Delegated access without sharing passwords
OAuth2 lets a user grant an application limited access to their data on another service without sharing their password. The authorization code flow is the standard pattern for apps with a server backend.
The participants are:
- The resource owner, the user.
- The client, the application requesting access.
- The authorization server, which authenticates the user and issues tokens.
- The resource server, which holds the protected data.
The exchange in two legs
First, the client redirects the user to the authorization server, which authenticates them and asks for consent. On approval it redirects back to the client with a short-lived authorization code in the URL.
Second, the client exchanges that code, over its back channel, for an access token. Because that request is made server-side, the token never appears in the browser URL or history.
The two-leg design matters: the code in the redirect is useless on its own, because exchanging it requires the client's secret over a trusted back channel.
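The two legs above, as an added in-memory simulation (not code from the original page): a constructed authorization server issues a code in leg 1 and exchanges it in leg 2, and the checks that make the code useless on its own (client secret, matching redirect_uri, expiry, single use, and the client's state check) are made explicit. The client id `app`, the redirect URI and the secret are constructed placeholders.

```python
import secrets
import time
from urllib.parse import parse_qsl, urlsplit

CODE_LIFETIME = 60  # seconds: authorization codes are short-lived by design

class AuthorizationServer:
    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}         # code -> {client_id, redirect_uri, user, issued}
        self.tokens = {}        # access_token -> user

    def authorize(self, client_id, redirect_uri, state, user):
        """Leg 1 (front channel): user has authenticated and consented; redirect back."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "issued": time.time()}
        return f"{redirect_uri}?code={code}&state={state}"  # code and state only, no token

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Leg 2 (back channel): needs the secret, same redirect_uri, a fresh code; single use."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}  # RFC 6749 style error; code is not consumed
        entry = self.codes.pop(code, None)      # consumed now, even if later checks fail
        if (entry is None or entry["client_id"] != client_id
                or entry["redirect_uri"] != redirect_uri
                or (now or time.time()) - entry["issued"] > CODE_LIFETIME):
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = entry["user"]
        return {"access_token": access_token, "token_type": "Bearer"}

def callback_params(redirect_url):
    """What the client's callback receives via the browser: code and state, no token."""
    return dict(parse_qsl(urlsplit(redirect_url).query))

REDIRECT, SECRET = "https://app.example/cb", "client-secret-placeholder"  # constructed

def run_flow(user="alice"):
    """Both legs from the client's side; returns (server, code, token response)."""
    server = AuthorizationServer({"app": {"secret": SECRET, "redirect_uri": REDIRECT}})
    state = secrets.token_urlsafe(16)   # bound to the user's browser session
    params = callback_params(server.authorize("app", REDIRECT, state, user))
    if not secrets.compare_digest(params["state"], state):
        raise ValueError("state mismatch: response was not for this session")
    return server, params["code"], server.token("app", SECRET, params["code"], REDIRECT)
```

Replaying the code, presenting it without the secret, or presenting it with a different redirect_uri all yield an error response rather than a token, which is the property the two-leg design relies on.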
Key idea
The authorization code flow trades a short-lived code, delivered in a redirect, for tokens over a back channel, so tokens never appear in the browser URL.