The authorization code grant type (flow) works with an intermediate credential called an authorization code.
It is an indirect, redirection-based flow that is optimized for confidential clients.
The client first asks for an authorization code, which is then used to obtain an access token (and optionally a refresh token) to access the protected resources. More on the flow? See authorization code flow details
The authorization code is obtained by using an authorization endpoint (an authorization server component) as an intermediary between the client and the resource owner (end-user).
Instead of requesting authorization directly from the resource owner,
The flow includes the following steps:
The client (app) initiates the flow by directing the resource owner's user-agent (the end user's browser) to the authorization endpoint.
See authorization endpoint authorization request
The client includes in this request:
The authorization endpoint (authorization server component):
Assuming the resource owner grants access, the authorization endpoint (authorization server component) redirects the user-agent back to the client using the redirection URI.
The redirection URI includes:
Example:
https://example.com/redirection/path?code=xxxxx&state=xxxxx
Real example:
http://localhost:22726/?
state=BVBGzPxmRgi6MNgj9Hmq
&code=4/0AX4XfWhcZSdBvBXanPSGA5VYYjz0
&scope=email%20openid%https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/docs.test%20https://www.googleapis.com/auth/drive%20https://www.googleapis.com/auth/drive.photos.readonly
&authuser=0
&prompt=consent
https://localhost:62345/?
code=xxxx
&scope=openid+offline_access+r_ide_auth
&state=xxx
These parameters are generally returned in the URL query string.
This exposes the authorization code to:
That's why the authorization code is temporary.
Example in JavaScript where the redirect URL is processed and the authorization code is then removed from the browser history.
// Get the query string portion of the current URL.
const queryString = window.location.search;
if (queryString.includes("code=") && queryString.includes("state=")) {
  // Process the query parameters: verify the state, exchange the code for a token ...
  // (process and updateUI are placeholders for the application's own functions)
  process();
  // Update the UI with the new auth state.
  updateUI();
  // Remove the query string parameters (code and state) from the redirect URL,
  // so the authorization code no longer appears in the address bar or history.
  const redirectPath = window.location.pathname;
  window.history.replaceState({}, document.title, redirectPath);
}
The client requests an access token from the authorization server's token endpoint by including the authorization code received in the previous step.
When making the request, the client authenticates with the token endpoint (authorization server).
The client (app) includes the redirection URI used to obtain the authorization code for verification.
The token endpoint (authorization server component):
If valid, the token endpoint (authorization server component) responds back with an access token and, optionally, a refresh token.
An example call to https://tenant.example.com/oauth/token could result in:
{
"access_token":"yhEvm8U6uG0gPmoUDuLn3bENGIMceiFz",
"id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZ.... JWT",
"scope":"openid profile email",
"expires_in":86400,
"token_type":"Bearer"
}
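The client side of the flow described above, as an added example that is not part of the original page: it parses the redirect URI, checks the returned state against the value the client stored before redirecting, builds the body of the request to the token endpoint, and checks the token response. The function names, the client id and the sample values are assumptions constructed for the example.

```javascript
// Added example (not from the original page): the client side of the
// authorization code flow. parseRedirect, buildTokenRequest and
// acceptTokenResponse are assumed names; sample values are constructed.

// Parse the redirection URI the authorization endpoint sent the user-agent to.
// The returned state is compared with the value the client stored before it
// started the flow, so a code arriving via someone else's redirect is rejected.
function parseRedirect(redirectUrl, expectedState) {
  const params = new URL(redirectUrl).searchParams;
  if (params.has("error")) {
    throw new Error(`authorization failed: ${params.get("error")}`);
  }
  const code = params.get("code");
  if (!code) throw new Error("redirect carries no authorization code");
  if (params.get("state") !== expectedState) throw new Error("state mismatch");
  // scope arrives space-separated; a '+' in the query decodes to a space.
  const scope = (params.get("scope") || "").split(" ").filter(Boolean);
  return { code, scope };
}

// Body of the POST to the token endpoint. redirect_uri must equal the one used
// in the authorization request, because the token endpoint compares them.
function buildTokenRequest({ code, redirectUri, clientId }) {
  return new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
  }).toString();
}

// Check the token response and compute the absolute expiry time (ms since epoch).
function acceptTokenResponse(response, nowMs) {
  if (response.token_type !== "Bearer") throw new Error("unexpected token_type");
  if (typeof response.access_token !== "string") throw new Error("no access_token");
  return { accessToken: response.access_token, expiresAt: nowMs + response.expires_in * 1000 };
}

// Constructed sample redirect and token response, shaped like the page's examples.
const sampleRedirect =
  "https://localhost:62345/?code=xxxx&scope=openid+offline_access+r_ide_auth&state=xxx";
const sampleTokenResponse = {
  access_token: "yhEvm8U6uG0gPmoUDuLn3bENGIMceiFz",
  scope: "openid profile email",
  expires_in: 86400,
  token_type: "Bearer",
};
```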