Reputation: 3081
In OAuth 2.0 flows the authorization server sends the authorization code to the redirect endpoint and then the webpage has to hit the server again to get a separate access token to query the protected API with.
Why do there have to be two tokens? Specifically could someone provide example(s) of security attacks/vulnerabilities that emerge without this design.
There is this post, Facebook OAuth 2.0 "code" and "token", but it doesn't really fully explain the reasoning behind the design.
Upvotes: 4
Views: 1493
Reputation: 53928
One (the authorization code) is exchanged in the frontchannel, the other (the access token) in the backchannel. The end goal is obtaining the access token. Since the frontchannel is inherently more insecure it makes sense to send a very short-lived, one-time-usage-only temporary credential (i.e. the authorization code) in the frontchannel that the web server can use to obtain the longer-lived, repeatedly-usable access token in the backchannel. That backchannel call would also allow for the web server (or: Client) to authenticate itself to the Authorization Server to increase the assurance about dealing with the right party.
Upvotes: 9
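The three properties the answer relies on (short-lived, single-use, and redeemable only by the authenticated client that the code was issued to) can be seen in a small in-memory model of the authorization server's two endpoints. This is an added example, not code from the question or answer; the client id, secret, redirect URI and the 60-second lifetime are constructed values.

```python
import hmac
import secrets
import time

# Constructed lifetime for a front-channel code: long enough for one redirect
# round trip, short enough that a leaked code is worthless soon afterwards.
CODE_LIFETIME_SECONDS = 60


class AuthorizationServer:
    def __init__(self, clients, clock=time.time):
        # clients: {client_id: (client_secret, registered_redirect_uri)}
        self.clients = clients
        self.clock = clock  # injectable so expiry can be tested deterministically
        self.codes = {}  # code -> {client_id, redirect_uri, expires_at, used}

    def issue_code(self, client_id, redirect_uri):
        # Front channel: the code travels through the user's browser via redirect,
        # so it carries no API privilege on its own and is bound to one client.
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri not registered for client")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "expires_at": self.clock() + CODE_LIFETIME_SECONDS,
            "used": False,
        }
        return code

    def exchange_code(self, code, client_id, client_secret, redirect_uri):
        # Back channel: server-to-server call in which the client authenticates.
        # Returns the access token on success, None on any failed check.
        entry = self.codes.get(code)
        if entry is None:
            return None
        expected_secret, _ = self.clients.get(client_id, (None, None))
        if expected_secret is None or not hmac.compare_digest(expected_secret, client_secret):
            return None  # client authentication failed; code stays unused
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return None  # code was issued to a different client or redirect
        if entry["used"] or self.clock() > entry["expires_at"]:
            return None  # replay of an already-redeemed code, or expiry
        entry["used"] = True  # one-time use: a later replay is rejected
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```

A code intercepted on the front channel is useless to anyone without the client secret, and even the legitimate client can redeem it only once and only before it expires.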