IBM Security Identity and Access: Developer PortalSearchSite map
Home / IBM Verify SDK for Javascript / Oidc / Authorization Flow

Authorization Code Flow (AZN)

Authorization code flow is commonly used where the client secret can be securely maintained like a web application or native mobile applications. The access token passes directly to the web server hosting the app, without going through the end user's web browser which can expose a risk.

Refer to the following guide to learn how to use the SDK with Authorization Code Flow with NodeJS Getting Started

The Authorization Code Flow at a high level:

Note: the Client is your NodeJS web application

  1. Client prepares an authentication request which contains the required request parameters.
  2. Client sends the request to Security Verify authorization server.
  3. Security Verify authorization server authenticates the user.
  4. The Security Verify authorization server sends the user back to the client with an authorization code.
  5. Client requests an authentication response by using the authorization code at the token endpoint.
  6. Client receives a response which contains an access_token and refresh_token in the response body.

Authorization Flow Diagram

Authorization-Flow-Diagram