Authorization Code

In the authorization code flow, the owner of the data is the user who is using the application. The OAuth server authenticates the user and asks the user to grant the client access to the data. The client application never sees the user's credentials, and the scope of the data access is shown to the user before consent is given. The OAuth provider also authenticates the client using the client ID and client secret before an access token is issued to the client.

For details of the authorization code flow, refer to "Authorization Code Grant," Section 4.1 of RFC 6749, "The OAuth 2.0 Authorization Framework," available at the following location:

https://tools.ietf.org/html/draft-ietf-oauth-v2-31

The following is an example scenario of this flow:

  • A user uses an application developed by a third-party developer that will access photos uploaded to an OAuth server.
  • The third-party developer registers the application with the OAuth server.
  • The user uses the application to view the uploaded photos.
  • The application requests an access token using the authorization code flow before retrieving the photos.
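
The scenario above as an added example, not part of the original documentation: a minimal in-memory OAuth server and client in Python that walk through the authorization request, user consent, the code redirect, and the client-authenticated token request. The client ID `photo-app`, its secret, the user `alice`, and all URLs are constructed values.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed registration (scenario step 2): the third-party photo app,
# its client secret and the redirect URI it registered with the OAuth server.
CLIENTS = {"photo-app": {"secret": "example-secret",
                         "redirect_uri": "https://app.example/cb"}}
CODES = {}  # issued code -> (client_id, scope, user); each code is single-use


def authorize(url, user, consent):
    """Authorization endpoint; `user` was authenticated by the OAuth server, `consent` is the scope answer."""
    q = parse_qs(urlparse(url).query)
    cid = q.get("client_id", [""])[0]
    client = CLIENTS.get(cid)
    if client is None or q.get("response_type") != ["code"]:
        raise ValueError("unknown client or response_type")
    if q.get("redirect_uri", [client["redirect_uri"]])[0] != client["redirect_uri"]:
        raise ValueError("redirect_uri mismatch")  # never redirect on this error
    params = {"state": q.get("state", [""])[0]}  # echo state back unchanged
    if consent:
        code = secrets.token_urlsafe(24)
        CODES[code] = (cid, q.get("scope", [""])[0], user)
        params["code"] = code
    else:
        params["error"] = "access_denied"
    return client["redirect_uri"] + "?" + urlencode(params)


def token(client_id, client_secret, code):
    """Token endpoint: authenticate the client, then redeem the code once."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        return {"error": "invalid_client"}
    entry = CODES.pop(code, None)  # pop: a replayed code is rejected
    if entry is None or entry[0] != client_id:
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
            "scope": entry[1], "user": entry[2]}


def run_flow(consent=True, secret="example-secret"):
    """Client side: build the request, check the callback, redeem the code."""
    state = secrets.token_urlsafe(16)  # binds the callback to this session
    req = "https://oauth.example/authorize?" + urlencode(
        {"response_type": "code", "client_id": "photo-app", "scope": "photos:read",
         "redirect_uri": "https://app.example/cb", "state": state})
    cb = parse_qs(urlparse(authorize(req, "alice", consent)).query)
    if cb.get("state", [""])[0] != state:
        raise ValueError("state mismatch")
    if "code" not in cb:
        return {"error": cb["error"][0]}
    return token("photo-app", secret, cb["code"][0])
```

The user's credentials never reach `run_flow`: the client only ever handles the short-lived code and the resulting token, and the token endpoint refuses both a wrong client secret and a replayed code.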

Refer to the following APIs: