Reputation: 345
why authorization code is necessary in authorization-grant-type
I am new to OAuth and was wondering why authorization code is required?
Why authorization does not send access token or refresh token in callback response.
why not directly access token?
Upvotes: 0
Views: 458
Answers (1)
Reputation: 54118
The Authorization Code grant uses the short-lived one-time code so that it can be exchanged for the real token (which is longer-lived and multiple-use) in a backchannel call that is more secure and can leverage credentials to authenticate the Client towards the Authorization Server.
The Implicit grant type returns the access token directly in the authorization response. It is considered to be more insecure because it is easier to attack (using crafted redirects etc.) and because there's no way to keep a client credentials secret.
Upvotes: 3
Related Questions
- Why do access tokens expire?
- Why Does OAuth v2 Have Both Access and Refresh Tokens?
- How to validate an OAuth 2.0 access token for a resource server?
- Setting Authorization Header of HttpClient
- What are the main differences between JWT and OAuth authentication?
- What is the purpose of the implicit grant authorization type in OAuth 2?
- OAuth 2.0: Benefits and use cases — why?
- Why is there an "Authorization Code" flow in OAuth2 when "Implicit" flow works so well?
- How does OAuth 2 protect against things like replay attacks using the Security Token?
- What is the difference between the OAuth Authorization Code and Implicit workflows? When to use each one?