Authorization Code
After receiving the authorization_code, the Client makes an additional request to the Authorization Server using the authorization_code, client_id, and client_secret in exchange for an access token. The authorization_code is intended to be temporary and only used once.
If you see the response_type=code parameter in the OAuth flow, it means the Authorization Code Grant is being used. It is only used with server-side web applications, because the source code of the application is not available to the public and therefore the client_secret is not exposed. The flow uses both back-channel and front-channel communication.
Flow in Action
The Client sends the Resource Owner (aka User) to the Authorization Server.
The Resource Owner authenticates to the Authorization Server and is presented with a choice of whether to authorize the Client making the request.
The Client is able to ask for a subset of functionality (aka scopes), which the Resource Owner can further narrow or accept.
Once the Resource Owner authorizes the Client, the Client can then request an access token from the Authorization Server.
The Client can then use the access token with the protected resource.
Throughout this process, at no time are the Resource Owner's credentials exposed to the Client.
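The following is an added example, not code from the original page: a minimal model of the Authorization Server side of the flow above, showing the front-channel code issuance and the back-channel code-for-token exchange, and enforcing the properties the text describes (the code is bound to one client_id and redirect_uri, expires quickly, and may be redeemed exactly once; a replayed code also revokes the token it already produced). The client registration, secret and redirect URI are constructed sample values.

```python
import secrets
import time
import hmac

# Constructed sample client registration (assumed values, not from the page).
CLIENTS = {"web-app-1": {"secret": "s3cret-example", "redirect_uri": "https://app.example/cb"}}

CODE_TTL = 60  # seconds; authorization codes are meant to be short-lived

ISSUED_CODES = {}     # code -> {client_id, redirect_uri, scope, expires, used, token}
ACTIVE_TOKENS = set()  # access tokens the protected resource would accept


def authorize(client_id, redirect_uri, scope, now=None):
    """Front-channel step: after the Resource Owner approves, mint a one-time
    authorization_code that is returned to the Client via browser redirect."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        raise ValueError("unknown client or redirect_uri mismatch")
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                          "scope": scope, "expires": now + CODE_TTL,
                          "used": False, "token": None}
    return code


def token(code, client_id, client_secret, redirect_uri, now=None):
    """Back-channel step: the Client's server presents code + client_id +
    client_secret and receives an access token (or an OAuth-style error)."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return {"error": "invalid_client"}
    rec = ISSUED_CODES.get(code)
    if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
        return {"error": "invalid_grant"}
    if rec["used"] or now > rec["expires"]:
        # Replayed or stale code: reject it, and revoke any token already issued on it.
        ACTIVE_TOKENS.discard(rec["token"])
        ISSUED_CODES.pop(code, None)
        return {"error": "invalid_grant"}
    access_token = secrets.token_urlsafe(32)
    rec["used"], rec["token"] = True, access_token
    ACTIVE_TOKENS.add(access_token)
    return {"access_token": access_token, "token_type": "Bearer", "scope": rec["scope"]}


def token_is_active(access_token):
    """What the protected resource checks before serving a request."""
    return access_token in ACTIVE_TOKENS
```

Pass a fixed `now` to both functions to exercise the expiry check deterministically.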