OAuth 2.0 Authorization Code Grant

OAuth 2.0 provides a number of security flows (or grant types) to allow an application access to user's data in another application. In this blog, we will look at the OAuth 2.0 grant: authorization code grant.

Firstly, we need to review a number of definitions:

• Client: This is the application that the user is currently interacting with. For example, let's assume we are looking at the fictitious funky blogging site: www.myfunkyblog.com. The client wants to communicate with another application and retrieve something about the user from there. For example, they could want to retrieve their favorite photo! Let's assume the fictitious megaphotosharing.com as the service that the client wishes to access.
• Client ID: This is an ID that identifies the client. It can be passed around openly in Web URLs, etc.
• Client secret ID: This is a secret ID that only the client knows. This is kept server side and will be used in requests to the application for which access is sought. It cannot be passed around in Web URLs.
• Resource owner: This is usually the human who is using the client application. The resource owner has data in another application (e.g. megaphotosharing.com) that the client (myfunkyblog.com) wishes to access. The goal is to facilitate that sharing without the need for the resource owner, a.k.a. the human to ever pass their megaphotosharing.com password to myfunkyblog.com. Note: the resource owner doesn't have to be a human, but, according to the OAuth spec, when it is a human, it can also be referred to as the end-user.
• Resource Server: This hosts the protected resources of the resource owner that the client is interested in. So, this is the megaphotosharing.com server that has the resource owner photos that the myfunkyblog.com is also interested in.
• Authorisation Server: The server, who issues a token to myfunkyblog.com after the resource owner has successfully authenticated and allowed myfunkyblog.com, obtains some of it from megaphotosharing.com. Sometimes, the authorization server and the resource server are effectively the same, but they don't have to be.
• Access token: A special type of token is in the myfunkyblog.com authorization server, which gives megaphotosharing.com access to the protected resources. It will contain scope, lifetime, and other access attributes.

Use Cases

So, the use case is that the client (myfunkyblog.com) wants to access information about
the resource owner (the human) from another application — megaphotosharing.com.

Client Registration

The first thing that the client must do is register with the service (megaphotosharing.com),
providing its name, website, etc. The service will return a secret client code.
The client keeps this private and is responsible for ensuring that only it knows it. Usually,
it will encrypt and persist it in the client on the backend. The service will
also receive a client ID. Unlike the client secret, this is public and can be passed around
in URLs.

Flow

Now, let's get to the actual flow. The user is browsing around myfunkyblog.com and accesses a part of the site where myfunkyblog.com wants to know the end-user's favorite photo.

A pop-up screen appears to the end-user. This will have the following URL:

https://megaphotosharing.com/oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=read

Key parts of this URL:

• megaphotosharing.com: This is the domain for the authorization server.
• response_type=code: This is the required parameter used to enable the client and inform the authorization server the desired grant type. An alternative value would be the "token." This is for the implicit flow."Code" means that the client wants an authorization code, which will be returned after the resource owner logs in. This authorization code will be used in a subsequent request by the client.
• client_id: This contains the required parameter used to identify the client. Remember: this is public and can be passed to and from a web browser.
• redirect_uri: This is an optional parameter. It enables the client to dynamically specify the URL that the auth server should redirect to. In some flows, this isn't needed; there is only one redirect URI, and this is registered by the client with the service during client registration.
• scope: This is an optional parameter. It specifies the level of access that the application is requesting. In this case, it is just a read. The auth server uses this to inform the user/resource owner what the client is trying to do.

Then, the user logs into megaphotosharing.com, who tells the user what the Client wants to do. If the user selects ok, megaphotosharing.com redirects to the redirect URI passed up.

https://myfunkyblog.com/callback?code=212132kjhkhj

Notice how the client ID is passed over the web in a URL, and the authorization code is passed back over the web.

The client, then, uses the returned authorization code, its client ID, client secret, and the grant type to make a POST request server-to-Server to get an Access Token. This happens all on the back end.

https://megaphotosharing.com/v1/oauth/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=authorization_code&code= 212132kjhkhj&redirect_uri=CALLBACK_URL

• client id and client secret identify the client. This is a back-end request, and hence, it is okay to pass the client_secret, which would obviously never pass to or from the browser.
• grant_type: This must be set to  authorization_code. As it indicates, the authorization code grant is the grant used to indicate the flow that the client is using — it can also be used by the server for the types of flows available. If the client was using the Client Credentials Grant, this value would be "client_credentials." If the client was using "Resource Owner Password Credentials Grant," the value would be "password."
• code: 212132kjhkhj: The actual authorization code was returned from the initial authorization request from the authorization server. This is required.
• redirect_uri: If the redirect_uri   was included in the authorization request, this value must be the same as the value used in that request.

The client, then, receives back an access token. It will look something like this:

{"access_token":"ACCESS_TOKEN","token_type":"bearer","expires_in":2592000,"refresh_token":"REFRESH_TOKEN","scope":"read","uid":1001013121222}

Now, it will use this to access some of the resource owner's resource data.

So What's the Big Deal?

• There are obviously some big advantages for users not having to tell one website its password for another site.
• This reduces the number of passwords a user needs to remember.
• This also allows richer websites by allowing disparate applications to talk to each other.

Why Do People Find It Confusing?

There are a number of reasons why people find OAuth 2.0 confusing:

• There are a few different flows or grants.  The authorization code grant is just one.  Sometimes, when you Google explanations for OAuth 2.0, you get explanations for different grants without making it clear what is and isn't being explained. Hence, this is why I put the authorization code grant in the title.  
• Terminology.  I'll just speak for myself.  But, if I am reading quickly, I am likely to:
•  Confuse "Client" with the end-user
• Get confused between the resource server and the authorization server
• Consistenty — a lot of places implement OAuth 2.0 or something very similar to OAuth, but they will refer to things differently along the way.  For example, go to quora.com and try to login to Google.  You are taken to: ?

https://accounts.google.com/signin/oauth/oauthchooseaccount?client_id=917071888555.apps.googleusercontent.com&as=rdWeinbqWJbt6ChoW2f3Fg&destination=https%3A%2F%2Fwww.quora.com&approval_state=!ChRyQlhnbEYzai1xQTliNlNmTEVmNRIfZ3doM2hlRVIycGdiMEVBN1JaNXdOM085MERXLVVCWQ%E2%88%99ANKMe1QAAAAAW2i2to0SOyO2_w3k3O4gjwUKQLGNmZ2h&oauthgdpr=1&xsrfsig=AHgIfE8EzSxvWfzyxou0dwLDxv4GhD6e5g&flowName=GeneralOAuthFlow

There's noresponse_type in that URL. OAuth is an authorization spec.  It is usually used with an authentication spec, like Open Connect, but that is actually a separate spec.