Authorization Code
- Optimized for confidential clients
Get authorization code (public)
- Requested by frontend application
- Sends a request to the authorization server, where the resource owner will enter its credentials
- Parameters:
  response_type: must be "code". Means that the client is performing an OAuth 2.0 Authorization Code flow; the authorization code is returned to the redirect URI
  redirect_uri: where to send the code to
  client_id: public identifier of the application
  scope: which permissions the application is requesting
  state: random string (prevents CSRF attacks); the client stores it in the user's session and compares it with the value echoed back on the callback
curl -X GET "https://authorization-server.com/oauth2/authorize"\
"?response_type=code"\
"&client_id=client-id"\
"&scope=email+offline_access"\
"&redirect_uri=https://client.com/callback/"\
"&state=RANDOM_STATE"
- The authorization code is sent back to the redirect_uri (which is part of the application). E.g., https://client.com/callback?code=12345 (the state value is echoed back with it and must match the one that was sent)
Get access token (confidential)
- Requested by backend application
- The client uses the code received from the authorization server to get an access token
- The authorization server authenticates the client, validates the authorization code and verifies the redirection URI
# client authentication via HTTP Basic (confidential client); CLIENT_SECRET is a placeholder
curl -X POST https://authorization-server.com/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded; charset=utf-8" \
  -H "Accept: application/json" \
  -u "client-id:CLIENT_SECRET" \
  -d "grant_type=authorization_code" \
  -d "redirect_uri=https://client.com/callback/" \
  -d "code=12345"
{
  "token_type": "bearer",
  "expires_in": "3600",
  "access_token": "123456abcdef",
  "refresh_token": "abcdef123456"
}
(refresh_token is optional)
Get resource
curl -X GET https://resource-server.com/file.txt \
-H "Authorization: Bearer $TOKEN"
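The three steps above (authorize request with state, callback check, code-for-token exchange) as an added Python example; this is illustrative code written for these notes, not from any OAuth library. token_endpoint is a constructed, in-memory model of the server's checks (client authentication, single-use code, redirect_uri match); the client secret, code store and names are assumptions.

```python
import base64
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHZ_URL = "https://authorization-server.com/oauth2/authorize"

def build_authorize_url(client_id, redirect_uri, scope, state=None):
    """Step 1 (front end): redirect the resource owner to the authorization server.
    state is random and must be stored in the user's session for step 2."""
    state = state or secrets.token_urlsafe(16)
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTHZ_URL + "?" + urlencode(query), state

def parse_callback(callback_url, expected_state):
    """Step 2: take the code from the redirect, but only if the state echoed
    back equals the one stored for this session (CSRF protection)."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to this session")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    return q["code"][0]

def build_token_request(code, client_id, client_secret, redirect_uri):
    """Step 3 (back end only): client secret goes in HTTP Basic auth, never to the browser."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return headers, body

def token_endpoint(headers, body, clients, issued_codes):
    """Constructed model of the server side of step 3: authenticate the client, validate
    the single-use code, verify redirect_uri equals the one from step 1.
    clients = {client_id: secret}; issued_codes = {code: (client_id, redirect_uri)}"""
    scheme, _, b64 = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return {"error": "invalid_client"}
    client_id, _, secret = base64.b64decode(b64).decode().partition(":")
    if not secrets.compare_digest(clients.get(client_id, ""), secret):
        return {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "authorization_code" or form.get("code") not in issued_codes:
        return {"error": "invalid_grant"}
    owner, redirect_uri = issued_codes.pop(form["code"])  # consumed: a replayed code fails
    if owner != client_id or form.get("redirect_uri") != redirect_uri:
        return {"error": "invalid_grant"}
    return {"token_type": "bearer", "expires_in": 3600, "access_token": secrets.token_urlsafe(24)}
```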