/oauth/authorize
OAuth 2.0 authorization endpoint (POST method). After the user confirms authorization, returns a 302 redirect when redirect_uri is provided; otherwise returns the authorization code as JSON. Supports PKCE, PAR, and automatic consent saving. References: RFC 6749 §4.1.1-4.1.2.1 (Authorization Code Grant), RFC 7636 (PKCE), RFC 9126 (PAR).
Accepts an empty JSON object {}
| Status | Description | Schema |
|---|---|---|
| 200 | Authorization code (when no redirect_uri) | handler.authorizeCodeResponse |
| 302 | Redirect to callback URL with OAuth error (invalid_request/invalid_client/access_denied) | string |
| 400 | invalid_request_uri: PAR request invalid/expired/already used. Reference: RFC 9126. | dto.OAuthErrorResponse |
| 403 | access_denied: user_id does not match authenticated user | dto.OAuthErrorResponse |
| 500 | server_error: authorization server internal error. Reference: RFC 6749 §5.2. | dto.OAuthErrorResponse |
OAuth standard error response
| Field | Type | Required | Example | Constraints | Description |
|---|---|---|---|---|---|
| error | string | No | invalid_request | | Error code |
| error_description | string | No | Missing required parameter | | Error description |
| error_uri | string | No | https://docs.example.com/errors | | Error URI |
| state | string | No | state-123 | | Status |
| Field | Type | Required | Example | Constraints | Description |
|---|---|---|---|---|---|
| code | string | No | | | |
| state | string | No | | | |
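
A client-side check for the responses documented above, as an added example that is not part of the original API reference or the project's code: the hypothetical Go helper AuthorizeResult reads the code from either the 200 JSON body or the 302 redirect query, treats every documented error as a failure, and rejects a state that differs from the one the client sent. It assumes success redirects carry code and state as query parameters per RFC 6749 §4.1.2; the sample input is constructed.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// oauthBody covers both documented JSON shapes (code response, error response).
type oauthBody struct {
	Code  string `json:"code"`
	State string `json:"state"`
	Error string `json:"error"`
	Desc  string `json:"error_description"`
}

// AuthorizeResult (hypothetical helper) maps one endpoint response to a code or an error.
func AuthorizeResult(status int, location string, body []byte, wantState string) (string, error) {
	var r oauthBody
	if status == 302 { // parameters arrive in the redirect query
		u, err := url.Parse(location)
		if err != nil {
			return "", fmt.Errorf("bad Location header: %w", err)
		}
		q := u.Query()
		r = oauthBody{q.Get("code"), q.Get("state"), q.Get("error"), q.Get("error_description")}
	} else if err := json.Unmarshal(body, &r); err != nil { // 200/400/403/500 carry JSON
		return "", fmt.Errorf("status %d: unparseable body: %w", status, err)
	}
	if r.Error != "" || (status != 200 && status != 302) {
		return "", fmt.Errorf("status %d: oauth error %q: %s", status, r.Error, r.Desc)
	}
	// Accept a code only when the echoed state equals the one this client sent.
	if subtle.ConstantTimeCompare([]byte(r.State), []byte(wantState)) != 1 {
		return "", errors.New("state mismatch")
	}
	if r.Code == "" {
		return "", errors.New("missing authorization code")
	}
	return r.Code, nil
}

func main() {
	// Constructed sample response, not captured from a real server.
	fmt.Println(AuthorizeResult(200, "", []byte(`{"code":"abc","state":"s1"}`), "s1"))
}
```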