
OAuth 2.0 Authorization Code Flow

The OAuth 2.0 authorization code flow is the recommended grant type for web applications accessing user data on third-party services. This example shows the sequence of URLs and parameters: the authorization redirect, the code exchange POST request, and the resulting token response. The URL parser decodes the encoded parameters in the redirect URI so you can verify state, scope, and code values. Always validate the state parameter to prevent CSRF attacks in your callback handler.

Example
https://accounts.google.com/o/oauth2/v2/auth?client_id=123456789.apps.googleusercontent.com&redirect_uri=https%3A%2F%2Fapp.example.com%2Fauth%2Fcallback&response_type=code&scope=openid%20email%20profile&state=random_csrf_token_xyz&access_type=offline&prompt=consent
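The following is an added example, not part of the original page: a minimal Python model of the two sides of the flow that the URL above kicks off. It decodes the authorization URL the same way the parser does, mints and stores a per-request state when the flow starts, and in the callback handler enforces that state (single-use, constant-time comparison) before assembling the form body for the code-exchange POST. The provider endpoint and client_id are taken from the example URL; the session dict, the callback URL and the authorization code value are constructed stand-ins, and the client secret is deliberately left out of the returned body because it belongs on the server side of the POST only.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Authorization URL from the example above (the page's own values).
AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=123456789.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fauth%2Fcallback&response_type=code"
    "&scope=openid%20email%20profile&state=random_csrf_token_xyz&access_type=offline&prompt=consent"
)
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def parse_oauth_url(url: str) -> dict:
    """Percent-decode the query string of an OAuth URL into a flat dict.

    A repeated parameter is rejected: RFC 6749 forbids duplicates, and silently
    taking the first or last value is a classic source of parsing ambiguities.
    """
    params = {}
    for key, values in parse_qs(urlparse(url).query, keep_blank_values=True).items():
        if len(values) != 1:
            raise ValueError(f"parameter {key!r} appears more than once")
        params[key] = values[0]
    return params


def build_auth_request(client_id: str, redirect_uri: str, scopes: list, session: dict) -> str:
    """Start the flow: mint an unguessable state, remember it in the server-side
    session (a plain dict stands in for it here), and build the redirect URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "access_type": "offline",
        "prompt": "consent",
    }
    return AUTH_ENDPOINT + "?" + urlencode(query)


def handle_callback(callback_url: str, session: dict, client_id: str, redirect_uri: str) -> dict:
    """Callback handler: enforce state, then return the form fields for the
    code-exchange POST. The caller sends them, plus the client secret, to the
    provider's token endpoint over TLS from the server; nothing here reaches the browser."""
    params = parse_oauth_url(callback_url)
    # State is single-use: pop it so a replayed callback can never match again.
    expected_state = session.pop("oauth_state", None)
    received_state = params.get("state", "")
    if expected_state is None or not secrets.compare_digest(
        expected_state.encode(), received_state.encode()
    ):
        raise PermissionError("OAuth state mismatch: possible login CSRF, callback rejected")
    if "error" in params:
        raise RuntimeError(f"authorization server returned error {params['error']!r}")
    code = params.get("code")
    if not code:
        raise ValueError("callback carries no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the one sent in the authorization request
        "client_id": client_id,
        # client_secret is added by the server immediately before the POST
    }
```

Note that the state check runs before the error check: even an error callback consumes the stored state, so an attacker cannot use a provider error response to probe or exhaust a victim's pending state.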

FAQ

What is the difference between authorization code and implicit flow?
The authorization code flow exchanges the code for a token server-side, keeping the access token out of the browser history and URL. The implicit flow returned the access token directly in the redirect URL fragment, where browser history, referrers and page scripts could see it; it is now deprecated.
Why must I validate the state parameter?
The state parameter links your authorization request to the callback. If an attacker initiates an OAuth flow and tricks a victim into clicking the callback URL, checking state prevents the attacker from authenticating as the victim.
What is PKCE and when do I need it?
Proof Key for Code Exchange adds a code_verifier and code_challenge so that an intercepted authorization code cannot be redeemed without the verifier. It is required for public clients such as mobile apps and SPAs, which cannot hold a client secret, and is recommended for confidential clients as well.
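An added example, not from the original page, of the PKCE mechanism described in the answer above: the client generates a code_verifier, sends its S256 code_challenge with the authorization request, and presents the verifier only at the token endpoint, where the authorization server recomputes and compares the challenge. `simulate_flow` walks that exchange with an in-memory dict standing in for the server's code store and a constructed placeholder authorization code, and shows that a party holding only the stolen code (and a verifier of its own) is refused. The transform and the length and character-set rules follow RFC 7636.

```python
import base64
import hashlib
import re
import secrets

# RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: high-entropy random verifier. 32 random bytes give 43
    base64url characters, 96 bytes give the maximum of 128."""
    if not 32 <= n_bytes <= 96:
        raise ValueError("use 32..96 random bytes to stay within 43..128 characters")
    verifier = secrets.token_urlsafe(n_bytes)
    assert _VERIFIER_RE.match(verifier)
    return verifier


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization-server side, at the token endpoint: recompute the challenge
    that was recorded with the authorization code and compare in constant time."""
    if not _VERIFIER_RE.match(presented_verifier):
        return False
    if stored_method == "S256":
        expected = make_code_challenge(presented_verifier)
    elif stored_method == "plain":
        expected = presented_verifier  # permitted by the RFC, but offers no interception protection
    else:
        return False
    return secrets.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))


def simulate_flow() -> dict:
    """End-to-end walk-through. The verifier never leaves the client until the
    token request, so the server (and anyone watching the redirect) only sees the
    challenge. A stolen code paired with a different verifier fails the check."""
    verifier = make_code_verifier()
    # Constructed stand-in for the server's record of the issued code.
    server_store = {
        "code": "CONSTRUCTED_AUTH_CODE",
        "challenge": make_code_challenge(verifier),  # sent on the /authorize request
        "method": "S256",                            # code_challenge_method=S256
    }
    legitimate = verify_pkce(server_store["challenge"], server_store["method"], verifier)
    thief = verify_pkce(server_store["challenge"], server_store["method"], make_code_verifier())
    return {"legitimate_client": legitimate, "code_thief": thief}
```

Servers should refuse `plain` unless there is a documented reason to allow it, and must reject a token request that omits the verifier when the authorization request carried a challenge.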
