Software Engineering :: Web :: Development :: Authorization :: OAuth :: Flows :: Authorization Code Grant
Web Application with Server Backend
- OAuth 2.0 RFC 6749, section 4.1
- When to use the Authorization Code Flow
- Auth0 - How Authorization Code Flow works
Native Mobile Application: PKCE (RFC 7636) is an extension to the Authorization Code flow to prevent CSRF and authorization code injection attacks.
The main benefit of using a BFF is the BFF's ability to act as a confidential client. Therefore, the BFF MUST act as a confidential client. Furthermore, the BFF SHOULD use the OAuth 2.0 Authorization Code grant with PKCE to initiate a request for an access token. Detailed recommendations for confidential clients can be found in oauth-security-topics Section 2.1.1.
```mermaid
sequenceDiagram
User->>+Authorization Server: Request authorization
Authorization Server->>+User: Redirect to login
User->>+Authorization Server: Enter credentials
Authorization Server->>+Client: Redirect with authorization code
Client->>+Backend Server: authorization code
Backend Server->>+Authorization Server: Request access token with authorization code
Authorization Server->>+Backend Server: Provide access token
Client->>Backend Server: Request resource with access token
Backend Server->>Resource Server: Request resource with access token
Resource Server->>Backend Server: Provide requested resource
Backend Server->>Client: Provide requested resource
```
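The PKCE note above, the BFF requirement (confidential client plus Authorization Code with PKCE), and the sequence diagram all describe the same exchange. The following is an added Python example, not code from the original page or from any of the linked guides: it implements the RFC 7636 `code_verifier`/`code_challenge` (S256) computation and walks the code-plus-PKCE flow with two constructed stand-ins, a toy authorization server and a BFF that keeps the verifier, `state`, client secret and access token server-side. The class names, the `https://as.example` and `https://app.example` URLs, the client id and the secret are all assumptions made for the demo. The checks that matter to a defender are shown explicitly: `state` is compared in constant time and is single-use, the authorization code is redeemable exactly once, and a code bound to one challenge cannot be exchanged with a different verifier.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlparse


def make_code_verifier(n_bytes: int = 32) -> str:
    # RFC 7636 section 4.1: high-entropy string of 43..128 unreserved characters
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    # RFC 7636 section 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier))), no padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_challenge(verifier: str, challenge: str) -> bool:
    # RFC 7636 section 4.6: the token endpoint recomputes the challenge and compares in constant time
    return hmac.compare_digest(make_code_challenge(verifier), challenge)


class AuthorizationServer:
    """Constructed stand-in for the authorization server (a toy, not a real AS)."""

    def __init__(self, client_id: str, client_secret: str):
        self._clients = {client_id: client_secret}
        self._codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method, state):
        # Runs after the user has logged in; the issued code is bound to the PKCE challenge and redirect URI
        if code_challenge_method != "S256":
            return {"error": "invalid_request", "state": state}
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return {"code": code, "state": state}

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier):
        # Confidential client: authenticate it first, then check the single-use code and the PKCE binding
        if not hmac.compare_digest(self._clients.get(client_id, ""), client_secret):
            return {"error": "invalid_client"}
        entry = self._codes.pop(code, None)  # pop: a code is redeemable exactly once
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            return {"error": "invalid_grant"}
        if not verify_code_challenge(code_verifier, entry[2]):
            return {"error": "invalid_grant"}  # verifier does not match the challenge the code was issued for
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


class BackendForFrontend:
    """Constructed BFF: verifier, state, client secret and access token never reach the browser."""

    def __init__(self, auth_server, client_id, client_secret, redirect_uri):
        self._as = auth_server
        self._client_id, self._client_secret, self._redirect_uri = client_id, client_secret, redirect_uri
        self._pending = {}  # session_id -> {"verifier", "state"} for a login in progress
        self._tokens = {}   # session_id -> access token, held server-side only

    def start_login(self, session_id: str) -> str:
        verifier, state = make_code_verifier(), secrets.token_urlsafe(16)
        self._pending[session_id] = {"verifier": verifier, "state": state}
        params = {
            "response_type": "code", "client_id": self._client_id, "redirect_uri": self._redirect_uri,
            "state": state, "code_challenge": make_code_challenge(verifier), "code_challenge_method": "S256",
        }
        return "https://as.example/authorize?" + urlencode(params)  # hypothetical AS endpoint

    def callback(self, session_id: str, code: str, state: str) -> dict:
        pending = self._pending.get(session_id)
        if pending is None:
            return {"error": "no_pending_login"}
        if not hmac.compare_digest(pending["state"], state):
            return {"error": "state_mismatch"}  # response is not tied to a login this session started
        resp = self._as.token(self._client_id, self._client_secret, code, self._redirect_uri, pending["verifier"])
        if "access_token" not in resp:
            return resp
        del self._pending[session_id]  # state and verifier are single use
        self._tokens[session_id] = resp["access_token"]
        return {"ok": True}


def run_demo() -> dict:
    auth = AuthorizationServer("bff-client", "constructed-secret")
    bff = BackendForFrontend(auth, "bff-client", "constructed-secret", "https://app.example/callback")
    params = dict(parse_qsl(urlparse(bff.start_login("sess-1")).query))
    redirect = auth.authorize(params["client_id"], params["redirect_uri"], params["code_challenge"],
                              params["code_challenge_method"], params["state"])
    results = {
        "wrong_state": bff.callback("sess-1", redirect["code"], "some-other-state"),
        "ok": bff.callback("sess-1", redirect["code"], redirect["state"]),
        "reuse": bff.callback("sess-1", redirect["code"], redirect["state"]),
    }
    # A code issued for one challenge cannot be redeemed with a different verifier
    other = auth.authorize("bff-client", params["redirect_uri"],
                           make_code_challenge(make_code_verifier()), "S256", "s")
    results["pkce_mismatch"] = auth.token("bff-client", "constructed-secret", other["code"],
                                          params["redirect_uri"], make_code_verifier())
    return results


if __name__ == "__main__":
    print(run_demo())
```

Running the module prints the four outcomes: the callback with a mismatched `state` is rejected before any token request is made, the genuine redirect succeeds, the replayed redirect finds no pending login, and the token request with the wrong verifier fails with `invalid_grant`. In a real deployment the token would be looked up from the server-side session on the "Request resource" step of the diagram rather than being handed to the client.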
- The complete guide to protecting your APIs with OAuth2 (part 1)
- The Authorization Code grant (in excruciating detail) Part 2 of 2
