Published on: 2023-02-21
Securing APIs and handling user authentication have become central to how we build modern apps. One of the most widely used standards today is OAuth 2.0 — particularly the Authorization Code Flow, often used by web apps that communicate with third-party services like Google, GitHub, or Microsoft.
Let’s break it down in plain language — and then visualize how it works using a sequence diagram.
❓ The Problem
Imagine your web app wants to let users sign in using Google. You don’t want to ask for their Google password directly (nor should you). Instead, you want to redirect them to Google to approve access and then get back a token you can use — securely.
This is where OAuth 2.0’s Authorization Code Flow comes in.
📊 Sequence Diagram (Mermaid)
Here’s what the interaction looks like using a Mermaid.js sequence diagram:
' class='messageLine0' style='fill:none'/%3e%3ctext x='524' y='124' alignment-baseline='middle' class='messageText' dominant-baseline='middle' dy='1em' style='font-family:arial%2csans-serif%3bfont-size:16px%3bfont-weight:400' text-anchor='middle'%3eRedirect to /authorize%3c/text%3e%3cline x1='333' x2='714' y1='153' y2='153' stroke-width='2' marker-end='url(%23arrowhead)' class='messageLine0' style='fill:none'/%3e%3ctext x='398' y='168' alignment-baseline='middle' class='messageText' dominant-baseline='middle' dy='1em' style='font-family:arial%2csans-serif%3bfont-size:16px%3bfont-weight:400' text-anchor='middle'%3ePrompt login and consent%3c/text%3e%3cline x1='717' x2='79' y1='197' y2='197' stroke-width='2' marker-end='url(%23arrowhead)' class='messageLine0' style='fill:none'/%3e%3ctext x='395' y='212' alignment-baseline='middle' class='messageText' dominant-baseline='middle' dy='1em' style='font-family:arial%2csans-serif%3bfont-size:16px%3bfont-weight:400' text-anchor='middle'%3eSubmit credentials and consent%3c/text%3e%3cline x1='76' x2='714' y1='241' y2='241' stroke-width='2' marker-end='url(%23arrowhead)' class='messageLine0' style='fill:none'/%3e%3ctext x='527' y='256' alignment-baseline='middle' class='messageText' dominant-baseline='middle' dy='1em' style='font-family:arial%2csans-serif%3bfont-size:16px%3bfont-weight:400' text-anchor='middle'%3eRedirect back with auth code%3c/text%3e%3cline x1='717' x2='336' y1='285' y2='285' stroke-width='2' marker-end='url(%23arrowhead)' class='messageLine0' style='fill:none'/%3e%3ctext x='524' y='300' alignment-baseline='middle' class='messageText' dominant-baseline='middle' dy='1em' style='font-family:arial%2csans-serif%3bfont-size:16px%3bfont-weight:400' text-anchor='middle'%3eExchange code for access token (via /token)%3c/text%3e%3cline x1='333' x2='714' y1='329' y2='329' stroke-width='2' marker-end='url(%23arrowhead)' class='messageLine0' style='fill:none'/%3e%3ctext x='527' y='344' alignment-baseline='middle' class='messageText' dominant-baseline='middle' dy='1em' style='font-family:arial%2csans-serif%3bfont-size:16px%3bfont-weight:400' text-anchor='middle'%3eRespond with access token%3c/text%3e%3cline x1='717' x2='336' y1='373' y2='373' stroke-width='2' marker-end='url(%23arrowhead)' class='messageLine1' style='stroke-dasharray:3%2c3%3bfill:none'/%3e%3ctext x='624' y='388' alignment-baseline='middle' class='messageText' dominant-baseline='middle' dy='1em' style='font-family:arial%2csans-serif%3bfont-size:16px%3bfont-weight:400' text-anchor='middle'%3eRequest protected resource with token%3c/text%3e%3cline x1='333' x2='914' y1='417' y2='417' stroke-width='2' marker-end='url(%23arrowhead)' class='messageLine0' style='fill:none'/%3e%3ctext x='627' y='432' alignment-baseline='middle' class='messageText' dominant-baseline='middle' dy='1em' style='font-family:arial%2csans-serif%3bfont-size:16px%3bfont-weight:400' text-anchor='middle'%3eRespond with data%3c/text%3e%3cline x1='917' x2='336' y1='461' y2='461' stroke-width='2' marker-end='url(%23arrowhead)' class='messageLine1' style='stroke-dasharray:3%2c3%3bfill:none'/%3e%3ctext x='205' y='476' alignment-baseline='middle' class='messageText' dominant-baseline='middle' dy='1em' style='font-family:arial%2csans-serif%3bfont-size:16px%3bfont-weight:400' text-anchor='middle'%3eShow data%3c/text%3e%3cline x1='331' x2='79' y1='505' y2='505' stroke-width='2' marker-end='url(%23arrowhead)' class='messageLine1' style='stroke-dasharray:3%2c3%3bfill:none'/%3e%3c/svg%3e)
