1. Introduction
In this tutorial, we will dive into one of the most widely used OAuth 2.0 grant types, designed specifically for secure authorization in web applications. The Authorization Code Grant is an essential tool for server-side applications that require a robust and secure way to obtain access tokens on behalf of users.
2. OAuth 2 Authorization Code Grant
You’ve encountered this type of authorization flow when allowing a mobile app or website to access your Facebook or Google account, for instance. This is a redirection-based flow. To use it, the client application—such as a website—must be able to handle redirects from the authorization server. Additionally, the application needs to securely store the OAuth client secret, which will be used to exchange the authorization code for an access token. If the client application cannot ensure the confidentiality of the OAuth client secret, it should avoid using the Authorization Code Grant. Instead, it should consider using the PKCE-enhanced Authorization Code Grant.
For applications such as single-page JavaScript applications or mobile apps, it is recommended to use the PKCE-enhanced Authorization Code Grant flow. This flow provides added security for scenarios where client secrets cannot be kept confidential. If your application is a server-side web application and it can securely store the OAuth client secret on the server, then the Authorization Code Grant can be used.
Let us see the OAuth2 Authorization Code grant with the help of an example.
- A website visitor allows a website to connect to their Facebook or Google account and fetch some data. The user clicks a link to connect the account, and the website redirects the user to the authorization server URL.
- This URL carries several request parameters. The most important ones are:
Response type: The value of this request parameter is exactly the string ‘code’. That is why this flow is called a code grant: it tells the authorization server that the client application expects to receive an authorization code.
State: Another request parameter, “state,” is a randomly generated alphanumeric string created by our application for this particular request. The authorization server returns the same state value with its response. Upon receiving the response, we compare the state value we sent with the one returned; the two must be identical. If they differ, the response was not produced by a request our application started, and it must be rejected.
Redirect Uri: This is the address where the authorization server will redirect the user after successful authorization. The client application must be able to handle this redirection properly.
Scope: Scope is a list of permissions, such as reading photos or reading videos. It specifies the type of data the client application is allowed to access on the user’s behalf.
Client Id: The client ID is not a user ID. Instead, it identifies our client application. The client application must first register with the authorization server to receive both an identifier and a client secret key before communication can occur.
- Once the authorization server receives and validates the request, it will display a login page where the user must enter their username and password to authenticate with the server.
- After the user successfully authenticates with the authorization server, the server will generate a short-lived authorization code and redirect the user to the specified redirect URI. It will append two query string parameters: code and state.
The code parameter will contain a temporary authorization code, typically valid for no more than ten minutes. This code must be unique and used only once. The state parameter will hold the same value sent by the client application in the original request. We must verify that the state value returned matches the one we initially provided to ensure its validity.
3. Understanding OAuth 2 Authorization Code Grant
We’ll understand the OAuth 2 authorization code grant flow with the help of another figure.
- The process starts when the user clicks on a link to grant the website permission to interact with the authorization server on their behalf.
- The website will then forward this request to the authorization server.
- The authorization server will first need to authenticate the user, so it will display a login page and prompt the user to enter their credentials.
- The user logs in.
- Once the user logs in successfully, the authorization server will display a consent page asking whether they authorize the website to access the requested information on their behalf.
- The user will click the “Allow” button to indicate to the authorization server that they grant the website permission to access the requested information.
- Once the authorization server receives the user’s consent, it will generate the authorization code and append it to the redirect URI from the original request. It will then redirect the user to that URI with the authorization code attached.
- Once the client application or website receives the authorization code, it must exchange this code for an access token. This will be an HTTP POST request in which the client application sends the authorization code it received, along with its own credentials, such as the client ID and client secret key, to the authorization server.
- The authorization server will validate the request, and if everything is correct, it will respond with an access token and a refresh token.
- With the access token in hand, the client application can now send requests to the resource server to retrieve user data or to perform operations on the user’s behalf.
- The resource server will contact the authorization server to validate the access token.
- The authorization server will validate the access token and inform the resource server of the outcome.
- If the access token is valid, the resource server will proceed with the operation requested by the client application.
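The flow described in sections 2 and 3, as an added example that is not part of the original tutorial: a constructed in-memory authorization server (standing in for Google or Facebook) issues a one-time, ten-minute code, and the client builds the authorization URL, checks the returned state, and exchanges the code together with its client ID and secret. All names, URLs and the client registration values are constructed for this example.

```python
import hmac, secrets, time
from urllib.parse import parse_qsl, urlencode, urlparse
CLIENT_ID, CLIENT_SECRET = "web-app-123", "constructed-client-secret"  # constructed registration
REDIRECT_URI = "https://client.example/callback"                       # constructed

class AuthServer:
    # Minimal in-memory authorization server (constructed stand-in for Google/Facebook).
    def __init__(self):
        self.clients, self.codes = {CLIENT_ID: CLIENT_SECRET}, {}  # codes: code -> (client, uri, expiry)

    def authorize(self, req, user_consented=True):
        # Front channel: validate the request; user logs in and clicks "Allow"; issue a one-time code.
        if req["response_type"] != "code" or req["client_id"] not in self.clients or not user_consented:
            return None
        code = secrets.token_urlsafe(32)
        self.codes[code] = (req["client_id"], req["redirect_uri"], time.time() + 600)  # valid 10 min
        return req["redirect_uri"] + "?" + urlencode({"code": code, "state": req["state"]})

    def token(self, form):
        # Back channel: code must be unused, unexpired and bound to this client_id and redirect_uri.
        entry = self.codes.pop(form["code"], None)  # pop enforces single use
        if entry is None or entry[2] < time.time():
            return None
        if (entry[0], entry[1]) != (form["client_id"], form["redirect_uri"]):
            return None
        if not hmac.compare_digest(self.clients[entry[0]], form["client_secret"]):
            return None
        return {"access_token": secrets.token_urlsafe(24), "refresh_token": secrets.token_urlsafe(24)}

def build_authorization_url(auth_endpoint, scope):
    # Client side: fresh random state, stored in the user's session and echoed back by the server.
    state = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": scope, "state": state}
    return auth_endpoint + "?" + urlencode(params), state

def handle_callback(callback_url, expected_state):
    # Client side: reject the redirect unless state matches what this session sent.
    q = dict(parse_qsl(urlparse(callback_url).query))
    if not hmac.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: response was not initiated by this session")
    return q["code"]

def run_flow(server, scope="read:photos"):
    url, state = build_authorization_url("https://auth.example/authorize", scope)
    request = dict(parse_qsl(urlparse(url).query))
    code = handle_callback(server.authorize(request), state)
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
    return code, server.token(form)
```

Presenting the same code a second time returns no token, which is the single-use property the tutorial describes.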
4. Conclusion
In conclusion, the OAuth 2.0 Authorization Code Grant is a robust and secure method for handling user authorization and granting access to protected resources. By following this flow, client applications can obtain authorization codes, exchange them for access tokens, and perform operations on behalf of users. This process involves multiple steps, including user authentication, consent, and validation of tokens, ensuring that both user data and access permissions are managed securely. Understanding and implementing the Authorization Code Grant flow enables developers to build applications that effectively and safely interact with authorization servers and resource servers.