In the Web Application flow (also known as the Authorization Code
flow), the resource owner is first redirected by the application to the
OAuth authorization server at the API provider. The authorization server
checks whether the user has an active session (logging her in first if
she does not) and then prompts her to grant the application access to the
requested data. After she grants access, she is redirected back to the web
application with an authorization code included in the redirect URL as the
code query parameter. Because the code is passed as a query parameter, the
web browser sends it along to the web server that is acting as the OAuth
client. That server then exchanges the authorization code for an access
token using a server-to-server call to the authorization server's token
endpoint, authenticating itself with its client credentials. The
authorization code is short-lived and valid for a single exchange; the
access token is what the client uses to make API calls.
Sound confusing? Figure 2-1 shows the flow step-by-step, based on a diagram from the specification.
The Authorization Code flow should be used when:
Long-lived access is required.
The OAuth client is a web application server.
Accountability for API calls is very important and the access token shouldn't be leaked to the browser, where the user may have access to it.
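The following is an added example, not code from the book or from any OAuth library, that models the flow just described and the last point above: an in-memory authorization server and a web application server acting as the OAuth client exchange messages exactly in the order the text gives, and the access token is stored only in the client's server-side session, never placed in a URL the browser sees. The endpoint URLs, client_id, client_secret, redirect URI, scope, and code lifetime are constructed placeholder values. The example also goes slightly beyond the text by checking the state parameter on the callback and by rejecting a replayed authorization code, two checks a practitioner would want in any real implementation.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder values for the example; none come from the original text.
AUTH_ENDPOINT = "https://api-provider.example/oauth2/authorize"
CLIENT_ID = "web-app-client"
CLIENT_SECRET = "web-app-secret"          # known only to the web application server
REDIRECT_URI = "https://www.example.com/oauth_callback"
CODE_LIFETIME = 60                        # seconds an authorization code stays valid


class AuthorizationServer:
    """Minimal in-memory model of the API provider's authorization server."""

    def __init__(self, clients):
        self.clients = clients            # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}                   # code -> (client_id, redirect_uri, user, expiry)
        self.tokens = {}                  # access_token -> user it was issued for

    def authorize(self, client_id, redirect_uri, state, user, consent=True):
        """Browser-facing step: user has a session and grants (or denies) access.
        Returns the URL the browser is redirected back to."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match the registered value")
        if not consent:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, user, time.time() + CODE_LIFETIME)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Server-to-server step: trade a code for an access token.
        The code is single-use and bound to the client and redirect_uri that obtained it."""
        now = time.time() if now is None else now
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            return {"error": "invalid_client"}
        entry = self.codes.pop(code, None)   # pop: a second exchange of the same code fails
        if entry is None:
            return {"error": "invalid_grant"}
        bound_client, bound_uri, user, expiry = entry
        if bound_client != client_id or bound_uri != redirect_uri or now > expiry:
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = user
        return {"access_token": access_token, "token_type": "bearer", "expires_in": 3600}


class WebAppClient:
    """The web application server acting as the OAuth client."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.sessions = {}                # session_id -> dict holding state and, later, the token

    def start(self, session_id):
        """Build the authorization URL the browser is redirected to; remember the state."""
        state = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"state": state}
        params = {"response_type": "code", "client_id": CLIENT_ID,
                  "redirect_uri": REDIRECT_URI, "scope": "read", "state": state}
        return AUTH_ENDPOINT + "?" + urlencode(params)

    def callback(self, session_id, callback_url):
        """Handle the redirect back: read code from the query string, check state,
        then exchange the code server-to-server. The token never reaches the browser."""
        qs = parse_qs(urlparse(callback_url).query)
        session = self.sessions[session_id]
        if qs.get("state", [None])[0] != session["state"]:
            raise ValueError("state mismatch: possible CSRF or stray callback")
        if "code" not in qs:
            raise ValueError("authorization failed: " + qs.get("error", ["unknown"])[0])
        resp = self.auth_server.token(CLIENT_ID, CLIENT_SECRET, qs["code"][0], REDIRECT_URI)
        if "access_token" not in resp:
            raise ValueError("token exchange failed: " + resp["error"])
        session["access_token"] = resp["access_token"]   # kept server-side only
        return resp


def run_flow(user="alice"):
    """Drive one complete flow and return what each party ends up with."""
    auth_server = AuthorizationServer({CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)})
    client = WebAppClient(auth_server)
    auth_url = client.start("sess-1")
    # The browser follows auth_url; the authorization server reads its query parameters.
    q = parse_qs(urlparse(auth_url).query)
    redirect_back = auth_server.authorize(q["client_id"][0], q["redirect_uri"][0], q["state"][0], user)
    # The browser follows redirect_back; the client's callback handler sees the code.
    token_resp = client.callback("sess-1", redirect_back)
    # Replaying the same code must fail: the first exchange consumed it.
    code = parse_qs(urlparse(redirect_back).query)["code"][0]
    replay = auth_server.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
    return {"token": token_resp, "replay": replay,
            "user": auth_server.tokens[token_resp["access_token"]],
            "browser_saw_token": "access_token" in redirect_back}


if __name__ == "__main__":
    print(run_flow())
```

Everything the browser ever carries is the authorization URL and the redirect back with code and state; the access token exists only in the authorization server's table and the client's server-side session, which is the accountability property the last point above is after.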