Authorization code flow in Rest API

Introduction

The authorization code flow helps apps get permission to access user data safely. It keeps user passwords private by using a temporary code.

When a web app needs to access user data from another service securely.
When you want users to log in using their existing accounts from services like Google or Facebook.
When you want to keep user passwords safe and not handle them directly.
When your app needs long-term access tokens without asking the user every time.
When you want to follow a standard way to get permission from users.
Syntax
1. Redirect user to authorization server with client_id and redirect_uri.
2. User logs in and approves access.
3. Authorization server sends a code to redirect_uri.
4. App sends code, client_id, client_secret, and redirect_uri to token endpoint.
5. Server returns access token to app.

The authorization code is a temporary code that your app exchanges for an access token.

The redirect_uri must match what you registered with the authorization server.

Examples
This URL sends the user to the authorization server to approve access.
GET https://auth.example.com/authorize?response_type=code&client_id=abc123&redirect_uri=https://myapp.com/callback&scope=read
This request exchanges the authorization code for an access token.
POST https://auth.example.com/token
Headers: Content-Type: application/x-www-form-urlencoded
Body: code=AUTH_CODE&client_id=abc123&client_secret=secret&redirect_uri=https://myapp.com/callback&grant_type=authorization_code
Sample Program

This program shows the main steps: sending the user to authorize, getting the code, and exchanging it for an access token.

import requests

# Step 1: Redirect user to this URL (simulate by printing)
auth_url = (
    "https://auth.example.com/authorize?"
    "response_type=code&"
    "client_id=abc123&"
    "redirect_uri=https://myapp.com/callback&"
    "scope=read"
)
print(f"Go to this URL to authorize: {auth_url}")

# Step 2: After user authorizes, they get a code (simulate input)
authorization_code = input("Enter the authorization code you received: ")

# Step 3: Exchange code for access token
response = requests.post(
    "https://auth.example.com/token",
    data={
        "grant_type": "authorization_code",
        "code": authorization_code,
        "redirect_uri": "https://myapp.com/callback",
        "client_id": "abc123",
        "client_secret": "secret"  # in real code load this from config or the environment, never hard-code it
    }
)

if response.status_code == 200:
    token_data = response.json()
    print(f"Access token: {token_data.get('access_token')}")
else:
    print(f"Failed to get token: {response.status_code}")
Important Notes

The authorization code flow is safer than sending tokens directly in the browser.

Always keep your client_secret private and never share it in public code.

Redirect URIs must be exact matches to prevent attacks.
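How an authorization server applies the exact-match rule from the note above, with the weak prefix check shown only for contrast. This is an added example, not code from the page; the registration table and function names are assumed.

```python
import secrets
from urllib.parse import urlencode

# Constructed registration table (assumed shape): client_id -> registered redirect URIs
REGISTERED_REDIRECTS = {"abc123": {"https://myapp.com/callback"}}


def redirect_uri_allowed(client_id: str, requested: str) -> bool:
    """Exact comparison: the whole string must equal a registered value.
    No prefix matching and no normalisation of path, query or trailing slash."""
    return requested in REGISTERED_REDIRECTS.get(client_id, set())


def weak_prefix_match(client_id: str, requested: str) -> bool:
    """The check to avoid: anything that merely starts with a registered URI passes."""
    return any(requested.startswith(r) for r in REGISTERED_REDIRECTS.get(client_id, ()))


def handle_authorize(params: dict) -> tuple[str, str]:
    """Authorization server side of step 3. Returns ("redirect", url) carrying the
    code, or ("error", message) shown to the user with no redirect at all, since a
    code must never be sent to a redirect_uri that is not registered."""
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    if not redirect_uri_allowed(client_id, redirect_uri):
        return ("error", "redirect_uri does not exactly match a registered URI")
    if params.get("response_type") != "code":
        return ("error", "unsupported response_type")
    code = secrets.token_urlsafe(24)  # a real server stores this short-lived and single-use
    return ("redirect", f"{redirect_uri}?{urlencode({'code': code})}")
```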

Summary

The authorization code flow lets apps get permission without handling passwords.

It uses a temporary code that the app exchanges for an access token.

This flow is common for web apps needing secure access to user data.

Practice

1. What is the main purpose of the authorization code in the Authorization Code Flow?
easy
A. To exchange it for an access token securely
B. To directly access user data
C. To authenticate the user with a password
D. To refresh the access token automatically

Solution

  1. Step 1: Understand the role of the authorization code

    The authorization code is a temporary code given after user consent, not the token itself.
  2. Step 2: Identify what the app does with the code

    The app sends this code to the authorization server to get an access token securely.
  3. Final Answer:

    To exchange it for an access token securely -> Option A
  4. Quick Check:

    Authorization code = temporary code for token exchange [OK]
Hint: Authorization code is a temporary code, not a token [OK]
Common Mistakes:
  • Thinking the code directly accesses data
  • Confusing code with user password
  • Assuming code refreshes tokens
2. Which HTTP method is typically used by the app to exchange the authorization code for an access token?
easy
A. DELETE
B. GET
C. PUT
D. POST

Solution

  1. Step 1: Recall the token exchange request

    The app sends the authorization code to the token endpoint to get an access token.
  2. Step 2: Identify the HTTP method used

    This request uses POST because it sends data securely in the request body.
  3. Final Answer:

    POST -> Option D
  4. Quick Check:

    Token exchange uses POST method [OK]
Hint: Token exchange sends data securely, so use POST [OK]
Common Mistakes:
  • Using GET which exposes data in URL
  • Confusing PUT or DELETE with token exchange
  • Assuming token exchange is a simple GET request
3. Given this simplified token exchange request in Python:
import requests
response = requests.post('https://auth.example.com/token', data={
    'code': 'abc123',
    'client_id': 'myapp',
    'client_secret': 'secret',
    'redirect_uri': 'https://myapp.com/callback',
    'grant_type': 'authorization_code'
})
print(response.json().get('access_token'))
What will this code print if the exchange is successful?
medium
A. The authorization code 'abc123'
B. The access token string from the server
C. An error message about invalid client
D. None

Solution

  1. Step 1: Understand the request purpose

    The code sends a POST request to exchange the authorization code for an access token.
  2. Step 2: Analyze the printed output

    If successful, the server returns JSON with an 'access_token' key, which is printed.
  3. Final Answer:

    The access token string from the server -> Option B
  4. Quick Check:

    response.json()['access_token'] = access token [OK]
Hint: Successful exchange returns access token, not code [OK]
Common Mistakes:
  • Printing the code instead of token
  • Expecting error message on success
  • Not accessing JSON correctly
4. In the Authorization Code Flow, a developer wrote this code snippet to exchange the code:
response = requests.get('https://auth.example.com/token', params={
    'code': 'abc123',
    'client_id': 'myapp',
    'client_secret': 'secret',
    'redirect_uri': 'https://myapp.com/callback',
    'grant_type': 'authorization_code'
})
What is the main issue with this code?
medium
A. Incorrect redirect URI format
B. Missing the authorization code parameter
C. Using GET instead of POST for token exchange
D. Client secret should not be sent

Solution

  1. Step 1: Check HTTP method for token exchange

    The token exchange requires a POST request to send sensitive data securely.
  2. Step 2: Identify the problem in the code

    The code uses GET with query parameters, which is insecure and not standard for this flow.
  3. Final Answer:

    Using GET instead of POST for token exchange -> Option C
  4. Quick Check:

    Token exchange must use POST, not GET [OK]
Hint: Token exchange always uses POST, not GET [OK]
Common Mistakes:
  • Using GET exposes secrets in URL
  • Forgetting to send client secret
  • Assuming redirect URI format is wrong
5. A web app uses Authorization Code Flow with PKCE (Proof Key for Code Exchange). Which additional step does PKCE add to improve security?
hard
A. The app sends a code verifier with the token request to prove it initiated the flow
B. The app uses client secret only without authorization code
C. The user enters their password twice during login
D. The app skips the authorization code and uses implicit flow

Solution

  1. Step 1: Understand PKCE purpose

    PKCE adds a code verifier and challenge to prevent interception of the authorization code.
  2. Step 2: Identify the added step in the flow

    The app sends the code verifier with the token request to prove it started the flow and prevent attacks.
  3. Final Answer:

    The app sends a code verifier with the token request to prove it initiated the flow -> Option A
  4. Quick Check:

    PKCE adds code verifier step for security [OK]
Hint: PKCE adds code verifier to token request for security [OK]
Common Mistakes:
  • Thinking PKCE removes authorization code
  • Confusing PKCE with password prompts
  • Assuming PKCE uses implicit flow
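The PKCE step from question 5 worked through in code: the app generates a code verifier and its S256 challenge, sends the challenge in the authorize URL from the Syntax section, then sends the verifier with the token request. This is an added example, not code from the page; the endpoint and client values are the page's placeholders and the function names are assumed.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://auth.example.com/authorize"  # placeholders from the page
CLIENT_ID = "abc123"
REDIRECT_URI = "https://myapp.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(nbytes: int = 32) -> tuple[str, str]:
    """(code_verifier, code_challenge) for the S256 method. The verifier is a random
    secret kept in the app's session; only its SHA-256 hash passes through the browser."""
    verifier = b64url(secrets.token_bytes(nbytes))  # 43 chars for 32 bytes
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(challenge: str, scope: str = "read") -> str:
    """Step 1 of the flow: the page's authorize URL plus the PKCE challenge."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": scope, "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def build_token_request(code: str, verifier: str, client_secret: str = "") -> dict:
    """Step 4: the verifier (never the challenge) goes in the token request body;
    a confidential client still adds its client_secret as on the page."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }
    if client_secret:
        body["client_secret"] = client_secret
    return body


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """Server-side check before issuing a token: an intercepted code is useless
    without the verifier that hashes to the challenge stored with it."""
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)
```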