Overview

According to the OAuth authorization code grant flow, an authorization server sends a temporary (authorization) code to a client. The code is exchanged for a token. This flow is available for confidential clients, for example, web applications with a backend that can store credentials securely. This way, the client can obtain one or more of the following token types:

• Access tokens
• Refresh tokens
• ID tokens

Steps

1. A user tries to access the application (the client).
2. The client calls the authorization server's authorize endpoint.

curl --location \
--get \
--url "https://$TENANT_ID.$REGION_ID.authz.cloudentity.io/$TENANT_ID/$WORKSPACE_ID/oauth2/authorize" \
--data-urlencode "response_type=code" \
--data-urlencode "client_id=$CLIENT_ID"
            

3. The authorization server responds with the redirect URI. The user gets redirected to the login & content form (if any).
4. The user authenticates with his credentials and gives his consent.
5. The authorization server issues an authorization code.
6. The client application requests authentication to the token endpoint using the authentication method configured and the authorization code provided in the previous step.

   The grant_type value in the API call must be authorization_code.

curl --request POST \
--url "https://$TENANT_ID.$REGION_ID.authz.cloudentity.io/$TENANT_ID/$WORKSPACE_ID/oauth/token" \
--data-raw "grant_type=authorization_code&code=$CODE&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET"
            

7. The authorization server validates the authorization code.
8. The authorization server returns the token.
9. The client application requests protected resources (API / Azure Resources) from the resource server and submits the token it received in the previous step.
10. The resource server validates the token and responds with the requested resources.

Use Case

• You are developing an enterprise web application that needs to read user profiles and calendar events from Microsoft 365 using the Microsoft Graph API. To ensure secure access to the user's Microsoft 365 data, you implement the Authorization Code Grant Flow, allowing your web application to obtain an access token on behalf of the user.
• You are building a web application that allows users to manage their data stored in Azure Blob Storage. To ensure secure access to the user's Azure resources, you implement the Authorization Code Grant Flow, which provides a secure way for your web application to obtain an access token on behalf of the user.