Skip to main content

Authorization Code

The purpose of the Authorization Code flow is to acquire an Access Token, which can be added as Bearer token to REST calls made towards a Resource Server.

This flow may be used by classic Web applications which have server-side processing and are able to store an OAuth 2.0 client secret in a safe place.

SPA and native applications should use the more secure Authorization Code flow with PKCE instead.

Authorization Code flow

  1. The user clicks Login in the Web App.

  2. The App redirects the user to the Identity Cloud Authorization endpoint. Example URL 1:

    See Authorization endpoint for a description of the query parameters.

  3. Identity Cloud shows a login page.

  4. The user authenticates by entering their credentials.

  5. Upon successful authentication, the authorization endpoint generates an Authorization Code and redirects the user to the return_uri. The Authorization Code is handed over as a query parameter code.

    Example URL 1:
  6. Your app sends the code to the Identity Cloud Token endpoint. The grant_type must be authorization_code and the redirect_uri must be allowed for this application. For security reasons, the call should be done by a server-side component as it includes the client_secret.

    Example POST request 1:

    POST /auth/oauth2/token HTTP/1.1
  7. The token endpoint returns an Access Token. Depending on the scopes requested in step 2 additional tokens will be returned:

    1. ID Token: scope openid
    2. Refresh Token: scope offline_access

    Example JSON response 1:


    The access token and ID token are JWT tokens, while the refresh token is opaque.

1 line-breaks have been added to make the example more readable.