Authorization Code Flow

The Authorization Code Flow is the OAuth 2.0 grant in which a client redirects the user to the authorization server, receives a one-time code at a registered redirect_uri, and exchanges that code (with PKCE and/or a client secret) for tokens — the standard flow for almost every modern app.

Last reviewed 5/30/2026

Key points

  • Two round trips: authorize redirect → callback with code → POST to /token → access token (+ ID token, refresh token).
  • Always pair with PKCE (mandatory for public clients, recommended for all).
  • Replaces the deprecated Implicit Flow for SPAs and mobile.
  • Use the state parameter (CSRF) and nonce (OIDC replay protection).
  • OAuth 2.1 and OIDC define this as the default and recommended grant type.

What is the Authorization Code Flow?

The Authorization Code Flow is the OAuth 2.0 grant type that virtually every web, mobile, and SPA app should use. It's a two-step dance designed so that powerful tokens never live in the browser URL bar or browser history.

How it works (with PKCE)

  1. Client generates a random code_verifier and computes code_challenge = BASE64URL(SHA256(code_verifier)), unpadded as RFC 7636 specifies.
  2. Browser redirect to /authorize with: response_type=code, client_id, redirect_uri, scope, state (CSRF), nonce (OIDC), code_challenge, code_challenge_method=S256.
  3. User authenticates at the authorization server (passkey, password+MFA, SSO).
  4. Authorization server redirects back to redirect_uri with ?code=<one-time>&state=<echo>.
  5. Client verifies state matches, then POSTs to /token: grant_type=authorization_code, code, redirect_uri, code_verifier, client_id, and (for confidential clients only) client_secret.
  6. Token endpoint returns access_token, optionally id_token (OIDC), and optionally refresh_token.

Why this dance

  • The code is one-time, short-lived (≤60s typically), and useless without the verifier.
  • The tokens are delivered over a back-channel POST, not in URL fragments — they never appear in browser history, referrer headers, or server logs.
  • The state parameter prevents CSRF on the callback.
  • The nonce parameter (OIDC) prevents ID-token replay.
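The six steps above and the "why this dance" properties, shown end to end as an added example that is not part of the original page. Both the client and a toy authorization server run in one process so the exchange can be traced offline; the endpoint URLs, client_id, redirect_uri and user name are constructed placeholders, and the server keeps its code store in memory. The simulation also exercises three of the failure modes the list describes: a forged state on the callback, a wrong code_verifier at the token endpoint, and a second use of an already-redeemed code.

```python
from __future__ import annotations

import base64
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders, not real endpoints or a registered client.
AUTHORIZE_URL = "https://as.example/authorize"
TOKEN_URL = "https://as.example/token"
CLIENT_ID = "spa-client"
REDIRECT_URI = "https://app.example/callback"
CODE_TTL_SECONDS = 60  # codes are one-time and short-lived


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Step 1: random code_verifier and code_challenge = BASE64URL(SHA256(verifier))."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class ToyAuthorizationServer:
    """Issues one-time codes bound to the client's challenge and redirect_uri."""

    def __init__(self) -> None:
        self._codes: dict = {}

    def authorize(self, url: str, authenticated_user: str) -> str:
        """Steps 3-4: user already authenticated; redirect back with code and echoed state."""
        q = _query(url)
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            raise ValueError("unsupported_response_type")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": q["client_id"],
            "redirect_uri": q["redirect_uri"],
            "code_challenge": q["code_challenge"],
            "user": authenticated_user,
            "expires": time.time() + CODE_TTL_SECONDS,
        }
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form: dict) -> dict:
        """Step 6: validate the back-channel POST, then mint tokens."""
        record = self._codes.pop(form.get("code", ""), None)  # pop: a code is redeemable once
        if record is None or time.time() > record["expires"]:
            return {"error": "invalid_grant"}
        if (form.get("grant_type") != "authorization_code"
                or form.get("client_id") != record["client_id"]
                or form.get("redirect_uri") != record["redirect_uri"]):
            return {"error": "invalid_grant"}
        # The code is useless without the verifier: recompute S256 and compare.
        expected = b64url(hashlib.sha256(form.get("code_verifier", "").encode("ascii")).digest())
        if not secrets.compare_digest(expected, record["code_challenge"]):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "sub": record["user"]}


def run_flow(server: ToyAuthorizationServer, tamper: Optional[str] = None) -> dict:
    """Client side (steps 1, 2, 5). `tamper` injects one failure for demonstration."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)   # CSRF binding for the callback
    nonce = secrets.token_urlsafe(16)   # OIDC replay protection for the ID token
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile", "state": state, "nonce": nonce,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    callback = server.authorize(AUTHORIZE_URL + "?" + urlencode(params), "alice")
    cb = _query(callback)
    if tamper == "state":
        cb["state"] = "forged-by-attacker"
    if cb.get("state") != state:            # step 5: reject the callback before any token call
        return {"error": "state_mismatch"}
    form = {"grant_type": "authorization_code", "code": cb["code"], "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "code_verifier": verifier}
    if tamper == "verifier":
        form["code_verifier"] = b64url(secrets.token_bytes(32))  # someone who saw only the code
    result = server.token(form)
    if tamper == "replay" and "access_token" in result:
        return server.token(form)          # the same code presented a second time
    return result


if __name__ == "__main__":
    srv = ToyAuthorizationServer()
    print("happy path:", run_flow(srv))
    for t in ("state", "verifier", "replay"):
        print(f"tamper={t}:", run_flow(srv, tamper=t))
```

The token endpoint pops the code from its store before any other check, so a replayed code fails even when the verifier is correct, and the verifier comparison uses a constant-time compare. A real server would also persist the store, rate-limit the token endpoint and check the client's registered redirect_uri list at /authorize rather than trusting the request value.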

Common misconceptions

  • "Implicit Flow is faster." It's deprecated. Use Auth Code + PKCE.
  • "Client secret protects everything." Not for public clients (SPAs, mobile) — they can't keep one. That's exactly why PKCE exists.
  • "state is optional." Treat it as required. Skipping it opens you to CSRF on the callback.

Editorial note

If you're integrating OAuth from scratch, use a vetted library (oauth4webapi, MSAL, openid-client, AppAuth). The flow is simple in principle and full of footguns in practice.

Standards & references