The Authorization Code Flow is commonly used where the client secret can be stored securely, such as in a web application or a native mobile application. The access token passes directly to the web server hosting the app, without going through the end user's web browser, where it could be exposed.
Refer to the Getting Started guide to learn how to use the SDK with the Authorization Code Flow in NodeJS.
The Authorization Code Flow at a high level:
Note: the Client is your NodeJS web application
- Client prepares an authentication request which contains the required request parameters.
- Client sends the request to Security Verify authorization server.
- Security Verify authorization server authenticates the user.
- The Security Verify authorization server sends the user back to the client with an authorization code.
- Client requests an authentication response by using the authorization code at the token endpoint.
- Client receives a response which contains an
refresh_token in the response body.
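
The steps above, seen from the client's side, as an added example that is not the SDK's own code. The endpoint URLs, client values, `openid` scope and function names are placeholders, and the `state` check on the redirect is a standard OAuth 2.0 safeguard assumed here rather than taken from this page.

```javascript
// Added example: endpoints, client values and function names are placeholders, not the SDK's API.
const { randomBytes, timingSafeEqual } = require('node:crypto');
const config = {
  authorizeUrl: 'https://tenant.example/authorize',
  tokenUrl: 'https://tenant.example/token',
  clientId: 'example-client-id',
  clientSecret: 'example-client-secret', // held only by the server
  redirectUri: 'https://app.example/callback',
};

// Steps 1-2: build the authentication request; keep `state` in the user's session.
function buildAuthRequest(session) {
  session.state = randomBytes(16).toString('hex');
  const url = new URL(config.authorizeUrl);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: config.clientId,
    redirect_uri: config.redirectUri,
    scope: 'openid',
    state: session.state,
  }).toString();
  return url.toString();
}

// Step 4: accept the redirect only when `state` matches the session (single use).
function readCallback(callbackUrl, session) {
  const params = new URL(callbackUrl).searchParams;
  const expected = Buffer.from(session.state || '');
  const got = Buffer.from(params.get('state') || '');
  delete session.state;
  const ok = expected.length > 0 && expected.length === got.length && timingSafeEqual(expected, got);
  if (!ok) throw new Error('state mismatch');
  if (params.get('error')) throw new Error(`authorization failed: ${params.get('error')}`);
  const code = params.get('code');
  if (!code) throw new Error('missing authorization code');
  return code;
}

// Step 5: server-to-server token request; the browser never sees this body.
function buildTokenRequest(code) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: config.redirectUri,
    client_id: config.clientId,
    client_secret: config.clientSecret,
  });
  // A URLSearchParams body makes fetch() send application/x-www-form-urlencoded.
  return { url: config.tokenUrl, init: { method: 'POST', body } };
}
```

Passing `url` and `init` to `fetch()` from the server performs the token exchange in step 5; the response in step 6 should be stored in the server-side session, not sent to the browser.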