Authorization Code Flow
The authorization code flow is an OAuth 2.0 grant type in which a client application receives a short-lived authorization code that it exchanges for an access token, keeping the token out of the browser.
Also: auth code flow
The authorization code flow is defined in OAuth 2.0 as a way for a client application to obtain an access token through a two-step exchange. First, the authorization server authenticates the user and redirects the browser back to the client's registered redirect URI with a one-time authorization code. The client then sends that code, along with its own client credentials (or, for a public client, its PKCE code verifier), directly to the token endpoint in a back-channel request and receives the access token in return.
Because the access token is never exposed in the browser's address bar or history, the authorization code flow is considered more secure than the now-deprecated implicit flow. When combined with PKCE, it also protects public clients such as single-page applications and mobile apps that cannot safely store a client secret: the token request must carry the code verifier that only the originating client holds, so an intercepted authorization code cannot be redeemed on its own.
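The two-step exchange described above, modelled end to end as an added example (this is illustrative code written for this entry, not an implementation from RFC 6749 or from any product): a public client derives a PKCE S256 challenge, the authorization server issues a one-time code bound to the client, redirect URI and challenge, and the token endpoint refuses a replayed code or a wrong code verifier. The client ID, redirect URI and class names are constructed for the example.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()  # no padding


def s256(verifier: str) -> str:
    """PKCE S256 code_challenge = base64url(SHA-256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode()).digest())


class Client:
    """Public client (e.g. an SPA): has no client secret, so it relies on PKCE."""
    def __init__(self, client_id: str, redirect_uri: str):
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.verifier = b64url(secrets.token_bytes(32))  # never leaves the client
        self.challenge = s256(self.verifier)             # sent on the front channel


class AuthorizationServer:
    """Issues one-time codes on the front channel and tokens on the back channel."""
    def __init__(self):
        self.codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id, redirect_uri, code_challenge) -> str:
        # Step 1, after the user has authenticated: bind the code to this request.
        code = b64url(secrets.token_bytes(32))
        self.codes[code] = (client_id, redirect_uri, code_challenge)
        return code  # carried back to the client in the browser redirect

    def token(self, client_id, redirect_uri, code, code_verifier) -> dict:
        # Step 2, back channel: pop() makes the code single-use, so replays fail.
        entry = self.codes.pop(code, None)
        if entry is None or entry[:2] != (client_id, redirect_uri):
            return {"error": "invalid_grant"}
        if not secrets.compare_digest(s256(code_verifier), entry[2]):
            return {"error": "invalid_grant"}  # wrong or missing code_verifier
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


def run_flow(tamper_verifier: bool = False) -> tuple:
    """Drive the flow once, then replay the same code; returns both responses."""
    server = AuthorizationServer()
    client = Client("spa-client", "https://app.example/callback")
    code = server.authorize(client.client_id, client.redirect_uri, client.challenge)
    verifier = "not-the-real-verifier" if tamper_verifier else client.verifier
    first = server.token(client.client_id, client.redirect_uri, code, verifier)
    replay = server.token(client.client_id, client.redirect_uri, code, client.verifier)
    return first, replay
```

`run_flow()` returns a bearer token for the first exchange and `invalid_grant` for the replay; `run_flow(tamper_verifier=True)` fails the first exchange, which is the check that protects a public client whose code was intercepted.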
For CIAM, the authorization code flow is the recommended grant for customer-facing login, balancing security with the redirect-based user experience that web and mobile applications rely on.
Sources
- IETF RFC 6749, The OAuth 2.0 Authorization Framework: https://datatracker.ietf.org/doc/html/rfc6749
Standards
- IETF RFC 6749