Authorization Basics

OAuth 2.0 Authorization Code Flow

Learn what an authorization code grant is and what its process is. Find out what type of applications can use the authorization code grant flow in a safe and secure manner.

In a Nutshell

The Cloudentity OAuth authorization code grant flow can be used to obtain access tokens, refresh tokens, or OIDC tokens. It is intended for confidential clients, for example web applications, that are able to store their authorization code safely and exchange it for a token later on.

The authorization code is a temporary code that proves to Cloudentity that the client requesting a token is authorized to do so. Cloudentity provides this code to the client after the user has successfully given their consent.

This grant flow is designed for applications that have a back-end part. A single-page application cannot use the authorization code grant flow unless it uses Proof Key for Code Exchange (PKCE).

Prerequisites

To use the Cloudentity authorization code grant flow type, the client must match the following criteria:

  • It must be able to interact with the resource owner’s user-agent, for example, a web browser.

  • It must be capable of receiving incoming requests (via redirection) from the authorization server.

Flow in Depth

Abstract Protocol Flow

The Abstract Protocol Flow diagram above illustrates the interactions that occur in the Cloudentity OAuth authorization code grant flow.

  1. A user tries to access the application (the client).

  2. The client redirects a user to the authorize endpoint.

    Note

    The client must inform Cloudentity of the desired grant type using the response_type parameter. For the authorization code grant flow, the value of the response_type parameter must be code.

  3. Cloudentity authenticates the user and displays a consent screen if there is an authorization scope to be granted.

    Note

    Cloudentity does not display a consent screen when there is no authorization scope to be granted.

  4. The user gives their consent.

  5. Cloudentity issues an authorization code.

    Note

    After Cloudentity generates the authorization code, the user is redirected with it to the redirection endpoint configured for the registered client. If no redirection endpoint was specified during client registration (not recommended), one can be provided using the redirect_uri parameter in the request to the authorize endpoint.

  6. The client authenticates to the token endpoint and requests a token using the authorization code provided in the previous step.

    Read More

    To learn more about token endpoint authentication methods, see the client authentication documentation.

  7. Cloudentity validates the request.

  8. Cloudentity returns the token.

  9. The client requests protected resources from the resource server and submits the token it received in the previous step.

  10. The resource server validates the token and responds with the requested resources.
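The client-side pieces of steps 2, 5 and 6 above, as an added Python example that is not Cloudentity's own code: it builds the authorize request with response_type=code, a per-request state value and a PKCE challenge, checks the callback before trusting the code, and assembles the token request a confidential client would POST. The endpoint URL, client_id and redirect URI are placeholder assumptions; the HTTP POST itself and the token response are left out.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://tenant.example.com/oauth2/authorize"  # assumed placeholder URL
CLIENT_ID = "example-web-app"  # assumed placeholder client registration
REDIRECT_URI = "https://app.example.com/callback"  # assumed registered redirection endpoint

def code_challenge_s256(code_verifier):
    """PKCE S256: BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_request_secrets():
    return secrets.token_urlsafe(16), secrets.token_urlsafe(32)  # (state, code_verifier), kept server-side

def build_authorize_url(state, code_verifier, scope="openid"):
    """Step 2: the URL the client redirects the user-agent to; response_type must be 'code'."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    """Step 5: take the code from the redirect; reject errors and any state this client did not issue."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not tied to a request this client started")
    return query["code"][0]  # KeyError here means the callback carried no code at all

def build_token_request(code, code_verifier, client_secret):
    """Step 6: form body a confidential client POSTs to the token endpoint (client_secret_post)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must match the value sent in step 2
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code_verifier": code_verifier,  # checked by the server against the step-2 challenge
    }
```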