Authorization Basics


OAuth 2.0 Authorization Code Flow

Learn what an authorization code grant is and what its process is. Find out what type of applications can use the authorization code grant flow in a safe and secure manner.

What Authorization Code Flow Is

In the OAuth authorization code grant flow, the authorization server sends a temporary authorization code to the client, and the client exchanges that code for a token. This flow is intended for confidential clients, for example, web applications with a backend that can store credentials securely. This way, the client can obtain one or more of the following token types:

The authorization code proves to the authorization server that the client requesting a token is permitted to do so. The user consents that the client can access the resource before the authorization server passes the code.

Authorize Apps Using Authorization Code Flow

Cloudentity comes with a multi-tenant authorization server as a service that supports the authorization code flow.

Single-page apps cannot leverage it unless they use Proof Key for Code Exchange (PKCE).

How Authorization Code Flow Works

For a proper and secure authorization code grant flow, the following is recommended:

  • Configure the redirection endpoint for the client application before making calls.

  • Limit the scope the client application can access when calling the /authorize and /token endpoints.

[mermaid-begin]

    sequenceDiagram
        autoNumber
        participant User
        participant Client application
        participant Authorization server
        participant Resource server (API)
        activate User
        User->>Client application: Access
        activate Client application
        activate Authorization server
        Client application->>Authorization server: Request authorization
        deactivate Client application
        Authorization server->>User: Display consent
        User->>Authorization server: Give consent
        deactivate User
        Authorization server->>Client application: Issue authorization code
        activate Client application
        Client application->>Authorization server: Request token
        Authorization server->>Authorization server: Validate the request
        Authorization server->>Client application: Return token
        deactivate Authorization server
        Client application->>Resource server (API): Call API with token
        activate Resource server (API)
        Resource server (API)->>Client application: Return data
        deactivate Resource server (API)
        deactivate Client application

The example diagram above illustrates the interactions that occur during the OAuth authorization code grant flow.

  1. A user tries to access the application (the client).

  2. The client application calls the authorization server’s authorize endpoint.

    Sample call to the authorize endpoint with Cloudentity as an authorization server

    curl --location \
    --get \
    --url "https://$TENANT_ID.$REGION_ID.authz.cloudentity.io/$TENANT_ID/$WORKSPACE_ID/oauth2/authorize" \
    --data-urlencode "response_type=code" \
    --data-urlencode "client_id=$CLIENT_ID"
    
  3. The authorization server responds with a redirect to its login and consent form, if any, and the user's browser follows it.

  4. The user authenticates with their identity source and gives their consent.

  5. The authorization server issues an authorization code.

  6. The client application requests a token from the token endpoint, authenticating with the client authentication method configured for it and presenting the authorization code received in the previous step.

    • The grant_type value in the API call must be authorization_code.

    Sample call to the token endpoint with Cloudentity as an authorization server

    curl --request POST \
    --url "https://$TENANT_ID.$REGION_ID.authz.cloudentity.io/$TENANT_ID/$WORKSPACE_ID/oauth/token" \
    --data-raw "grant_type=authorization_code&code=$CODE&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET"
    
  7. The authorization server validates the authorization code, client ID, and client secret.

  8. The authorization server returns the token.

  9. The client application requests protected resources from the resource server and submits the token it received in the previous step.

  10. The resource server validates the token and responds with the requested resources.
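To make the validation in steps 5 through 7 concrete, the following is an added example (not Cloudentity's code, and not the behaviour of any particular authorization server) that models a toy in-memory authorization server. It shows the checks a server applies when it issues a code (the client is known, the redirect URI was pre-registered, the requested scope is within what the client is allowed) and when it exchanges the code at the token endpoint (the code is single-use and short-lived, it is bound to the client and redirect URI it was issued for, a confidential client must present its secret, and a public client such as a single-page app must instead prove possession of the PKCE code verifier). All client IDs, secrets, redirect URIs and scopes below are constructed sample values.

```python
import base64
import hashlib
import secrets
import time

# Assumed lifetime for an authorization code; real servers typically use a minute or less.
CODE_TTL_SECONDS = 60


def pkce_challenge(code_verifier: str) -> str:
    """S256 PKCE transform: BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Toy in-memory authorization server modelling code issuance and exchange."""

    def __init__(self):
        self.clients = {}  # client_id -> {"secret", "redirect_uris", "scopes"}
        self.codes = {}    # code -> record of what the code was issued for

    def register_client(self, client_id, client_secret, redirect_uris, scopes):
        # client_secret=None marks a public client (for example a single-page app).
        self.clients[client_id] = {
            "secret": client_secret,
            "redirect_uris": set(redirect_uris),
            "scopes": set(scopes),
        }

    def authorize(self, client_id, redirect_uri, scope, code_challenge=None, now=None):
        """Step 5: after the user has consented, issue a code bound to this request."""
        client = self.clients.get(client_id)
        if client is None:
            raise ValueError("unauthorized_client")
        # Only a pre-registered redirect URI may receive the code (exact match).
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("invalid_redirect_uri")
        # The client may not request more than it was allowed at registration.
        if not set(scope.split()) <= client["scopes"]:
            raise ValueError("invalid_scope")
        # A public client cannot keep a secret, so it must commit to a PKCE challenge now.
        if client["secret"] is None and code_challenge is None:
            raise ValueError("pkce_required")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "scope": scope,
            "code_challenge": code_challenge,
            "issued_at": time.time() if now is None else now,
        }
        return code

    def token(self, grant_type, code, client_id, redirect_uri,
              client_secret=None, code_verifier=None, now=None):
        """Step 7: validate the code, the client and its credentials; then issue a token."""
        if grant_type != "authorization_code":
            raise ValueError("unsupported_grant_type")
        # pop() makes the code single-use: a replayed code is rejected.
        record = self.codes.pop(code, None)
        if record is None:
            raise ValueError("invalid_grant")
        current = time.time() if now is None else now
        if current - record["issued_at"] > CODE_TTL_SECONDS:
            raise ValueError("invalid_grant")
        # The code must be redeemed by the same client, for the same redirect URI.
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")
        client = self.clients[client_id]
        if client["secret"] is not None:
            # Confidential client: authenticate with the secret (constant-time compare).
            if client_secret is None or not secrets.compare_digest(client["secret"], client_secret):
                raise ValueError("invalid_client")
        if record["code_challenge"] is not None:
            # PKCE: the verifier must hash to the challenge committed at /authorize.
            if code_verifier is None or pkce_challenge(code_verifier) != record["code_challenge"]:
                raise ValueError("invalid_grant")
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": 3600,
            "scope": record["scope"],
        }


def exchange_error(server, **kwargs):
    """Return the error string a token request produces, or None on success."""
    try:
        server.token(**kwargs)
        return None
    except ValueError as exc:
        return str(exc)
```

Each rejection maps to the OAuth 2.0 error names a real token endpoint would return (`invalid_grant`, `invalid_client`, `unsupported_grant_type`); the point of the model is that a stolen or replayed code is useless on its own, because redeeming it requires the registered redirect URI plus either the client secret or the PKCE verifier that never left the legitimate client.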

Updated: Sep 8, 2023