Authorization Code Flow
  • Called three-legged because this flow lets each of the three involved actors be identified, i.e. the OAuth Server, the Resource Owner, and the Client
  • This flow is usually used by server-side applications, in which the client secret and tokens can be securely stored and protected
  • This flow is not recommended for client-side applications, where the client secret and tokens cannot be securely stored

Access Flow

  1. Get the Authorization Code at the authorization endpoint
  2. Get the Token at the token endpoint
  3. Use the Access Token to access the resource at the resource endpoint

Authorization Endpoint Flow
  1. The Resource Owner uses the client to access the resource
  2. The client sends a request to the OAuth server asking for an Authorization Code at the authorization endpoint
  3. The OAuth server shows the login page to the Resource Owner in the browser
  4. The Resource Owner enters username and password and submits them to the OAuth server for validation
  5. The OAuth server shows a consent page to the Resource Owner listing the requested resources
  6. The Resource Owner returns consent to the OAuth server
  7. The OAuth server sends an HTTP response with status 302 and the Authorization Code back to the browser, which redirects back to the client. The client finally gets the Authorization Code.
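The exchange in steps 2 and 7 above (the client's request to the authorization endpoint and the 302 redirect that carries the code back), written out as an added example that is not part of the original page or of any particular OAuth server. It also covers step 1 of the Access Flow overview. The endpoint URL, client id, redirect URI and the authorization code value are constructed placeholders. Beyond what the text shows, the client also generates a random `state` value and rejects a redirect whose `state` does not match, which is the standard defence against a forged callback, and the simulated server only redirects to the registered redirect URI.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values for the example (assumptions, not taken from any real server).
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://client.example.com/callback"
# Redirect URIs the hypothetical OAuth server has on file for CLIENT_ID.
REGISTERED_REDIRECT_URIS = {CLIENT_ID: {REDIRECT_URI}}


def new_state():
    """Per-login random value the client stores in the user's session and checks on return."""
    return secrets.token_urlsafe(32)


def build_authorization_request(state, scope="read"):
    """Step 2: the URL the client sends the browser to when asking for an Authorization Code."""
    params = {
        "response_type": "code",      # asks for a code, not a token (this is the code flow)
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def simulate_server_redirect(auth_request_url, issued_code):
    """Step 7 as the server sees it: after login and consent, answer 302 with the code.

    Simulated server behaviour for this example; a real server would also have run
    steps 3 to 6 (login and consent) before reaching this point.
    """
    q = parse_qs(urlparse(auth_request_url).query)
    client_id = q.get("client_id", [None])[0]
    redirect_uri = q.get("redirect_uri", [None])[0]
    if q.get("response_type") != ["code"]:
        return {"status": 400, "error": "unsupported_response_type"}
    # The server must only redirect to a URI registered for this client;
    # otherwise the code could be sent to an attacker-chosen location.
    if redirect_uri not in REGISTERED_REDIRECT_URIS.get(client_id, set()):
        return {"status": 400, "error": "invalid_redirect_uri"}
    location = redirect_uri + "?" + urlencode({"code": issued_code, "state": q["state"][0]})
    return {"status": 302, "Location": location}


def extract_authorization_code(location, expected_state):
    """Client side of step 7: read the code from the redirect, refusing a mismatched state."""
    q = parse_qs(urlparse(location).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this redirect was not started by our session")
    if "code" not in q:
        raise ValueError("redirect carries no authorization code")
    return q["code"][0]


if __name__ == "__main__":
    state = new_state()
    url = build_authorization_request(state)
    print("browser goes to:", url)
    resp = simulate_server_redirect(url, "CONSTRUCTED-CODE-123")  # constructed code value
    print("server answers:", resp["status"], resp.get("Location"))
    print("client obtained code:", extract_authorization_code(resp["Location"], state))
```

The `state` value is stored server-side in the client's session before the redirect and compared on return; only after that check passes is the code taken to the token endpoint in the next step.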

Token Endpoint Flow