OAuth authorization code flow

The Authorization Code Flow is an OAuth 2.0 grant type that lets a third-party application access a user's resources without the user exposing their credentials to that application.

In this flow, the client application redirects the user to the authorization server, where the user logs in and approves the client's access request. After approval, the authorization server redirects back to the client with an authorization code, which the client exchanges for an access token and, optionally, a refresh token. The access token is then used to make authorized requests to the resource server on behalf of the user.

This flow is commonly used in scenarios where a user wants to grant access to their resources (like data or services) to a third-party application without sharing their credentials directly.

The main difference between the Authorization Code Flow and the Authorization Code Flow with PKCE (Proof Key for Code Exchange) lies in the security mechanisms used to prevent certain attacks, particularly against mobile and native applications.

In the standard Authorization Code Flow, the client receives an authorization code after the user authenticates with the authorization server and then exchanges this code for an access token. On its own, this flow is vulnerable to authorization code interception attacks, in which an attacker who obtains the authorization code can redeem it for an access token.

Authorization Code Flow with PKCE adds a further layer of security by using a dynamically generated secret, the code verifier, to bind the token exchange to the original authorization request. This makes the flow more secure, especially in environments where client secrets cannot be stored safely, such as mobile or native applications.
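As an added example (not from this page or from the product it documents), the PKCE mechanics behind the description above in Python: the client derives an S256 code challenge from a random code verifier, and the authorization server refuses the token exchange unless the verifier presented on the back channel matches the challenge bound to the issued code, which is what defeats the interception attack described above. The `AuthorizationServer` class is a simplified model written for this example, not a real server implementation.

```python
import base64
import hashlib
import secrets

# Added example (not from the original page): RFC 7636 PKCE primitives and a
# toy authorization server showing why an intercepted authorization code is
# useless to anyone who does not also hold the client's code_verifier.


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random 43..128 character URL-safe verifier (RFC 7636 section 4.1)."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(n_bytes))
    return raw.rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Simplified model: binds the S256 challenge to the code it issues."""

    def __init__(self) -> None:
        self._codes = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str) -> str:
        # Front channel: the user has approved the request, so a single-use
        # code is issued and the challenge is stored alongside it.
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        # Back channel: the code is single-use, so it is removed regardless
        # of outcome; a failed verifier check burns the code.
        entry = self._codes.pop(code, None)
        if entry is None:
            return None  # unknown, expired or already redeemed code
        stored_client, challenge = entry
        if stored_client != client_id:
            return None  # code was issued to a different client
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None  # verifier does not match the stored challenge
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```

The first assertion in the accompanying check uses the code_verifier/code_challenge pair from RFC 7636 Appendix B; a token request that presents the right code but the wrong verifier returns nothing, and the code cannot be retried.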

To configure a connection that uses the Authorization Code Flow grant type:

Procedure

  1. Complete steps 1-6 from Create OAuth connection.
  2. Select the Grant Type as Authorization Code Flow or Authorization Code Flow with PKCE to separate user authentication from token issuance. This improves security because the grant type supports refresh tokens for long-lived access without exposing sensitive credentials. When using Authorization Code Flow with the Microsoft 365 Outlook package, review the following permissions (see Permissions for the application):
    • Mail.Read
    • Mail.ReadWrite
    • Mail.Send
    • MailboxSettings.Read
    • MailboxSettings.ReadWrite
    • offline_access
    • openid
    • User.Read
    • User.ReadBasic.All
    You must use the Client Secret Post authentication method together with the Authorization Code Flow with PKCE grant type; otherwise you will get a validation error.
  3. Complete steps 8-18 from Create OAuth connection.