Authorization CodeΒΆ
To request an access token, the external application will have to provide a button such as ‘Sign in with Quasydoc’. When clicking this button, the user will be redirected to a login screen from Quasydoc.
The user then has to authenticate with his Quasydoc user credentials. When the login is successful, the Quasydoc OAuth 2.0 server returns an authorization code to the client.
Next, the client application has to make a request to the Token endpoint. The token endpoint will verify the authorization code and, if verification is successful, return an access token.
The authorization code cannot be reused to request another access token.
+----------+
| Resource |
| Owner |
| |
+----------+
^
|
(B)
+----|-----+ Client Identifier +---------------+
| -+----(A)-- & Redirection URI ---->| |
| User- | | Authorization |
| Agent -+----(B)-- User authenticates --->| Server |
| | | |
| -+----(C)-- Authorization Code ---<| |
+-|----|---+ +---------------+
| | ^ v
(A) (C) | |
| | | |
^ v | |
+---------+ | |
| |>---(D)-- Authorization Code ---------' |
| Client | & Redirection URI |
| | |
| |<---(E)----- Access Token -------------------'
+---------+ (w/ Optional Refresh Token)
Together with the access token, a refresh token will be sent to the client. When the access token expires, the client can use the refresh token in order to obtain a new access token.
To avoid having to use the authorization flow every time an access token expires, the refresh token flow can be used.