Sunday, March 8, 2020

OAuth Authorization Code Grant Flow

The authorization code flow is the most flexible of the three supported authorization flows and is the recommended method of obtaining an access token for the API. The Authorization Code grant type is used by web and mobile apps. This flow is best suited to applications that have access to secure, private storage, such as web applications deployed on a server.

Access tokens obtained through the authorization code flow give your application permission to manipulate documents and other resources on behalf of a user (the Resource Owner) and to make requests for all API resources. Access tokens have a limited lifetime but can be renewed with a refresh token. A refresh token is valid indefinitely and lets your application schedule tasks on behalf of a user without their interaction.


Authorization Code Flow diagram:



The following parameters are sent in the HTTP request to the authorization endpoint in the Authorization Code Grant Flow:

  • response_type=code - Indicates that your server expects to receive an authorization code
  • client_id - The client ID you received when you first created the application
  • redirect_uri - Indicates the URI to return the user to after authorization is completed.
  • scope - One or more scope values indicating which parts of the user's account you wish to access.
  • state - A random string generated by your application, which you'll verify later. This value must match the value your application supplied in the URL creation step to protect against CSRF attacks.
In the Authorization Code grant flow, when the user clicks the Login button, the application should warn the user that their browser is about to be redirected to another site, where they will be asked to authorize the application with their user account before the requested action can proceed. This phase is called the consent phase.
The web app then sends the authorization code request to the /authorize endpoint of the Authorization Server using the parameters listed above.
Once it receives the authorization code, it calls the /token endpoint with the client_id, the shared secret and the authorization code. The Authorization Server validates the client_id, the shared secret and the authorization code and, once they are validated, issues the access token.

The app can then use the access token to access data on the resource server.

A successful refresh response body is JSON data containing the replacement access token. The JSON object contains the same properties as the result of the original access token response.

{
    "access_token": "MSwxN1zZPUxsLIzDM1wMJWEdDaTZiNNzMsYLDEdzcXNDY4NzaSzDA4Sw3QWCxFYFBZ0ZWzN3NzMZ3MWp5GM",
    "expires_in": 3600,
    "refresh_token": "MSwxMDM3MzRU3OUMktdmTsZpCDveWT5XMxQOG1SQTtNzczLVUcHOzNADEsbwGFV",
    "token_type": "bearer"
}
Note: A new refresh token may be issued during the process to obtain a new access token. Your application should discard the previous refresh token and store the new value. Ensure your application stores the new value securely.
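As an added example (not code from this post or from any particular provider), here is a minimal client for the four steps described above: building the /authorize request with a random state, checking that state on the callback before the code is used, exchanging the code at /token with the client_id and shared secret, and handling a refresh response that may or may not carry a rotated refresh token. The endpoint URLs, client values and the fake token endpoint are assumptions constructed for the example; the post function is injected so the code runs offline.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoint URLs are assumptions for this example, not values from the post.
AUTHORIZE_URL = "https://auth.example.com/authorize"
TOKEN_URL = "https://auth.example.com/token"

def build_authorize_url(client_id, redirect_uri, scope):
    """Step 1: build the /authorize request; keep `state` in the session."""
    state = secrets.token_urlsafe(32)  # unguessable, per-request CSRF token
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state

def code_from_callback(callback_url, expected_state):
    """Step 2: verify state from the callback before trusting the code."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not expected_state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: discard this callback (possible CSRF)")
    if "error" in qs:
        raise ValueError(f"authorization denied: {qs['error'][0]}")
    return qs["code"][0]

def exchange_code(post, client_id, client_secret, code, redirect_uri):
    """Step 3: back-channel call to /token with client_id, secret and code;
    `post(url, form)` is injected so the example runs without a network."""
    return post(TOKEN_URL, {"grant_type": "authorization_code", "code": code,
                            "redirect_uri": redirect_uri, "client_id": client_id,
                            "client_secret": client_secret})

def refresh_tokens(post, client_id, client_secret, stored):
    """Step 4: renew the access token; adopt a rotated refresh token if sent."""
    resp = post(TOKEN_URL, {"grant_type": "refresh_token",
                            "refresh_token": stored["refresh_token"],
                            "client_id": client_id, "client_secret": client_secret})
    updated = dict(stored, access_token=resp["access_token"],
                   expires_in=resp["expires_in"])
    if "refresh_token" in resp:  # new value issued: discard the old one
        updated["refresh_token"] = resp["refresh_token"]
    return updated

def fake_token_endpoint(url, form):
    """Constructed stand-in for the server's /token endpoint; it rotates the
    refresh token on every refresh, as the note above says a server may."""
    if form["grant_type"] == "authorization_code":
        return {"access_token": "AT-1", "expires_in": 3600,
                "refresh_token": "RT-1", "token_type": "bearer"}
    return {"access_token": "AT-2", "expires_in": 3600,
            "refresh_token": "RT-2", "token_type": "bearer"}
```

In a real deployment the stored tokens belong in the server-side private storage the post describes, and the state value is tied to the user's session rather than a local variable.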
