Authorization Code Grant Flow in OAuth 2.0



Introduction

The Authorization Code Grant is one of the most commonly used and secure OAuth 2.0 flows. It is designed primarily for server-side applications where the client can safely store a client secret. This article breaks down the Authorization Code Grant step-by-step, detailing each phase of the flow to help you implement it effectively.

What is the Authorization Code Grant?

The Authorization Code Grant allows an application to obtain an access token from an authorization server. This flow is characterized by a two-step process that involves obtaining an authorization code and then exchanging it for an access token. This separation enhances security by preventing the access token from being exposed to the user agent.

Step-by-Step Procedure Flow
Step 1: Client Registration

Before initiating the flow, the client application must register with the authorization server. During this registration, the client obtains a Client ID and Client Secret, along with specifying the Redirect URI where the authorization server will send the user after authentication.

Step 2: User Redirection to Authorization Server

The client application redirects the user to the authorization server's authorization endpoint. This request typically includes several parameters:

  • response_type: Set to code to indicate that the application is requesting an authorization code.
  • client_id: The Client ID obtained during registration.
  • redirect_uri: The URI to which the authorization server will redirect the user after authorization.
  • scope: A space-separated list of scopes that define the access level requested.
  • state: A unique string to maintain state between the request and callback (used to prevent CSRF attacks).

Example Request:

GET <BaseURL>/as/authorization.oauth2?response_type=code&client_id=CLIENT_NAME&
redirect_uri=YOUR_REDIRECT_URI&scope=read&state=YOUR_STATE

Step 3: User Authentication and Consent

Upon receiving the request, the authorization server presents the user with a login page if they are not already authenticated. After successful authentication, the server prompts the user to grant or deny permission for the client application to access their resources.

Step 4: Authorization Code Response

If the user grants permission, the authorization server redirects the user back to the specified redirect_uri with two query parameters:

  • code: The authorization code that the client can exchange for an access token.
  • state: The original state value sent by the client; before accepting the code, the client checks that it matches the value it stored when building the request.

Example Response:

HTTP/1.1 302 Found
Location: YOUR_REDIRECT_URI?code=AUTHORIZATION_CODE&state=YOUR_STATE

Step 5: Token Exchange

The client application now has an authorization code and can exchange it for an access token. This is done by making a POST request to the authorization server’s token endpoint, including the following parameters:

  • grant_type: Set to authorization_code.
  • code: The authorization code received in the previous step.
  • redirect_uri: The same redirect URI used in the initial request.
  • client_id: The Client ID.
  • client_secret: The Client Secret.

Example Request:

POST /token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=REDIRECT_URI&
client_id=CLIENT_ID&client_secret=CLIENT_SECRET

Step 6: Access Token Response

If the request is valid, the authorization server responds with an access token, and possibly a refresh token. The access token is used to make authorized API requests on behalf of the user.

Example Response:

{
  "access_token": "ACCESS_TOKEN",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "REFRESH_TOKEN"
}

Step 7: Accessing Protected Resources

The client can now use the access token to access protected resources by including it in the HTTP Authorization header of API requests.

Example Request:

GET /resource HTTP/1.1
Authorization: Bearer ACCESS_TOKEN

Step 8: Token Expiration and Refresh

Access tokens have a limited lifespan. If the access token expires, the client can use the refresh token (if provided) to obtain a new access token without requiring user interaction.
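The client side of Steps 2 through 8 in one place, as an added example in Python that is not part of the original article: it builds each request, verifies the state on the callback and validates the token response, without performing any network I/O. The base URL, redirect URI, placeholder credentials and the refresh_token grant parameters (from RFC 6749 section 6, not from this article) are assumed values.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

def build_authorization_url(base_url, client_id, redirect_uri, scope):
    """Step 2: redirect target with a fresh, unguessable state bound to this login attempt."""
    state = secrets.token_urlsafe(16)  # keep this server-side in the user's session
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{base_url}/as/authorization.oauth2?{urlencode(params)}", state

def parse_callback(callback_url, expected_state):
    """Step 4: pull the code out of the redirect, refusing it unless state matches."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    # Constant-time compare on bytes so an attacker-chosen non-ASCII state cannot raise TypeError.
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback (possible CSRF)")
    if "code" not in query:
        raise ValueError("callback carried no authorization code")
    return query["code"][0]

def build_token_request(code, redirect_uri, client_id, client_secret):
    """Step 5: form body for the POST to the token endpoint (server-to-server over TLS)."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id,
                      "client_secret": client_secret})

def build_refresh_request(refresh_token, client_id, client_secret):
    """Step 8: form body that trades a refresh token for a new access token (assumed RFC 6749 names)."""
    return urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token,
                      "client_id": client_id, "client_secret": client_secret})

def parse_token_response(body):
    """Step 6: validate the JSON token response before trusting any field in it."""
    token = json.loads(body)
    if "access_token" not in token or token.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token response")
    return token

def bearer_header(access_token):
    """Step 7: header for calls to the resource server."""
    return {"Authorization": f"Bearer {access_token}"}
```

The state check in parse_callback is the part most often skipped in hand-written clients; without it a forged callback can bind an attacker's authorization code to the victim's session.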


Conclusion

The Authorization Code Grant type is a powerful and secure way to implement OAuth 2.0 authorization for web applications. By following the outlined steps, developers can ensure a secure flow that protects user credentials and access tokens. Understanding this flow is essential for anyone looking to implement OAuth 2.0 in their applications effectively.

For further information or assistance, feel free to reach out or explore additional resources on OAuth 2.0 implementation.

About Satya

Satya is an IAM Engineer and the Editor of Techstotle.com. He possesses a deep passion for Identity and Access Management (IAM) technologies, with a particular focus on PingFederate and PingAM. Satya is dedicated to demystifying these complex technologies and making them accessible to a wider audience. Techstotle.com serves as a one-stop shop for the latest IAM insights, featuring comprehensive tutorials on PingFederate and PingAM. Join Satya on this journey of tech exploration as he empowers you to navigate the ever-evolving world of IAM.