Why do we need to ask the authorization server for the Authorization code and then exchange the Authorization code for an Access token on the same server? Why not return an Access token directly, without issuing an Authorization code?
I do understand that it is specified by the standard but there should be some logic behind this.
Viewed 743 times
Does this answer your question? OAuth - Why exchange the authcode for a token and, related, Facebook OAuth 2.0 “code” and “token” on StackOverflow. – TripeHound Jan 15 '20 at 08:25
1 Answer
5
The way the “authorization code grant type” is meant to be implemented is in a web app that has public and confidential clients. The authorization code is authorized by the resource owner and the browser (public client) redirects the application to the callback URL, passing the authorization code in the URL parameters. Because the browser is a public client, we should not expose the token here. Instead, the (confidential) backend of our web app passes that authorization code, as well as the client_secret, to the authorization server and exchanges it for the token.
Do you see how we protect the token and api client_secret by keeping that workflow in the backend?
Kyle Fennell
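The two-step exchange the answer describes, as an added worked example (this is illustrative code written for this page, not code from the answer, from any OAuth library, or from the standard). It models a toy authorization server with an in-memory code store; the client name `webapp`, the callback `https://app.example/cb`, the user names and the 60-second code lifetime are assumptions. It shows why the browser only ever sees the code: without the backend's `client_secret` a leaked code is worthless, a code can be redeemed only once (a replay revokes the token already issued, as RFC 6749 section 4.1.2 requires), and it expires.

```python
import hmac
import secrets
import time
from urllib.parse import urlparse, parse_qs

CODE_TTL_SECONDS = 60  # assumed; RFC 6749 4.1.2 recommends at most 10 minutes


class AuthorizationServer:
    """Toy authorization server: issues one-time codes, redeems them for tokens."""

    def __init__(self, clients):
        # client_id -> {"secret": ..., "redirect_uri": ...}; confidential clients only
        self.clients = clients
        self._codes = {}   # code -> record
        self._tokens = {}  # token -> record

    def authorize(self, client_id, redirect_uri, user, now=None):
        """Front channel: the resource owner has approved; return the redirect
        URL carrying the code, which is the only thing the browser ever sees."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client_id or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id, "redirect_uri": redirect_uri, "user": user,
            "issued_at": now if now is not None else time.time(), "used": False,
        }
        return f"{redirect_uri}?code={code}"

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Back channel: the confidential backend exchanges code + client_secret
        for an access token."""
        client = self.clients.get(client_id)
        # Constant-time compare, checked before the code is touched: an attacker
        # holding only the code learns nothing about its validity.
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        record = self._codes.get(code)
        if record is None:
            raise PermissionError("invalid_grant")
        if record["used"]:
            # Replayed code: revoke every token already issued from it.
            for tok in self._tokens.values():
                if tok["code"] == code:
                    tok["active"] = False
            raise PermissionError("invalid_grant")
        now = now if now is not None else time.time()
        if (record["client_id"] != client_id
                or record["redirect_uri"] != redirect_uri
                or now - record["issued_at"] > CODE_TTL_SECONDS):
            raise PermissionError("invalid_grant")
        record["used"] = True
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"user": record["user"], "code": code, "active": True}
        return token

    def introspect(self, token):
        rec = self._tokens.get(token)
        return rec is not None and rec["active"]


def run_flow():
    """Walk the happy path and the failure modes; returns a dict of outcomes."""
    client_id, secret, callback = "webapp", secrets.token_urlsafe(32), "https://app.example/cb"
    server = AuthorizationServer({client_id: {"secret": secret, "redirect_uri": callback}})
    results = {}

    # 1. The browser (public client) is sent back to the callback with the code.
    redirect = server.authorize(client_id, callback, user="alice")
    code = parse_qs(urlparse(redirect).query)["code"][0]

    # 2. Suppose the code leaks (browser history, Referer header, proxy log).
    #    Without client_secret it cannot be turned into a token.
    try:
        server.token(client_id, "guessed-or-missing-secret", code, callback)
        results["attacker"] = "token issued"
    except PermissionError as e:
        results["attacker"] = str(e)

    # 3. The confidential backend redeems it; the token never reaches the browser.
    token = server.token(client_id, secret, code, callback)
    results["backend_token_active"] = server.introspect(token)

    # 4. Redeeming the same code again fails and revokes the token from step 3.
    try:
        server.token(client_id, secret, code, callback)
        results["replay"] = "token issued"
    except PermissionError as e:
        results["replay"] = str(e)
    results["token_active_after_replay"] = server.introspect(token)

    # 5. A code older than CODE_TTL_SECONDS is rejected (clock injected for the test).
    stale = parse_qs(urlparse(server.authorize(client_id, callback, "bob", now=1000.0)).query)["code"][0]
    try:
        server.token(client_id, secret, stale, callback, now=1000.0 + CODE_TTL_SECONDS + 1)
        results["expired"] = "token issued"
    except PermissionError as e:
        results["expired"] = str(e)
    return results


if __name__ == "__main__":
    print(run_flow())
```

The secret check runs before the code lookup so that the front channel never becomes an oracle for code validity. Where there is no confidential backend to hold a secret (a single-page app or a mobile client), the binding that `client_secret` provides here is what PKCE's `code_verifier` supplies instead; that case is outside the answer above.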
Thank you very much! Now I understand why we pass an authorization code instead of an access token – Oleksandr Jan 15 '20 at 15:39