LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

Walk through the OAuth 2.0 Authorization Code flow at a high level — what happens from "click login" to "app gets a token"?

The app bounces the user to the authorization server to log in, gets back a short-lived authorization code, then secretly swaps that code (plus its client secret) for tokens behind the scenes.

Ten-step flow: login click, /authorize, consent, one-time code, back-channel token swap, then API call.

* OAuth 2.0 Authorization Code: front-channel code, back-channel token, then the API call. *

The 10 steps in the diagram, grouped:

  1. Click login — user clicks login in the web app.
  2. Authorization Code Request → app redirects browser to the AS /authorize endpoint.
  3. Redirect to login prompt — AS shows its own login/consent page.
  4. Authenticate & Consent — user logs in at the AS and approves.
  5. Authorization Code — AS redirects back to the app with a one-time code.
  6. Code + Client ID + Client Secret → /token — app sends these to the AS.
  7. Validate — AS checks the code, client ID, and secret.
  8. ID Token + Access Token — AS returns the tokens.
  9. Request user data with Access Token — app calls the API.
  10. Response — API returns the requested data.

The clever part: the password is only ever entered at the authorization server (step 4) — the web app never sees it.

Tip: Steps 1–5 happen in the browser (front channel); steps 6–8 happen server-to-server (back channel). That split is why some steps are invisible to a browser proxy (see the "why can't I see steps 5–8 in ZAP?" card).

Go deeper:

From Quiz: INTROL / Web Authentication: Cookies, OAuth 2.0 / OIDC & WebAuthn | Updated: Jul 05, 2026