Authentication
3 cards
How does the OAuth 2.0 Authorization Code Flow work?
Client -> Auth Server (login) -> Authorization Code -> Exchange for Access Token -> API calls.
1) Client redirects the user to the Auth Server.
2) User authenticates and consents.
3) Auth Server returns an authorization code to the registered redirect_uri.
4) Client exchanges code + client_secret for access_token + refresh_token.
5) Client uses the access_token for API calls.
PKCE extension for SPA/mobile (no client_secret).
When yes
Third-party auth (Google, GitHub), SSO, any application with user login
When no
Machine-to-machine (use Client Credentials flow)
Interview tip
Always use Authorization Code + PKCE. Implicit flow is deprecated.
Alt: SAML; OIDC (OAuth2 + identity); API keys