Before authorization begins, it first generates a random string to use for the state parameter. The client will need to store this to be used in the next step.

/authorize?
  response_type=code
  &client_id=
  &redirect_uri=/authorization-code.html
  &scope=photo+offline_access
  &state=

For this demo, we've gone ahead and generated a random state parameter (shown above) and saved it in a cookie.

Click "Authorize" below to be taken to the authorization server. You'll need to enter the username and password that was generated for you.

The user was redirected back to the client, and you'll notice a few additional query parameters in the URL:

?state=&code=

You need to first verify that the state parameter matches the value stored in this user's session so that you protect against CSRF attacks.

Depending on how you've stored the state parameter (in a cookie, session, or some other way), verify that it matches the state that you originally included in step 1. Previously, we had stored the state in a cookie for this demo.

Does the state stored by the client () match the state in the redirect ()?

Now you're ready to exchange the authorization code for an access token.

The client builds a POST request to the token endpoint with the following parameters:

POST /token

Note that the client's credentials are included in the POST body in this example. Other authorization servers may require that the credentials are sent as a HTTP Basic Authentication header.

Here's the response from the token endpoint!

Great! Now your application has an access token, and can use it to make API requests on behalf of the user.