OAuth Authorization Code Flow

This section walks through the OAuth 2.0 authorization code flow. The diagram shows how a client could use OAuth to fetch "Profile Contacts" (the address book) from accounts.google.com.

Tip: There is no need to read this section if you're already familiar with how OAuth works.

The diagram below assumes that the yelp.com client needs to get "profile contacts" data from accounts.google.com.

OAuth 2.0 Diagram

  1. First, the User Agent makes a request to the authorization server.
  2. The IDP first checks to make sure that the user has been authenticated. There may be some back and forth between the user agent and the IDP to achieve authentication.
  3. The IDP then checks with the resource owner (accounts.google.com) to request consent to share "profile contacts" data with the client.
  4. The user agent is then redirected back to the client's callback URL, yoursite.com/callback, with an authorization code.
  5. This authorization code is exchanged via a back channel for an access token, which is then used to get data directly from the resource owner (accounts.google.com).

At the end of this flow, the user agent has a cookie for the access token, which it will pass to google.com to get access to contact information. This access token has an expiration date and is only good for the scope it was issued for: for instance, it cannot be used to access the user's email messages, photos, etc.
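A compact in-memory model of the steps above (an added example, not code from the original page or from Google or Yelp), simulating the authorization server, the one-time back-channel code exchange, and the scope and expiry checks applied when the token is used. The client id and secret, the "contacts" scope, the /authorize path and the sample contact data are assumptions.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed stand-in for the authorization server at accounts.google.com.
# Client credentials, scope names and the endpoint path are assumptions.
CLIENT_ID, CLIENT_SECRET = "yelp-client", "yelp-secret"
REDIRECT_URI = "https://yoursite.com/callback"
AUTHORIZE_URL = "https://accounts.google.com/authorize"  # assumed path
_codes, _tokens = {}, {}  # issued one-time codes and access tokens

def build_authorization_url(scope):
    """Step 1: the URL the user agent is sent to at the authorization server."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope,
              "state": secrets.token_urlsafe(16)}  # ties the callback to this request
    return AUTHORIZE_URL + "?" + urlencode(params)

def issue_code(user_consented, scope, redirect_uri):
    """Steps 2-4: after authentication and consent, redirect back with a code.
    The redirect target must match the client's registered callback."""
    if not user_consented or redirect_uri != REDIRECT_URI:
        return None
    code = secrets.token_urlsafe(16)
    _codes[code] = {"scope": scope, "expires": time.time() + 60}  # short-lived
    return redirect_uri + "?" + urlencode({"code": code})

def code_from_callback(callback_url):
    """Client side of step 4: read the authorization code off the callback URL."""
    return parse_qs(urlparse(callback_url).query)["code"][0]

def exchange_code(code, client_id, client_secret, ttl=3600):
    """Step 5: back-channel exchange of a one-time code for an access token."""
    grant = _codes.pop(code, None)  # pop: a code can only be redeemed once
    if grant is None or grant["expires"] < time.time():
        return None
    if (client_id, client_secret) != (CLIENT_ID, CLIENT_SECRET):
        return None
    token = secrets.token_urlsafe(24)
    _tokens[token] = {"scope": grant["scope"], "expires": time.time() + ttl}
    return token

def fetch_resource(token, required_scope, now=None):
    """Resource access: the token must be unexpired and carry the needed scope."""
    now = time.time() if now is None else now
    entry = _tokens.get(token)
    if entry is None or entry["expires"] < now:
        return None
    if required_scope not in entry["scope"].split():
        return None  # e.g. a "contacts" token cannot read email or photos
    return {"resource": required_scope, "data": ["alice@example.com"]}  # constructed
```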