If the user approves the request, the authorization endpoint generates an
authorization code and builds the redirect back to the client.
The redirect is built by starting with the redirect_uri in the request, and
adding the following parameters to the query component of the redirect URL:
code: The authorization code generated by the authorization endpoint. The
code MUST expire shortly after it is issued to mitigate the risk of leaks, and MUST be valid for only one use.
A maximum lifetime of 10 minutes is recommended.
state: The state parameter MUST be set to the exact value that the client
set in the request.
iss: The issuer identifier for client validation. This is optional in
OAuth 2.0 servers, but required in IndieAuth servers. See also the
authorization_response_iss_parameter_supported parameter in
IndieAuth Server Metadata.
Builds the URL for the authorization callback.
If the user approves the request, the authorization endpoint generates an authorization code and builds the redirect back to the client.
The redirect is built by starting with the
redirect_uriin the request, and adding the following parameters to the query component of the redirect URL:code: The authorization code generated by the authorization endpoint. The code MUST expire shortly after it is issued to mitigate the risk of leaks, and MUST be valid for only one use. A maximum lifetime of 10 minutes is recommended.state: The state parameter MUST be set to the exact value that the client set in the request.iss: The issuer identifier for client validation. This is optional in OAuth 2.0 servers, but required in IndieAuth servers. See also theauthorization_response_iss_parameter_supportedparameter in IndieAuth Server Metadata.See