How Does the OAuth 2.0 Authorization Code Grant Authentication Method Work?

The OAuth 2.0 Authorization Code Grant authentication method obtains an access token on behalf of the user of your extension, which lets the extension call a service as that user. It is the most common OAuth 2.0 grant and is used by many service providers, such as Google and Dropbox.

Services that support the Authorization Code Grant method expose an authorization endpoint and a token endpoint, and require a client ID, a client secret, and one or more scopes. See Connect to Google Drive Using the OAuth 2.0 Authorization Code Grant for descriptions of these properties.

During authentication, the extension opens the authorization endpoint in a new tab or window, which prompts the user to sign in and, optionally, to consent to the app connecting to the service. Once the user has done so, the service redirects back to the extension's registered redirect URI with a short-lived authorization code. The extension then presents that code, together with its client ID and client secret, to the token endpoint, which returns the access token. The user's password is never seen by the extension; only the code and the resulting token pass through it.

This is how the Authorization Code Grant method differs from the identity propagation and fixed credential authentication methods. With identity propagation, the identity of the signed-in user is converted into a token and passed to the REST API. With fixed credential authentication, the REST API always sees the identity configured for it, regardless of who signs in. With the Authorization Code Grant method, by contrast, the identity passed to the REST API is whichever account the user authorized at the service's consent screen, which might be different from the identity the user signed in to the system with.

The Authorization Code Grant method is available for local servers and runtime server configurations.

Refer to Authorization Code Grant in RFC 6749: The OAuth 2.0 Authorization Framework.

There are currently some known issues for this authentication method:

  • This authentication method does not currently support storing refresh tokens, so the user must authorize again once the access token expires.
  • Proof Key for Code Exchange (PKCE) is not supported in this release. PKCE is an extension of the Authorization Code Grant flow for public clients that cannot keep a client secret: the client sends a hashed code_challenge with the authorization request and the matching code_verifier with the token request, so an intercepted authorization code cannot be redeemed by anyone else. Refer to Proof Key for Code Exchange by OAuth Public Clients (RFC 7636).
  • Service connections configured with this authentication method cannot be tested using the Test tab of the Create Service Connection wizard, because the Test tab cannot open the service's login flow (for example, Google's) in a new tab or child window. Instead, test your service connection from the Request and Response tabs by providing request and response examples as needed.

    See step 2 in Connect to Google Drive Using the OAuth 2.0 Authorization Code Grant for a sample response for the Get method.
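The flow described above, and the PKCE variant mentioned in the known-issues list, as an added example in Python (not code from this page or from the product): it builds the authorization URL with a per-request `state` value that ties the callback to the session, validates the provider's redirect before trusting the code, and assembles the token request for either a confidential client (client secret) or a public client (PKCE `code_verifier`). The endpoints, client credentials, redirect URI, scope and the authorization code in the simulated redirect are constructed placeholders; nothing is sent over the network.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder provider and client settings (constructed for this example).
AUTHORIZATION_ENDPOINT = "https://auth.example.com/oauth2/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/oauth2/token"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://extension.example.com/oauth/callback"
SCOPE = "files.read"


def b64url_nopad(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge_s256(code_verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair() -> Tuple[str, str]:
    """Fresh (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = b64url_nopad(secrets.token_bytes(32))
    return verifier, code_challenge_s256(verifier)


def build_authorization_url(state: str, code_challenge: Optional[str] = None) -> str:
    """URL the extension opens in the new tab or window to start the flow."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,  # random per request; binds the callback to this session
    }
    if code_challenge is not None:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Pull the auth code out of the provider's redirect, rejecting errors and CSRF."""
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise RuntimeError("authorization failed: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(code: str, code_verifier: Optional[str] = None) -> Dict[str, str]:
    """Form body to POST to TOKEN_ENDPOINT; the response carries the access token."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must match the authorization request exactly
        "client_id": CLIENT_ID,
    }
    if code_verifier is not None:
        body["code_verifier"] = code_verifier  # public client: proves possession, no secret
    else:
        body["client_secret"] = CLIENT_SECRET  # confidential client: the secret authenticates it
    return body


def server_accepts_verifier(code_verifier: str, stored_challenge: str) -> bool:
    """The check the token endpoint performs when the code was issued with a challenge."""
    return secrets.compare_digest(code_challenge_s256(code_verifier), stored_challenge)


def run_flow(use_pkce: bool) -> Dict[str, str]:
    """Walk the client side end to end against a simulated provider redirect."""
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair() if use_pkce else (None, None)
    authorization_url = build_authorization_url(state, challenge)
    assert authorization_url.startswith(AUTHORIZATION_ENDPOINT)
    # Constructed redirect: what the provider would send back after the user consents.
    callback = REDIRECT_URI + "?" + urlencode({"code": "SplxlOBeZQQYbYS6WxSbIA", "state": state})
    code = parse_callback(callback, state)
    return build_token_request(code, verifier)


if __name__ == "__main__":
    print(run_flow(use_pkce=False))
    print(run_flow(use_pkce=True))
```

The `state` check is what stops an attacker from planting their own authorization code in the victim's session, and the `redirect_uri` sent to the token endpoint must be the same one used in the authorization request or a conforming provider rejects the exchange. In a real extension the token response would be stored and, where the provider issues one, the refresh token used to renew access; the product described on this page does not store refresh tokens, so that renewal step is a new authorization instead.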