Overview#Authorization Code Flow is the OAuth 2.0 Protocol Flow for the Authorization Code Grant Type which would typically be used for website type applications.
Authorization Code Flow is also called 3-legged OAuth and is a relatively high Level Of Assurance.
The authorization Code Grant type is used to obtain both access_tokens and refresh_tokens and is optimized for confidential clients. Since this is a redirection-based flow, the client must be capable of interacting with the Resource Owner's user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the Authorization Server.
+----------+ | Resource | | Owner | | | +----------+ ^ | (B) +----|-----+ Client Identifier +---------------+ | -+----(A)-- & Redirection URI ---->| | | User- | | Authorization | | Agent -+----(B)-- User authenticates --->| Server | | | | | | -+----(C)-- Authorization Code ---<| | +-|----|---+ +---------------+ | | ^ v (A) (C) | | | | | | ^ v | | +---------+ | | | |>---(D)-- Authorization Code ---------' | | Client | & Redirection URI | | | | | |<---(E)----- Access Token -------------------' +---------+ (w/ Optional Refresh Token) Figure 3: Authorization Code FlowNote: The lines illustrating steps (A), (B), and (C) are broken into two parts as they pass through the user-agent.
The flow illustrated in Figure 3 includes the following steps:OAuth Client initiates the flow by directing the user-agent to the Authorization_endpoint with an Authorization Request wihich includes:
- OAuth Scope
- Redirect_uri which the Authorization Server will send the user-agent back once access is granted (or denied).
(B) #The Authorization Server authenticates the Resource Owner (via the user-agent) (Authentication Method is undefined in OAuth 2.0) and establishes whether the Resource Owner grants or denies the OAuth Client's Authorization Request. Resource Owner grants access, the Authorization Server redirects the user-agent back to the OAuth Client using the redirect URI provided in the Authorization Request earlier (or the during OAuth 2.0 Client Registration). The URL redirection URI includes an Authorization Code and any local state provided by the OAuth Client earlier.
(D) #The OAuth Client requests an Access Token from the Authorization Server's token_endpoint by including the Authorization Code received in the previous step. When making the request, the OAuth Client authenticates with the Authorization Server. The OAuth Client includes the redirect URI used to obtain the Authorization Code for verification.
(E) #The Authorization Server:
- authenticates the OAuth Client
- validates the Authorization Code
- ensures that the redirect URI received matches the URI used to redirect the OAuth Client in step (C).
Known in Advance #Some basic conditions must exist in advance:
- The OAuth Client MUST be aware of the correct Authorization Server associated with the Resource Server
- The OAuth Client MUST have registered with the correct Authorization Server and provided them with his:
- The OAuth Client MUST know the Authorization_endpoint.
- The specifications do not indicate any communication between the Authorization Server associated with the Resource Server.
- After Authentication the Resource Owner is asked if she wants to grant access to their Resource Server to the OAuth Client.
- If the Resource Owner accepts, the Authorization Server creates an Authorization Code, representing the authorization.
It is essential that the OAuth Client check the scope returned from the Access Token request and verify that it contains the necessary scopes. While your application specified (when requesting an authorization Code) what scopes it would like, the user may have chosen to deny access to certain scopes. For example, the user may have chosen to authenticate only, but not to provide access to the other scopes.
- Authentication of the OAuth Client
- Authorization by the Resource Owner (user) to to access the Resource Server.
More Information#There might be more information for this subject on one of the following:
- Authorization Code
- Authorization Code Grant
- Grant Types
- Hybrid Flow
- Identity Token
- OAuth 2.0 Protocol Flows
- OAuth Dynamic Client Registration Metadata
- OpenID Connect Authentication Response
- OpenID Connect Authorization Flow