OAuth 2.0 - Authorization Code


The authorization server issues the authorization code after approving the authorization request; the client application then uses that code to obtain access to the resource owner's resources.

  • The client application directs the resource owner to the authorization server, which redirects the owner back to the client application together with the authorization code.

  • The key benefit of the authorization code grant is that the client can authenticate itself and obtain the access token directly from the authorization server, so the token is never exposed to the resource owner's user agent.

The following diagram shows the authorization code flow.

(Diagram: OAuth 2.0 Authorization Code flow)

Step 1 − First, the user (the resource owner) tries to access their resources through the client application.

Step 2 − The client application was issued a client ID and client password (client secret) when it registered its redirect URI (Uniform Resource Identifier) with the authorization server.

Step 3 − The client application sends the user to the authorization server (such as Google, Facebook, or Twitter), where the user logs in.

Step 4 − The authorization server redirects the user to the redirect URI that the owner of the client application registered, appending the authorization code.

Step 5 − Following the redirect, the user's browser requests the redirect URI on the client application, delivering the authorization code to it.

Step 6 − The client application now holds the authorization code, its client ID and its client password, and sends them to the authorization server.

Step 7 − The client ID and client password are unique to the client application on the authorization server. After checking them and the code, the authorization server sends an access token to the client application.

Step 8 − The user is now allowed to log in to the client application.

Step 9 − The user logs in and accesses the client application using these credentials via the authorization server.

Step 10 − The client application then sends the access token to the resource server.

Step 11 − The resource server (the server hosting the resources, e.g. Facebook, Google, or Twitter) verifies the access token.

Step 12 − Next, the client application accesses the resources stored on the resource server. The resource server returns the resources to the client application.

Step 13 − Next, the client application provides the resources to the user.
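The following is an added, self-contained simulation of steps 2 through 12 above; it is example code written for this page, not code from the original tutorial or from any real authorization server. Client IDs, secrets, redirect URIs, user names and resources are all constructed in-memory, and no network requests are made. It goes slightly beyond the text by showing the checks a defender expects at each step: the redirect URI must match the registered one (step 4), the client must present a matching secret (step 7), the authorization code is bound to one client and redirect URI, expires quickly and is single-use, and the client refuses a callback whose state value it did not issue.

```python
"""Simulation of the OAuth 2.0 authorization code flow (added example, not the tutorial's code)."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_LIFETIME_SECONDS = 60  # assumed: authorization codes are short-lived


class AuthorizationServer:
    """Issues authorization codes (step 4) and exchanges them for access tokens (step 7)."""

    def __init__(self):
        self.clients = {}  # client_id -> {"secret", "redirect_uri"}
        self.codes = {}    # code -> {"client_id", "redirect_uri", "user", "issued", "used"}
        self.tokens = {}   # access_token -> user name

    def register_client(self, client_id, client_secret, redirect_uri):
        # Step 2: the client registers its redirect URI and receives an ID and secret.
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}

    def authorize(self, client_id, redirect_uri, state, user):
        # Steps 3-4: the user has logged in; build the redirect that carries the code.
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "issued": time.time(), "used": False}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, code, client_id, client_secret, redirect_uri):
        # Steps 6-7: authenticate the client, then exchange the code for a token.
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.get(code)
        if entry is None or entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            raise PermissionError("code not issued to this client/redirect_uri")
        if entry["used"] or time.time() - entry["issued"] > CODE_LIFETIME_SECONDS:
            raise PermissionError("authorization code expired or already used")
        entry["used"] = True  # codes are single-use
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = entry["user"]
        return {"access_token": access_token, "token_type": "Bearer"}


class ResourceServer:
    """Step 11: verifies the access token and returns the protected resource."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.resources = {"alice": ["photo1.jpg", "photo2.jpg"]}  # constructed sample data

    def get_resources(self, access_token):
        user = self.auth_server.tokens.get(access_token)
        if user is None:
            raise PermissionError("invalid access token")
        return self.resources.get(user, [])


class ClientApplication:
    """Starts the flow, handles the redirect (steps 5-6) and calls the resource server (step 10)."""

    def __init__(self, client_id, client_secret, redirect_uri, auth_server, resource_server):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.auth_server, self.resource_server = auth_server, resource_server
        self.pending_states, self.access_token = set(), None

    def start_login(self):
        state = secrets.token_urlsafe(16)  # unguessable value tied to this login attempt
        self.pending_states.add(state)
        return state

    def handle_callback(self, redirect_url):
        params = parse_qs(urlparse(redirect_url).query)
        state = params.get("state", [None])[0]
        if state not in self.pending_states:
            raise PermissionError("state mismatch: callback was not started by this client")
        self.pending_states.discard(state)
        token = self.auth_server.token(params["code"][0], self.client_id,
                                       self.client_secret, self.redirect_uri)
        self.access_token = token["access_token"]
        return self.access_token

    def fetch_resources(self):
        return self.resource_server.get_resources(self.access_token)


def run_flow():
    """Happy path: returns the resources delivered to the client in step 12."""
    auth = AuthorizationServer()
    auth.register_client("photo-app", "s3cret", "https://photo-app.example/callback")
    client = ClientApplication("photo-app", "s3cret", "https://photo-app.example/callback",
                               auth, ResourceServer(auth))
    state = client.start_login()
    redirect = auth.authorize("photo-app", "https://photo-app.example/callback", state, user="alice")
    client.handle_callback(redirect)
    return client.fetch_resources()


def replay_is_rejected():
    """Exchanging the same code twice must fail, so a leaked code is worthless once used."""
    auth = AuthorizationServer()
    auth.register_client("app", "pw", "https://app.example/cb")
    url = auth.authorize("app", "https://app.example/cb", "st", user="alice")
    code = parse_qs(urlparse(url).query)["code"][0]
    auth.token(code, "app", "pw", "https://app.example/cb")
    try:
        auth.token(code, "app", "pw", "https://app.example/cb")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow(), replay_is_rejected())
```

In a real deployment the authorization server's `authorize` endpoint is reached by the user's browser and `token` by the client's back end over TLS, which is what keeps the access token away from the user agent as described above; the in-memory calls here stand in for those two HTTP requests.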