Reputation: 1
For reference, here is an image of the authorization code grant type: [image: authorization code grant type]
I can't figure out why the authorization server doesn't simply go to the redirect URL instead of responding to the user (step 4 in the image). The authorization server generates and returns an authorization code back to the user and tells it to go to the redirect URL (the client app). As far as I can see, the user is doing nothing with the response before sending the authorization code to the client app so why is the user even involved in this step? Am I fundamentally misunderstanding something?
Thanks in advance.
Upvotes: 0
Views: 92
Reputation: 1175
The code is sent back to the client app; otherwise, how will the client know whether the user has successfully authenticated to the authorization server, or whether the user has approved the client app to access his resources? The client app uses the authorization code redirected to it by the authorization server and exchanges it for an access token.
Beginner’s Guide to OAuth – Part II : Protocol Workflow
Request Tokens (Authorization codes) are only good for obtaining User approval, while Access Tokens are used to access Protected Resources, in this case Jane’s photos. In the first request, Beppa exchanges the Request Token (Authorization code) for an Access Token and in the second (can be multiple requests, one for a list of photos, and a few more to get each photo) request gets the photos.
Upvotes: 1
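The flow the answer describes, as an added example that is not from the question, the answer, or the linked guide: a small in-memory simulation of the authorization code grant. It shows why the code must arrive at the client via the user's browser (the browser is the only party that has a session with both the authorization server and the client) and why the client is still needed afterwards (only it holds the client secret used in the back-channel exchange). The client id `beppa`, the secret, the URLs, the user name `jane` and the 60-second code lifetime are all constructed values for this example.

```python
# Added example, not code from the question, the answer or any real OAuth library.
# A toy OAuth 2.0 authorization code grant in one process: the authorization server
# hands the browser a redirect carrying a short-lived, single-use code bound to one
# client and redirect_uri; the client then redeems it over the back channel.
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs


class AuthorizationServer:
    """Toy authorization server; registrations, codes and tokens live in memory."""

    def __init__(self):
        # Constructed client registration: id, secret and the only allowed redirect URI.
        self.clients = {
            "beppa": {"secret": "s3cret", "redirect_uri": "https://beppa.example/callback"},
        }
        self.codes = {}   # code -> {client_id, redirect_uri, user, expires, used}
        self.tokens = {}  # access_token -> {client_id, user}

    def authorize(self, auth_request_url, user, approved):
        """Steps 2-4: the browser arrives with the client's request; the user logs in
        and approves or declines. Returns the redirect URL the browser should follow.
        The code is bound to this client and redirect_uri so nobody else can redeem it."""
        q = parse_qs(urlparse(auth_request_url).query)
        client_id, redirect_uri, state = q["client_id"][0], q["redirect_uri"][0], q["state"][0]
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        if not approved:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "expires": time.time() + 60, "used": False}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 5-6: back-channel exchange. Only the registered client presenting its
        secret, the same redirect_uri and an unexpired, unused code receives a token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        entry = self.codes.get(code)
        if entry is None or entry["used"] or entry["expires"] < time.time():
            raise PermissionError("invalid_grant")
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")
        entry["used"] = True  # single use: a replayed code is rejected
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": client_id, "user": entry["user"]}
        return access_token


class ClientApp:
    """Toy client (the 'Beppa' side). It never sees the user's password."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.client_id, self.client_secret = "beppa", "s3cret"
        self.redirect_uri = "https://beppa.example/callback"
        self.pending_states = set()

    def start_login(self):
        """Step 1: build the authorization URL the browser is sent to. 'state' is
        remembered so the later callback can be tied to this browser session."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return "https://auth.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "state": state})

    def handle_callback(self, redirect_url):
        """Step 4: the browser arrives carrying code + state; the client then redeems
        the code for an access token directly with the authorization server."""
        q = parse_qs(urlparse(redirect_url).query)
        state = q.get("state", [None])[0]
        if state not in self.pending_states:
            raise PermissionError("unexpected state (possible login CSRF)")
        self.pending_states.discard(state)
        if "error" in q:
            return None  # user declined; no code was issued
        return self.auth_server.token(self.client_id, self.client_secret,
                                      q["code"][0], self.redirect_uri)


def run_flow(approved=True):
    """Drive one complete grant; returns (access_token, client, server) for inspection."""
    server = AuthorizationServer()
    client = ClientApp(server)
    auth_url = client.start_login()                         # client -> browser
    redirect = server.authorize(auth_url, "jane", approved)  # browser -> auth server
    return client.handle_callback(redirect), client, server  # browser -> client -> auth server


if __name__ == "__main__":
    token, _, server = run_flow()
    print("access token issued for", server.tokens[token]["user"])
```

Note that `run_flow` never lets the authorization server talk to the client until the client itself opens the token request: the browser is the only link between the user's session at the authorization server and the user's session at the client, which is exactly why the code is handed to the browser in step 4 rather than posted by the server.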