OIDC Authorization Code Flow

OpenID Connect 1.0 authentication using the OAuth 2.0 Authorization Code flow (OIDC Core §3.1). Adds an ID Token containing identity claims about the authenticated user. Most secure flow for server-side applications.

Try in Looking Glass
ID Token

Sequence Diagram

Click any step for details

ClientAuth ServerUser1Discovery Document Fetch2JWKS Fetch3Authentication Request4User Authentication5User Consent6Authorization Code Response7Token Request8Token Response with ID Token9ID Token Validation10UserInfo Request (Optional)11UserInfo Response
Request
Response
Redirect
Internal

Step-by-Step Breakdown

1
Discovery Document Fetch
ClientOpenID Provider
2
JWKS Fetch
ClientOpenID Provider
3
Authentication Request
ClientOpenID Provider
4
User Authentication
UserOpenID Provider
5
User Consent
UserOpenID Provider
6
Authorization Code Response
OpenID ProviderClient
7
Token Request
ClientOpenID Provider
8
Token Response with ID Token
OpenID ProviderClient
9
ID Token Validation
ClientClient
10
UserInfo Request (Optional)
ClientOpenID Provider
11
UserInfo Response
OpenID ProviderClient

Token Inspector

Specs for this flow

Sections of the protocol that normatively define this flow, plus the security considerations that apply to it.

Core specs

· The specifications that define this protocol.

Security & privacy

· Dedicated security and privacy considerations.