Authorization code flow

We use the OAuth 2.0 Authorization Code flow (see the diagram below) to authenticate users with Onegini IDP. This means that the login process consists of two steps:

  1. Obtaining an authorization code (a.k.a. access grant)
  2. Exchanging the authorization code for an access token

The following diagram, taken from the OAuth 2.0 specification, shows the steps of the login flow:

     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->| Server        |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+

The Resource Owner is the end-user who wants to authenticate using Onegini IDP. The User-Agent is the end-user's browser. The Client is the application you are integrating OAuth into. The Authorization Server is Onegini IDP.
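The two steps above, modelled offline with both sides of the exchange, as an added example that is not Onegini SDK code: the IDP binds each code to the client and redirect URI from step (A) and accepts it only once, and the client ties the callback to its own login attempt with a random `state`. The endpoint URL, client id, secret and redirect URI are constructed placeholders.

```python
# Added example (not Onegini code): offline model of steps (A)-(E).
# Endpoint, client id, secret and redirect URI are constructed placeholders.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHZ_ENDPOINT = "https://idp.example/oauth/authorize"   # assumed
CLIENTS = {"demo-app": ("demo-secret", "https://app.example/cb")}  # IDP registry
ISSUED_CODES = {}   # IDP side: code -> (client_id, redirect_uri), single use
PENDING = {}        # client side: state -> True while a login is in flight

def idp_authorize(client_id, redirect_uri, state):
    """(A)-(C): after the user authenticates, redirect back with a code."""
    if redirect_uri != CLIENTS[client_id][1]:
        raise ValueError("redirect_uri does not match registration")
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = (client_id, redirect_uri)
    return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

def idp_token(client_id, client_secret, code, redirect_uri):
    """(D)-(E): exchange the code once, for the same client and URI as in (A)."""
    if ISSUED_CODES.pop(code, None) != (client_id, redirect_uri):
        raise PermissionError("invalid_grant")
    if CLIENTS[client_id][0] != client_secret:
        raise PermissionError("invalid_client")
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}

def client_authorization_url(client_id, redirect_uri):
    """Step 1 (A): random state ties the later callback to this login attempt."""
    state = secrets.token_urlsafe(16)
    PENDING[state] = True
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"

def client_handle_callback(callback_url, client_id, client_secret, redirect_uri):
    """Step 2 (C)-(E): reject a callback with unknown state, then exchange the code."""
    q = parse_qs(urlparse(callback_url).query)
    if not PENDING.pop(q.get("state", [None])[0], False):
        raise PermissionError("state mismatch: callback not started by this client")
    return idp_token(client_id, client_secret, q["code"][0], redirect_uri)

def run_flow():
    """One login end to end; returns (token, whether the code could be replayed)."""
    cid, secret, uri = "demo-app", "demo-secret", "https://app.example/cb"
    q = parse_qs(urlparse(client_authorization_url(cid, uri)).query)  # browser -> IDP
    callback = idp_authorize(q["client_id"][0], q["redirect_uri"][0], q["state"][0])
    token = client_handle_callback(callback, cid, secret, uri)       # browser -> client
    try:   # replaying the same code must fail: codes are single use
        idp_token(cid, secret, parse_qs(urlparse(callback).query)["code"][0], uri)
        return token, True
    except PermissionError:
        return token, False
```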

Onegini provides an SDK to implement this flow in a Java application.