Skip to content

Instantly share code, notes, and snippets.

@fbatista
Created May 13, 2011 20:04
Show Gist options
  • Save fbatista/971221 to your computer and use it in GitHub Desktop.
Save fbatista/971221 to your computer and use it in GitHub Desktop.
Oauth2 Flow
+----------+
| |
| User |
| |
+----------+
^
|
(B)
+----+------+ Client Identifier +---------------+
| +----(A)--- & Redirect URI ------>| |
| | | Oauth2 |
| Browser +----(B)-- User authenticates --->| Provider |
| | | (web app) |
| |<---(C)-- Authorization Code ----+ |
+------+----+ +---------+-----+
^ | ^ |
| (C) | |
(A) | | |
| v | |
+-+----------+ | |
| +----(D)-- Client Credentials, -----' |
| Oauth2 | Authorization Code, |
| Consumer | & Redirect URI |
|(mobile app)| |
| |<---(E)----- Access Token ----------------'
+------------+ (w/ Optional Refresh Token)
Figure 3: Authorization Code Flow
The flow illustrated in Figure 3 includes the following steps:
(A) The client initiates the flow by directing the resource owner's
user-agent to the authorization endpoint. The client includes
its client identifier, requested scope, local state, and a
redirection URI to which the authorization server will send the
user-agent back once access is granted (or denied).
(B) The authorization server authenticates the resource owner (via
the user-agent) and establishes whether the resource owner
grants or denies the client's access request.
(C) Assuming the resource owner grants access, the authorization
server redirects the user-agent back to the client using the
redirection URI provided earlier. The redirection URI includes
an authorization code and any local state provided by the client
earlier.
(D) The client requests an access token from the authorization
server's token endpoint by authenticating using its client
credentials, and includes the authorization code received in the
previous step. The client includes the redirection URI used to
obtain the authorization code for verification.
(E) The authorization server validates the client credentials, the
authorization code, and ensures the redirection URI received
matches the URI used to redirect the client in step (C). If
valid, responds back with an access token.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment