Check the user's website for a link with a rel value of "authorization_endpoint":
<link rel="authorization_endpoint" href="http://indieauth.example.org/">
Use the URL in the href as the authorization endpoint for processing.
TODO: MUST HTTP links be supported?
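The discovery step above, as an added Python example (not code from the original page): it parses the user's HTML with the standard-library HTMLParser, treats rel as the whitespace-separated token list it is (so rel="me authorization_endpoint" still matches), resolves a relative href against the profile URL, and only accepts http or https endpoints. The sample page and the profile URL https://user.example.com/ are constructed for the example; handling <a> as well as <link> elements is an assumption beyond what the page states.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class AuthEndpointFinder(HTMLParser):
    """Collect href values of <link>/<a> elements whose rel token list
    contains 'authorization_endpoint'."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("link", "a"):
            return
        attrs = dict(attrs)
        rel_tokens = (attrs.get("rel") or "").split()   # rel is a token list
        href = attrs.get("href")
        if "authorization_endpoint" in rel_tokens and href:
            self.hrefs.append(href)


def discover_authorization_endpoint(page_url, html):
    """Return the absolute authorization endpoint URL found in `html`, or None.

    `page_url` is the user's profile URL; relative hrefs resolve against it.
    Only http/https endpoints are accepted, so a stray javascript: or data:
    href never becomes an endpoint the client would talk to.
    """
    finder = AuthEndpointFinder()
    finder.feed(html)
    for href in finder.hrefs:
        endpoint = urljoin(page_url, href)
        if urlparse(endpoint).scheme in ("http", "https"):
            return endpoint
    return None


# Constructed sample profile page (not from the original); the
# indieauth.example.org URL is the example given on the page.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/style.css">
<link rel="authorization_endpoint" href="http://indieauth.example.org/">
</head><body>Hello</body></html>
"""

if __name__ == "__main__":
    print(discover_authorization_endpoint("https://user.example.com/", SAMPLE_HTML))
```

Returning the first acceptable match keeps the behaviour predictable when a page accidentally declares more than one endpoint; a stricter client could instead refuse ambiguous pages.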
Using an Authorization Service
You can use an existing authorization service such as indieauth.com if you don't want to build your own authorization service.
Creating an Authorization Endpoint
An authorization endpoint must be able both to generate authorization codes and to verify authorization codes.
The endpoint MUST return a header for all requests. It can be used to verify that the URL really is an endpoint.
Generating Authorization Codes
Verifying Authorization Codes
Why are auth codes verified with a POST instead of a GET?
If auth codes are sent in the query string of a GET request, they may leak into log files or the HTTP "Referer" header. The OAuth 2.0 working group therefore decided to use POST requests and the HTTP Authorization header for sending these sensitive tokens and auth codes.
No, the authorization code must not be used more than once. If the code is used more than once, the authorization server must deny the request. A maximum lifetime of 10 minutes is recommended for the authorization codes, although many implementations have a lifetime of 30-60 seconds.
No, but you can use the "state" parameter to encode or reference additional application-specific parameters. The state parameter will be passed around and was designed for this purpose as well as to prevent CSRF attacks.
Does the auth server have to support the state parameter?
Yes. The client uses the state parameter to maintain state between the request and the callback, so the auth server must pass it through unchanged. It is also used to prevent CSRF attacks.
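The rules described above for an authorization endpoint (generate unguessable codes, verify them on a POST, reject reuse, enforce the 10-minute lifetime) and for the client's use of the state parameter, carried through as one added Python example. This is not code from the original page or from indieauth.com; the in-memory code store, the field names in the POST body (code, client_id, redirect_uri) and the injectable clock are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlencode

CODE_LIFETIME_SECONDS = 600   # the 10-minute maximum the page recommends


@dataclass
class IssuedCode:
    me: str
    client_id: str
    redirect_uri: str
    issued_at: float
    used: bool = False


class AuthorizationEndpoint:
    """Minimal authorization endpoint: issues codes on the authorization
    request and verifies them on a POST from the client."""

    def __init__(self, now=time.time):
        self._codes = {}      # code -> IssuedCode (in-memory store, assumption)
        self._now = now       # injectable clock so expiry can be tested

    def issue_code(self, me, client_id, redirect_uri):
        # Unguessable, single-use code bound to the client and its redirect URI.
        code = secrets.token_urlsafe(32)
        self._codes[code] = IssuedCode(me, client_id, redirect_uri, self._now())
        return code

    def verify(self, form):
        """Handle the POST verification request; `form` is the parsed body.
        Returns the verified 'me' URL, or None on any failure."""
        entry = self._codes.get(form.get("code", ""))
        if entry is None or entry.used:
            return None                     # unknown or already redeemed
        entry.used = True                   # burn the code before any other check
        if self._now() - entry.issued_at > CODE_LIFETIME_SECONDS:
            return None                     # expired
        if (entry.client_id != form.get("client_id")
                or entry.redirect_uri != form.get("redirect_uri")):
            return None                     # code was issued to a different client
        return entry.me


class Client:
    """Client side: mints the state value, builds the request, checks the callback."""

    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.session = {}                   # stands in for the user's session

    def build_authorization_url(self, authorization_endpoint, me):
        # A random state stored in the session ties the callback to this request (CSRF defence).
        self.session["state"] = secrets.token_urlsafe(16)
        query = urlencode({"me": me, "client_id": self.client_id,
                           "redirect_uri": self.redirect_uri,
                           "state": self.session["state"]})
        return f"{authorization_endpoint}?{query}"

    def verification_form(self, callback_params):
        """Check the callback's state; return the POST body for verification or None."""
        expected = self.session.pop("state", None)     # one callback per request
        received = callback_params.get("state", "")
        if expected is None or not hmac.compare_digest(expected, received):
            return None
        return {"code": callback_params.get("code", ""),
                "client_id": self.client_id, "redirect_uri": self.redirect_uri}


def run_flow(endpoint, client, me="https://user.example.com/"):
    """Full exchange with constructed values; returns (first result, replay result)."""
    client.build_authorization_url("http://indieauth.example.org/", me)
    # The endpoint authenticates the user, issues a code and redirects back with state.
    code = endpoint.issue_code(me, client.client_id, client.redirect_uri)
    callback = {"code": code, "state": client.session["state"]}
    form = client.verification_form(callback)
    first = endpoint.verify(form)
    replay = endpoint.verify(form)          # same code a second time must fail
    return first, replay


if __name__ == "__main__":
    ep = AuthorizationEndpoint()
    cl = Client("https://app.example.net/", "https://app.example.net/callback")
    print(run_flow(ep, cl))
```

Marking the code used before the expiry and client checks means a code that fails verification for any reason can never be retried, which is the behaviour the single-use rule above calls for.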