Reputation: 8754
OAuth2: (Why) does exchanging authorization code for access token require authorization header?
I'm reading RFC6749 defining OAuth2 and in section 4.1 (about the Authorization Code Grant) it seems to state that when a client is exchanging authorization code for access token, the request needs to include authorization header (see section 4.1.3 specifically).
- Is it indeed required for all such requests or maybe I understand it wrong and it's only required for a subset of such requests? If so, what is the subset?
- If it is required, then why? I thought that the authorization code is enough to prove that the client is authorized to get the token.
Thanks.
Upvotes: 0
Views: 80
Answers (1)
Reputation: 81356
The answer comes from section 2.3 Client Authentication.
If the client type is confidential, the client and authorization server establish a client authentication method suitable for the security requirements of the authorization server. The authorization server MAY accept any form of client authentication meeting its security requirements.
Confidential clients are typically issued (or establish) a set of client credentials used for authenticating with the authorization server (e.g., password, public/private key pair).
The authorization server MAY establish a client authentication method with public clients. However, the authorization server MUST NOT rely on public client authentication for the purpose of identifying the client.
OAuth defines two client types, based on their ability to authenticate securely with the authorization server (i.e., ability to maintain the confidentiality of their client credentials):
confidential
Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with restricted access to the client credentials), or capable of secure client authentication using other means.
public
Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client
authentication via any other means.
Summary
The requirement for an authorization header is determined by the authorization server and is implementation specific.
Upvotes: 2
Related Questions
- Why Doesn't my Authorization Header need "Bearer"?
- OAuth 2.0 Authorization Header
- Why is there an "Authorization Code" flow in OAuth2 when "Implicit" flow works so well?
- oAuth2.0: Why need "authorization-code" and only then the token?
- Why retrieving Access Token is a separate step with extra HTTP request in OAuth2?
- How is authorization code different from the access token?
- OAuth 2.0 Authorization Code - Why does the code need to be sent back to the user?
- why authorization code is necessary in authorization-grant-type
- oAuth 2 authorization header syntax
- Why does the OAuth 2.0 specification prevent re-use of Authorization codes?