An application uses OAuth to get access to several API resources on behalf of an end user.
What are two valid parameters to send to the authorization server as part of the first step of an authorization code grant flow? (Choose two.)
A. URI to which the authorization server will send the user-agent back when access is granted or denied
B. List of the API resources that the application is requesting to access
C. Secret generated by the authorization server during application registration
D. List of scopes that correspond to the API resources to which the application is requesting access
E. Name of the application under which the application registered as an OAuth integration
AC.
OAuth is a widely used standard protocol for secure authorization and access to resources in modern web and mobile applications. In the context of an OAuth authorization code grant flow, there are several steps involved, including the initial request for authorization from the user, the exchange of an authorization code for an access token, and the use of the access token to access protected resources.
When an application uses OAuth to access API resources on behalf of an end user, it must first obtain authorization from the user through the authorization code grant flow. In the first step of this flow, the application directs the user-agent (the user's browser) to the authorization server's authorization endpoint with certain parameters that initiate the authorization process. After the user grants access, the authorization server sends the user-agent back to the application with an authorization code, which the application then exchanges for an access token to the requested resources.
Two valid parameters that the application can send to the authorization server as part of the first step of an authorization code grant flow are:
URI to which the authorization server will send the user-agent back when access is granted or denied (Option A): this is the redirect_uri parameter of the authorization request. The application provides the URI to which the authorization server will send the user-agent back after the user grants or denies access. This URI must exactly match a URI that the application registered with the authorization server in advance; the authorization server should refuse a request whose redirect_uri does not match.
List of scopes that correspond to the API resources to which the application is requesting access (Option D): this is the scope parameter. It names the specific permissions the application is requesting for the user's resources; each scope represents one permission, such as read or write access to a particular resource. The application includes one or more scopes in its authorization request to state the level of access it needs, and the user is asked to consent to exactly those.
Option B (list of the API resources that the application is requesting to access) and Option E (name of the application under which the application registered as an OAuth integration) are not valid parameters of the first step of the authorization code grant flow: the resources being requested are expressed through the scope parameter, and the application's name is not part of the authorization request. Option C (secret generated by the authorization server during application registration) is not relevant to the initial authorization request either; the client secret is used later in the flow, when the application authenticates itself to exchange the authorization code for an access token, and it must never be placed in a request that passes through the user's browser.
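As an added example (not part of this question or its explanation), the following Python sketch builds the first-step authorization request with the two parameters discussed above and shows the authorization server's exact-match check of redirect_uri against the client's registration. The endpoint, client id and registered URI are hypothetical values constructed for the example.

```python
# Added example: step one of an OAuth 2.0 authorization code grant.
# Endpoint, client registration and scope names are constructed (hypothetical).
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"  # hypothetical

# Constructed registration record: what the client registered in advance.
REGISTERED_CLIENTS = {
    "my-app": {"redirect_uris": ["https://app.example.com/callback"]},
}


def build_authorization_url(client_id, redirect_uri, scopes, state=None):
    """Return the URL the application sends the user-agent to (step one).

    redirect_uri and scope are the two parameters the question asks about;
    response_type=code and client_id identify the grant type and the client;
    state ties the later callback to this request (CSRF protection).
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # space-delimited list per RFC 6749
        "state": state or secrets.token_urlsafe(16),
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def validate_authorization_request(url):
    """Authorization-server side: accept only requests whose redirect_uri
    exactly equals a URI registered for the client. Returns (ok, reason)."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    client = REGISTERED_CLIENTS.get(q.get("client_id"))
    if client is None:
        return False, "unknown client_id"
    if q.get("response_type") != "code":
        return False, "unsupported response_type"
    # Exact string comparison, not prefix or substring matching: a loosely
    # matched redirect_uri would send the code somewhere the client never registered.
    if q.get("redirect_uri") not in client["redirect_uris"]:
        return False, "redirect_uri does not match registered URI"
    if not q.get("scope"):
        return False, "scope missing"
    return True, "ok"
```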