Authorization Code Grant Type

Use this grant type when you want to obtain an authorization code by using an authorization server as an intermediary between the client application and the resource owner.

The following diagram displays the Authorization Code Grant Type flow.

A diagram that illustrates the authorization code grant type flow.
In this OAuth flow:
  1. A user clicks a link in a web server client application, requesting access to protected resources.

  2. The client application redirects the browser to the Oracle Identity Cloud Service authorization endpoint oauth2/v1/authorize with a request for an authorization code.

  3. Oracle Identity Cloud Service Authorization Server returns an authorization code to the client application through a browser redirect after the resource owner gives consent.

  4. The client application subsequently exchanges the authorization code for an access token, and often a refresh token.

  5. Oracle Identity Cloud Service Authorization Server returns the access token to the client application.

  6. The client application uses the access token in an API call to obtain protected data.


    Resource owner credentials are never exposed to the client.
Function Available
Requires client authentication No
Requires client to have knowledge of user credentials No
Browser-based end user interaction Yes
Can use an external Identity Provider for authentication Yes
Refresh token is allowed Yes
Access token is in the context of the end user Yes

See an example Authorization Code Grant Type flow.