The OAuth2 Authorization Code Flow is the most secure and most commonly used OAuth2 grant type for web applications that have a server-side component. The authorization code is exchanged for tokens in a server-to-server request, so the client secret is never exposed to the browser.
Participants: User (browser), Client (the application's front end), Client Server (the application's back end), Auth Server.

1. User clicks "Login" on the Client.
2. Client redirects the User to the Auth Server (authorization request).
3. User logs in at the Auth Server and authorizes the Client.
4. Auth Server redirects the User back to the Client with an authorization code.
5. Client Server exchanges the code for a token in a server-to-server request to the Auth Server.
6. Auth Server returns an access token to the Client Server.
// Step 2: Authorization Request
GET /authorize?
response_type=code&
client_id=abc123&
redirect_uri=https://app.com/callback&
scope=profile%20email&
state=xyz789
// Step 5: Token Exchange (server-side)
POST /token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&
code=AUTH_CODE_HERE&
redirect_uri=https://app.com/callback&
client_id=abc123&
client_secret=SECRET
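The whole exchange above, end to end, as an added example that is not part of the original page: the client builds the step 2 request with a fresh `state`, the callback handler binds the returned code to the session by checking that `state` (the check that stops a forged or replayed callback), and the client server builds the step 5 form body. The endpoint URLs (`https://auth.example/...`), the `FakeAuthServer` class and its one-time-code bookkeeping are assumptions made so the flow runs offline; the client_id, client_secret and redirect_uri values are the page's own placeholders.

```python
from __future__ import annotations
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://auth.example/authorize"  # assumed endpoint
TOKEN_ENDPOINT = "https://auth.example/token"          # assumed endpoint
CLIENT_ID = "abc123"
CLIENT_SECRET = "SECRET"        # lives only on the client server, never in the browser
REDIRECT_URI = "https://app.com/callback"


def begin_login(session: dict) -> str:
    """Step 2: mint an unguessable state, remember it in the session, build the redirect URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "profile email",   # urlencode encodes the space, so it is wire-safe
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Step 4: the browser lands on redirect_uri; accept the code only if state matches."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)       # single use: a replay finds nothing
    received = query.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback not bound to this login attempt")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def token_request(code: str) -> tuple[str, dict, str]:
    """Step 5: endpoint, headers and form body for the server-to-server token exchange."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,   # must equal the value sent in step 2
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    })
    return TOKEN_ENDPOINT, {"Content-Type": "application/x-www-form-urlencoded"}, body


class FakeAuthServer:
    """Constructed stand-in for the authorization server so the example runs offline."""

    def __init__(self) -> None:
        self.issued: dict[str, tuple[str, str]] = {}   # code -> (client_id, redirect_uri)

    def authorize(self, auth_url: str) -> str:
        """Steps 3 and 4: user approves; issue a one-time code and redirect back with the state."""
        q = parse_qs(urlparse(auth_url).query)
        code = secrets.token_urlsafe(16)
        self.issued[code] = (q["client_id"][0], q["redirect_uri"][0])
        return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, body: str) -> dict:
        """Step 6: redeem the code once, and only for the same client and redirect_uri."""
        form = {k: v[0] for k, v in parse_qs(body).items()}
        record = self.issued.pop(form.get("code", ""), None)   # second use fails
        if record is None:
            return {"error": "invalid_grant"}
        client_id, redirect_uri = record
        if (form.get("client_id") != client_id
                or form.get("client_secret") != CLIENT_SECRET
                or form.get("redirect_uri") != redirect_uri):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "expires_in": 3600}


def run_flow(server: FakeAuthServer) -> dict:
    """Drive steps 1 to 6 against the fake server and return the token response."""
    session: dict = {}
    auth_url = begin_login(session)                  # step 2
    callback = server.authorize(auth_url)            # steps 3 and 4
    code = handle_callback(session, callback)        # state check at the client
    _, _, body = token_request(code)                 # step 5
    return server.token(body)                        # step 6


if __name__ == "__main__":
    print(run_flow(FakeAuthServer()))
```

The session dictionary stands in for whatever server-side session store the application uses; the important properties are that the state is generated per login attempt, compared in constant time, and discarded after one use, and that the token endpoint rejects a code presented twice or with a different `redirect_uri` than the one it was issued for.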