Authorization Code

The Authorization Code grant resembles the implicit grant type, but with one important difference: the Authorization Server does not return tokens in the browser redirect. It returns a short-lived authorization code to the Client's redirect_uri, and the Client then exchanges that code for tokens at the token endpoint, authenticating itself with its client credentials, so the access_token never passes through the user's browser. The user also sees an explicit step in which they "authorize" the partner (the Client) to access their user data. For comparison, this flow works the same way as the authorization code flow of other well-known IdPs.

The authorization code is obtained by using an authorization server as an intermediary between the Client and Resource Owner. Instead of requesting authorization directly from the Resource Owner, the Client directs the Resource Owner to an authorization server, which in turn directs the Resource Owner back to the Client with the Authorization Code.

Before directing the Resource Owner back to the Client with the Authorization Code, the Authorization Server authenticates the Resource Owner and obtains authorization. Because the Resource Owner only authenticates with the Authorization Server, the Resource Owner's credentials are never shared with the Client. For more information, refer to Authorization Code Grant.

Once the access_token is returned, the Userinfo endpoint may be called with it (as a Bearer token in the Authorization header) to retrieve details about the User. For more information about /userinfo, refer to Userinfo Endpoint Information.

Sample Authorization Code Request (sent through the Resource Owner's user agent; state is a random, unguessable value that the Client stores in the user's session and compares against the value returned on the callback):

POST {{url}}/oauth/authorize?
      response_type=code
      &client_id=someClientId
      &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
      &scope=openid%20profile%20user_profile%20additional_info
      &state=af0ifjsldkj

Sample Response (a redirect back to the Client's redirect_uri, not JSON):

HTTP/1.1 302 Found
Location:
    https://client.example.org/cb?
    code=SplxlOBe....S6WxSbIA
    &state=af0ifjsldkj

Sample Token Request (a direct back-channel call from the Client; the client credentials are sent with HTTP Basic authentication, the body is form-encoded, and redirect_uri must be identical to the value sent in the authorization request):

POST /auth/token HTTP/1.1
      Host: {{url}}
      Content-Type: application/x-www-form-urlencoded
      Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW

      grant_type=authorization_code
      &code=SplxlOBe....S6WxSbIA
      &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb

Sample JSON Response:

{
  "access_token":"eyJhbGciOiJSUzIi.......3gZthv7Y",
  "token_type":"Bearer",
  "refresh_token": "8xLOxBtZp8",
  "expires_in":599,
  "id_token":"eyJhbGciOiJSUzIi.......m5cr2cNNk"
}
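The whole exchange above, from building the authorization redirect to calling /userinfo, as an added client-side example. This is not code from the page or from the IdP it documents: the endpoint URLs (with {{url}} replaced by an assumed base URL), the client id and secret (the pair that the page's sample Basic header decodes to), the redirect_uri and scopes, and the fake_post / fake_get transports that stand in for the Authorization Server are all assumptions made here so that the flow runs offline. It checks the things a Client must check: the state on the callback, the form encoding and Basic credentials on the token request, and the shape of the token response before the access_token is used.

```python
"""Authorization Code flow, client side: build the authorize redirect, verify
the callback, exchange the code at the token endpoint, then call /userinfo.
Added example; URLs, client credentials and the transports are assumed."""
import base64
import json
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Assumed values. {{url}} on the page is the IdP base URL; the paths are the
# ones shown on the page. CLIENT_ID:CLIENT_SECRET is what the page's sample
# header "Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW" decodes to.
BASE_URL = "https://idp.example"
AUTHORIZE_URL = BASE_URL + "/oauth/authorize"
TOKEN_URL = BASE_URL + "/auth/token"
USERINFO_URL = BASE_URL + "/userinfo"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"
REDIRECT_URI = "https://client.example.org/cb"
SCOPE = "openid profile user_profile additional_info"


def build_authorization_url(state=None):
    """Step 1: the URL the Resource Owner is sent to. state is a fresh,
    unguessable value kept in the user's session for the callback check."""
    state = state or secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": SCOPE, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params), state


def parse_callback(location, expected_state):
    """Step 2: the Location the Authorization Server redirects back with.
    Reject an error response, a missing code, or a state that does not match."""
    qs = parse_qs(urlparse(location).query)
    if "error" in qs:
        raise ValueError("authorization server returned error: " + qs["error"][0])
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"][0]


def build_token_request(code):
    """Step 3: back-channel request trading the code for tokens. Client
    credentials go in HTTP Basic (form-encoded first, per RFC 6749 2.3.1);
    the body is application/x-www-form-urlencoded, not JSON."""
    creds = quote(CLIENT_ID, safe="") + ":" + quote(CLIENT_SECRET, safe="")
    headers = {"Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})  # same value as in step 1
    return headers, body


def parse_token_response(status, raw_json):
    """Validate the token endpoint's JSON before trusting anything in it."""
    if status != 200:
        raise ValueError("token endpoint returned HTTP %d: %s" % (status, raw_json))
    tok = json.loads(raw_json)
    if tok.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type %r" % tok.get("token_type"))
    if "access_token" not in tok:
        raise ValueError("no access_token in response")
    if "openid" in SCOPE.split() and "id_token" not in tok:
        raise ValueError("openid scope requested but no id_token returned")
    return tok


def build_userinfo_request(access_token):
    """Step 4: present the access_token as a Bearer token to /userinfo."""
    return {"Authorization": "Bearer " + access_token}


def run_flow(http_post, http_get, location, expected_state):
    """Drive steps 2-4 with injected transports so the flow runs offline."""
    code = parse_callback(location, expected_state)
    headers, body = build_token_request(code)
    tok = parse_token_response(*http_post(TOKEN_URL, headers, body))
    status, raw = http_get(USERINFO_URL, build_userinfo_request(tok["access_token"]))
    if status != 200:
        raise ValueError("userinfo returned HTTP %d" % status)
    return tok, json.loads(raw)


# Constructed stand-ins for the IdP, shaped like the page's sample responses.
def fake_post(url, headers, body):
    if headers.get("Content-Type") != "application/x-www-form-urlencoded":
        return 415, json.dumps({"error": "invalid_request"})
    if headers.get("Authorization") != "Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW":
        return 401, json.dumps({"error": "invalid_client"})
    form = parse_qs(body)
    if form.get("code") != ["c0de-constructed-123"] or form.get("redirect_uri") != [REDIRECT_URI]:
        return 400, json.dumps({"error": "invalid_grant"})
    return 200, json.dumps({"access_token": "eyJ.demo.access", "token_type": "Bearer",
                            "refresh_token": "8xLOxBtZp8", "expires_in": 599,
                            "id_token": "eyJ.demo.id"})


def fake_get(url, headers):
    if headers.get("Authorization") != "Bearer eyJ.demo.access":
        return 401, json.dumps({"error": "invalid_token"})
    return 200, json.dumps({"sub": "248289761001", "name": "Jane Doe"})


if __name__ == "__main__":
    url, state = build_authorization_url()
    print("send the user to:", url)
    callback = REDIRECT_URI + "?code=c0de-constructed-123&state=" + state
    tok, user = run_flow(fake_post, fake_get, callback, state)
    print("userinfo sub:", user["sub"], "access_token expires_in:", tok["expires_in"])
```

Swap fake_post and fake_get for real HTTPS calls (for example urllib.request or requests) to use this against an Authorization Server; everything the Client is responsible for checking stays in parse_callback and parse_token_response.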