Authorization Code Flow
The Authorization Code Flow (defined in OAuth 2.0 RFC 6749, section 4.1) involves exchanging a short-lived authorization code for tokens.
This flow can only be used by confidential applications (such as Regular Web Applications) because the application's credentials (a client secret or a private key) are sent in the code-for-token exchange and must be kept secret. Public clients such as single-page and native applications cannot keep a secret and should use the Authorization Code Flow with PKCE (RFC 7636) instead.
How Authorization Code Flow Works
1. The user selects Login within the application.
2. The Login 3.0 SDK redirects the user's browser to the Login 3.0 Authorization Server (/authorize endpoint), passing the client ID, the registered redirect URI, the requested scopes, and a random state value that the application stores in the user's session.
3. The Login 3.0 Authorization Server redirects the user to a login and authorization prompt.
4. The user authenticates using one of the configured login options and may see a consent prompt listing the permissions Login 3.0 will grant to the application.
5. The Login 3.0 Authorization Server redirects the user back to the application's redirect URI with a single-use authorization code and the unchanged state value. Before using the code, the application checks that the returned state matches the one stored in the session; a mismatch means the callback was not started by this session (RFC 6749, section 10.12) and the code must be discarded.
6. The Login 3.0 SDK sends the authorization code, the application's client ID, the redirect URI, and the application's credentials (such as a client secret or Private Key JWT) to the Login 3.0 Authorization Server (/oauth/token endpoint). This is a server-to-server request over TLS; the credentials never pass through the browser.
7. The Login 3.0 Authorization Server verifies the application's credentials and the authorization code: that it exists, has not expired, has not already been redeemed, and was issued to this client ID and redirect URI.
8. The Login 3.0 Authorization Server responds with an ID token and an access token (and optionally, a refresh token).
9. The application can use the access token to call an API to access information about the user.
10. The API responds with the requested data.
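The end-to-end exchange above, as an added example that is not part of the original page or of the Login 3.0 SDK: a Python sketch of the application side (build the /authorize redirect with a state value, validate the callback, and send the code plus client secret to /oauth/token) run against a small in-memory mock of the authorization server so it works offline. The endpoint URLs, client ID, client secret and redirect URI are assumed placeholder values, and the mock server stands in for the real one only to show which checks each side performs; in a real deployment the token request is an HTTPS POST from the application backend.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder endpoints; a real tenant supplies its own values.
AUTHORIZE_ENDPOINT = "https://login.example.com/authorize"
TOKEN_ENDPOINT = "https://login.example.com/oauth/token"


class MockAuthorizationServer:
    """In-memory stand-in for /authorize and /oauth/token so the example runs offline.
    Constructed for this example; it is not the Login 3.0 Authorization Server."""

    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret": ..., "redirect_uris": [...]}
        self.codes = {}         # issued, not yet redeemed codes

    def authorize(self, query, user="alice"):
        """Steps 2-5: validate the request, 'authenticate' the user, redirect back with a code."""
        client = self.clients.get(query.get("client_id"))
        if client is None or query.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": query["client_id"],
                            "redirect_uri": query["redirect_uri"], "user": user}
        # state is echoed back unchanged; only the application can check it.
        return query["redirect_uri"] + "?" + urlencode({"code": code, "state": query.get("state", "")})

    def token(self, form):
        """Steps 6-8: authenticate the client, redeem the single-use code, issue tokens."""
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        client = self.clients.get(form.get("client_id"))
        if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
            return {"error": "invalid_client"}
        record = self.codes.pop(form.get("code", ""), None)  # pop: a code is redeemable once
        if (record is None or record["client_id"] != form["client_id"]
                or record["redirect_uri"] != form.get("redirect_uri")):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 86400, "id_token": "<signed ID token for %s>" % record["user"]}


def build_authorize_url(client_id, redirect_uri, session, scope="openid profile"):
    """Step 2: mint a fresh state, keep it in the user's session, build the redirect URL."""
    session["oauth_state"] = secrets.token_urlsafe(16)
    return AUTHORIZE_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": scope, "state": session["oauth_state"]})


def handle_callback(callback_url, session, client_id, client_secret, redirect_uri, post_token):
    """Steps 5-8: check state, then exchange the code for tokens through post_token(form)."""
    query = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    expected = session.pop("oauth_state", None)  # one-shot: a state value is never reused
    if expected is None or not hmac.compare_digest(expected, query.get("state", "")):
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in query:
        raise ValueError("authorization server returned %s" % query["error"])
    form = {"grant_type": "authorization_code", "code": query["code"],
            "redirect_uri": redirect_uri, "client_id": client_id, "client_secret": client_secret}
    # Production: an HTTPS POST of `form` to TOKEN_ENDPOINT from the backend, e.g. with requests.
    return post_token(form)


def run_flow(server, client_id, client_secret, redirect_uri):
    """Drive one complete login against the mock server; return (tokens, replay_response)."""
    session = {}
    auth_url = build_authorize_url(client_id, redirect_uri, session)
    query = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    callback_url = server.authorize(query)
    tokens = handle_callback(callback_url, session, client_id, client_secret, redirect_uri, server.token)
    # Redeeming the same code a second time must fail: it was consumed by the first exchange.
    code = parse_qs(urlparse(callback_url).query)["code"][0]
    replay = server.token({"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
                           "client_id": client_id, "client_secret": client_secret})
    return tokens, replay


if __name__ == "__main__":
    srv = MockAuthorizationServer({"app-123": {"secret": "s3cr3t",
                                               "redirect_uris": ["https://app.example.com/callback"]}})
    issued, replayed = run_flow(srv, "app-123", "s3cr3t", "https://app.example.com/callback")
    print(issued)
    print(replayed)  # {'error': 'invalid_grant'}
```

The two checks worth copying into a real implementation are the ones the mock makes explicit: the application rejects any callback whose state does not match the value bound to the session, and the server pops the code on first redemption and rejects it when the client ID or redirect URI differs from the ones it was issued to.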
How to Implement Authorization Code Flow
The easiest way to implement the Authorization Code Flow is to follow the Login 3.0 Quickstarts for Regular Web Applications.
Alternatively, you can use the Authentication API to implement the Authorization Code Flow. For more information, read:
Add Login Using the Authorization Code Flow
Call Your API Using the Authorization Code Flow