Authorization code grant

If you use a traditional web app (server-side) whose source code is not publicly available, you can use the Authorization Code Flow. This flow exchanges an Authorization Code for a token.

For more in-depth implementation details, check out Authentication (Web Application).

Flow

[Diagram: authorization code flow without PKCE]

  1. A user logs in from your app.

  2. ReachFive’s SDK redirects the user to the ReachFive Authorization Server /oauth/authorize endpoint.

  3. ReachFive’s Authorization Server redirects the user to the login and auth prompt.

  4. The user authenticates through one of the login options.

    Users may see a consent page listing the permissions ReachFive will grant to the regular web application.

  5. ReachFive’s Authorization Server redirects the user back to the application with an authorization code.

    This code is for one-time use only.

  6. ReachFive’s SDK sends the code to the ReachFive Authorization Server /oauth/token endpoint along with the app’s Client ID and Client Secret.

  7. ReachFive’s Authorization Server verifies the code, Client ID, and Client Secret.

  8. ReachFive’s Authorization Server responds with an ID Token and Access Token.

    The response may also include a refresh token.

  9. Your app can then use the Access Token to call an API to access information about the user.

  10. Your API responds with the requested data.
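The flow above in code, as an added example that is not ReachFive SDK code: a server-side app builds the step-2 redirect to /oauth/authorize, then on the step-5 callback validates the OAuth `state` parameter and prepares the step-6 back-channel request to /oauth/token. The base URL, credentials and redirect URI are placeholders; the parameter names are the standard OAuth 2.0 (RFC 6749) ones and are assumed here.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values constructed for this example, not real ReachFive credentials.
AUTH_SERVER = "https://YOUR-DOMAIN.example"      # assumed authorization server base URL
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"           # stays on the server, never sent to a browser
REDIRECT_URI = "https://app.example/callback"


def build_authorize_url(session: dict, scope: str = "openid profile") -> str:
    """Step 2: build the redirect to /oauth/authorize.

    A random `state` is stored in the server-side session so the callback can be
    tied back to this browser (standard OAuth 2.0 CSRF protection for the redirect)."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return f"{AUTH_SERVER}/oauth/authorize?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Step 5: validate the redirect back to the app and build the step-6 form body.

    The Client Secret is added here because this body goes server-to-server only."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)   # single use, like the code itself
    received = query.get("state", [None])[0]
    if expected is None or received is None or not secrets.compare_digest(
            expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback is missing the authorization code")
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET}


def exchange_code(session: dict, callback_url: str, post) -> dict:
    """Steps 6-8: POST the code to /oauth/token and return the parsed token response.

    `post(url, data=...)` is an injected HTTP client (hypothetical; e.g. requests.post
    in production, a fake in tests) so the example runs offline."""
    body = handle_callback(session, callback_url)
    return post(f"{AUTH_SERVER}/oauth/token", data=body)
```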