- The Authorization Code Flow, also known as the 3-legged flow, returns an Authorization Code to the Client, which can then be exchanged for an ID Token and an Access Token directly.
- Once the user authorizes the request to access the protected resource, the request is redirected back to a registered endpoint to get the Authorization Code.
- The Authorization Code is then exchanged with the Authorization Server to get an Access Token.
- This Access token is then used to access the protected resources.
- This provides the benefit of not exposing any tokens to the User Agent and possibly other malicious applications with access to the User Agent.
- The User Agent is the application on the user's device that client applications use, for example a web browser.
- The Authorization Code Flow goes through the following steps:
- Client redirects the user to the Authorization Server (/authorize endpoint).
- Authorization Server redirects the user to log in and provide consent for the client application to access the protected resource.
- Authorization Server obtains End-User Consent.
- Authorization Server sends the End-User back to the Client with an Authorization Code.
- Client sends this code to the Authorization Server (/oauth/token endpoint) along with the application’s Client ID and Client Secret.
- Authorization Server verifies the code, Client ID, and Client Secret.
- Authorization Server responds with an ID Token and Access Token (and optionally, a Refresh Token).
- Client can use the Access Token to access protected resources.
- Resource Server serves the request if a valid Access Token is present.
Referring to the example shared in the previous OAuth posts (Post 1 & Post 2), the flow for the client (greet.com) to access the user's contact list from contactlist.com will be as below.
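The steps above, walked through in code for the greet.com / contactlist.com case. This is an added example, not code or a diagram from the original post. It is an in-memory simulation that issues only an Access Token (no ID Token or Refresh Token). The client ID, secret, callback URL, contact data, `state` check, and the single-use, 60-second code lifetime are assumptions made for illustration.

```python
import secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed registration data (assumptions, not from the post).
CLIENTS = {"greet-client": {"secret": "constructed-secret",
                            "redirect_uri": "https://greet.com/callback"}}
CODES = {}   # authorization code -> (client_id, redirect_uri, user, expiry)
TOKENS = {}  # access token -> user

def authorize(client_id, redirect_uri, state, user, consent):
    """/authorize: after login and consent, redirect back with a code."""
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri != client["redirect_uri"]:
        raise ValueError("unregistered client or redirect_uri")
    if not consent:
        return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
    code = secrets.token_urlsafe(16)
    CODES[code] = (client_id, redirect_uri, user, time.time() + 60)
    return redirect_uri + "?" + urlencode({"code": code, "state": state})

def token(code, client_id, client_secret, redirect_uri):
    """/oauth/token: verify the code, Client ID and Client Secret."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        raise PermissionError("invalid_client")
    entry = CODES.pop(code, None)  # pop() makes every code single-use
    if entry is None or entry[:2] != (client_id, redirect_uri) or entry[3] < time.time():
        raise PermissionError("invalid_grant")
    access = secrets.token_urlsafe(24)
    TOKENS[access] = entry[2]
    return {"access_token": access, "token_type": "Bearer"}

def contacts(access_token):
    """Resource server (contactlist.com): serve only with a valid token."""
    if access_token not in TOKENS:
        raise PermissionError("invalid_token")
    return ["alice@example.com", "bob@example.com"]  # constructed data

def run_flow():
    """Client (greet.com): run the steps in order; return code, tokens, contacts."""
    state = secrets.token_urlsafe(8)
    url = authorize("greet-client", "https://greet.com/callback", state, "user1", True)
    params = parse_qs(urlparse(url).query)
    if params["state"][0] != state:  # reject callbacks this client did not start
        raise ValueError("state mismatch")
    code = params["code"][0]
    tokens = token(code, "greet-client", "constructed-secret", "https://greet.com/callback")
    return code, tokens, contacts(tokens["access_token"])
```

Only the Authorization Code travels through the redirect URL that the browser sees. The Access Token is returned in the direct `token()` call between greet.com and the Authorization Server.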

Thank you !
Nice 👍
Thanks a lot !!!