Authorization Code Flow

The Authorization Code Flow is an OAuth 2.0 grant type that lets a third-party application access a user's resources without the user ever handing their credentials to that application.

In this flow, the client application redirects the user to the authorization server, where they log in and approve the client's access request. After approval, the authorization server redirects the user's browser back to the client's registered redirect URI with a short-lived, single-use authorization code. The client then exchanges that code at the token endpoint for an access token and optionally a refresh token, and uses the access token to make authorized requests to the resource server on behalf of the user.

Users typically encounter the Authorization Code Flow when they're asked to log in to a third-party application or service using their credentials from another platform, such as signing into a website with their Google or Facebook account. This flow is commonly used in scenarios where a user wants to grant access to their resources (like data or services) to a third-party application without sharing their credentials directly.

The main difference between the Authorization Code Flow and the Authorization Code Flow with PKCE (Proof Key for Code Exchange) lies in how the authorization code is bound to the client that requested it. This matters most for public clients, such as mobile and native applications, which cannot keep a client secret.

In the standard Authorization Code Flow, the client receives an authorization code after the user authenticates with the authorization server and exchanges it for an access token, identifying itself at the token endpoint with its client secret. A public client has no secret it can protect, so for such a client the flow is vulnerable to authorization code interception: an attacker who captures the code (for example, a malicious app on the same device registered for the same redirect URI) can exchange it for an access token.

Authorization Code Flow with PKCE adds a dynamically generated secret, the code verifier, that never leaves the client. The client sends a value derived from it, the code challenge (for the S256 method, the base64url-encoded SHA-256 hash of the verifier), in the authorization request, and sends the verifier itself in the token request; the authorization server issues a token only if the verifier hashes to the challenge it stored with the code. An intercepted code is therefore useless on its own. This makes the flow suitable for environments where a client secret cannot be stored securely, such as mobile or native applications.
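The following Python is an added example, not code from this page or from the product it documents. It runs the exchange described above end to end against a toy in-memory authorization server, then shows what happens when an attacker who intercepted the authorization code tries to redeem it without the code verifier. The endpoint, client_id and redirect URI are hypothetical placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# ---- Client side: RFC 7636 PKCE helpers ----

def make_code_verifier(n_bytes: int = 32) -> str:
    """code_verifier: high-entropy random string (43..128 chars) kept only in client memory."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")

def make_code_challenge(verifier: str) -> str:
    """code_challenge for method S256: BASE64URL(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorization_url(authorize_endpoint, client_id, redirect_uri, scope, state, challenge):
    """Front-channel request: the challenge travels in the URL, the verifier never does."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": scope, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"

def code_from_redirect(redirect_url, expected_state):
    """Parse the redirect back to the client; reject a response carrying a state we did not issue."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF / injected authorization response")
    return q["code"][0]

# ---- Server side: toy in-memory authorization server (constructed for this example) ----

class ToyAuthorizationServer:
    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, state, challenge):
        """Stands in for login + consent; returns the redirect carrying a one-time code."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, challenge)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, code, client_id, redirect_uri, code_verifier):
        """Back-channel exchange: the code is single-use and bound to client, redirect URI and verifier."""
        entry = self._codes.pop(code, None)  # consumed on every attempt, so a replay fails
        if entry is None:
            return {"error": "invalid_grant"}
        bound_client, bound_redirect, challenge = entry
        if client_id != bound_client or redirect_uri != bound_redirect:
            return {"error": "invalid_grant"}
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return {"error": "invalid_grant"}  # interceptor has the code but not the verifier
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(32)}

def run_flow(attacker_first: bool = False):
    """Run one complete flow; the 'attacker' replays the intercepted code with a verifier of its own."""
    server = ToyAuthorizationServer()
    client_id, redirect_uri = "my-native-app", "com.example.app:/callback"  # hypothetical values
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = secrets.token_urlsafe(16)
    auth_url = build_authorization_url("https://auth.example/authorize",  # hypothetical endpoint
                                       client_id, redirect_uri, "openid profile", state, challenge)
    # The browser follows auth_url; after consent the server redirects back with the code.
    redirect = server.authorize(client_id, redirect_uri, state, challenge)
    code = code_from_redirect(redirect, state)
    attacker_verifier = make_code_verifier()  # attacker never saw the real one
    if attacker_first:
        attacker = server.token(code, client_id, redirect_uri, attacker_verifier)
        legit = server.token(code, client_id, redirect_uri, verifier)
    else:
        legit = server.token(code, client_id, redirect_uri, verifier)
        attacker = server.token(code, client_id, redirect_uri, attacker_verifier)
    return {"auth_url": auth_url, "legit": legit, "attacker": attacker}

if __name__ == "__main__":
    print(run_flow(attacker_first=False))  # legit gets a token, attacker gets invalid_grant
    print(run_flow(attacker_first=True))   # attacker fails and burns the code; nobody gets a token
```

Two points the run makes visible: the attacker's exchange fails whether it is first or second, and when it is first the legitimate client also fails because the code was consumed. That second outcome is a usability cost rather than a security hole, since no token was issued to anyone, and it is why servers bind the code to the verifier instead of merely making it single-use.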

To create a grant type using Authorization Code Flow:

Procedure

  1. Complete steps 1-6 from the Create OAuth connection section.
  2. Select Authorization Code Flow or Authorization Code Flow with PKCE as the Grant Type.

    Both grant types separate user authentication from token issuance and support refresh tokens, so the client can keep long-lived access without the user's credentials ever being exposed to it. Choose the PKCE variant for public clients (mobile or native applications) that cannot protect a client secret.

  3. Complete steps 8-18 from the Create OAuth connection section.