Authorization Code Flow

Flow Steps

In this flow, your app delegates sign-in to OpenASA itself.

1) Redirect user to OpenASA authorize entry

Your client sends the browser to the OpenASA authorize surface defined by the OAuth agreement.

Typical parameters include:

  • response_type=code
  • client_id
  • redirect_uri
  • scope
  • state

2) Receive authorization code on your callback URL

After successful sign-in and consent, OpenASA redirects the browser back to your redirect_uri with:

  • code
  • state

3) Exchange code for OpenASA-issued tokens

Your backend calls the OpenASA token surface and receives:

  • access_token
  • refresh_token
  • id_token (when applicable)
  • expires_in

4) Read user profile from OpenASA

Your backend or trusted client calls the OpenASA userinfo surface and maps the returned subject into your own local user model.
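The four steps above as a minimal confidential client, written as an added example rather than code from OpenASA. The endpoint URLs, client credentials and the offline stand-in for the token surface are assumptions; the point it shows is that the state value is generated per sign-in, checked with a constant-time compare on the callback, and that the code is exchanged only from the backend.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed endpoints: the page names the surfaces but gives no URLs (placeholders).
AUTHORIZE_URL = "https://openasa.example/oauth/authorize"
TOKEN_URL = "https://openasa.example/oauth/token"

def build_authorize_request(client_id, redirect_uri, scope):
    """Step 1: build the redirect to the authorize surface and a fresh state.
    The caller must store `state` in the user's session before redirecting."""
    state = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state

def parse_callback(callback_url, expected_state):
    """Step 2: pull code/state off redirect_uri; refuse the callback on a state
    mismatch so a code planted by another party is never exchanged."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: stale session or forged callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code

def exchange_code(code, client_id, client_secret, redirect_uri, post):
    """Step 3: backend-only exchange at the token surface. `post(url, data)`
    returning a dict is injected so this runs offline; use an HTTPS client in
    production. The redirect_uri must repeat the value sent in step 1."""
    tokens = post(TOKEN_URL, {"grant_type": "authorization_code", "code": code,
                              "redirect_uri": redirect_uri, "client_id": client_id,
                              "client_secret": client_secret})
    for key in ("access_token", "expires_in"):
        if key not in tokens:
            raise ValueError(f"token response rejected or missing {key}")
    return tokens

def fake_token_endpoint(url, data):
    """Constructed stand-in for the OpenASA token surface (test data only)."""
    if data.get("grant_type") != "authorization_code" or data["code"] != "ok-code":
        return {"error": "invalid_grant"}
    return {"access_token": "at-1", "refresh_token": "rt-1", "expires_in": 3600}
```

Step 4 (userinfo) is a plain bearer-token GET with the returned access_token and is left out here.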

Sequence

sequenceDiagram
  participant U as User/Browser
  participant C as Client App
  participant O as OpenASA OAuth Provider

  U->>C: click sign in
  C-->>U: redirect to OpenASA authorize
  U->>O: authorize + sign in + consent
  O-->>U: redirect to client callback with code/state
  U->>C: open redirect_uri
  C->>O: token exchange
  O-->>C: access_token / refresh_token / id_token
  C->>O: userinfo
  O-->>C: OpenASA user profile