# Authorization Code Flow

## Overview

The Authorization Code Flow is the most secure OAuth 2.0 grant type for web applications. It lets an application obtain an access token, by exchanging a short-lived authorization code, and use that token to access protected resources.
## Flow Steps

1. **Client Initiates Flow**

The client redirects the user's browser to the authorization endpoint with `response_type=code`:

```http
GET /oauth/authorize
?response_type=code
&client_id=YOUR_CLIENT_ID
&redirect_uri=https://your-app.com/callback
&scope=read:user
&state=random_state_string
```
2. **User Authenticates & Authorizes**
- User logs in to authorization server
- Grants/denies permissions to the application
3. **Authorization Code Return**

The authorization server redirects the browser back to the registered `redirect_uri`:

```http
GET https://your-app.com/callback
?code=AUTHORIZATION_CODE
&state=random_state_string
```
4. **Exchange Code for Token**

The client sends the code to the token endpoint over the back channel, together with its credentials and the same `redirect_uri`:

```http
POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=AUTHORIZATION_CODE
&redirect_uri=https://your-app.com/callback
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
```
5. **Token Response**

```json
{
  "access_token": "ACCESS_TOKEN",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "REFRESH_TOKEN",
  "scope": "read:user"
}
```
## Security Considerations

- Always validate the `state` parameter on the callback against the value stored when the flow started
- Use HTTPS for all endpoints
- Store the `client_secret` securely and never ship it in client-side code
- Implement PKCE for mobile/native apps
- Set a short authorization code expiry
## Error Responses

```json
{
  "error": "invalid_request",
  "error_description": "Required parameter is missing",
  "error_uri": "https://your-docs.com/errors"
}
```
## Implementation Example

```javascript
const express = require("express");
const crypto = require("crypto");
const app = express();
const authServerURL = process.env.AUTH_SERVER_URL;
const clientID = process.env.CLIENT_ID;
const redirectURI = process.env.REDIRECT_URI; // e.g. https://your-app.com/callback
// Unpredictable per-request state; store it server-side and compare it on the callback
function generateRandomState() {
  return crypto.randomBytes(16).toString("hex");
}
app.get("/auth", (req, res) => {
  const authURL =
    `${authServerURL}/oauth/authorize?` +
    `response_type=code&` +
    `client_id=${clientID}&` +
    `redirect_uri=${encodeURIComponent(redirectURI)}&` +
    `state=${generateRandomState()}&` +
    `scope=read:user`;
  res.redirect(authURL);
});
```