Getting Started with OAuth 2.0 by Ryan Boyd

Chapter 2. Server-Side Web Application Flow

In the Web Application flow (also known as the Authorization Code flow), the resource owner is first redirected by the application to the OAuth authorization server at the API provider. The authorization server checks to see if the user has an active session. If she does, the authorization server prompts her for access to the requested data. After she grants access, she is redirected back to the web application and an authorization code is included in the URL as the code query parameter:

http://www.example.com/oauth_callback?code=ABC1234

Because the code is passed as a query parameter, the web browser sends it along to the web server that is acting as the OAuth client. This authorization code is then exchanged for an access token using a server-to-server call from the application to the authorization server. This access token is used by the client to make API calls.
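The four steps above (redirect to the authorization server, user consent, callback with the code, server-to-server exchange of the code for an access token), run end to end as an added example. This is not code from the book; the endpoint URLs, client credentials and the in-memory authorization server are constructed stand-ins so the flow executes offline. Two checks that the excerpt does not mention but that RFC 6749 requires of a real client are included: the state parameter that ties the callback to the browser session, and the authorization server's refusal to honour the same code twice.

```python
"""Added example (not from the book): the server-side Authorization Code flow
simulated end to end in one process. Endpoint URLs, client credentials and the
in-memory authorization server are constructed for illustration."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values; a real deployment reads these from configuration.
AUTH_ENDPOINT = "https://provider.example/oauth2/auth"
TOKEN_ENDPOINT = "https://provider.example/oauth2/token"
REDIRECT_URI = "http://www.example.com/oauth_callback"
CLIENT_ID = "web-app-client"
CLIENT_SECRET = "constructed-client-secret"


def build_authorization_url(scope: str, state: str) -> str:
    """Step 1: the client redirects the resource owner's browser to the
    authorization server. 'state' is an unguessable value the client stores in
    the user's session so it can tie the callback to this request (RFC 6749
    section 10.12; not covered in the excerpt)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def extract_code_from_callback(callback_url: str, expected_state: str) -> str:
    """Step 3: the browser arrives at the callback URL with ?code=... The
    client accepts the code only if the state matches what it stored."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(f"authorization denied: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    return query["code"][0]


def token_request_body(code: str) -> dict:
    """Step 4: body of the server-to-server POST to TOKEN_ENDPOINT. The client
    secret is sent only on this back channel and never reaches the browser."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }


class FakeAuthorizationServer:
    """Constructed stand-in for the API provider so the flow runs offline.
    It issues one-time codes and exchanges them for bearer access tokens."""

    def __init__(self):
        self._pending = {}   # code -> (client_id, redirect_uri, scope)
        self.tokens = {}     # access_token -> scope

    def authorize(self, authorization_url: str, user_consents: bool) -> str:
        """Step 2: after the user grants access, redirect back to the client
        with the code and the state the client sent."""
        q = parse_qs(urlparse(authorization_url).query)
        redirect_uri, state = q["redirect_uri"][0], q["state"][0]
        if not user_consents:
            return f"{redirect_uri}?{urlencode({'error': 'access_denied', 'state': state})}"
        code = secrets.token_urlsafe(16)
        self._pending[code] = (q["client_id"][0], redirect_uri, q["scope"][0])
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, body: dict) -> dict:
        """Step 4/5: exchange the code exactly once; a replayed or unknown
        code, wrong client credentials or wrong redirect_uri are rejected."""
        entry = self._pending.pop(body.get("code"), None)
        if entry is None or body.get("grant_type") != "authorization_code":
            return {"error": "invalid_grant"}
        client_id, redirect_uri, scope = entry
        if (body.get("client_id"), body.get("client_secret")) != (client_id, CLIENT_SECRET) \
                or body.get("redirect_uri") != redirect_uri:
            return {"error": "invalid_client"}
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = scope
        return {"access_token": access_token, "token_type": "bearer", "scope": scope}


def run_flow(server: FakeAuthorizationServer, user_consents: bool = True) -> dict:
    """Drive all steps in order and return the token endpoint's response."""
    state = secrets.token_urlsafe(16)   # kept in the user's session in practice
    auth_url = build_authorization_url("profile", state)
    callback_url = server.authorize(auth_url, user_consents)
    code = extract_code_from_callback(callback_url, state)
    return server.token(token_request_body(code))


if __name__ == "__main__":
    print(run_flow(FakeAuthorizationServer()))
```

In a real client, `token_request_body` is what gets POSTed to the token endpoint over TLS; everything else on the client side is the same, which is why the access token and client secret never appear in a URL the browser sees.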

Sound confusing? Figure 2-1 shows the flow step-by-step, based on a diagram from the specification.

Figure 2-1. Server-side Web Application flow: Step-by-step

When Should the Authorization Code Flow Be Used?

The Authorization Code flow should be used when

  • Long-lived access is required.

  • The OAuth client is a web application server.

  • Accountability for API calls is very important and the OAuth token shouldn’t be leaked to the browser, where the user may have access to it.

Security Properties ...