Authorization Code Request - OAuth 2.0 Simplified (2024)

The authorization code grant is used when an application exchanges an authorization code for an access token. After the user returns to the application via the redirect URL, the application reads the authorization code from the query string of that URL and uses it to request an access token. This request is made to the token endpoint.

Request Parameters

The access token request will contain the following parameters.

grant_type (required)

The grant_type parameter must be set to “authorization_code”.

code (required)

This parameter is the authorization code that the client previously received from the authorization server.

redirect_uri (possibly required)

If the redirect URI was included in the initial authorization request, the service must require it in the token request as well. The redirect URI in the token request must be an exact match of the redirect URI that was used when generating the authorization code. The service must reject the request otherwise.

code_verifier (required for PKCE support)

If the client included a code_challenge parameter in the initial authorization request, it must now prove it has the secret used to generate the hash by sending it in the POST request. This is the plaintext string that was used to calculate the hash that was previously sent in the code_challenge parameter.

client_id (required if no other client authentication is present)

If the client is authenticating via HTTP Basic Auth or some other method, then this parameter is not required. Otherwise, this parameter is required.

If the client was issued a client secret, then the server must authenticate the client. One way to authenticate the client is to accept another parameter in this request, client_secret. Alternately the authorization server can use HTTP Basic Auth. Technically the spec allows the authorization server to support any form of client authentication, and mentions public/private key pair as an option. In practice, most consumer servers support the simpler methods of authenticating clients using either or both of the methods mentioned here. For more advanced methods of authenticating the client, refer to RFC 7523 which defines a method of using a signed JWT as client authentication.

Verifying the authorization code grant

After checking for all required parameters, and authenticating the client if the client was issued credentials, the authorization server can continue verifying the other parts of the request.

The server then checks if the authorization code is valid, and has not expired. The service must then verify that the authorization code provided in the request was issued to the client identified. Lastly, the service must ensure the redirect URI parameter present matches the redirect URI that was used to request the authorization code.

For PKCE support, the authorization server recomputes the challenge from the code_verifier presented in this token request and compares it with the code_challenge that was stored with the authorization code. For the S256 method this means base64url-encoding (without padding) the SHA256 hash of the code_verifier; for the plain method the verifier itself is the challenge. The comparison should be constant-time, and if the authorization request carried a code_challenge, a token request that omits the code_verifier must be rejected. If they match, the authorization server can be confident that the same client that made the original authorization request is making this token request.

If everything checks out, the service can generate an access token and respond.
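The checks above, worked through as an added example (this is not the site's own sample code): a minimal token endpoint that authenticates the client (HTTP Basic or client_secret in the body), looks up the code, enforces expiry, client binding, exact redirect_uri match and PKCE (S256 and plain), marks the code used, and revokes previously issued tokens when a code is replayed. The client registry, the in-memory code store and the client-side PKCE pair generator are constructed for the example; a real server would keep the code records in a database.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed in-memory state standing in for the authorization server's database.
CLIENTS = {"app-1234": "s3cret-9876",   # confidential client (issued a secret)
           "spa-5678": None}            # public client (no secret, relies on PKCE)
ISSUED_CODES = {}      # code -> record written when the authorization endpoint issued it
TOKENS_BY_CODE = {}    # code -> access tokens minted from it (needed for revocation on replay)
REVOKED_TOKENS = set()
CODE_LIFETIME = 60     # seconds; authorization codes are meant to be short-lived


def make_pkce_pair():
    """Client side (RFC 7636): a random code_verifier and its S256 code_challenge."""
    verifier = secrets.token_urlsafe(64)   # 86 chars, inside the allowed 43..128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def issue_code(client_id, redirect_uri, code_challenge=None, method="S256"):
    """Authorization endpoint: mint a code bound to the client, the redirect URI
    and the PKCE challenge that appeared in the authorization request."""
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                          "code_challenge": code_challenge, "method": method,
                          "expires": time.time() + CODE_LIFETIME, "used": False}
    return code


def authenticate_client(params, basic_auth=None):
    """Return the authenticated client_id or None. basic_auth is the (user, password)
    pair from an Authorization: Basic header; otherwise credentials come from the body."""
    if basic_auth is not None:
        client_id, secret = basic_auth
    else:
        client_id, secret = params.get("client_id"), params.get("client_secret")
    if client_id not in CLIENTS:
        return None
    registered = CLIENTS[client_id]
    if registered is None:            # public client: identified by client_id alone
        return client_id
    if secret is None or not hmac.compare_digest(secret, registered):
        return None                   # constant-time comparison of the client secret
    return client_id


def pkce_ok(record, verifier):
    """Recompute the challenge from the presented verifier and compare in constant time."""
    challenge = record["code_challenge"]
    if challenge is None:
        return True                   # no challenge in the authorization request, nothing to verify
    if verifier is None or not 43 <= len(verifier) <= 128:
        return False                  # challenge was sent, so a verifier is mandatory
    if record["method"] == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        computed = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    else:                             # "plain": the challenge is the verifier itself
        computed = verifier
    return hmac.compare_digest(computed, challenge)


def token_request(params, basic_auth=None):
    """Token endpoint for grant_type=authorization_code. Returns (status, JSON body)."""
    if params.get("grant_type") != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}
    client_id = authenticate_client(params, basic_auth)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    code = params.get("code")
    record = ISSUED_CODES.get(code)
    if record is None or record["expires"] < time.time():
        return 400, {"error": "invalid_grant"}
    if record["used"]:
        # Replay: treat as an attack and revoke everything this code already produced.
        for token in TOKENS_BY_CODE.pop(code, []):
            REVOKED_TOKENS.add(token)
        return 400, {"error": "invalid_grant"}
    if record["client_id"] != client_id:
        return 400, {"error": "invalid_grant"}   # code was issued to a different client
    if record["redirect_uri"] is not None and params.get("redirect_uri") != record["redirect_uri"]:
        return 400, {"error": "invalid_grant"}   # exact string match, no normalization
    if not pkce_ok(record, params.get("code_verifier")):
        return 400, {"error": "invalid_grant"}
    record["used"] = True
    token = secrets.token_urlsafe(32)
    TOKENS_BY_CODE.setdefault(code, []).append(token)
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}
```

The order of checks matters for the error codes: client authentication fails with invalid_client before the code is even looked up, so an attacker holding a stolen code learns nothing about it without the client's credentials, and every failure of the code itself collapses to the single invalid_grant response.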

Example

The following example shows an access token request for a confidential client, which authenticates by sending client_id and client_secret in the request body. The body is form-encoded; it is shown here split across lines for readability, and in a real request the redirect_uri value would be percent-encoded.

POST /oauth/token HTTP/1.1
Host: authorization-server.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=xxxxxxxxxxx
&redirect_uri=https://example-app.com/redirect
&code_verifier=Th7UHJdLswIYQxwSg29DbK1a_d9o41uNMTRmuH0PM8zyoMAQ
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx

See Access Token Response for details on the parameters to return when generating an access token or responding to errors.

Security Considerations

Preventing replay attacks

If an authorization code is used more than once, the authorization server must deny the subsequent requests. This is easy to accomplish if the authorization codes are stored in a database, since they can simply be marked as used.

If you are implementing self-encoded authorization codes, as in our example code, you'll need to keep track of the codes that have been used for the lifetime of the code. One way to accomplish this is to cache each redeemed code for the remainder of its lifetime. When verifying a code, first check the cache to see whether it has already been used. Once the code reaches its expiration date it will no longer be in the cache, but it can be rejected based on the expiration date anyway.

If a code is used more than once, it should be treated as an attack. If possible, the service should revoke the previous access tokens that were issued from this authorization code.
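The self-encoded approach from the two paragraphs above, as an added example (not the site's sample code): the code is an HMAC-signed JSON payload carrying its own id, expiry and bindings, so nothing is stored when it is issued; a used-code cache holds the id only until the code would expire anyway, and a second redemption revokes the tokens the first one produced. The signing key, the field names and the in-memory cache are assumptions of the example; client authentication, redirect_uri and PKCE checks are left out to keep the focus on single use.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = secrets.token_bytes(32)   # hypothetical server-side key for the HMAC tag
CODE_LIFETIME = 60                      # seconds

USED_CODES = {}      # code id (jti) -> expiry; the "used" cache, kept only for the code's lifetime
TOKENS_BY_JTI = {}   # code id -> access tokens minted from that code
REVOKED_TOKENS = set()


def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body):
    return _b64u(hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest())


def encode_code(client_id, redirect_uri, code_challenge, now=None):
    """Self-encoded authorization code: base64url(JSON payload) '.' HMAC-SHA256 tag.
    Nothing is written to a database when the code is issued."""
    now = time.time() if now is None else now
    payload = {"jti": secrets.token_urlsafe(16), "client_id": client_id,
               "redirect_uri": redirect_uri, "code_challenge": code_challenge,
               "exp": int(now + CODE_LIFETIME)}
    body = _b64u(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    return body + "." + _sign(body)


def decode_code(code, now=None):
    """Return the payload if the tag verifies and the code has not expired, else None."""
    now = time.time() if now is None else now
    body, sep, tag = code.partition(".")
    if not sep or not hmac.compare_digest(tag, _sign(body)):
        return None                       # forged or truncated code fails closed
    try:
        payload = json.loads(_unb64u(body))
    except ValueError:
        return None
    return payload if payload.get("exp", 0) > now else None


def purge_used_cache(now):
    """Drop cache entries for codes that are expired anyway; decode_code rejects those."""
    for jti in [j for j, exp in USED_CODES.items() if exp <= now]:
        del USED_CODES[jti]


def redeem_code(code, now=None):
    """Single-use check for a self-encoded code. Returns (result, access_token)."""
    now = time.time() if now is None else now
    purge_used_cache(now)
    payload = decode_code(code, now)
    if payload is None:
        return "invalid_grant", None
    jti = payload["jti"]
    if jti in USED_CODES:
        # Reuse is treated as an attack: revoke tokens already issued from this code.
        for token in TOKENS_BY_JTI.pop(jti, []):
            REVOKED_TOKENS.add(token)
        return "replay", None
    USED_CODES[jti] = payload["exp"]      # remember the code until it would expire
    token = secrets.token_urlsafe(32)
    TOKENS_BY_JTI[jti] = [token]
    return "ok", token
```

The `now` parameter exists so the expiry and cache-purge behaviour can be exercised without sleeping; in production every call uses the clock. If the server runs more than one instance, the used-code cache has to be shared (for example in a replicated key-value store), otherwise a replay against a different instance succeeds.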


FAQs

What is OAuth 2.0 in layman's terms? ›

Principles of OAuth2.0

OAuth 2.0 is an authorization protocol and NOT an authentication protocol. As such, it is designed primarily as a means of granting access to a set of resources, for example, remote APIs or user data. OAuth 2.0 uses Access Tokens.

What is an example of OAuth 2.0 authentication? ›

For example, an application can use OAuth 2.0 to obtain permission from users to store files in their Google Drives.

How to make an oauth2 request? ›

Steps to connect using OAuth 2.0
  1. Step 1: Construct an Authorize URL. ...
  2. Step 2: GET oauth2/authorize. ...
  3. Step 3: POST oauth2/token - Access Token. ...
  4. Step 4: Connect to the APIs. ...
  5. Step 5: POST oauth2/token - refresh token. ...
  6. Step 6: POST oauth2/revoke - Revoke Token.

How to authorize with OAuth? ›

Using OAuth 2.0 for Web Server Applications
  1. Step 1: Set authorization parameters.
  2. Step 2: Redirect to Google's OAuth 2.0 server.
  3. Step 3: Google prompts user for consent.
  4. Step 4: Handle the OAuth 2.0 server response.
  5. Step 5: Exchange authorization code for refresh and access tokens.

What is the authorization code in OAuth2? ›

The OAuth 2.0 authorization code grant type, or auth code flow, enables a client application to obtain authorized access to protected resources like web APIs. The auth code flow requires a user-agent that supports redirection from the authorization server (the Microsoft identity platform) back to your application.

How does OAuth 2.0 work in Rest API? ›

OAuth 2.0 is a standard for implementing delegated authorization, and authorization is based on the access token required to access a resource. The access token can be issued for a given scope, which defines what the access token can do and what resources it can access.

What is a real life example of OAuth2? ›

A real life example with a Web Page

The Google engineers built a web page that contains some JavaScript code. With this code they want to access, from the web page itself, the list of files in an end user's Google Drive. No server interaction is involved, and this is the crucial part of the Implicit Grant flow.

Is OAuth authentication or authorization? ›

OAuth is about authorization and not authentication. Authorization is asking for permission to do stuff. Authentication is about proving you are the correct person because you know things.

What is the difference between authentication and authorization? ›

Authentication confirms that users are who they say they are. Authorization gives those users permission to access a resource. While authentication and authorization might sound similar, they are distinct security processes in the world of identity and access management (IAM).

What is an authorization request? ›

An authorization request is the operation that allows a transaction to be accepted or refused.

What is the difference between basic authentication and OAuth2? ›

Opposed to OAuth, Basic Authentication is a more straightforward, yet less secure method embedded within the HTTP framework. It involves transmitting a username and password with every request, often encoded in Base64. This method, while simple, risks exposing user credentials more openly.

What is OAuth and how does it work? ›

OAuth is an open standard for authorization. It lets users authorize third-party access to their servers without handing out their username and password. Read this blog to also find about OAuth 2.0 as an authorization framework for delegated access to web APIs.

Which API uses OAuth 2.0 for authorization? ›

Google APIs use the OAuth 2.0 protocol for authentication and authorization. Google supports common OAuth 2.0 scenarios such as those for web server, client-side, installed, and limited-input device applications. To begin, obtain OAuth 2.0 client credentials from the Google API Console.

What is the most common form of OAuth2 authentication? ›

Authorization Code Grant is the most widely used grant type to authorize the client. In this scenario, the authorization server will return a single-use authorization code to the client, which is then exchanged for an access token.

What is the difference between API and OAuth2? ›

OAuth2 vs API keys

Here are some of the benefits of OAuth2 over the API key: Access token is tied to a specific user, not an app. User credentials are never exposed to an app, authentication is done in a single place – Authorization Server.

What is the difference between SSO and OAuth? ›

In summary, SSO is used for authenticating users, while OAuth is used for granting access to resources. OAuth can be used as part of an SSO solution, but it is not a replacement for SSO.

Article information

Author: Terence Hammes MD

