What Authorization Code Flow Is
In the OAuth authorization code grant flow, the authorization server issues a temporary authorization code to the client, and the client exchanges that code for a token. This flow is intended for confidential clients, for example, web applications with a backend that can store credentials securely. This way, the client can obtain one or more of the following token types:
The authorization code proves to the authorization server that the client requesting a token is permitted to do so. The user consents to the client accessing the resource before the authorization server issues the code.
Authorize Apps Using Authorization Code Flow
Cloudentity comes with a multi-tenant authorization server as a service that supports the authorization code flow.
Single-page apps cannot use it unless they use Proof Key for Code Exchange (PKCE).
How Authorization Code Flow Works
For a proper and secure authorization code grant flow, the following is recommended:
- Configure the redirection endpoint for the client application before making any calls.
- Limit the scope the client application can access when calling the /authorize and /token endpoints.
The example diagram above illustrates the interactions that occur during the OAuth authorization code grant flow.
- A user tries to access the application (the client).
- The client application calls the authorization server's authorize endpoint. Sample call to the authorize endpoint with Cloudentity as an authorization server:

  curl --location \
    --get \
    --url "https://$TENANT_ID.$REGION_ID.authz.cloudentity.io/$TENANT_ID/$WORKSPACE_ID/oauth2/authorize" \
    --data-urlencode "response_type=code" \
    --data-urlencode "client_id=$CLIENT_ID"

- The authorization server responds with a redirect, and the user is redirected to the consent form, if any.
- The user authenticates with their identity source and gives their consent.
- The authorization server issues an authorization code.
- The client application requests a token from the token endpoint using the configured client authentication method and the authorization code obtained in the previous step. The grant_type value in the API call must be authorization_code. Sample call to the token endpoint with Cloudentity as an authorization server:

  curl --request POST \
    --url "https://$TENANT_ID.$REGION_ID.authz.cloudentity.io/$TENANT_ID/$WORKSPACE_ID/oauth/token" \
    --data-raw "grant_type=authorization_code&code=$CODE&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET"

- The authorization server validates the authorization code, client ID, and client secret.
- The authorization server returns the token.
- The client application requests protected resources from the resource server and submits the token it received in the previous step.
- The resource server validates the token and responds with the requested resources.
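The steps above and the two recommendations that precede them (a pre-registered redirect endpoint and a limited scope) are easier to reason about when both sides of the exchange are visible. The following is an added example, not Cloudentity code or part of the original page: a toy in-memory authorization server stands in for the real one, and a confidential client drives the flow against it. The server checks the redirect URI and scope at /authorize, then at /token authenticates the client and checks that the code is unexpired, unused, and bound to the same client_id and redirect_uri; the client binds the callback to its own request with a state value. The client registration, endpoint URL, and secret are constructed values.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration: the redirect URI and permitted scopes are fixed
# here, before any /authorize or /token call is made.
REGISTERED_CLIENTS = {"web-app": {
    "secret": "example-client-secret",
    "redirect_uris": {"https://app.example/callback"},
    "allowed_scopes": {"openid", "profile"},
}}
AUTHORIZE_ENDPOINT = "https://as.example/oauth2/authorize"  # hypothetical
CODE_TTL_SECONDS = 60


class ToyAuthorizationServer:
    """Stand-in for the authorization server; issued codes live in memory."""

    def __init__(self):
        self._codes = {}

    def authorize(self, params):
        """/authorize: validate client, redirect URI and scope; user login and
        consent are assumed to succeed; returns the redirect carrying the code."""
        client = REGISTERED_CLIENTS.get(params.get("client_id"))
        if client is None or params.get("response_type") != "code":
            raise ValueError("invalid_request")
        redirect_uri = params.get("redirect_uri")
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("invalid_redirect_uri")  # never redirect there
        requested = set(params.get("scope", "").split())
        if not requested or not requested <= client["allowed_scopes"]:
            raise ValueError("invalid_scope")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": params["client_id"], "used": False,
                             "redirect_uri": redirect_uri,
                             "scope": " ".join(sorted(requested)),
                             "expires": time.time() + CODE_TTL_SECONDS}
        return redirect_uri + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        """/token: authenticate the client, then validate and consume the code."""
        client = REGISTERED_CLIENTS.get(form.get("client_id"))
        if client is None or not hmac.compare_digest(client["secret"],
                                                     form.get("client_secret", "")):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        rec = self._codes.get(form.get("code"))
        if (rec is None or rec["used"] or rec["expires"] < time.time()
                or rec["client_id"] != form["client_id"]
                or rec["redirect_uri"] != form.get("redirect_uri")):
            return {"error": "invalid_grant"}
        rec["used"] = True  # a code is exchangeable exactly once
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}


class ConfidentialClient:
    """Backend web application that can keep the client secret private."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri = redirect_uri
        self._pending_states = set()

    def authorization_url(self, scope):
        """Step 2: the /authorize request; state binds the callback to it."""
        state = secrets.token_urlsafe(16)
        self._pending_states.add(state)
        return AUTHORIZE_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def token_request(self, callback_url):
        """Steps 6-7: verify state, then build the form posted to /token."""
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [None])[0]
        if state not in self._pending_states:
            raise ValueError("state mismatch: callback was not started here")
        self._pending_states.discard(state)
        return {"grant_type": "authorization_code", "code": query["code"][0],
                "client_id": self.client_id, "client_secret": self.client_secret,
                "redirect_uri": self.redirect_uri}


def run_flow(scope="openid profile"):
    """Drive one exchange; returns the token response and the result of
    replaying the same code, which the server must reject."""
    server = ToyAuthorizationServer()
    client = ConfidentialClient("web-app", "example-client-secret",
                                "https://app.example/callback")
    auth_url = client.authorization_url(scope)
    # The user agent carries this request to the server; simulated directly.
    callback = server.authorize(
        {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()})
    form = client.token_request(callback)
    return server.token(form), server.token(form)
```

Running `run_flow()` yields a Bearer token scoped to `openid profile` and an `invalid_grant` error for the replayed code; calling `run_flow("openid admin")` fails at /authorize with `invalid_scope`, because the requested scope exceeds what the client was registered for. The redirect URI is checked at /authorize rather than at /token so that the server never sends a user to an address it has not registered for that client.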