Authorization Code Flow in OAuth

  • Authorization Code Flow, aka 3 Legged returns an Authorization Code to the Client, which can then be exchanged for an ID Token and an Access Token directly.
  • Once the user authorizes the request to access protected resource , the request is redirected back to a registered endpoint to get the Authorization Code.
  • Authorization code is then exchanged with Authorization server to get an Access token.
  • This Access token is then used to access the protected resources.
  • This provides the benefit of not exposing any tokens to the User Agent and possibly other malicious applications with access to the User Agent.
  • The user agent application is used by the client applications in the user’s device example a web browser.
  • The Authorization Code Flow goes through the following steps.
    • Client redirects the user to Authorization Server (/authorize endpoint)
    • Auth Server redirects the user to login and provide consent for client application to access the protected resource
    • Authorization Server obtains End-User Consent.
    • Authorization Server sends the End-User back to the Client with an Authorization Code.
    • Client sends this code to the Authorization Server (/oauth/token endpoint) along with the application’s Client ID and Client Secret.
    • Authorization Server verifies the code, Client ID, and Client Secret.
    • Authorization Server responds with an ID Token and Access Token (and optionally, a Refresh Token).
    • Client can use the access token to access protected resources
    • Resource server serves the request if a valid access token is present

Referring to the example shared in the previous OAuth posts – Post 1 & Post 2 . The flow for client (greet.com) to access the contact list of user from contactlist.com will be as below

Thank you !

3 thoughts on “Authorization Code Flow in OAuth

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s