body are supported)
- RFC 7636 (PKCE) — Proof Key for Code Exchange
- OpenID Connect Core 1.0 Section 3
Examples
GET /api/v0/main-frontend/oauth/authorize?response_type=code&client_id=test-client-id&redirect_uri=http://localhost&scope=openid%20profile%20email&state=random123&nonce=secure_nonce_abc&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256 HTTP/1.1

POST /api/v0/main-frontend/oauth/authorize HTTP/1.1
Content-Type: application/x-www-form-urlencoded

response_type=code&client_id=test-client-id&redirect_uri=http://localhost&scope=openid%20profile%20email&state=random123&nonce=secure_nonce_abc&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256

Successful redirect:
HTTP/1.1 302 Found
Location: http://localhost?code=SplxlOBeZQQYbYS6WxSbIA&state=random123
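The checks and routing decisions listed in the description above, reduced to one function as an added illustration (not the project's own code): RegisteredClient, AuthorizeParams, decide and the choice to accept only the S256 challenge method are assumptions made here, not the project's types or policy.

```rust
use std::collections::HashSet;

// Hypothetical, simplified stand-ins for the project's client registration and
// its validated AuthorizeQuery (assumed shapes, not the project's own types).
pub struct RegisteredClient {
    pub id: &'static str,
    pub public: bool,       // public clients must always use PKCE
    pub require_pkce: bool, // confidential clients may opt in via require_pkce = true
    pub redirect_uris: &'static [&'static str],
    pub scopes: &'static [&'static str],
}

pub struct AuthorizeParams<'a> {
    pub response_type: &'a str,
    pub client_id: &'a str,
    pub redirect_uri: &'a str,
    pub scope: &'a str,
    pub code_challenge: Option<&'a str>,
    pub code_challenge_method: Option<&'a str>,
}

#[derive(Debug, PartialEq)]
pub enum Outcome { RedirectToLogin, RedirectToConsent(Vec<String>), IssueCode }

#[derive(Debug, PartialEq)]
pub enum AuthorizeError {
    UnsupportedResponseType, UnknownClient, InvalidRedirectUri,
    InvalidScope(String), PkceRequired, InvalidCodeChallenge,
}
use AuthorizeError::*;
use Outcome::*;

/// RFC 7636 section 4.2: an S256 challenge is base64url(SHA-256(verifier)), i.e. 43 unpadded URL-safe chars.
fn valid_s256_challenge(c: &str) -> bool {
    c.len() == 43 && c.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'_')
}

/// `granted`: scopes the logged-in user has already consented to, or None when nobody is logged in.
pub fn decide(q: &AuthorizeParams, clients: &[RegisteredClient], granted: Option<&HashSet<String>>)
    -> Result<Outcome, AuthorizeError> {
    if q.response_type != "code" { return Err(UnsupportedResponseType); }
    let client = clients.iter().find(|c| c.id == q.client_id).ok_or(UnknownClient)?;
    // Exact string comparison against registered URIs: no prefix, wildcard or host-only matching.
    if !client.redirect_uris.iter().any(|u| *u == q.redirect_uri) { return Err(InvalidRedirectUri); }
    let requested: Vec<&str> = q.scope.split(' ').filter(|s| !s.is_empty()).collect();
    if let Some(bad) = requested.iter().find(|s| !client.scopes.iter().any(|cs| cs == *s)) {
        return Err(InvalidScope(bad.to_string()));
    }
    // PKCE at /authorize is presence and shape only; the verifier itself is checked at /token.
    match (q.code_challenge, q.code_challenge_method) {
        (Some(c), Some("S256")) if valid_s256_challenge(c) => {}
        (Some(_), _) => return Err(InvalidCodeChallenge),
        (None, _) if client.public || client.require_pkce => return Err(PkceRequired),
        (None, _) => {}
    }
    let granted = match granted { Some(g) => g, None => return Ok(RedirectToLogin) };
    let missing: Vec<String> = requested.iter()
        .filter(|s| !granted.contains(**s)).map(|s| s.to_string()).collect();
    if missing.is_empty() { Ok(IssueCode) } else { Ok(RedirectToConsent(missing)) }
}
```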