Authorization Code Grant in Action
A client demonstrating all steps of an OAuth 2.0 Authorization Code Grant Flow.
Important note: This demo client is just for demonstrating purposes. All the mandatory validations and recommended security precautions of a production-ready OAuth 2.0 client library are missing here.
So do NOT use any code of this client for production!
Authorization code grant flow in detail
The authorization code grant is the flow mostly used in today's applications adopting OAuth 2.0. It is used for resource owner authorization in many internet services like for example SlideShare or StackOverflow.
For single page applications the latest best-practice drafts by the IETF mandates using this grant (with the addition of PKCE) instead of the implicit grant.
This demo implements a server-side web application using spring mvc + thymeleaf. Even for such web application type the IETF recommends to add PKCE to the authorization code grant.
Enterprise applications usually add OpenID Connect 1.0 on top of OAuth 2.0 for implementing real authentication scenarios.
To see all details for this grant flow see the corresponding section of the OAuth 2.0 Authorization Framework Spec.
The flow starts with the authorization request, this redirects to the authorization server. Here the user logs in using his credentials (and optionally approves a consent page)
After successfully logging in a 302 HTTP redirect request with the authorization code is being sent through to the browser which redirects to the callback entry point provided by the client application
Now the client application send a token request to the authorization server to exchange the authorization code into an access token.
You can see each of these steps in the demo client application of this intro lab. Usually only step 1 is visible to a user of the client. Steps 2 and 3 are only visible here to visualize the whole flow.
In addition, the demo client can also
call the token introspection endpoint to verify if a token is still valid
and can retrieve a new access token by using a refresh token
Run the demo application
To start the demo:
Make sure Custom Spring Authorization Server is running correctly, see Setup for details.
Browse to localhost:9095/client to start the demo client
You can use one of the following users to login:
bwayne
bruce.wayne@example.com
wayne
USER
ckent
clark.kent@example.com
kent
USER
pparker
peter.parker@example.com
parker
ADMIN, USER
If you remain in step 2 for a long time (where you have retrieved the authorization code) then you will get an error when proceeding to step 3 (exchanging the code for an access token). This is because the authorization code timed out.
According to the OAuth2 specification:
The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once.
The spring authorization server follows this recommendation and uses a really short authorization code lifetime.
You can also try more features of this demo by specifying these spring profiles:
Without any profile: The demo just runs OAuth 2 mode and only gets an access token
With profile
login: This demo enforces a re-login independent of an existing session at the authorization server.With profile
oidc: This demo runs in OpenID Connect mode and also gets an ID tokenWith profile
pkce: This demo enables Proof Key for Code Exchange (PKCE) instead of using client_secret for getting a token.
Last updated