
OAuth 2.0 Authorization Code Flow

The Authorization Code Flow is a secure OAuth 2.0 method where an authorization server issues a temporary authorization code to a client application. The client exchanges this code for tokens, such as:

This flow is designed for confidential clients, like web applications with secure backends for storing credentials. The user must consent to resource access before the authorization server issues the code. Single-page apps can only use this flow with PKCE.

How Authorization Code Flow works

The following diagram illustrates the key interactions between the user, client application, authorization server, and resource server during the OAuth 2.0 Authorization Code Flow.

[Diagram: Authorization Code Flow (Authorization_Code_Flow.svg)]

This sequence of steps provides a detailed breakdown of how the Authorization Code Flow operates based on the interactions shown in the diagram.

  1. User Access. User accesses the client application.

  2. Authorization Request. Client application sends an authorization request to the authorization server.

    Sample call to the authorize endpoint:

    curl --location \
    --get \
    --url "https://$TENANT_ID.$REGION_ID.authz.cloudentity.io/$TENANT_ID/$WORKSPACE_ID/oauth2/authorize" \
    --data-urlencode "response_type=code" \
    --data-urlencode "client_id=$CLIENT_ID"

  3. Consent Display. Authorization server displays the consent form to the user.

  4. User Consent. User reviews and provides consent to the authorization server.

  5. Authorization Code Issued. Authorization server issues an authorization code to the client application.

  6. Token Request. Client application sends a request to the authorization server for a token, including the authorization code.

    Sample call to the token endpoint:

    curl --request POST \
    --url "https://$TENANT_ID.$REGION_ID.authz.cloudentity.io/$TENANT_ID/$WORKSPACE_ID/oauth/token" \
    --data-raw "grant_type=authorization_code&code=$CODE&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET"

  7. Token Validation. Authorization server validates the token request, including the authorization code, client ID, and client secret.

  8. Token Issued. Authorization server returns the token to the client application.

  9. API Call. Client application calls the resource server’s API with the token.

  10. Data Returned. Resource server validates the token and responds with the requested data.
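A client-side walk-through of steps 2, 5 and 6 above, added here as an example and not Cloudentity's own code: it builds the authorization request with a state value and a PKCE S256 code challenge, checks the state on the redirect back before accepting the code, and assembles the token request body. The tenant and workspace path segments and all client values are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder for "https://$TENANT_ID.$REGION_ID.authz.cloudentity.io/$TENANT_ID/$WORKSPACE_ID"
AUTHZ_BASE = "https://TENANT.REGION.authz.cloudentity.io/TENANT/WORKSPACE"


def code_challenge_s256(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA-256(verifier)) with '=' padding removed."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple:
    """Random high-entropy verifier (86 chars, within the 43-128 limit) and its challenge."""
    verifier = secrets.token_urlsafe(64)
    return verifier, code_challenge_s256(verifier)


def build_authorize_url(client_id, redirect_uri, scope, state, code_challenge):
    """Step 2: authorization request; state binds the response to this session."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must match the pre-registered redirection endpoint
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_BASE}/oauth2/authorize?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 5: take the code from the redirect only if state matches the stored value."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def token_request_body(code, client_id, redirect_uri, code_verifier):
    """Step 6: form body for the token endpoint (client secret sent via HTTP Basic auth)."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,  # server recomputes S256 and compares to step 2
    })
```

The verifier is generated once per authorization request and kept server-side with the state; reusing either across requests defeats the binding they provide.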

Best practices

  • Redirection Endpoints. Configure the redirection endpoint for the client application before making calls.

  • Scope Management. Limit the scope the client application can access when calling the /authorize and /token endpoints.