Authorization Code

  • After receiving the authorization_code, the Client makes an additional request to the Authorization Server using the authorization_code, client_id, and client_secret in exchange for an access token.

    • The authorization_code is intended to be temporary and only used once.

  • If you see a response_type=code parameter in the OAuth flow, the Authorization Code Grant is being used.

  • Only used with server-side web applications, because the application's source code is not available to the public and the client_secret is therefore not exposed.

  • Uses both back-channel and front-channel communication in the flow.

Flow in Action

  1. Client sends Resource Owner (aka User) to the Authorization Server.

  2. Resource Owner authenticates to the Authorization Server and is presented with a choice of whether to authorize the Client making the request.

  3. Client is able to ask for a subset of functionality (called scopes), which the Resource Owner can further narrow or accept as requested.

  4. Once the Resource Owner authorizes the Client, the Client can then request an access token from the Authorization Server.

  5. Client can then use the access token with the protected resource.

Throughout this process, at no time are the Resource Owner's credentials exposed to the Client.
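The bullet points above and the five-step flow, as an added, runnable simulation that is not part of the original page: both the Client and the Authorization Server are modelled as plain Python functions, with the response_type=code request, the single-use authorization_code, the back-channel exchange of code plus client_id and client_secret for an access token, and the scope narrowing of step 3. The client registration, URLs, user name and credentials are constructed for this example and are assumptions, not real values.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed client registration for this example (not real credentials).
CLIENTS = {
    "webapp-123": {
        "client_secret": "s3cr3t-example",
        "redirect_uri": "https://client.example/callback",
    }
}

# Authorization Server state: issued codes and access tokens.
_codes = {}
_tokens = {}
CODE_TTL_SECONDS = 60  # codes are temporary


def build_authorization_url(auth_endpoint, client_id, redirect_uri, scopes, state):
    """Step 1 (front-channel): the Client sends the Resource Owner to the Authorization Server."""
    params = {
        "response_type": "code",  # response_type=code => Authorization Code Grant
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # lets the Client tie the callback to its own request
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def authorize(auth_url, user, granted_scopes, now=None):
    """Steps 2-3: the Resource Owner authenticates at the AS and approves a subset of the
    requested scopes. The AS redirects back with a single-use code; the Client never sees
    the user's credentials."""
    q = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    if q.get("response_type") != "code":
        raise ValueError("unsupported response_type")
    client = CLIENTS.get(q["client_id"])
    if client is None or client["redirect_uri"] != q["redirect_uri"]:
        raise ValueError("unknown client or redirect_uri mismatch")
    requested = set(q.get("scope", "").split())
    granted = set(granted_scopes)
    if not granted <= requested:
        raise ValueError("the user may only narrow the requested scopes")
    code = secrets.token_urlsafe(32)
    _codes[code] = {
        "client_id": q["client_id"],
        "redirect_uri": q["redirect_uri"],
        "user": user,
        "scope": granted,
        "expires": (now if now is not None else time.time()) + CODE_TTL_SECONDS,
        "used": False,
    }
    return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"


def token_request(code, client_id, client_secret, redirect_uri, now=None):
    """Step 4 (back-channel): code + client_id + client_secret are exchanged for an access token."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["client_secret"], client_secret):
        return {"error": "invalid_client"}
    rec = _codes.get(code)
    if rec is None or rec["used"] or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
        return {"error": "invalid_grant"}
    if (now if now is not None else time.time()) > rec["expires"]:
        return {"error": "invalid_grant"}  # expired code
    rec["used"] = True  # the code is only usable once
    token = secrets.token_urlsafe(32)
    _tokens[token] = {"user": rec["user"], "scope": rec["scope"]}
    return {"access_token": token, "token_type": "Bearer", "scope": " ".join(sorted(rec["scope"]))}


def protected_resource(access_token, required_scope):
    """Step 5: the protected resource accepts the token only if it carries the needed scope."""
    info = _tokens.get(access_token)
    if info is None or required_scope not in info["scope"]:
        return {"error": "insufficient_scope"}
    return {"user": info["user"]}


def run_flow():
    """Full run: the user narrows 'read write' to 'read', the code is redeemed once,
    a replay of the same code is rejected, and the token cannot reach 'write'."""
    state = secrets.token_urlsafe(16)
    url = build_authorization_url("https://as.example/authorize", "webapp-123",
                                  "https://client.example/callback", ["read", "write"], state)
    redirect = authorize(url, user="alice", granted_scopes=["read"])
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect).query).items()}
    if q["state"] != state:
        raise ValueError("state mismatch: callback does not belong to this request")
    first = token_request(q["code"], "webapp-123", "s3cr3t-example", "https://client.example/callback")
    replay = token_request(q["code"], "webapp-123", "s3cr3t-example", "https://client.example/callback")
    resource = protected_resource(first["access_token"], "read")
    denied = protected_resource(first["access_token"], "write")
    return first, replay, resource, denied
```

Running run_flow() walks all five steps in one process; the replay result shows why the single-use property of the code matters, and the denied result shows the user's scope narrowing from step 3 being enforced at the resource.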
