Authorization Code Flow
Overview
The Authorization Code Flow in OpenID Connect (OIDC) is a secure OAuth 2.0 grant type designed for server-side applications that can securely store a client secret. It is ideal for applications that require user authentication and access to protected resources. The flow involves obtaining an authorization code from the authorization endpoint and then exchanging it for tokens (access token, ID token, and refresh token) at the token endpoint. This flow is widely used in OIDC scenarios where a high level of security is necessary.
Steps to Implement Authorization Code Flow
1. Redirect the user's browser to the authorization endpoint:

```
https://<siteurl>/service/oidc/{oidcAppName}/authorize?client_id={OIDC Client ID}&redirect_uri={Callback URL}&scope=openid&response_type=code&state={random long string}&nonce={unique nonce}
```

- Required Query Parameters:
  - client_id: The OIDC client ID.
  - redirect_uri: URL to which the server will send the response.
  - scope: Must include openid (additional scopes can be specified as needed).
  - response_type: Set to code.
  - state: A random string for CSRF protection.
  - nonce: Unique value to prevent replay attacks.

2. After the user authenticates, the server redirects back to the callback URL with the authorization code and the original state value:

```
REDIRECT_URI?code={authorization code}&state={original state value}
```
3. Exchange the authorization code for tokens at the token endpoint:

```
POST https://<siteurl>/api/oidc/{oidcAppName}/token
```

Request Body:

```json
{
  "client_id": "<OIDC Client ID>",
  "client_secret": "<Client Secret>",
  "redirect_uri": "<Callback URL>",
  "grant_type": "authorization_code",
  "code": "<authorization code>"
}
```

Response:

```json
{
  "access_token": "<token>",
  "id_token": "<id token>",
  "refresh_token": "<refresh token>",
  "expires_in": <seconds>
}
```
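The client-side bookkeeping the steps above rely on (generating state and nonce, rejecting a callback whose state does not match, and checking the nonce echoed in the ID token), written as an added example rather than LoginRadius code; the site URL, app name, client ID, client secret and callback URL are placeholder assumptions.

```python
import secrets
import urllib.parse

# Placeholder values (assumptions, not real credentials): substitute your own
# <siteurl>, {oidcAppName}, OIDC Client ID, Client Secret and Callback URL.
SITE_URL = "https://example.com"
OIDC_APP = "myoidcapp"
CLIENT_ID = "client-id-placeholder"
CLIENT_SECRET = "client-secret-placeholder"
REDIRECT_URI = "https://app.example.com/callback"

def new_session():
    # Fresh, unguessable state and nonce per login attempt; keep them server-side
    # (e.g. in the user's session) until the callback and ID token are checked.
    return {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}

def build_authorize_url(session, scope="openid"):
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "response_type": "code",
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return f"{SITE_URL}/service/oidc/{OIDC_APP}/authorize?" + urllib.parse.urlencode(params)

def parse_callback(callback_url, session):
    """Return the authorization code only if the returned state matches the stored
    one. A missing or different state means the callback may belong to a request
    this session never made (CSRF), so the code must not be exchanged."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    returned_state = query.get("state", [""])[0]
    if not secrets.compare_digest(returned_state, session["state"]):
        raise ValueError("state mismatch: discarding callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code

def token_request_body(code):
    # Body of the back-channel POST to the token endpoint; the secret never reaches the browser.
    return {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI,
            "grant_type": "authorization_code", "code": code}

def nonce_matches(id_token_claims, session):
    # After verifying the ID token's signature, its nonce claim must echo the one sent in step 1.
    return secrets.compare_digest(id_token_claims.get("nonce", ""), session["nonce"])
```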
The Authorization Code Flow (OIDC) is a secure and efficient method for handling user authentication and authorization in server-side applications. By following the steps above, you can securely authenticate users, obtain the required tokens, and access protected resources. Because the code is exchanged on the back channel, the client secret and the issued tokens are never exposed to the user's browser, and the flow integrates seamlessly with LoginRadius for OpenID Connect-based authentication.