OAuth authorization code flow
- Updated: 2024/10/01
The Authorization Code Flow is a security protocol used in OAuth 2.0 to allow third-party applications to access a user's resources without exposing their credentials.
In this flow, the client application redirects the user to the authorization server, where they log in and approve the client's access request. After approval, the authorization server sends an authorization code to the client, which it exchanges for an access token and optionally a refresh token. This access token is then used to make authorized requests to the resource server on behalf of the user.
This flow is commonly used in scenarios where a user wants to grant access to their resources (like data or services) to a third-party application without sharing their credentials directly.
The main difference between the Authorization Code Flow and the Authorization Code Flow with PKCE (Proof Key for Code Exchange) lies in the security mechanisms used to prevent certain attacks, particularly against mobile and native applications.
In the standard Authorization Code Flow, the client receives an authorization code after the user authenticates with the authorization server. The client then exchanges this code for an access token. However, this flow is vulnerable to authorization code interception attacks, where an attacker can intercept the authorization code and use it to obtain an access token.
Authorization Code Flow with PKCE adds an additional layer of security by using a dynamically generated secret, the code verifier, to authenticate the authorization request. This makes it more secure, especially in environments where it is difficult to securely store client secrets, such as mobile or native applications.
To create a grant type using Authorization Code Flow: