Calling APIs from Server-side Web Apps
The OAuth 2.0 grant that regular web apps use to access an API is the Authorization Code Grant.
The Authorization Code Grant (defined in RFC 6749, section 4.1) is a redirect-based flow in which the User Agent receives an authorization_code from the Authorization Server and hands it to the Client. The Client then contacts the Authorization Server directly (server to server, not through the browser) and exchanges the authorization_code for an access_token (and optionally also a refresh_token). The Client can now use this access_token to call the Resource Server on behalf of the Resource Owner.
- The Client initiates the flow and redirects the user to the Authorization Server
- The user authenticates
- The Authorization Server redirects the user back to the Client with an authorization_code in the querystring
- The Client sends the authorization_code together with the Redirect Uri and the Client Id/Client Secret to the Authorization Server
- The Authorization Server validates this information and returns an access_token (and optionally a refresh_token)
- The Client can use the access_token to call the Resource Server on behalf of the user
The first time the user goes through this flow, a consent page is shown listing the permissions that will be granted to the Client (e.g. post messages, list contacts, ...).
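The steps above, carried through as an added example in Python (this is illustration code written for this page, not code from the original page or from any particular Authorization Server). The endpoints, client id, client secret and redirect URI are hypothetical placeholders, and the Authorization Server and Resource Server are replaced by constructed in-process fakes so the flow runs offline. The Client keeps a server-side session, binds the redirect to a one-time state value, rejects a callback whose state does not match, exchanges the authorization_code for tokens with its client secret, and then calls the API with the Bearer access_token:

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints and credentials, assumed for this example only.
AUTHORIZE_URL = "https://auth.example.com/authorize"
TOKEN_URL = "https://auth.example.com/oauth/token"
API_URL = "https://api.example.com/contacts"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"   # stays on the server, never sent to the browser
REDIRECT_URI = "https://app.example.com/callback"

# Constructed sample values that the fake Authorization Server below hands out.
SAMPLE_CODE = "SplxlOBeZQQYbYS6WxSbIA"
SAMPLE_ACCESS_TOKEN = "sample-access-token"
SAMPLE_REFRESH_TOKEN = "sample-refresh-token"


class AuthCodeClient:
    """Server-side Client for the Authorization Code Grant (RFC 6749, section 4.1)."""

    def __init__(self, session):
        # `session` stands in for the web app's server-side session store.
        self.session = session

    def authorization_redirect(self, scope):
        """Step 1: build the URL the user's browser is redirected to."""
        state = secrets.token_urlsafe(32)          # one-time value tying the callback to this login
        self.session["oauth_state"] = state
        params = {"response_type": "code", "client_id": CLIENT_ID,
                  "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
        return AUTHORIZE_URL + "?" + urlencode(params)

    def handle_callback(self, callback_url, post):
        """Steps 3-5: validate the redirect back and exchange the code for tokens.
        `post(url, form)` is the server-side HTTP client (injected so the example
        runs offline); it returns the token endpoint's JSON body as a dict."""
        query = parse_qs(urlparse(callback_url).query)
        expected = self.session.pop("oauth_state", None)
        received = query.get("state", [None])[0]
        if not expected or not received or not hmac.compare_digest(expected, received):
            raise ValueError("state mismatch: callback is not tied to a login this app started")
        if "error" in query:
            raise ValueError("authorization server returned error: " + query["error"][0])
        form = {"grant_type": "authorization_code", "code": query["code"][0],
                "redirect_uri": REDIRECT_URI,   # must match the value used in step 1
                "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
        tokens = post(TOKEN_URL, form)
        if "access_token" not in tokens:
            raise ValueError("token exchange failed: " + tokens.get("error", "unknown"))
        self.session["access_token"] = tokens["access_token"]
        if "refresh_token" in tokens:
            self.session["refresh_token"] = tokens["refresh_token"]
        return tokens

    def call_api(self, url, get):
        """Step 6: call the Resource Server with the bearer token from the session."""
        headers = {"Authorization": "Bearer " + self.session["access_token"]}
        return get(url, headers)


def fake_token_endpoint(url, form):
    """Constructed stand-in for the Authorization Server's token endpoint."""
    if url != TOKEN_URL or form.get("grant_type") != "authorization_code":
        return {"error": "invalid_request"}
    if (form.get("code") != SAMPLE_CODE or form.get("client_secret") != CLIENT_SECRET
            or form.get("redirect_uri") != REDIRECT_URI):
        return {"error": "invalid_grant"}
    return {"access_token": SAMPLE_ACCESS_TOKEN, "token_type": "Bearer",
            "expires_in": 3600, "refresh_token": SAMPLE_REFRESH_TOKEN}


def fake_resource_server(url, headers):
    """Constructed stand-in for the Resource Server; accepts only the sample token."""
    if headers.get("Authorization") == "Bearer " + SAMPLE_ACCESS_TOKEN:
        return {"status": 200, "contacts": ["alice", "bob"]}
    return {"status": 401}


def run_flow(tamper_state=False):
    """Drive the whole grant against the fakes; returns (tokens, api_response)."""
    session = {}
    client = AuthCodeClient(session)
    redirect = client.authorization_redirect("read:contacts")
    # Step 2 happens at the Authorization Server, which then redirects the browser
    # back to REDIRECT_URI carrying the code and the original state.
    state = parse_qs(urlparse(redirect).query)["state"][0]
    if tamper_state:
        state = "forged-state-value"   # simulates a callback not started by this app
    callback = REDIRECT_URI + "?" + urlencode({"code": SAMPLE_CODE, "state": state})
    tokens = client.handle_callback(callback, fake_token_endpoint)
    return tokens, client.call_api(API_URL, fake_resource_server)


if __name__ == "__main__":
    print(run_flow())
```

In a real deployment the `post` and `get` parameters would be the app's HTTP client talking to the Authorization Server and Resource Server over TLS; the state check and the secret-bearing token request are the parts that distinguish a server-side web app from a public client, since both the state and the client secret live only on the server.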
- Allow the Client to make calls to the Resource Server on behalf of the Resource Owner (Delegation)
- The Client is typically a traditional web application