Understanding OAuth2.0 Authorization Code Flow: A Step‑by‑Step Guide
This article demystifies the OAuth2.0 Authorization Code Grant by explaining its core concepts, illustrating the login flow with real‑world examples like Douban and QQ, and providing a simple GitHub demo project to help developers implement the protocol correctly.
1. Introduction
This article introduces the most classic and widely used OAuth2.0 authorization mode: the Authorization Code Grant . The author wants to cut through the many confusing explanations online and focus on the essential "what, why, how" of OAuth2.0.
2. What is OAuth2.0
OAuth2.0 explained – the Douban and QQ story
OAuth is simply an authorization protocol . When a client (e.g., Douban) wants to let a user log in with a third‑party account (e.g., QQ), it follows the protocol to obtain permission.
Step 1: Click "Login with QQ" on Douban.
Step 2: Redirect to QQ login page, enter credentials, and authorize.
Step 3: Redirect back to Douban and login succeeds.
From a user’s perspective this looks like a simple QQ login, but from a developer’s perspective there are two redirects and an exchange of authorization data.
OAuth2.0 from a "God" perspective
In the example, Douban acts as the client , QQ as the authorization server , and OAuth2.0 is the protocol that enables the client to obtain permission without trusting the server directly.
The diagram above maps the three steps to the flow: the client sends an authorization request, the server authenticates the user and returns a code , and the client exchanges the code for a token.
Step 1 details: Clicking the QQ login button sends a request to http://www.douban.com/leadToAuthorize, which responds with a redirect URL pointing to QQ’s authorization endpoint.
The browser follows the redirect to http://www.qq.com/authorize?callback=www.douban.com/callback. The callback parameter tells QQ where to return after the user authorizes.
Step 2 details: QQ presents a login page. After the user logs in and authorizes, QQ redirects back with a code parameter.
Step 3 details: The client receives the code via the callback URL, then makes two server‑to‑server calls: one to exchange the code for an access token , and another to retrieve user information with that token. Finally, the client creates a session for the user.
3. Implementing OAuth2.0
After understanding the flow, the implementation becomes straightforward. The author provides a minimal GitHub demo (https://github.com/sunym1993/dataU-OAuth.git) containing two modules—Douban and QQ—that can be started independently.
The demo shows three simple screens representing the three steps of the flow.
Step 1:
Step 2:
Step 3:
Source: https://www.cnblogs.com/flashsun/p/7424071.html
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
ITFLY8 Architecture Home
ITFLY8 Architecture Home - focused on architecture knowledge sharing and exchange, covering project management and product design. Includes large-scale distributed website architecture (high performance, high availability, caching, message queues...), design patterns, architecture patterns, big data, project management (SCRUM, PMP, Prince2), product design, and more.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.