Information Security 7 min read

Understanding OAuth2.0 Authorization Code Grant Flow

This article explains the OAuth2.0 authorization code grant flow, using a Douban‑QQ login example to illustrate the three-step process from client request to token exchange and user information retrieval, and provides a simple reference implementation on GitHub.


This article introduces the most classic and widely used OAuth2.0 grant type: the Authorization Code Grant. It aims to cut through the many confusing tutorials on the web by presenting a clear, step-by-step explanation.

What is OAuth2.0?

OAuth2.0 (RFC 6749) is an authorization framework that lets a client (e.g., Douban) obtain limited access to resources held by a resource server on behalf of a user, without the user ever handing their credentials to the client. A trusted authorization server (QQ in this example, which also plays the resource server) authenticates the user, issues a short-lived authorization code, and later exchanges that code for an access token. Strictly speaking, "Login with QQ" uses this authorization flow for authentication; the profile lookup at the end is what turns the delegated access into a login.

Example scenario (Douban + QQ):

Step 1: The user clicks "Login with QQ" on Douban, which sends the browser to http://www.douban.com/leadToAuthorize. Douban answers with a redirect to QQ's authorization endpoint.

Step 2: The browser follows the redirect to http://www.qq.com/authorize?callback=www.douban.com/callback. The user logs into QQ and approves Douban. QQ then redirects the browser back to the callback URL with a code parameter.

Step 3: Douban receives the code, exchanges it for an access_token, and uses the token to request the user's profile from QQ. Douban then creates its own session for the user and shows the home page.

The URLs above are the article's simplified notation. In the standard flow (RFC 6749) the authorization request carries response_type=code, client_id, redirect_uri and a state value; the authorization server only redirects to a redirect_uri that was registered for that client_id; the code is short-lived and single-use; and the exchange in step 3 is a server-to-server POST to the token endpoint that also presents the client secret, so a code alone is useless to anyone who observes the front-channel redirect. The client must check that the returned state matches the one it issued (otherwise an attacker can log the victim into the attacker's account), and every endpoint must be served over HTTPS rather than the http:// shown here.
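The three steps above, as an added example that is not the article's code and not the linked GitHub demo: both sides of the exchange are simulated in one Python process, with AuthorizationServer standing in for QQ and Client standing in for Douban. The class names, the endpoint paths, the client secret, the https:// hosts and the sample profile are assumptions constructed for this illustration; the parameter names (response_type, client_id, redirect_uri, state, code) are the standard ones from RFC 6749 rather than the article's callback= shorthand. Beyond the happy path, the example shows two checks the article does not: a code cannot be redeemed twice, and a callback carrying a state the client never issued is refused.

```python
# Added example (not the article's or the linked demo's code): the
# authorization code grant simulated in one process. Names, paths, the
# client secret and the profile data are assumptions for this illustration.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

CODE_TTL_SECONDS = 60  # codes are short-lived; RFC 6749 recommends at most ~10 min


def _query(url):
    """Flatten a URL's query string into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class AuthorizationServer:
    """Stand-in for QQ: holds user accounts, issues codes and access tokens."""

    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}     # code -> {client_id, redirect_uri, user, issued_at}
        self.tokens = {}    # access_token -> user
        self.profiles = {"alice": {"nickname": "Alice"}}  # constructed sample data

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, auth_url, logged_in_user):
        """Step 2: the user has logged into QQ and approved the client.
        Returns the redirect back to the client's callback carrying the code."""
        q = _query(auth_url)
        _, registered_uri = self.clients[q["client_id"]]
        if q.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        if q.get("redirect_uri") != registered_uri:
            raise ValueError("redirect_uri does not match the registered one")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": registered_uri,
                            "user": logged_in_user, "issued_at": time.time()}
        # state is echoed back untouched so the client can match it to its session
        return registered_uri + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 3a: back-channel exchange of the code for an access token."""
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            raise ValueError("invalid_client")
        rec = self.codes.pop(code, None)  # pop makes every code single-use
        if (rec is None or rec["client_id"] != client_id
                or rec["redirect_uri"] != redirect_uri
                or time.time() - rec["issued_at"] > CODE_TTL_SECONDS):
            raise ValueError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = rec["user"]
        return {"access_token": token, "token_type": "bearer"}

    def userinfo(self, access_token):
        """Step 3b: the resource endpoint, protected by the bearer token."""
        user = self.tokens.get(access_token)
        if user is None:
            raise ValueError("invalid_token")
        return self.profiles[user]


class Client:
    """Stand-in for Douban: never sees the QQ password, only the code and token."""

    def __init__(self, auth_server, client_id, client_secret, redirect_uri):
        self.srv, self.client_id = auth_server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending_states = set()  # in a real app: bound to the browser session

    def lead_to_authorize(self):
        """Step 1: build the redirect to QQ's authorization endpoint."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return "https://www.qq.com/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "state": state})

    def callback(self, redirect_url):
        """Step 3: verify state, redeem the code, fetch the profile."""
        q = _query(redirect_url)
        if q.get("state") not in self.pending_states:
            raise ValueError("state mismatch: possible CSRF / login injection")
        self.pending_states.discard(q["state"])
        tok = self.srv.token(self.client_id, self.client_secret, q["code"], self.redirect_uri)
        return self.srv.userinfo(tok["access_token"])


def setup():
    qq = AuthorizationServer()
    qq.register_client("douban", "douban-secret", "https://www.douban.com/callback")
    return qq, Client(qq, "douban", "douban-secret", "https://www.douban.com/callback")


def run_flow():
    """Happy path: returns the profile Douban learns about the user."""
    qq, douban = setup()
    auth_url = douban.lead_to_authorize()                  # step 1
    back = qq.authorize(auth_url, logged_in_user="alice")  # step 2
    return douban.callback(back)                           # step 3


def rejected(attack):
    """Run a tampering scenario after step 2; return the error it provoked."""
    qq, douban = setup()
    back = qq.authorize(douban.lead_to_authorize(), "alice")
    try:
        attack(qq, douban, back)
    except ValueError as e:
        return str(e)
    return None


def replay_code(qq, douban, back):
    """Redeem the same code twice: the second attempt must fail."""
    args = ("douban", "douban-secret", _query(back)["code"], douban.redirect_uri)
    qq.token(*args)
    qq.token(*args)


def forged_state(qq, douban, back):
    """Deliver a callback whose state was never issued to this client session."""
    douban.callback(back.replace("state=", "state=x"))


if __name__ == "__main__":
    print(run_flow())
    print(rejected(replay_code), rejected(forged_state))
```

The only data that ever crosses the front channel (the browser) is the code and the state; the client secret and the access token stay on the back channel between Douban's server and QQ's token endpoint. That separation is the reason the grant is safe to use from a browser redirect at all, and it is why a client that skips the state check or a server that lets a code be redeemed twice loses the protection.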

The article includes several diagrams (images, not reproduced here) that illustrate the "god-view" of the flow, the HTTP requests and redirects, and the internal token exchange steps.

Implementation : A minimal demo project is provided on GitHub (https://github.com/sunym1993/dataU-OAuth.git/). The project contains two modules—one simulating Douban (the client) and the other simulating QQ (the authorization server). Running both modules reproduces the three‑step flow described above.

The demo's UI is intentionally simple; the article's screenshots (not reproduced here) show the three stages of the flow.

Finally, the article includes a copyright notice stating that the content is sourced from the web and belongs to the original author, with a link to the original blog post.

Tags: security, Authentication, Web Development, OAuth2, Authorization Code, OAuth Flow

Written by Full-Stack Internet Architecture: introducing full-stack Internet architecture technologies centered on Java.