The OAuth Authorization Code Flow

Delegating access without sharing passwords, using a one-time code exchange.

The Goal

The authorization code flow lets a user grant an application limited access to their data at a provider without revealing their password. The app receives a short-lived authorization code that it exchanges for tokens over the back channel.

The Steps

  • The app redirects the user to the authorization server with a requested scope.
  • The user authenticates and consents at the provider.
  • The provider redirects back with a one-time code.
  • The app exchanges the code plus its client secret for an access token over a server-to-server call.

Why It Is Secure

  • The token exchange happens on the back channel, so tokens never appear in the browser URL.
  • PKCE adds a proof key so a stolen code cannot be redeemed by whoever intercepted it; this is vital for public clients, which have no client secret to present.
  • The state parameter ties the response to the original request to prevent CSRF.
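The four steps above and the three protections are easiest to see in one place. The following is an added example, not code from the original lesson: an in-memory authorization server and a relying client run the whole flow in-process, then show what each check rejects. The client id "photo-app", the secret "s3cret", the redirect URI and the user "alice" are constructed sample values; the PKCE S256 method and base64url encoding follow RFC 7636.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding PKCE (RFC 7636) uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 range
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """In-memory stand-in for the provider: issues one-time codes and redeems them once."""

    CODE_TTL = 60  # seconds; authorization codes are short-lived

    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret": str, "redirect_uri": str}
        self.codes = {}         # code -> what it was issued for

    def authorize(self, params, user):
        """Steps 2-3: the user has authenticated and consented; build the redirect back."""
        client = self.clients[params["client_id"]]
        if params["redirect_uri"] != client["redirect_uri"]:
            raise ValueError("redirect_uri is not registered for this client")
        if params.get("code_challenge_method") != "S256":
            raise ValueError("S256 code_challenge required")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
                            "code_challenge": params["code_challenge"], "scope": params["scope"],
                            "user": user, "expires": time.time() + self.CODE_TTL}
        # state is echoed back unchanged so the client can match this response to its own request
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, req):
        """Step 4, back channel: code + client secret + code_verifier -> access token."""
        record = self.codes.pop(req["code"], None)  # pop: a code can be redeemed exactly once
        if record is None or record["expires"] < time.time():
            raise PermissionError("invalid_grant: unknown, replayed or expired code")
        client = self.clients.get(req["client_id"])
        if client is None or record["client_id"] != req["client_id"]:
            raise PermissionError("invalid_client")
        if not secrets.compare_digest(req.get("client_secret", ""), client["secret"]):
            raise PermissionError("invalid_client: bad client_secret")
        if req["redirect_uri"] != record["redirect_uri"]:
            raise PermissionError("invalid_grant: redirect_uri mismatch")
        expected = b64url(hashlib.sha256(req["code_verifier"].encode("ascii")).digest())
        if not secrets.compare_digest(expected, record["code_challenge"]):
            raise PermissionError("invalid_grant: code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": record["scope"], "sub": record["user"]}


class Client:
    """The relying app. state and code_verifier live in the user's server-side session."""

    def __init__(self, client_id, client_secret, redirect_uri, server):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.server, self.sessions = redirect_uri, server, {}

    def start_login(self, session_id, scope):
        """Step 1: the authorization request the user is redirected with."""
        state = secrets.token_urlsafe(16)
        verifier, challenge = make_pkce_pair()
        self.sessions[session_id] = {"state": state, "verifier": verifier}
        return {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": state, "code_challenge": challenge, "code_challenge_method": "S256"}

    def handle_callback(self, session_id, redirect_url):
        """Steps 3-4: check state against the session, then redeem the code on the back channel."""
        session = self.sessions.pop(session_id)
        qs = parse_qs(urlparse(redirect_url).query)
        if qs.get("state", [""])[0] != session["state"]:
            raise PermissionError("state mismatch: this response was not issued for our request")
        return self.server.token({"grant_type": "authorization_code", "code": qs["code"][0],
                                  "client_id": self.client_id, "client_secret": self.client_secret,
                                  "redirect_uri": self.redirect_uri, "code_verifier": session["verifier"]})


def _rejected(fn, *args):
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


def demo():
    """Run the flow once, then exercise the three checks that make it safe (sample values are constructed)."""
    server = AuthorizationServer({"photo-app": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}})
    client = Client("photo-app", "s3cret", "https://app.example/cb", server)
    redirect = server.authorize(client.start_login("sess-1", "photos:read"), user="alice")
    token = client.handle_callback("sess-1", redirect)
    out = {"scope": token["scope"], "sub": token["sub"]}
    # One-time use: the redeemed code is gone, so a replay fails before the verifier is even checked
    code = parse_qs(urlparse(redirect).query)["code"][0]
    out["replay_rejected"] = _rejected(server.token, {"code": code, "client_id": "photo-app", "client_secret": "s3cret",
                                                      "redirect_uri": "https://app.example/cb", "code_verifier": "x"})
    # PKCE: a code read off the redirect is useless without the verifier held in the session
    code2 = parse_qs(urlparse(server.authorize(client.start_login("sess-2", "photos:read"), "alice")).query)["code"][0]
    out["stolen_code_rejected"] = _rejected(server.token, {"code": code2, "client_id": "photo-app", "client_secret": "s3cret",
                                                           "redirect_uri": "https://app.example/cb", "code_verifier": "wrong"})
    # state: a callback carrying a state this session never issued is dropped before any exchange
    client.start_login("sess-3", "photos:read")
    forged = "https://app.example/cb?" + urlencode({"code": "irrelevant", "state": "not-ours"})
    out["forged_state_rejected"] = _rejected(client.handle_callback, "sess-3", forged)
    return out
```

Calling `demo()` returns the granted scope and subject from the happy path, plus three booleans that are all `True`: the replayed code, the code redeemed without its verifier, and the callback with an unknown state are each refused. Note that the failed verifier attempt also consumes the code, so a real client that loses a race should simply start a new login rather than retry.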

Key idea

The authorization code flow swaps a one-time code for tokens on the back channel, and PKCE plus state protect that exchange from interception and forgery.

Check yourself

1. What does the app exchange the authorization code for?

2. What does PKCE protect against?

3. What is the state parameter used for?