Chapter 2. Server-Side Web Application Flow
In the Web Application flow (also known as the Authorization Code
flow), the resource owner is first redirected by the application to the
OAuth authorization server at the API provider. The authorization server
checks to see if the user has an active session; if she does not, it asks
her to log in first. It then prompts her to approve the application's
request for access to the requested data. After she grants access, she is
redirected back to the web application's registered redirect URI, and an
authorization code is included in the URL as the code query parameter:
http://www.example.com/oauth_callback?code=ABC1234
Because the code is passed as a query parameter, the web browser sends it
along to the web server that is acting as the OAuth client. This
authorization code is short-lived and intended for a single use; the
application exchanges it for an access token using a server-to-server call
to the authorization server, presenting its own client credentials in the
process. The access token is then used by the client to make API calls,
and never has to pass through the browser.
Sound confusing? Figure 2-1 shows the flow step-by-step, based on a diagram from the specification.
Figure 2-1. Server-side Web Application flow: Step-by-step
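The three legs of the flow in Figure 2-1, written out as an added example (not code from the book or from any particular API provider): building the authorization URL, handling the redirect back to the callback, and exchanging the code over a server-to-server call. The endpoint URLs, client ID, client secret, and scope are hypothetical placeholders, and the authorization server is a small in-process fake so the example runs offline. It also carries a `state` parameter, which the chapter does not mention: the client generates it, stores it in the user's session, and refuses any callback whose `state` does not match, so that an attacker cannot trick the user's browser into completing a login with a code the attacker obtained.

```python
"""Server-side Authorization Code flow (added example, hypothetical endpoints)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical registration values; none of these come from the page.
AUTHORIZE_URL = "https://auth.provider.example/oauth/authorize"
TOKEN_URL = "https://auth.provider.example/oauth/token"
CLIENT_ID = "my-web-app"
CLIENT_SECRET = "s3cr3t-kept-only-on-the-server"
REDIRECT_URI = "https://www.example.com/oauth_callback"  # https, not http
SCOPE = "read"


class OAuthError(Exception):
    """Raised when a callback or token response cannot be trusted."""


def build_authorization_url(session):
    """Leg 1: redirect the user to the authorization server.

    A fresh random state is stored in the user's server-side session and sent
    along so the callback can be tied back to this specific request.
    """
    state = secrets.token_urlsafe(16)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session, callback_url):
    """Leg 2: the browser arrives at the redirect URI carrying the code.

    Rejects error responses and any callback whose state does not match the
    one stored for this session. The stored state is consumed, so a second
    callback with the same state is also rejected.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise OAuthError(f"authorization failed: {query['error'][0]}")
    expected = session.pop("oauth_state", None)
    received = query.get("state", [""])[0]
    if not expected or not secrets.compare_digest(expected, received):
        raise OAuthError("state mismatch; callback not tied to this session")
    if "code" not in query:
        raise OAuthError("callback carries no authorization code")
    return query["code"][0]


def exchange_code(code, post):
    """Leg 3: server-to-server exchange of the code for an access token.

    `post(url, form_fields)` is whatever HTTP client the app uses; the client
    secret is sent here and nowhere else, so the browser never sees it or the
    resulting access token.
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
    response = post(TOKEN_URL, form)
    if "access_token" not in response:
        raise OAuthError(f"token exchange failed: {response.get('error')}")
    return response


class FakeAuthorizationServer:
    """Constructed stand-in for the provider, so the example runs offline.

    It issues one-time codes bound to the redirect URI they were sent to and
    insists on the client secret at the token endpoint.
    """

    def __init__(self):
        self.issued = {}  # code -> redirect_uri it was delivered to

    def authorize(self, auth_url):
        """Simulate the user approving access; returns the callback URL."""
        params = parse_qs(urlparse(auth_url).query)
        redirect_uri = params["redirect_uri"][0]
        code = secrets.token_urlsafe(8)
        self.issued[code] = redirect_uri
        return f"{redirect_uri}?{urlencode({'code': code, 'state': params['state'][0]})}"

    def token(self, url, form):
        """Token endpoint: checks client credentials and one-time-use codes."""
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        if form.get("client_id") != CLIENT_ID or form.get("client_secret") != CLIENT_SECRET:
            return {"error": "invalid_client"}
        bound_uri = self.issued.pop(form.get("code"), None)  # consumed on first use
        if bound_uri is None or bound_uri != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "expires_in": 3600}


def run_flow(server=None):
    """Drive all three legs end to end and return the token response."""
    server = server or FakeAuthorizationServer()
    session = {}  # the user's server-side session
    auth_url = build_authorization_url(session)
    callback_url = server.authorize(auth_url)
    code = handle_callback(session, callback_url)
    return exchange_code(code, server.token)


if __name__ == "__main__":
    print(run_flow())
```

The `post` callable is deliberately injected rather than hard-coded: in a real deployment it would be the app's HTTP client calling the provider over TLS, and the fake server's `token` method stands in for it here. Note that the fake rejects a replayed code with `invalid_grant`, which is the behaviour a conforming provider gives you and the reason the client should never log or reuse codes.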
When Should the Authorization Code Flow Be Used?
The Authorization Code flow should be used when
Long-lived access is required.
The OAuth client is a web application server.
Accountability for API calls is very important and the access token should not be exposed to the browser, where the user (or anything running in the user's browser) could read it.