Rest API / programming / ~10 mins

Authorization code flow in Rest API - Step-by-Step Execution

Concept Flow - Authorization code flow
User requests login
Redirect to Authorization Server
User logs in and consents
Authorization Server sends code
Client sends code + client secret to Token Endpoint
Token Endpoint validates and returns Access Token
Client uses Access Token to access resource
This flow shows how a client app gets an authorization code, exchanges it for an access token, and then accesses protected resources.
Execution Sample
Rest API
1. User -> Client: Request login
2. Client -> Auth Server: Redirect with client_id
3. Auth Server -> User: Login & consent
4. Auth Server -> Client: Authorization code
5. Client -> Auth Server: Code + client_secret
6. Auth Server -> Client: Access token
7. Client -> Resource Server: Access token
Step-by-step message exchange in the authorization code flow.
Execution Table
Step | Actor | Action | Data Sent | Response/Result
1 | User -> Client | User requests login | Login request | Client prepares redirect
2 | Client -> Auth Server | Redirect user to auth server | client_id, redirect_uri, scope | Auth server shows login page
3 | User -> Auth Server | User logs in and consents | User credentials, consent | Auth server validates user
4 | Auth Server -> Client | Send authorization code | Authorization code | Client receives code
5 | Client -> Auth Server | Exchange code for token | Authorization code, client_secret | Auth server validates and returns access token
6 | Auth Server -> Client | Return access token | Access token | Client stores token
7 | Client -> Resource Server | Access resource | Access token | Resource server returns data
8 | - | End | - | Flow complete
💡 Flow ends after client uses access token to access resource successfully.
Variable Tracker
Variable | Start | After Step 4 | After Step 6 | Final
authorization_code | None | Received from auth server | Used and invalidated | None (used)
access_token | None | None | Received from auth server | Stored for resource access
user_logged_in | False | True | True | True
Key Moments - 3 Insights
Why does the client send the authorization code along with the client secret to the token endpoint?
Because the client secret proves the client is authorized to exchange the code for a token, preventing misuse. See execution_table step 5.
Why can't the client use the authorization code directly to access resources?
The authorization code is just a temporary code to get the access token. Only the access token can be used to access resources. See execution_table steps 4 and 7.
What happens if the user does not consent during login?
The authorization server will not issue an authorization code, so the flow stops early. This is implied before step 4 in the execution_table.
Visual Quiz - 3 Questions
Test your understanding
Looking at the execution_table, at which step does the client receive the authorization code?
A. Step 5
B. Step 4
C. Step 6
D. Step 7
💡 Hint
Check the 'Data Sent' and 'Response/Result' columns at step 4.
According to variable_tracker, what is the state of 'access_token' after step 4?
A. Received from auth server
B. Stored for resource access
C. None
D. Used and invalidated
💡 Hint
Look at the 'access_token' row under 'After Step 4' column.
If the client secret is missing when exchanging the code, what would happen in the flow?
A. Token endpoint rejects the request
B. Access token is still issued
C. Authorization code is sent again
D. User is asked to login again
💡 Hint
Refer to key_moments about client secret importance and execution_table step 5.
Concept Snapshot
Authorization Code Flow:
1. User logs in via client redirect.
2. Auth server sends code to client.
3. Client exchanges code + secret for access token.
4. Client uses token to access resources.
Key: Code is short-lived, secret proves client identity.
Full Transcript
The Authorization Code Flow is a way for a client app to get permission to access user data securely. First, the user asks to log in. The client sends the user to the authorization server with its ID. The user logs in and agrees to share data. The server sends a temporary code back to the client. The client then sends this code along with its secret to the server's token endpoint. If valid, the server returns an access token. The client uses this token to get data from the resource server. This flow protects user data by requiring the client secret and exchanging a short-lived code for a token.
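The seven-step exchange in the Execution Sample and the transcript above, worked through as a runnable simulation. This is an added example, not code from the original page or from any real OAuth library: it models a confidential client, an in-memory authorization server (authorization endpoint plus token endpoint) and a resource server as plain Python classes. The client id, client secret, redirect URI, user name and scope values are constructed for the demo. Beyond the happy path it exercises the three edge cases the Key Moments call out: no consent means no code, a missing or wrong client secret is rejected at the token endpoint, and the authorization code is single-use and cannot be presented to the resource server in place of an access token.

```python
import secrets
import time

# Constructed registration record for one confidential client (demo values only).
REGISTERED_CLIENTS = {
    "client-123": {
        "client_secret": "s3cr3t-constructed",
        "redirect_uri": "https://client.example/callback",
    },
}


class AuthorizationServer:
    """In-memory stand-in for an OAuth 2.0 authorization server."""

    def __init__(self, code_ttl_seconds=60):
        self.code_ttl = code_ttl_seconds
        self._codes = {}    # authorization code -> grant details (short-lived, single use)
        self._tokens = {}   # access token -> {user, scope}

    def authorize(self, client_id, redirect_uri, scope, user, consented):
        """Steps 2-4: check the client, require consent, then issue a short-lived code."""
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            return {"error": "invalid_request"}
        if not consented:
            # Step 3 did not complete: no code is issued and the flow stops here.
            return {"error": "access_denied"}
        code = secrets.token_urlsafe(24)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "scope": scope,
            "user": user,
            "expires": time.time() + self.code_ttl,
        }
        return {"code": code}

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 5-6: exchange code + client_secret for an access token."""
        client = REGISTERED_CLIENTS.get(client_id)
        # Constant-time comparison; a missing secret (None) is treated as the empty string.
        if client is None or not secrets.compare_digest(client_secret or "", client["client_secret"]):
            return {"error": "invalid_client"}
        # pop() makes the code single-use: a replayed code is gone from the table.
        grant = self._codes.pop(code, None)
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or grant["expires"] < time.time()):
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"user": grant["user"], "scope": grant["scope"]}
        return {"access_token": token, "token_type": "Bearer"}

    def introspect(self, token):
        """Used by the resource server to look up what a bearer token is good for."""
        return self._tokens.get(token)


class ResourceServer:
    """Step 7: serves data only for a valid access token carrying the 'profile' scope."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get_profile(self, bearer_token):
        info = self.auth_server.introspect(bearer_token)
        if info is None or "profile" not in info["scope"].split():
            return {"status": 401}
        return {"status": 200, "user": info["user"]}


def run_flow(auth, resource, client_secret="s3cr3t-constructed", consented=True):
    """Client side of steps 1-7. Returns where the flow stopped and what came back."""
    client_id = "client-123"
    redirect_uri = REGISTERED_CLIENTS[client_id]["redirect_uri"]
    # Steps 2-4: redirect with client_id, redirect_uri, scope; user logs in and (maybe) consents.
    auth_resp = auth.authorize(client_id, redirect_uri, "profile", user="alice", consented=consented)
    if "code" not in auth_resp:
        return {"stage": "authorize", "result": auth_resp}
    code = auth_resp["code"]
    # Steps 5-6: code + client_secret to the token endpoint.
    tok = auth.token(client_id, client_secret, code, redirect_uri)
    if "access_token" not in tok:
        return {"stage": "token", "result": tok, "code": code}
    # Step 7: access token to the resource server.
    data = resource.get_profile(tok["access_token"])
    return {"stage": "resource", "result": data, "code": code, "access_token": tok["access_token"]}


if __name__ == "__main__":
    auth = AuthorizationServer()
    resource = ResourceServer(auth)
    print(run_flow(auth, resource))                      # full flow, status 200
    print(run_flow(auth, resource, consented=False))     # stops at authorize: access_denied
    print(run_flow(auth, resource, client_secret=None))  # stops at token: invalid_client
```

The order of checks in `token()` is deliberate: the client secret is verified before the code is consumed, so a request with the wrong secret does not burn the code, while a correctly authenticated exchange always removes it, which is what the Variable Tracker's "Used and invalidated" state means.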