OpenAPI: OAuth2 Authorization Code Flow
Document OAuth2 authorization code flow in OpenAPI 3.0. Covers authorization URL, token URL, scopes, and security scheme definition for third-party integrations.
Authentication
Detailed Explanation
Documenting OAuth2 Authorization Code Flow in OpenAPI
The authorization code flow is the recommended OAuth2 flow for server-side applications and SPAs. OpenAPI 3.0 has built-in support for documenting OAuth2 security schemes.
OAuth2 Security Scheme
components:
securitySchemes:
OAuth2:
type: oauth2
flows:
authorizationCode:
authorizationUrl: https://auth.example.com/authorize
tokenUrl: https://auth.example.com/token
refreshUrl: https://auth.example.com/token
scopes:
read:users: Read user profiles
write:users: Create and update users
read:orders: Read order history
write:orders: Create and manage orders
admin: Full administrative access
Applying Scopes to Endpoints
paths:
/users:
get:
summary: List users
security:
- OAuth2:
- read:users
responses:
'200':
description: User list
post:
summary: Create user
security:
- OAuth2:
- write:users
responses:
'201':
description: User created
/admin/settings:
get:
security:
- OAuth2:
- admin
Scope Naming Conventions
Use a hierarchical naming pattern like resource:action:
read:users- read access to user datawrite:users- create/update user datadelete:users- delete user dataadmin- full access
Flow Comparison
| Flow | Best For |
|---|---|
| Authorization Code | Server-side web apps, SPAs with backend |
| Client Credentials | Server-to-server (no user context) |
| Implicit (deprecated) | Legacy SPAs |
| PKCE | Mobile apps, single-page applications |
Document which flow your API supports and provide setup instructions in the API description.
Use Case
Building a platform API that third-party developers integrate with using OAuth2, such as a social media API, cloud platform, or enterprise SaaS product where external apps need delegated access to user resources.