
OAuth 2.0 Authorization Code Flow

Learn what an authorization code grant is and what its process is. Find out what type of applications can use the authorization code grant flow in a safe and secure manner.

What Authorization Code Flow Is

In the OAuth authorization code grant flow, the authorization server sends a temporary (authorization) code to the client, which exchanges it for a token. The flow is intended for confidential clients, for example web applications with a backend that can store credentials securely. With it, the client can obtain one or more of the following token types:

The authorization code proves to the authorization server that the client requesting a token is permitted to do so. The user consents to the client accessing the resource before the authorization server issues the code.

Single-page applications cannot use this flow unless they use PKCE.

How Authorization Code Flow Works

For a correct and secure authorization code grant flow, the following is recommended:

  • Configure the redirection endpoint for the client application before making calls.

  • Limit the scope the client application can access when calling the /authorize and /token endpoints.

[Diagram: Authorization Code Flow]

The example diagram above illustrates the interactions that occur during the OAuth authorization code grant flow.

  1. A user tries to access the application (the client).

  2. The client application calls the authorization server's authorize endpoint.

    Sample call to the authorize endpoint with SecureAuth as an authorization server

    curl --location \
    --get \
    --url "https://$TENANT_ID.$REGION_ID.authz.cloudentity.io/$TENANT_ID/$WORKSPACE_ID/oauth2/authorize" \
    --data-urlencode "response_type=code" \
    --data-urlencode "client_id=$CLIENT_ID"
  3. The authorization server responds with a redirect. If a consent form is configured, the user is redirected to it.

  4. The user authenticates with their identity source and gives their consent.

  5. The authorization server issues an authorization code.

  6. The client application calls the token endpoint, authenticating with the configured client authentication method and presenting the authorization code obtained in the previous step.

    • The grant_type value in the API call must be authorization_code.

    Sample call to the token endpoint with SecureAuth as an authorization server

    curl --request POST \
    --url "https://$TENANT_ID.$REGION_ID.authz.cloudentity.io/$TENANT_ID/$WORKSPACE_ID/oauth/token" \
    --data-raw "grant_type=authorization_code&code=$CODE&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET"
  7. The authorization server validates the authorization code, client ID, and client secret.

  8. The authorization server returns the token.

  9. The client application requests protected resources from the resource server and submits the token it received in the previous step.

  10. The resource server validates the token and responds with the requested resources.
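The ten steps above as an added Python example; it is not code from this page or from SecureAuth. It builds the step 2 authorize request with a state value and a PKCE challenge (the extension the page says single-page applications need), checks the step 5 redirect before trusting the code it carries, and assembles the step 6 token request body. The tenant URL pattern and the oauth2/authorize path are taken from the curl samples; the redirect URI, scope and all credential values are placeholders supplied by the caller.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed URL pattern, copied from the page's curl samples; the caller fills in
# the tenant, region and workspace placeholders.
BASE = "https://{tenant}.{region}.authz.cloudentity.io/{tenant}/{workspace}"


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    verifier = verifier or secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize_url(tenant, region, workspace, client_id, redirect_uri, scope,
                  state, challenge):
    """Step 2: the authorize request; state is a random per-session value."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    base = BASE.format(tenant=tenant, region=region, workspace=workspace)
    return base + "/oauth2/authorize?" + urlencode(params)


def code_from_redirect(redirect_url, expected_state):
    """Step 5: take the code from the redirect back to the client, rejecting
    an error response or a state that does not match this session."""
    qs = parse_qs(urlparse(redirect_url).query)
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    if not secrets.compare_digest(qs.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: redirect is not for this session")
    return qs["code"][0]


def token_request_body(code, client_id, client_secret, redirect_uri, verifier):
    """Step 6: form body for the token endpoint. grant_type must be
    authorization_code; the verifier proves the same client began the flow.
    Post it from the backend only, as application/x-www-form-urlencoded."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": client_id, "client_secret": client_secret,
                      "redirect_uri": redirect_uri, "code_verifier": verifier})
```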