' class='messageLine0' style='fill:none'/%3e%3ctext x='524' y='124' alignment-baseline='middle' class='messageText' dominant-baseline='middle' dy='1em' style='font-family:arial%2csans-serif%3bfont-size:16px%3bfont-weight:400' text-anchor='middle'%3eRedirect to /authorize%3c/text%3e%3cline x1='333' x2='714' y1='153' y2='153' stroke-width='2' marker-end='url(%23arrowhead)' class='messageLine0' style='fill:none'/%3e%3ctext x='398' y='168' alignment-baseline='middle' class='messageText' dominant-baseline='middle' dy='1em' style='font-family:arial%2csans-serif%3bfont-size:16px%3bfont-weight:400' text-anchor='middle'%3ePrompt login and consent%3c/text%3e%3cline x1='717' x2='79' y1='197' y2='197' stroke-width='2' marker-end='url(%23arrowhead)' class='messageLine0' style='fill:none'/%3e%3ctext x='395' y='212' alignment-baseline='middle' class='messageText' dominant-baseline='middle' dy='1em' style='font-family:arial%2csans-serif%3bfont-size:16px%3bfont-weight:400' text-anchor='middle'%3eSubmit credentials and consent%3c/text%3e%3cline x1='76' x2='714' y1='241' y2='241' stroke-width='2' marker-end='url(%23arrowhead)' class='messageLine0' style='fill:none'/%3e%3ctext x='527' y='256' alignment-baseline='middle' class='messageText' dominant-baseline='middle' dy='1em' style='font-family:arial%2csans-serif%3bfont-size:16px%3bfont-weight:400' text-anchor='middle'%3eRedirect back with auth code%3c/text%3e%3cline x1='717' x2='336' y1='285' y2='285' stroke-width='2' marker-end='url(%23arrowhead)' class='messageLine0' style='fill:none'/%3e%3ctext x='524' y='300' alignment-baseline='middle' class='messageText' dominant-baseline='middle' dy='1em' style='font-family:arial%2csans-serif%3bfont-size:16px%3bfont-weight:400' text-anchor='middle'%3eExchange code for access token (via /token)%3c/text%3e%3cline x1='333' x2='714' y1='329' y2='329' stroke-width='2' marker-end='url(%23arrowhead)' class='messageLine0' style='fill:none'/%3e%3ctext x='527' y='344' alignment-baseline='middle' class='messageText' dominant-baseline='middle' dy='1em' style='font-family:arial%2csans-serif%3bfont-size:16px%3bfont-weight:400' text-anchor='middle'%3eRespond with access token%3c/text%3e%3cline x1='717' x2='336' y1='373' y2='373' stroke-width='2' marker-end='url(%23arrowhead)' class='messageLine1' style='stroke-dasharray:3%2c3%3bfill:none'/%3e%3ctext x='624' y='388' alignment-baseline='middle' class='messageText' dominant-baseline='middle' dy='1em' style='font-family:arial%2csans-serif%3bfont-size:16px%3bfont-weight:400' text-anchor='middle'%3eRequest protected resource with token%3c/text%3e%3cline x1='333' x2='914' y1='417' y2='417' stroke-width='2' marker-end='url(%23arrowhead)' class='messageLine0' style='fill:none'/%3e%3ctext x='627' y='432' alignment-baseline='middle' class='messageText' dominant-baseline='middle' dy='1em' style='font-family:arial%2csans-serif%3bfont-size:16px%3bfont-weight:400' text-anchor='middle'%3eRespond with data%3c/text%3e%3cline x1='917' x2='336' y1='461' y2='461' stroke-width='2' marker-end='url(%23arrowhead)' class='messageLine1' style='stroke-dasharray:3%2c3%3bfill:none'/%3e%3ctext x='205' y='476' alignment-baseline='middle' class='messageText' dominant-baseline='middle' dy='1em' style='font-family:arial%2csans-serif%3bfont-size:16px%3bfont-weight:400' text-anchor='middle'%3eShow data%3c/text%3e%3cline x1='331' x2='79' y1='505' y2='505' stroke-width='2' marker-end='url(%23arrowhead)' class='messageLine1' style='stroke-dasharray:3%2c3%3bfill:none'/%3e%3c/svg%3e)
🔍 Key Steps Explained
- Authorization Request: Your app redirects the user to the provider’s
/authorizeendpoint. - Consent Prompt: The user logs in and agrees to grant access.
- Authorization Code: The provider sends a short-lived code to your redirect URI.
- Token Exchange: Your server securely exchanges that code for an access token (and optionally, a refresh token).
- Access Resource: You use that access token to request protected resources on the user’s behalf.
🔐 Why It’s Secure
This flow separates the user interaction from your server’s token handling. Since the access token is only exchanged on the backend, it can’t be intercepted by malicious scripts running in the browser.
🌐 Real-World Uses
- A React front-end that logs in via GitHub
- A Node.js server accessing Google Calendar API
- A CLI tool that authenticates using a web browser popup
🧾 Summary
OAuth 2.0 can feel intimidating at first, but when visualized, the logic becomes clearer. The sequence diagram above shows how each party plays a role — and why this method remains a secure, standards-based approach to third-party login.
If you’re building something that involves user identity, it’s worth getting comfortable with this flow.