OAuth 2.0 authorization code flow
The authorization code flow is the OAuth 2.0 grant in which the authorization server issues a short-lived, single-use authorization code to the client application. The client then exchanges this code at the token endpoint for tokens.
This flow suits confidential clients, such as server-side web applications that can keep a client secret. The user must approve access before the authorization server issues the code. Public clients that cannot keep a secret, such as single-page and mobile apps, must use Proof Key for Code Exchange (PKCE) with this flow; PKCE is also recommended for confidential clients, because it binds the code to the client that requested it.
How authorization code flow works
This flow involves the user, client application, authorization server, and resource server.
User access. User opens the client application.
Authorization request. Client application redirects the user's browser to the authorization server's /authorize endpoint. Besides response_type and client_id, a real request carries redirect_uri, scope, and a random state value, plus code_challenge and code_challenge_method=S256 when PKCE is used.
Sample request to the /authorize endpoint:
  curl --location \
    --get \
    --url "https://$TENANT_ID.$REGION_ID.connect.secureauth.com/$TENANT_ID/$WORKSPACE_ID/oauth2/authorize" \
    --data-urlencode "response_type=code" \
    --data-urlencode "client_id=$CLIENT_ID"
Consent display. Authorization server shows a consent form.
User consent. User approves access.
Authorization code issued. Server redirects the browser to the client application's registered redirect URI with the authorization code (and the state value it received) in the query string.
Token request. Client application sends the code to the /token endpoint, authenticating with its client ID and client secret, to get tokens. If redirect_uri was sent in the authorization request, the same value must be sent here; with PKCE, the request also carries the code_verifier.
Sample request to the /token endpoint:
  curl --request POST \
    --url "https://$TENANT_ID.$REGION_ID.connect.secureauth.com/$TENANT_ID/$WORKSPACE_ID/oauth2/token" \
    --data-raw "grant_type=authorization_code&code=$CODE&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET"
Token validation. Authorization server checks that the authorization code is valid, unexpired, and not yet used, that it was issued to the presented client ID, and that the client secret (and, with PKCE, the code_verifier) is correct.
Token issued. Authorization server returns the tokens.
API call. Client application uses the token to call the resource server.
Data returned. Resource server validates the token and sends the data.
Best practices
Redirection endpoints. Register the exact redirect URL for the client application before making requests. The authorization server redirects only to registered URLs, which keeps codes from being delivered to an attacker-controlled address.
Scope management. Request only the scopes the application needs, so a leaked or over-privileged token grants as little access as possible.
State parameter. Send a random, per-session state value with the authorization request and reject callbacks whose state does not match, so an attacker cannot inject a code into another user's session.
PKCE. Use a code_challenge and code_verifier even for confidential clients; an intercepted code then cannot be redeemed without the verifier held by the client that started the flow.
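The full flow described above, from building the /authorize request through checking the redirect and building the /token request, as an added Python example rather than SecureAuth's own code; it also applies the redirect URI, scope, state, and PKCE guidance from the best practices. The issuer URL, client credentials, redirect URI, and the callback URL it parses are placeholders constructed for this example, and the /oauth2/token path is assumed and should be confirmed against your workspace's metadata.

```python
"""Authorization code flow with state and PKCE: added example, not SecureAuth's own code.

Builds the /authorize request, checks the redirect that comes back, and builds the
/token request. The issuer URL, client credentials, redirect URI and the simulated
callback at the bottom are placeholders constructed for this example.
"""
import base64
import hashlib
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder issuer; replace tenant, region and workspace with your own values.
ISSUER = "https://example-tenant.us.connect.secureauth.com/example-tenant/example-workspace"
AUTHORIZE_URL = ISSUER + "/oauth2/authorize"
TOKEN_URL = ISSUER + "/oauth2/token"  # assumed path; confirm against your workspace's metadata


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair() -> tuple[str, str]:
    """Random 43-character verifier (32 bytes, base64url) and its S256 challenge."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def build_authorize_url(client_id: str, redirect_uri: str, scope: str,
                        state: str, code_challenge: str) -> str:
    """Authorization request: the URL the client redirects the user's browser to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,      # must match a registered redirect URI exactly
        "scope": scope,                    # request only what the app needs
        "state": state,                    # ties the callback to this browser session
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Authorization code issued: extract the code, rejecting errors and bad state."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(code: str, client_id: str, client_secret: str,
                        redirect_uri: str, code_verifier: str) -> dict[str, str]:
    """Token request: form body for POST /oauth2/token (client_secret_post authentication)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,      # required when it was sent on /authorize
        "code_verifier": code_verifier,    # server recomputes S256 and compares
    }


def post_token_request(form: dict[str, str]) -> dict:
    """Send the token request over the network (not exercised offline)."""
    req = urllib.request.Request(
        TOKEN_URL, data=urlencode(form).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    client_id, client_secret = "example-client", "example-secret"   # placeholders
    redirect_uri = "https://app.example.com/callback"                # placeholder
    state = secrets.token_urlsafe(16)
    verifier, challenge = new_pkce_pair()
    print(build_authorize_url(client_id, redirect_uri, "openid profile", state, challenge))

    # Constructed callback standing in for the server's redirect with the code.
    callback = f"{redirect_uri}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = parse_callback(callback, state)
    form = build_token_request(code, client_id, client_secret, redirect_uri, verifier)
    print(form)  # post_token_request(form) would complete the exchange against a live server
```

The state check runs before the code is used, and the code_verifier is only ever sent to the token endpoint over the back channel, so a code captured from the browser redirect cannot be redeemed by anyone who did not start the flow.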