The authorization code protocol is part of OAuth 2.0 defined in (OAuth 2.0 RFC 6749, section 4.1). It involves the exchange of an authorization code for a token.
NOTE
It implies some security risks, so you should only use it after a security assessment.
This flow can only be used for applications, which can protect the client secret:
- Native app: Can not securely store the client secret, as it's possible to decompile the application.
- Single-page app: Can not securely store the client secret, as the full code is exposed in the user's browser
In that scenarios, Authorization Code Grant with Proof Key for Code Exchange (PKCE) must be used.
---
title: Authorization Code Grant
---
sequenceDiagram
actor User
User->>App: Click sign-in link (1)
activate App
App->>Identity Provider: Authorization code request (2)
deactivate App
Identity Provider-->>User: Redirect to login/authorization prompt (3)
User-->>Identity Provider: Authenticate (3)
Identity Provider->>App: Authorization code (3)
activate App
App->>Identity Provider: Authorization code & client secret (4)
Note right of Identity Provider: Validate authorization code &<br/>client secret
Identity Provider->>App: Access token and ID token (4)
deactivate App
App->>Your API: Request protected data with access token (5)
- The user clicks sign-in within the application.
signinRedirect()orsigninPopup()must be used to start the flow.- The identity provider authenticates the user and stores the code_challenge and redirects the user back to the application with an authorization code.
signinCallback()handles this callback by sending this authorization code and client secret to the identity provider and receiving in return the access token and ID token.- The access token is now accessible via
getUser()?.access_tokenand inserted into the requests to your protected API.