Articles

In a traditional client-server authentication model, a resource owner shares their credentials with the client so that the client can access the owner’s resources when necessary. The client does that by passing the resource owner’s credentials to the resource server, and the resource server validates them before providing access to the protected resource(s). Simple, right?

Well, there are a bunch of problems associated with this model, a few of which are listed below:

Source of the article on DZONE

RingCentral APIs use OAuth 2.0 for authorization. But which grant flow is the best practice for client-side apps, such as desktop, mobile, and web (single-page) apps? The answer is authorization code with Proof Key for Code Exchange (PKCE). In this article, I will introduce the authorization code with PKCE flow and show you how to implement it in single-page apps.

Useful Links

  1. RingCentral APIs reference: Authorization in RingCentral APIs.
  2. IETF link: Proof Key for Code Exchange by OAuth Public Clients.

Authorization Code and Implicit Grant Flow

Authorization Code Grant Flow

The full steps of the authorization code grant flow are shown in the following diagram. A third-party app needs the RingCentral client ID and client secret to exchange and refresh the access token. The third-party app stays authorized as long as it refreshes the RingCentral access token before the refresh token expires, and it receives a new refresh token and access token each time it refreshes.

Source of the article on DZONE