Lifu Huang

Reputation: 12828

Why is an Authorization Code necessary in OAuth2?

Authorization Code Grant is one of the four authorization grant types in OAuth2. In the Implicit Grant, the authorization token is sent back directly in the response, but in the Authorization Code Grant, a code is sent back in the response, which is then used to retrieve the token from the authorization server.

My question is, why is an Authorization Code necessary in the Authorization Code Grant, instead of directly sending back the token as is done in the Implicit Grant?

Upvotes: 1

Views: 308

Answers (1)

sdoxsee

Reputation: 4701

With the authorization code grant, the exchange of an authorization code for a token happens on the server side (i.e., not directly in the browser). This way the client secret and token can be kept more "safely" on the server. Read here about the "simplifications" the implicit flow makes at the expense of some security implications.

Upvotes: 3
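The following is an added illustration of the point made in the answer above; it is not code from the question, the answer, or any OAuth2 library. It models a toy in-memory authorization server (all client ids, secrets, redirect URIs and usernames are constructed placeholders) that supports both grants, so that the difference is visible: the implicit grant puts the bearer token in the redirect URL that the browser sees, while the code grant puts only a short-lived, single-use code there, and the token endpoint hands out the token only to a caller that also presents the client secret, which lives on the server side and never reaches the browser.

```python
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Constructed registration of one confidential client (hypothetical values).
CLIENTS = {
    "web-app": {"secret": "s3cr3t-demo", "redirect_uri": "https://app.example/cb"},
}


class AuthorizationServer:
    """Minimal in-memory model of the authorization and token endpoints."""

    def __init__(self, code_ttl=60):
        self._codes = {}      # authorization code -> metadata it is bound to
        self._tokens = set()  # access tokens this server has issued
        self.code_ttl = code_ttl
        self.now = time.time  # overridable clock, used below to simulate expiry

    def authorize(self, client_id, redirect_uri, user, response_type):
        """Authorization endpoint: returns the redirect URL the browser is sent to."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if response_type == "token":
            # Implicit grant: the bearer token itself travels in the URL fragment.
            return f"{redirect_uri}#access_token={self._issue_token(user)}&token_type=bearer"
        if response_type == "code":
            # Code grant: only a short-lived code travels through the browser,
            # bound to the client and redirect URI it was issued for.
            code = secrets.token_urlsafe(32)
            self._codes[code] = {
                "client_id": client_id, "redirect_uri": redirect_uri,
                "user": user, "exp": self.now() + self.code_ttl,
            }
            return f"{redirect_uri}?code={code}"
        raise ValueError("unsupported response_type")

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: called server-to-server by the client's backend."""
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        meta = self._codes.pop(code, None)  # pop makes every code single-use
        if (meta is None or meta["exp"] < self.now()
                or meta["client_id"] != client_id or meta["redirect_uri"] != redirect_uri):
            raise PermissionError("invalid_grant")
        return self._issue_token(meta["user"])

    def _issue_token(self, user):
        token = secrets.token_urlsafe(32)
        self._tokens.add(token)
        return token


def exchange_rejected(srv, client_id, client_secret, code, redirect_uri):
    """True if the token endpoint refuses this exchange."""
    try:
        srv.token(client_id, client_secret, code, redirect_uri)
        return False
    except PermissionError:
        return True


def demo():
    """Run both grants against one server and report what each side ends up seeing."""
    srv = AuthorizationServer()
    cid, secret, uri = "web-app", CLIENTS["web-app"]["secret"], CLIENTS["web-app"]["redirect_uri"]

    # Implicit grant: the browser-visible redirect already contains a valid token.
    implicit_url = srv.authorize(cid, uri, "alice", "token")
    frag_token = parse_qs(urlsplit(implicit_url).fragment).get("access_token", [None])[0]

    # Code grant: the browser sees a code; the backend (which holds the secret) redeems it.
    code_url = srv.authorize(cid, uri, "alice", "code")
    code = parse_qs(urlsplit(code_url).query)["code"][0]
    without_secret = exchange_rejected(srv, cid, "", code, uri)          # code alone is not enough
    server_token = srv.token(cid, secret, code, uri)                     # backend exchange succeeds
    reuse = exchange_rejected(srv, cid, secret, code, uri)               # replaying the code fails

    # Expiry: a code that sits unused past its TTL is also refused.
    stale = parse_qs(urlsplit(srv.authorize(cid, uri, "alice", "code")).query)["code"][0]
    srv.now = lambda: time.time() + srv.code_ttl + 1
    expired = exchange_rejected(srv, cid, secret, stale, uri)

    return {
        "implicit_redirect_exposes_token": frag_token in srv._tokens,
        "code_redirect_exposes_token": "access_token" in code_url,
        "token_obtained_server_side": server_token in srv._tokens,
        "code_without_secret_rejected": without_secret,
        "code_reuse_rejected": reuse,
        "expired_code_rejected": expired,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The model deliberately keeps the token endpoint call outside the browser path: in a real deployment that call is an HTTPS request from the client's backend, and public clients that cannot hold a secret would bind the code with PKCE instead. Both details are beyond what the answer above covers and are left out here.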
