Walk through the OAuth 2.0 Authorization Code flow at a high level — what happens from "click login" to "app gets a token"?
The app bounces the user to the authorization server to log in, gets back a short-lived authorization code, then secretly swaps that code (plus its client secret) for tokens behind the scenes.
* OAuth 2.0 Authorization Code: front-channel code, back-channel token, then the API call. *
The 10 steps in the diagram, grouped:
- Click login — user clicks login in the web app.
- Authorization Code Request → app redirects browser to the AS
/authorizeendpoint. - Redirect to login prompt — AS shows its own login/consent page.
- Authenticate & Consent — user logs in at the AS and approves.
- Authorization Code — AS redirects back to the app with a one-time code.
- Code + Client ID + Client Secret → /token — app sends these to the AS.
- Validate — AS checks the code, client ID, and secret.
- ID Token + Access Token — AS returns the tokens.
- Request user data with Access Token — app calls the API.
- Response — API returns the requested data.
The clever part: the password is only ever entered at the authorization server (step 4) — the web app never sees it.
Tip: Steps 1–5 happen in the browser (front channel); steps 6–8 happen server-to-server (back channel). That split is why some steps are invisible to a browser proxy (see the "why can't I see steps 5–8 in ZAP?" card).
Go deeper:
Auth0 — Authorization Code Flow — the same front-channel/back-channel exchange, with sequence diagrams from Auth0, the identity provider used here.