Acquiring tokens with authorization codes
The Authorization Code flow is suitable when the application requires the user's interaction with the Azure AD STS during authentication. One such case is when users log in to web applications (web sites) using OpenID Connect. The web application receives an authorization code, which it can redeem to acquire a token for Web APIs.
Requesting the authorization code itself is left to the developer. To understand how to request an authorization code, see Authorization code flow.
Upon receiving an authorization code, the `acquire_token_with_authorization_code` method can be called to request a token. To see how to integrate the Authorization code flow into a web application, see this Python web application sample.
The `acquire_token_with_authorization_code` method can be used for both confidential and public clients. The sample mentioned above acquires a token for a confidential client. For a public client, you would not pass a client secret, because client secrets cannot be reliably stored on devices.

To mitigate the authorization code interception attack for public clients, we have also provided support for Proof Key for Code Exchange (PKCE). Using this feature is optional. PKCE has the app generate a random key called the `code_verifier` and derive a transformed value of it called the `code_challenge`. When requesting an authorization code, the `code_challenge` and the `code_challenge_method` that was used to transform the `code_verifier` are sent to the authorization server. The authorization code obtained is then sent to the token endpoint along with the `code_verifier`, which the server uses to verify that the entity asking for the access token is the same one that requested the code. Details on how to implement the transformation method for deriving the `code_challenge` are described in the [PKCE specification document](https://tools.ietf.org/html/rfc7636#appendix-A). ADAL Python supports passing the `code_verifier` in the token request if you used PKCE for the authorization code grant request.
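The following is an added example, not code from the ADAL Python project, showing the two halves of PKCE as described above: generating the `code_verifier`, deriving the S256 `code_challenge` for the authorization request, and the check the token endpoint performs when the `code_verifier` is presented later. The `redeem_code_with_pkce` function assumes that `acquire_token_with_authorization_code` accepts the verifier as a `code_verifier` keyword argument and that `adal` is installed; the authority, client id, resource and redirect URI values are placeholders. The test vector in the comments is the one published in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random high-entropy code_verifier (RFC 7636 section 4.1).

    Must be 43..128 unreserved characters; base64url-encoding 32 random
    bytes (padding stripped) yields exactly 43, the minimum allowed.
    """
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(code_verifier: str) -> str:
    """S256 transform (RFC 7636 section 4.2 / Appendix A):
    BASE64URL(SHA256(ASCII(code_verifier))) with the '=' padding removed.

    RFC 7636 Appendix B vector:
      verifier  dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
      challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
    """
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_matches(code_verifier: str, code_challenge: str, method: str = "S256") -> bool:
    """The check the token endpoint performs: recompute the challenge from the
    presented verifier and compare it with the one stored alongside the code.
    A stolen code is useless without the verifier that only the original
    client holds, which is the interception mitigation PKCE provides."""
    if method == "S256":
        expected = make_code_challenge(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False
    return hmac.compare_digest(expected, code_challenge)


def build_authorize_params(client_id: str, redirect_uri: str, resource: str,
                           state: str, code_challenge: str) -> dict:
    """Query parameters for the authorization request. The two PKCE fields
    are added to the usual Azure AD v1 parameters (hypothetical values are
    supplied by the caller)."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "resource": resource,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }


def redeem_code_with_pkce(authority: str, authorization_code: str, redirect_uri: str,
                          resource: str, client_id: str, code_verifier: str) -> dict:
    """Public-client redemption: no client_secret is passed; instead the
    code_verifier kept in the user's session since the authorization request
    is sent with the code. Assumes ADAL Python accepts the keyword argument
    `code_verifier` on acquire_token_with_authorization_code."""
    import adal  # imported here so the PKCE helpers above run without the library installed
    context = adal.AuthenticationContext(authority)
    return context.acquire_token_with_authorization_code(
        authorization_code, redirect_uri, resource, client_id,
        code_verifier=code_verifier)


if __name__ == "__main__":
    # Store the verifier server-side with the session; send only the challenge.
    verifier = make_code_verifier()
    params = build_authorize_params(
        client_id="<your-client-id>",                 # placeholder
        redirect_uri="https://localhost:5000/getAToken",  # placeholder
        resource="https://graph.microsoft.com",       # placeholder
        state=secrets.token_urlsafe(16),
        code_challenge=make_code_challenge(verifier))
    print(params)
    print("verifier matches:", challenge_matches(verifier, params["code_challenge"]))
```

Keep the `code_verifier` in server-side session state keyed by the `state` value, and only pass it to `acquire_token_with_authorization_code` once the redirect carrying the code has been matched to that same `state`.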