Authorization Code Flow in OAuth

  • Authorization Code Flow, aka 3 Legged returns an Authorization Code to the Client, which can then be exchanged for an ID Token and an Access Token directly.
  • Once the user authorizes the request to access protected resource , the request is redirected back to a registered endpoint to get the Authorization Code.
  • Authorization code is then exchanged with Authorization server to get an Access token.
  • This Access token is then used to access the protected resources.
  • This provides the benefit of not exposing any tokens to the User Agent and possibly other malicious applications with access to the User Agent.
  • The user agent application is used by the client applications in the user’s device example a web browser.
  • The Authorization Code Flow goes through the following steps.
    • Client redirects the user to Authorization Server (/authorize endpoint)
    • Auth Server redirects the user to login and provide consent for client application to access the protected resource
    • Authorization Server obtains End-User Consent.
    • Authorization Server sends the End-User back to the Client with an Authorization Code.
    • Client sends this code to the Authorization Server (/oauth/token endpoint) along with the application’s Client ID and Client Secret.
    • Authorization Server verifies the code, Client ID, and Client Secret.
    • Authorization Server responds with an ID Token and Access Token (and optionally, a Refresh Token).
    • Client can use the access token to access protected resources
    • Resource server serves the request if a valid access token is present

Referring to the example shared in the previous OAuth posts – Post 1 & Post 2 . The flow for client ( to access the contact list of user from will be as below

Thank you !

3 thoughts on “Authorization Code Flow in OAuth

Leave a Reply