The Authorization Code Flow returns an Authorization Code to the Client, which the Client can exchange for an ID Token, an Access Token and (optionally) a Refresh Token directly with the OIDC Authorization Server at the Token Endpoint. This has the benefit of not exposing any tokens to the User Agent (or to other, possibly malicious, applications with access to the User Agent). So that the Authorization Server can trust the Client before handing over any authentication data about the End-User, the Server can authenticate the Client. The Authorization Code Flow is therefore suitable for Clients that can securely maintain a Client Secret between themselves and the OIDC Authorization Server.
The Authorization Code Flow steps for authenticating the End-User (or for determining that the End-User is already logged in) are listed here:
1. The User Agent requests resources.
2. The Client prepares an Authentication Request and sends it to the OIDC Authorization Server.
3. The End-User is authenticated.
4. An Authorization Grant Code is requested.
5. The OIDC Authorization Server obtains End-User consent (optional).
   - If consent is asked for but denied, the End-User is not authorized and does not get access to their resources; the login stops.
   - If consent is asked for and accepted, the End-User is authorized. Continue to step 6.
6. The OIDC Authorization Server sends the End-User back to the Client with an Authorization Code.
7. The Client requests a response using the Authorization Code at the Token Endpoint (OIDC Authorization Server).
8. The Client receives a response containing an ID Token, an Access Token and (optionally) a Refresh Token in the response body (among other parameters).
9. The Client validates the ID Token, retrieves the End-User's Subject Identifier and requests resources.
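The steps above, worked through as an added Python example that is not code from the original page. The OIDC Authorization Server is simulated in-process so the flow runs offline: the Client Secret authenticates the Client at the Token Endpoint before any token is released, each Authorization Code is accepted only once, and the Client checks `state` on the callback and then the ID Token's signature, `iss`, `aud`, `exp` and `nonce` before trusting the Subject Identifier. The issuer and redirect URLs, the client id and secret, and the HS256-signed ID Token are assumptions made for the example; a real Client would call the provider's endpoints over HTTPS and verify signatures with the keys the provider publishes.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical issuer and client registration, constructed for this example.
ISSUER = "https://op.example"
AUTHZ_ENDPOINT = ISSUER + "/authorize"
CLIENT_ID = "demo-client"
CLIENT_SECRET = "demo-client-secret"   # known only to the Client and the OP
REDIRECT_URI = "https://rp.example/callback"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hs256_sign(claims, key):
    # Minimal JWT with HS256: here the OP signs with the shared client secret.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def query_of(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class FakeAuthorizationServer:
    """In-process stand-in for the OIDC Authorization Server (steps 3 to 8)."""
    def __init__(self):
        self.codes = {}  # one-time authorization code -> (redirect_uri, sub, nonce)

    def authorize(self, request_url, subject, consent):
        """Steps 3-6: End-User authenticated as `subject`, consent asked, redirect back."""
        q = query_of(request_url)
        if not consent:
            return None  # consent denied: the login stops, no code is issued
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["redirect_uri"], subject, q["nonce"])
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form):
        """Steps 7-8: Token Endpoint; the Client is authenticated before anything is released."""
        if not hmac.compare_digest(form.get("client_secret", ""), CLIENT_SECRET):
            return {"error": "invalid_client"}
        entry = self.codes.pop(form.get("code"), None)  # each code is accepted only once
        if entry is None or entry[0] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        _, sub, nonce = entry
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": now,
                  "exp": now + 300, "nonce": nonce}
        return {"id_token": hs256_sign(claims, CLIENT_SECRET), "token_type": "Bearer",
                "access_token": secrets.token_urlsafe(24), "refresh_token": secrets.token_urlsafe(24)}

def build_authentication_request(session):
    """Step 2: state ties the callback to this browser session, nonce ties the ID Token to it."""
    session["state"], session["nonce"] = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile", "state": session["state"], "nonce": session["nonce"]}
    return AUTHZ_ENDPOINT + "?" + urlencode(params)

def validate_id_token(token, expected_nonce, now=None):
    """Step 9: check signature, iss, aud, exp and nonce; return the Subject Identifier."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose its own algorithm
    expected = hmac.new(CLIENT_SECRET.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims["sub"]

def handle_callback(callback_url, session, server):
    """Steps 6-9 on the Client: check state, exchange the code, validate the ID Token."""
    q = query_of(callback_url)
    if not hmac.compare_digest(q.get("state", ""), session["state"]):
        raise ValueError("state mismatch")  # callback does not belong to our own request
    resp = server.token({"grant_type": "authorization_code", "code": q.get("code", ""),
                         "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                         "client_secret": CLIENT_SECRET})
    if "error" in resp:
        raise ValueError(resp["error"])
    return validate_id_token(resp["id_token"], session["nonce"])

def run_flow(consent=True, subject="user-123"):
    """Whole flow against the in-process server: the sub, or None if consent was denied."""
    server, session = FakeAuthorizationServer(), {}
    callback = server.authorize(build_authentication_request(session), subject, consent)
    return None if callback is None else handle_callback(callback, session, server)
```

`run_flow()` returns the Subject Identifier when consent is granted and `None` when it is denied (step 5). The same server objects can be driven by hand to see the failure modes a Client relies on: a replayed code is refused with `invalid_grant`, a wrong secret with `invalid_client`, and a callback whose `state` does not match the session never reaches the Token Endpoint at all.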