From the course: Web Security: OAuth and OpenID Connect (2019)
Overview: Authorization code flow
- [Instructor] The first grant type we'll cover is the Authorization Code Flow. Of all of them, it's my favorite, as it tends to be the most secure by default. But instead of talking about it, let's just see the steps of the flow. In practice, this is what it looks like. You navigate to a page and request to log in. Next, the server sends you to the identity provider or an authorization server that you both trust, and you perform the authentication and grant the authorizations requested. You don't immediately get back an access token; instead, you get back an authorization code, or auth code. Now the web application can use the auth code, the client ID and the client secret to hit the token endpoint and get back the access and refresh tokens, and it's done entirely via the backend. And that's it. Now the security benefits of this are very clear. The end user briefly sees the auth code, but since it's a one-time use code and…
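The four steps described above, as an added example in Python that is not part of the course or its exercise files: a toy authorization server that hands the browser a short-lived, one-time auth code and only exchanges it for tokens when the backend presents the matching client secret and redirect URI. The client registration (`web-app`), its secret and the URLs are constructed sample values.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration (sample values, not from the course).
CLIENTS = {"web-app": {"secret": "example-client-secret",
                       "redirect_uri": "https://app.example/callback"}}


class AuthorizationServer:
    """Issues one-time auth codes and exchanges them at the token endpoint."""

    def __init__(self, code_ttl=60):
        self._codes = {}  # code -> (client_id, redirect_uri, user, expires_at)
        self.code_ttl = code_ttl

    def authorize(self, client_id, redirect_uri, user):
        # Steps 2-3: user authenticates and consents; the browser is sent back
        # with a short-lived auth code, never with the access token itself.
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, user, time.monotonic() + self.code_ttl)
        return f"{redirect_uri}?{urlencode({'code': code})}"

    def token(self, client_id, client_secret, code, redirect_uri):
        # Step 4: the web app's backend presents code + client_id + client_secret.
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        entry = self._codes.pop(code, None)  # consumed on first use, valid or not
        if entry is None:
            return {"error": "invalid_grant"}
        c_id, c_redirect, user, expires_at = entry
        if c_id != client_id or c_redirect != redirect_uri or time.monotonic() > expires_at:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "sub": user}


def code_from_redirect(url):
    """The web app's callback handler: extract the auth code from the redirect URL."""
    return parse_qs(urlparse(url).query)["code"][0]


def run_flow(server, client_id="web-app", secret="example-client-secret",
             redirect_uri="https://app.example/callback", user="alice"):
    """Drive the flow once and report what each token-endpoint call returned."""
    code = code_from_redirect(server.authorize(client_id, redirect_uri, user))
    wrong_secret = server.token(client_id, "not-the-secret", code, redirect_uri)
    first = server.token(client_id, secret, code, redirect_uri)
    replay = server.token(client_id, secret, code, redirect_uri)  # second use is rejected
    return {"wrong_secret": wrong_secret, "first": first, "replay": replay}
```

`run_flow` shows the property the instructor is about to describe: a code seen in the browser is useless without the client secret, and it is dead after its first exchange.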
Contents
- Overview: Authorization code flow (1m 37s)
- When should I use this? (1m 4s)
- PKCE Overview (1m 54s)
- When should I use PKCE? (1m 22s)
- Build an example: Web app or Postman (4m 31s)
- Build an example: Native app or SPA (2m 38s)
- Security considerations (2m 15s)