Authorization Code Flow (Explicit)
The Authorization Code Flow (Explicit) is one of the most secure OAuth 2.0 grant types. It is designed for applications where maintaining the confidentiality of the source code is critical. To prevent authorization code interception, it is primarily used by web applications with a backend server or native applications that implement Proof Key for Code Exchange (PKCE).
This flow ensures that user credentials are never shared directly with the client and that the client's secret is securely stored on the server. It is ideal for scenarios requiring a high level of security, such as applications that need to access protected resources on behalf of a user.
This document describes the steps to implement the Authorization Code Flow with LoginRadius. It details the protocol flow, use cases, and practical steps for successfully integrating this flow with your application.
Best Suited For
This flow is ideal for server-side applications where the source code remains confidential. It requires securely storing a client secret, making it suitable for web applications with a backend or native PKCE apps.
Protocol Flow
- Authorization Request: The client (service provider) requests authorization from the LoginRadius Authorization Server.
- Authorization Response: Upon successful authorization, the user is redirected to the redirect URI with a `code` parameter.
- Token Exchange: The client exchanges the code for access and refresh tokens.
- Access Resources: The client uses the access token to access protected resources hosted on the Resource Server.
Implementation Steps for Authorization Code Flow
Step 1: Get Authorization Code
Redirect users to the authorization URL to initiate the authorization flow.
API Endpoint:
https://{HD/CD}/service/oauth/{OAuthAppName}/authorize?client_id={OAuth Client ID}&redirect_uri={Callback URL}&scope={Scope}&response_type=code&state={random long string}
Note:
- HD: Hosted Domain (e.g., `https://<LoginRadius Site Name>.hub.loginradius.com`).
- CD: Custom Domain.
API Method: GET.
Query Parameters:
- client_id: OAuth Client ID.
- redirect_uri: The whitelisted callback URL for redirecting users after authorization.
- scope: (Optional) Defines access permissions.
- state: (Optional) Ensures request integrity by passing a random string.
- response_type: Set to `code` for the Authorization Code Flow.
Example Response:
YOUR_CALLBACK_URI?code={unique_code}
Refer to the documentation for additional query parameters supported in the authorization endpoint.
Step 2: Exchange Authorization Code for Access Token
After obtaining the authorization code, exchange it for an access token by sending a POST request to the token endpoint.
API Endpoint:
https://{HD/CD}/api/oauth/{OAuthAppName}/token
Request Body Parameters:
- client_id: OAuth Client ID.
- client_secret: LoginRadius API secret.
- grant_type: Set to `authorization_code`.
- code: The authorization code received in Step 1.
- redirect_uri: The callback URL used in Step 1.
API Method: POST.
Example Request Body:
```json
{
  "client_id": "your_client_id",
  "client_secret": "your_client_secret",
  "grant_type": "authorization_code",
  "code": "your_authorization_code",
  "redirect_uri": "https://your_callback_url"
}
```
API Response:
```json
{
  "access_token": "{LoginRadius Access Token}",
  "token_type": "{type}",
  "expires_in": {seconds till expiration},
  "refresh_token": "{Refresh Token}"
}
```
Step 3: Use the Access Token
Once you have the access token, you can use it with any LoginRadius API that supports token-based authentication. The access token is valid until it expires or is revoked.
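The three steps above as a minimal confidential-client implementation in Python (an added example, not LoginRadius code): it generates and checks the `state` value, builds the Step 1 redirect URL, and assembles the Step 2 token request. The hosted domain, OAuth app name, client ID, client secret and redirect URI are placeholder assumptions.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values (assumptions, not real credentials): substitute your
# LoginRadius hosted or custom domain, OAuth app name, client ID and secret.
HOST = "example.hub.loginradius.com"
APP = "my-oauth-app"
CLIENT_ID = "your_client_id"
CLIENT_SECRET = "your_client_secret"
REDIRECT_URI = "https://your_callback_url"

def new_state() -> str:
    """Unguessable per-request value; keep it server-side in the user's session."""
    return secrets.token_urlsafe(32)

def build_authorize_url(state: str, scope: str = "openid profile") -> str:
    """Step 1: the URL the user's browser is redirected to (GET)."""
    query = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "response_type": "code",
        "state": state,
    }
    return f"https://{HOST}/service/oauth/{APP}/authorize?{urlencode(query)}"

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Pull the code out of the redirect back to REDIRECT_URI, discarding any
    response whose state does not equal the value stored in the session."""
    params = parse_qs(urlparse(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not a response to our request")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]

def build_token_request(code: str) -> tuple[str, dict]:
    """Step 2: endpoint and form body for the server-to-server POST that redeems
    the code. client_secret stays on the backend and never reaches the browser."""
    body = {
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must match the value sent in Step 1
    }
    return f"https://{HOST}/api/oauth/{APP}/token", body
```

Send the returned body as a form-encoded POST from the backend (for example with `requests.post(url, data=body)`), then read `access_token` from the JSON response for Step 3.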
Following these steps, you can securely implement the Authorization Code Flow for OAuth 2.0 with LoginRadius in your applications.