oauth-authorization code grant - Coggle Diagram
- resources
  - https://www.rfc-editor.org/rfc/rfc6749#section-4.1
- what
  - used for
    - access token
    - refresh token
  - optimized for confidential clients
  - redirection-based flow
    - client
      - must be capable of
        - communicating with the resource owner's user agent (web browser)
        - receiving the redirection response from the authorization server
- flow steps
  1. client initiates the flow
     - directs the resource owner's user agent to the authorization server endpoint
     - client includes
       - identifier
       - requested scope
       - local state
       - a redirection URI (the authorization server redirects the user-agent here)
  2. authorization server
     - authenticates the resource owner via the user-agent
     - gets the resource owner's consent for the client's access request
       - consent
         - yes
           - redirects the user-agent to the URI provided in step 1
           - redirection URI includes
             - authorization code
             - any local state provided by the client earlier
         - no
  3. client
     - sends a request to the authorization server's token endpoint
     - includes
       - authorization code
       - redirection URI used to get the authz code
     - gets back an access token
  4. authorization server
     - authenticates the client
     - validates the authorization code
     - validates the redirection URI
     - responds with an access token
       - optionally a refresh token
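The four steps above, driven end to end in one process as an added example (this is not part of the Coggle diagram or of RFC 6749's text). The class names `AuthorizationServer`, `Client` and `run_flow`, the client id `app-1`, its secret and the redirect URI `https://app.example/cb` are all constructed for illustration. The server side shows the checks the outline names in step 4 (client authentication, code validation, redirect URI validation) plus single-use codes; the client side shows the `state` check on the way back.

```python
"""Toy simulation of the OAuth 2.0 authorization code grant (RFC 6749, section 4.1).

Added example, not code from the diagram or the RFC. All names and values are
constructed. Both parties live in one process; in a real deployment the
redirects in steps 1 and 2 travel through the resource owner's browser.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    def __init__(self, clients):
        # client_id -> (client_secret, set of registered redirect URIs)
        self.clients = clients
        self.codes = {}    # authorization code -> (client_id, redirect_uri, scope)
        self.tokens = {}   # access token -> (client_id, scope)

    def authorize(self, client_id, redirect_uri, scope, state, consent):
        """Step 2: resource owner is assumed authenticated; record the consent decision."""
        registered = self.clients.get(client_id)
        if registered is None or redirect_uri not in registered[1]:
            # Never redirect to an unregistered URI; fail at the server instead,
            # otherwise the code in the redirect could be delivered elsewhere.
            raise ValueError("unknown client_id or unregistered redirect_uri")
        if not consent:
            # "no" branch: error response still carries the client's state back
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(32)
        # Bind the code to the client and redirect URI it was issued for (checked in step 4)
        self.codes[code] = (client_id, redirect_uri, scope)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 4: authenticate client, validate code and redirect URI, issue tokens."""
        registered = self.clients.get(client_id)
        if registered is None or not hmac.compare_digest(registered[0], client_secret):
            return {"error": "invalid_client"}
        entry = self.codes.pop(code, None)  # pop: an authorization code is single use
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            return {"error": "invalid_grant"}
        access = secrets.token_urlsafe(32)
        self.tokens[access] = (client_id, entry[2])
        return {
            "access_token": access,
            "token_type": "Bearer",
            "expires_in": 3600,
            "refresh_token": secrets.token_urlsafe(32),  # optional, as the outline says
            "scope": entry[2],
        }


class Client:
    """Confidential client: holds a secret and receives the redirect at redirect_uri."""

    def __init__(self, client_id, client_secret, redirect_uri, server):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.server = redirect_uri, server
        self.state = None

    def authorization_request(self, scope):
        """Step 1: the parameters the client puts on the user agent's redirect to the AS."""
        self.state = secrets.token_urlsafe(16)  # local state, checked on the way back
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": scope, "state": self.state}

    def handle_redirect(self, location):
        """Step 3: consume the redirect, check state, exchange the code at the token endpoint."""
        params = {k: v[0] for k, v in parse_qs(urlparse(location).query).items()}
        if not hmac.compare_digest(params.get("state", ""), self.state):
            raise ValueError("state mismatch: response does not belong to this session")
        if "error" in params:
            return None
        return self.server.token(self.client_id, self.client_secret,
                                 params["code"], self.redirect_uri)


def run_flow(consent=True):
    """Drive all four steps; returns the token response, or None if consent was refused."""
    server = AuthorizationServer({"app-1": ("s3cret", {"https://app.example/cb"})})
    client = Client("app-1", "s3cret", "https://app.example/cb", server)
    req = client.authorization_request("read")
    location = server.authorize(req["client_id"], req["redirect_uri"],
                                req["scope"], req["state"], consent)
    return client.handle_redirect(location)


def replayed_code_is_rejected():
    """A code presented twice must fail the second time (step 4 validation)."""
    server = AuthorizationServer({"app-1": ("s3cret", {"https://app.example/cb"})})
    location = server.authorize("app-1", "https://app.example/cb", "read", "xyz", True)
    code = parse_qs(urlparse(location).query)["code"][0]
    first = server.token("app-1", "s3cret", code, "https://app.example/cb")
    second = server.token("app-1", "s3cret", code, "https://app.example/cb")
    return "access_token" in first and second == {"error": "invalid_grant"}


if __name__ == "__main__":
    print(run_flow(True))
    print(run_flow(False))
    print(replayed_code_is_rejected())
```

The redirect URI is checked twice on purpose: once before the authorization server redirects anywhere (it must be one the client registered) and again at the token endpoint (it must equal the one the code was issued for). The client never trusts a redirect whose `state` it did not generate.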